Date posted: 13-Apr-2017 | Category: Technology | Upload: everything-iot
Slide 1
Uncompromising Security for Connected Devices
Gernot Heiser | [email protected] | @GernotHeiser
March 2016
Provably Secure Operating Systems
www.data61.csiro.au
Claim: A system must be considered untrustworthy unless proved otherwise!
Corollary [with apologies to Dijkstra]: Testing, code inspection, etc. can only show lack of trustworthiness!
So, why don't we prove trustworthiness?
Everything IoT, March '16 | 2
Fundamental Security Requirement: Isolation
Trustworthy separation kernel
Processor | Uncritical / untrusted | Sensitive / critical / trusted
Strong Isolation
Communication subject to global security policy
Isolation for Trustworthiness
Safety / Security
Availability, Timeliness, Confidentiality, Integrity
Isolation!
seL4 OS Microkernel: Provable Isolation
Proof chain: Abstract Model -- Proof -- C Implementation -- Proof -- Binary code
Integrity proof, Confidentiality proof, Availability proof
Functional correctness [SOSP09]
Isolation properties [ITP11, S&P13]
Translation correctness [PLDI13]
Worst-case execution time [RTSS11, RTAS16]
Exclusions (at present): Initialisation; Privileged state & caches; Multicore; Covert timing channels
World's fastest microkernel!
Inflammatory comments on heartbleed
Real-World Deployment: DARPA HACMS Program
Unmanned Little Bird: Deployment Vehicle
SMACCMcopter: Research Vehicle
Air Team Objectives:
Provable vehicle safety
Red Team must not be able to divert vehicle
No sacrificing performance
SMACCM Building Blocks
Secure Kernel: seL4
Secure Components: Ivory/Tower
Secure Architecture: AADL Analysis
Automatic Synthesis
They're doing model checking on the architecture/AADL level, and also assurance cases. I don't know what exactly they have proved by model checking. Something about different main states the system can be in (init, running, fall-back).
For the assurance case, they basically generate an argument tree that decomposes high-level properties into properties about lower-level components. Again, not sure what was actually proved, but some variant of "only commands sent by a correctly authenticated ground station will be executed". The proofs bottom out at things like "this component provides correct authentication", "AADL connections are the only way to communicate", etc.
Phase 2 Security Evaluation
MISSION BOARD
HARDWARE: C&C Radio; COTS Network Camera; ARM A15 processor
SOFTWARE: Image Processing; Command & Control; Linux Kernel; Ethernet driver
Image courtesy of chanpipat at FreeDigitalPhotos.net
Root access: Red Team unable to compromise rest of system (white-box attack)
"World's most highly assured drone" [DARPA]
Mesa, AZ, 24 July 2015
Inside!