DOI: 10.1145/3517208.3523752
Research article, Open access

Tiered trust for useful embedded systems security

Published: 05 April 2022

Abstract

Traditional embedded systems rely on custom C code deployed in a monolithic firmware image. In these systems, all code must be trusted completely, as any code can directly modify memory or hardware registers. More recently, some embedded OSes have improved security by separating userspace applications from the kernel, using strong hardware isolation in the form of a memory protection unit (MPU). Unfortunately, this design requires either a large trusted computing base (TCB) containing all OS services, or moving many OS services into userspace. The large TCB approach offers no protection against seemingly-correct backdoored code, discouraging the use of kernel code produced by others and complicating security audits. OS services in userspace come at a cost to usability and efficiency. We posit that a model enabling two tiers of trust for kernel code is better suited to modern embedded software practices. In this paper, we present the threat model of the Tock Operating System, which is based on this idea. We compare this threat model to existing security approaches, and show how it provides useful guarantees to different stakeholders.
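The two-tier model the abstract argues for can be made concrete. The sketch below is an added illustration in the style of Tock (not Tock's or the paper's own code) and assumes Tock's mechanism: a small trusted core is the only code allowed to use `unsafe` and touch hardware directly, while other kernel code ("capsules") is written in safe Rust and reaches hardware only through a narrow, bounds-checked API. The register file, the `Window` capability and the `Blinker` capsule are constructed for the example.

```rust
/// Tier 1: trusted core. The only place `unsafe` is allowed; it alone touches
/// the (constructed, simulated) memory-mapped register file directly.
mod trusted_core {
    use std::cell::UnsafeCell;
    use std::ptr::{read_volatile, write_volatile};
    pub const REG_COUNT: usize = 4;
    struct RegFile(UnsafeCell<[u32; REG_COUNT]>);
    unsafe impl Sync for RegFile {} // single-threaded example; stands in for MMIO
    static REGS: RegFile = RegFile(UnsafeCell::new([0; REG_COUNT]));

    /// Capability handed to a capsule: a bounded slice of the register file.
    pub struct Window { base: usize, len: usize }

    impl Window {
        /// Only the core should mint windows; rejects ranges beyond the register file.
        pub fn grant(base: usize, len: usize) -> Option<Window> {
            if base.checked_add(len)? <= REG_COUNT { Some(Window { base, len }) } else { None }
        }
        /// Bounds-checked register write: the sole path from a capsule to hardware.
        pub fn write(&self, idx: usize, val: u32) -> Result<(), &'static str> {
            if idx >= self.len { return Err("register outside granted window"); }
            // SAFETY: base+len <= REG_COUNT (checked in grant) and idx < len (checked above).
            unsafe { write_volatile((REGS.0.get() as *mut u32).add(self.base + idx), val) };
            Ok(())
        }
    }
    /// Privileged inspection for the core itself (and the tests below).
    pub fn peek(idx: usize) -> u32 {
        assert!(idx < REG_COUNT);
        unsafe { read_volatile((REGS.0.get() as *const u32).add(idx)) }
    }
}

/// Tier 2: untrusted kernel code. `forbid(unsafe_code)` turns any attempt to
/// bypass the core's API into a compile error, so a backdoored capsule can at
/// most misuse the window it was granted, and that misuse is bounds-checked.
#[forbid(unsafe_code)]
mod capsule {
    use super::trusted_core::Window;
    pub struct Blinker { win: Window }
    impl Blinker {
        pub fn new(win: Window) -> Self { Blinker { win } }
        /// Legitimate use: drive the one LED register the capsule owns.
        pub fn set_pattern(&self, p: u32) -> Result<(), &'static str> { self.win.write(0, p) }
        /// Misbehaving use: reach for a register outside the window.
        pub fn poke(&self, idx: usize, v: u32) -> Result<(), &'static str> { self.win.write(idx, v) }
    }
}

/// Boot: the core grants register 1 to the capsule, which then behaves and misbehaves.
pub fn demo() -> (Result<(), &'static str>, Result<(), &'static str>, u32, u32) {
    let blinker = capsule::Blinker::new(trusted_core::Window::grant(1, 1).expect("fits"));
    let ok = blinker.set_pattern(0xA5);   // Ok: register 1 now holds 0xA5
    let rejected = blinker.poke(2, 0xFF); // Err: would be register 3, outside the window
    (ok, rejected, trusted_core::peek(1), trusted_core::peek(3))
}

fn main() { println!("{:?}", demo()); }
```

In the real system the MPU plays the same bounding role for userspace processes that the type system and the `Window` API play for capsules here; only the core ever needs to be audited for raw hardware access.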



Published In

EuroSec '22: Proceedings of the 15th European Workshop on Systems Security
April 2022, 70 pages
ISBN: 9781450392556
DOI: 10.1145/3517208
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. IoT
2. embedded systems
3. operating systems
4. security

Qualifiers

• Research-article

Conference

EuroSys '22
Overall Acceptance Rate 241 of 1,308 submissions, 18%
