Deutsche Telekom Innovation Laboratories - TU Berlin / FG SecT

CASTOR: Container Allowing for Secure and Trustworthy OS Refinement
{jnordholz, peter, jpseifert}@sec.t-labs.tu-berlin.de

Motivation

- continuing growth in hardware capabilities
  - opens up new opportunities
  - permanent network connectivity
- more varied stakeholders
  - mutually distrustful: owner, manufacturer, network operator, service/content provider
- tendency towards commodity OS
  - tools, developers, apps, supported platforms
  - yet: lacking in security

Use Cases

- government / business
  - BYOD
  - mobile secure network access
- consumer
  - media hub, entertainment
  - e-health
  - content streaming
  - smart metering
- automotive
  - remote maintenance
  - navigation, infotainment
  - management of e-mobility
  - C2X

Architecture objectives

- deep defense
  - account for long life cycles
  - remain operational after security incident
- small trusted computing base
- remote management (over-the-air updates)
- secure encapsulation
  - only attainable through advanced system architecture
- little guest modifications
- efficiently implementable without hardware virt. support

Existing Solutions

- guest interface: vCPU (depends on hardware support for efficient implementations), vTLB, hypercall interface
- type-2 for embedded systems
  - integrates well with shipping environments
  - flexible implementation
  - proprietary guest modifications
  - huge attack vector through host OS interface
- capability-based systems (L4Re / Fiasco.OC microkernel)
  - geared towards native ecosystem
  - not developed with virtualization in mind
  - unnecessary complexity in guest

[Figure: architecture diagrams comparing the existing solutions with CASTOR. Labels: type-2 VMM with VTLB, execution monitor and hypercall interface on a host Linux kernel (guest Linux tasks/processes above); CASTOR Execution Monitor with native low-level entry/exit paths, VTLB and hypercall interface; CASTOR Kernel on the Fiasco.OC microkernel with task subsystem, scheduler and VTLB subsystem, L4vcpu / L4Re (C++) and capability-based entry/exit paths (still evolving).]

Preliminary Results

- platform: Samsung Galaxy S2

[Figure: prototype stack on the Fiasco.OC microkernel. Labels: guest Linux VMs / L4Linux / L4OpenBSD running as tasks and processes; KARMA VM Monitor; host Linux; vcpu, L4vcpu / L4Re glue (C++), threads, caps, memory management / mapper, entry/exit paths; native low-level code and privileged instructions; hardware VM facility; secure infrastructure with preboot authentication (boot auth), gfx driver, 3D driver, GUI, interfaces and multiple OS compartments (open Android, secure Android, VPN manager).]

Credits & References

CASTOR builds on contributions by Adam Lackorzynski and Alexander Warg, who are authors of Fiasco.OC and L4Linux, and on contributions by Steffen Liebergeld and Janis Danisevskis, who developed the KARMA Paravirtualized VMM, the ancestor of CASTOR.