
CerberOS: A Resource-Secure OS for Sharing IoT Devices

Sven Akkermans, Wilfried Daniels, Gowri Sankar R., Bruno Crispo and Danny Hughes
imec-DistriNet, KU Leuven, 3001 Leuven, Belgium
[email protected]

Abstract

To continue to grow, the Internet of Things (IoT) requires scalable and secure system software solutions for resource-constrained devices. To maximize return on investment of these devices, IoT platforms should support multiple third-party applications and adaptation of software over time. However, realizing the vision of shared IoT platforms demands not only strong guarantees on the confidentiality and integrity of application data, but also guarantees on the use of critical resources such as computation, sensors and energy. We refer to this vision as resource security. Prior research on Operating Systems (OS) for tiny IoT devices has focused on miniaturizing core functionality such as scheduling and communication and does not consider resource security. To address this problem, we introduce CerberOS, a resource-secure OS for sharing IoT devices. CerberOS enables multiple applications on constrained IoT devices while, for the first time, guaranteeing data confidentiality, integrity and secure resource management. Our approach is based upon the twin pillars of virtualization, which isolates applications, and contracts, which control application resource usage. Evaluation shows that CerberOS supports the secure coexistence of up to seven applications on a representative IoT device with a memory usage of 40KB ROM and 5KB RAM while preserving multi-year battery lifetimes.

Categories and Subject Descriptors
I.6 [Operating Systems Security]: Virtualization and security

General Terms
Design, Security

Keywords
Multiple applications, virtualization, resource security, Internet of Things, operating systems

1 Introduction

The Internet of Things (IoT) is growing rapidly, with large-scale networks of constrained devices being deployed in our homes and across all sectors of industry. Despite advances in hardware and software technologies, IoT deployments are costly to create and operate due to the manpower required to deploy, configure and manage thousands of devices. This motivates the maximization of Return on Investment (RoI) by sharing IoT platforms with multiple parties. In this paper, we explore how these IoT platforms can be securely shared by multiple applications (apps), without increasing hardware costs or significantly decreasing battery life. Secure multi-app hosting is as yet poorly supported by current IoT OS research [9, 12, 17]. Memory protection is often not supported, or requires additional hardware. Software on IoT devices is not prevented from blocking or exhausting essential resources. As IoT infrastructure providers cannot share their platforms with third parties while retaining full manageability and control of their resources, multi-app IoT devices are not common. This is a significant roadblock in achieving commercial large-scale IoT deployments.

To overcome this roadblock, we present CerberOS, a resource-secure operating system for tiny multi-app IoT nodes. The core idea of CerberOS is instruction-level monitoring and fine-grained resource management for all apps running on the device. This is achieved by an interpreting virtualization layer, implemented through a virtual machine, that isolates apps and separates the system into user and kernel space. Resource security is paramount in our system. Key resources, such as memory and peripherals, are managed so that apps can run safely on a node without being disrupted by other apps. Our research aims to leverage the benefits of existing, efficient solutions while going beyond prior work to enable resource-secure multi-app IoT devices. Specifically, CerberOS protects the device and its apps from any malicious or malfunctioning app.
CerberOS is implemented on a representative IoT device based on the ATmega1284P. It is designed to be modular: it can work stand-alone, but also allows the use of discrete assets from other OSs, such as timers, scheduling and networking. CerberOS works on nodes with as little as 40KB ROM and 5KB RAM and is shown to support seven coexisting applications. Our experimental evaluation shows that the performance overhead and energy impact of CerberOS are feasible for real-world IoT scenarios.

International Conference on Embedded Wireless Systems and Networks (EWSN) 2017, 20–22 February, Uppsala, Sweden. © 2017 Copyright is held by the authors. Permission is granted for indexing in the ACM Digital Library. ISBN: 978-0-9949886-1-4

Figure 1. A smart city deployment with multiple stakeholders for the city of Antwerp (Belgium) [27].

The remainder of this paper is structured as follows: Section 2 gives the case, requirements and threat model for multi-app IoT devices, Section 3 discusses related work, Section 4 describes the design and architecture of CerberOS, Section 5 presents the evaluation and Section 6 concludes.

2 Background

2.1 The Case for Sharing IoT Devices

The IoT envisions a future where billions of Internet-connected devices are deployed in our environment to support novel cyber-physical applications. Contemporary IoT networks are rapidly growing in scale, from smart buildings to smart cities. Research deployments such as City of Things [27], shown in Figure 1, and SmartSantander [24] already incorporate tens of thousands of IoT devices. However, commercial deployments of similar scale have been slow to appear. One reason for this disparity is the unclear RoI for large-scale IoT networks, which demand significant up-front investment in infrastructure as well as technical staff to deploy, manage and maintain the system.

Supporting multiple apps enables IoT infrastructure providers to increase their RoI. Multi-app nodes allow an IoT deployment to satisfy multiple stakeholders and therefore minimize hardware costs and the associated staff costs arising from the deployment, management and maintenance of devices. IoT infrastructure providers can specialize in deploying IoT infrastructure or platforms as a service and lease out resources on underutilized devices to third parties. IoT software developers can focus on their core competencies while still having access to scalable and elastic hardware solutions. The efficacy of this approach has been extensively demonstrated in mainstream cloud computing, and the attractiveness of such a model has led key industry players to coin the term 'fog computing' [4]. Realizing multi-app IoT platforms requires security mechanisms that ensure: (i) only authorized parties deploy apps, (ii) apps execute as determined by contracts, (iii) app code and data remain confidential, and (iv) the integrity of app code and data is assured.

Large-scale IoT networks primarily consist of IETF [...]ment which are essential for securely sharing devices between untrusted third parties.

In addition, many IoT platforms are battery powered, employing energy saving techniques to achieve lifetimes of several years on a single battery charge [28]. Energy harvesting approaches are increasingly common but likewise impose a strict limit on the power consumption of IoT devices. These resource limitations must be considered when sharing IoT platforms. In contrast to the cloud, in fog computing every processor cycle, byte of memory and joule is precious and must be carefully managed. The infrastructure provider therefore requires support for monitoring and limiting the resources that apps use. The app developer likewise requires assurances that the resources they require will be available.

The ideal multi-app IoT OS executes efficiently on Class-1 embedded devices and secures the execution and resource usage of coexisting third-party apps. Management support is necessary to minimize the effort needed to develop, deploy and manage multiple apps and to preserve scalability. In the following section, we analyze these requirements in detail.

2.2 Requirements Analysis

To realize a secure multi-app IoT OS, we identify three families of requirements: (i) core OS demands, (ii) resource-security guarantees, and (iii) classic security support.

The core OS demands for sharing embedded devices are:

• Preemptive multi-threading: The OS must provide mechanisms to safely and fairly execute coexisting apps. Cooperative scheduling, used by Contiki and TinyOS [9, 17], is insufficient since any app may block other apps or the OS by refusing to yield. It is essential that the OS can preempt processes to maintain control.

• Remote management support: For large-scale deployments such as smart cities, dispatching employees to service thousands of individual devices is clearly not cost-effective. All management activities must be performed remotely. This includes: deployment and removal of apps, adaptation of platforms, and monitoring of software state and node health.

• Lightweight and efficient: An IoT OS should execute efficiently on Class-1 devices with 10KB RAM and 100KB ROM, as they make up the majority of today's embedded IoT systems. Furthermore, the OS should minimize energy consumption through duty-cycling techniques to retain multi-year battery lifetimes.

The limited resources of IoT devices must be carefully managed to ensure that the resources of the infrastructure provider are spent according to contracts and that resource security is maintained. Therefore, resources should not be blocked for an unreasonable time span (e.g., processor, network, peripherals) or exhausted
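The interpreting virtualization layer introduced in Section 1 and the preemption and no-blocking, no-exhaustion requirements of Section 2.2 rest on a single mechanism: because every app instruction passes through the interpreter, the kernel can count instructions, preempt an app that never yields, cut off an app that has spent its budget, and refuse any peripheral access its contract does not grant. The C program below is an added illustration of that mechanism, written for this page; it is not CerberOS source. The bytecode, the contract fields (slice_insns, total_insns, periph_mask), the opcodes, the read_peripheral stub and the four sample apps are all constructed for the example and are not the paper's formats.

```c
/* Added example, not CerberOS code: a tiny interpreting VM whose per-app
 * contracts bound blocking (slice), exhaustion (lifetime budget) and
 * peripheral access (bitmask). All formats here are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum opcode { OP_HALT = 0, OP_PUSH, OP_ADD, OP_JMP, OP_READ };
#define STACK_SIZE 8

typedef struct {
    uint32_t slice_insns;  /* instructions per scheduling turn: app cannot block others */
    uint32_t total_insns;  /* lifetime instruction budget: proxy for energy/CPU share */
    uint8_t  periph_mask;  /* bit i set => app may read hypothetical peripheral i */
} contract_t;

typedef enum { APP_READY, APP_DONE, APP_KILLED } app_state_t;

typedef struct {
    const uint8_t *code; size_t code_len; size_t pc;   /* code is read-only to the app */
    int32_t stack[STACK_SIZE]; int sp;
    contract_t contract;
    uint32_t used;                                     /* instructions consumed so far */
    app_state_t state;
} app_t;

void app_init(app_t *a, const uint8_t *code, size_t len, contract_t c) {
    a->code = code; a->code_len = len; a->pc = 0; a->sp = 0;
    a->contract = c; a->used = 0; a->state = APP_READY;
}

/* Hypothetical peripheral driver; deterministic so the example runs offline. */
static int32_t read_peripheral(uint8_t id) { return 100 + id; }

/* Run one app for at most one slice. Every instruction is checked here, so the kernel
 * can preempt, enforce the budget, and reject out-of-contract peripheral access. */
app_state_t vm_step(app_t *a) {
    uint32_t n = 0;
    while (a->state == APP_READY && n < a->contract.slice_insns) {
        if (a->used >= a->contract.total_insns || a->pc >= a->code_len) {
            a->state = APP_KILLED;   /* budget exhausted, or pc left the app's code */
            break;
        }
        uint8_t op = a->code[a->pc++];
        n++; a->used++;
        switch (op) {
        case OP_HALT: a->state = APP_DONE; break;
        case OP_PUSH:
            if (a->pc >= a->code_len || a->sp >= STACK_SIZE) { a->state = APP_KILLED; break; }
            a->stack[a->sp++] = (int8_t)a->code[a->pc++];
            break;
        case OP_ADD:
            if (a->sp < 2) { a->state = APP_KILLED; break; }
            a->sp--; a->stack[a->sp - 1] += a->stack[a->sp];
            break;
        case OP_JMP:   /* target must stay inside the app's own code */
            if (a->pc >= a->code_len || a->code[a->pc] >= a->code_len) { a->state = APP_KILLED; break; }
            a->pc = a->code[a->pc];
            break;
        case OP_READ: {
            if (a->pc >= a->code_len || a->sp >= STACK_SIZE) { a->state = APP_KILLED; break; }
            uint8_t id = a->code[a->pc++];
            if (id > 7 || !(a->contract.periph_mask & (1u << id))) { a->state = APP_KILLED; break; }
            a->stack[a->sp++] = read_peripheral(id);
            break;
        }
        default: a->state = APP_KILLED;   /* unknown opcode */
        }
    }
    return a->state;
}

/* Round-robin scheduler; returns the number of rounds until no app is READY. */
int schedule(app_t *apps, int n_apps, int max_rounds) {
    int rounds = 0;
    while (rounds < max_rounds) {
        int any_ready = 0;
        rounds++;
        for (int i = 0; i < n_apps; i++)
            if (apps[i].state == APP_READY && vm_step(&apps[i]) == APP_READY) any_ready = 1;
        if (!any_ready) break;
    }
    return rounds;
}

/* Constructed scenario: four apps sharing one node under the same contract. */
app_t demo_apps[4];
int run_demo(void) {
    static const uint8_t well_behaved[] = { OP_PUSH, 1, OP_PUSH, 2, OP_ADD, OP_HALT };
    static const uint8_t spinner[]      = { OP_JMP, 0 };            /* never yields */
    static const uint8_t sneaky[]       = { OP_READ, 1, OP_HALT };  /* peripheral 1 not granted */
    static const uint8_t sensor_app[]   = { OP_READ, 0, OP_HALT };  /* peripheral 0 granted */
    contract_t c = { 10, 50, 0x01 };   /* 10 insns per turn, 50 lifetime, peripheral 0 only */
    app_init(&demo_apps[0], well_behaved, sizeof well_behaved, c);
    app_init(&demo_apps[1], spinner, sizeof spinner, c);
    app_init(&demo_apps[2], sneaky, sizeof sneaky, c);
    app_init(&demo_apps[3], sensor_app, sizeof sensor_app, c);
    return schedule(demo_apps, 4, 100);
}

int main(void) {
    printf("scheduler rounds: %d\n", run_demo());
    for (int i = 0; i < 4; i++)
        printf("app %d: state=%d used=%u\n", i, demo_apps[i].state, (unsigned)demo_apps[i].used);
    return 0;
}
```

Compile with `cc -std=c99 -Wall vm.c` and run. The spinner consumes exactly its 50-instruction budget across five turns and is then killed without ever delaying the other three apps; the app that reads an ungranted peripheral is stopped at its first instruction; the two well-behaved apps complete. The same counting loop is where a real system would also charge radio and sensor use against the contract.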