Gernot Heiser - Everything IoT Data Security Forum 2016

Uncompromising Security for Connected Devices: Provably Secure Operating Systems. Gernot Heiser | [email protected] | @GernotHeiser. March 2016. www.data61.csiro.au

Uploaded by: everything-iot

Posted on: 13-Apr-2017

Category: Technology

TRANSCRIPT

Slide 1

Uncompromising Security for Connected Devices
Gernot Heiser | [email protected] | @GernotHeiser
March 2016
Provably Secure Operating Systems

www.data61.csiro.au

Slide 2

Claim: A system must be considered untrustworthy unless proved otherwise!

Corollary [with apologies to Dijkstra]: Testing, code inspection, etc. can only show lack of trustworthiness!

So, why don't we prove trustworthiness?

Everything IoT, March '16 | 2

Slide 3

Fundamental Security Requirement: Isolation

Trustworthy separation kernel running on the processor, hosting two kinds of components:
Uncritical / untrusted
Sensitive / critical / trusted

Strong isolation between them; communication subject to a global security policy.

Slide 4

Isolation for Trustworthiness

Safety: availability, timeliness
Security: confidentiality, integrity
Both depend on: Isolation!

Slide 5

seL4 OS Microkernel: Provable Isolation

Proof chain: abstract model -> C implementation -> binary code
Functional correctness (abstract model to C implementation) [SOSP09]
Translation correctness (C implementation to binary code) [PLDI13]
Isolation properties, each with its own proof: integrity, confidentiality, availability [ITP11, S&P13]
Worst-case execution time [RTSS11, RTAS16]
Exclusions (at present): initialisation; privileged state & caches; multicore; covert timing channels
World's fastest microkernel!

Speaker notes: Inflammatory comments on Heartbleed.

Slide 6

Real-World Deployment: DARPA HACMS Program

Unmanned Little Bird (deployment vehicle)
SMACCMcopter (research vehicle)

Air Team objectives:
Provable vehicle safety
Red Team must not be able to divert vehicle
No sacrificing performance

Slide 7

SMACCM Building Blocks

Automatic synthesis
Secure architecture: AADL analysis
Secure components: Ivory/Tower
Secure kernel: seL4

Speaker notes: They're doing model checking on the architecture/AADL level, and also assurance cases. I don't know what exactly they have proved by model checking. Something about different main states the system can be in (init, running, fall-back).

For the assurance case, they basically generate an argument tree that decomposes high-level properties into properties about lower-level components. Again, not sure what was actually proved, but some variant of "only commands sent by a correctly authenticated ground station will be executed". The proofs bottom out at things like "this component provides correct authentication", "AADL connections are the only way to communicate", etc.

Slide 8

Phase 2 Security Evaluation

Mission board
Hardware: C&C radio, COTS network camera, ARM A15 processor
Software: image processing, command & control, Linux kernel, Ethernet driver
(Image courtesy of chanpipat at FreeDigitalPhotos.net)

Root access; Red Team unable to compromise the rest of the system (white-box attack).
"World's most highly assured drone" [DARPA]
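The isolation requirement on slide 3 (strong isolation, communication only under a global security policy), the assurance-case leaf "AADL connections are the only way to communicate" in the notes above, and the white-box result on this slide (root access in one partition, rest of the system unaffected) all reduce to a question about a static access-control policy, which is also how seL4's integrity and confidentiality theorems are stated. The Python below is an added illustration, not seL4's formal model and not the SMACCM/HACMS tooling. The subject names, objects, rights, trusted set and the topology they form are a constructed example loosely based on the component list on this slide, not the real vehicle architecture; the propagation rule (compromise spreads through a send right to any untrusted receiver, and stops at a trusted component) is the worst-case assumption the check is built on.

```python
"""Isolation check over a static access-control policy.

Added illustration, not seL4's formal model or the SMACCM/HACMS tooling.
Constructed model: each subject (partition/component) holds rights on
objects; an object whose name ends in "_chan" is an IPC endpoint, and a
"send" right on it reaches every subject holding "receive" on it.
A compromised subject is assumed to exercise every right it holds.
Trusted (verified) components act only as specified, so compromise does
not propagate through them; untrusted receivers are assumed to fall
under the attacker's control.
"""
from collections import deque

# Hypothetical mission-board policy, loosely based on the slide's component
# list; not the real SMACCM architecture.  subject -> {object: rights}
POLICY = {
    "linux_partition":  {"camera": {"read"},
                         "eth_driver": {"read", "write"},
                         "img_chan": {"send"}},
    "image_processing": {"img_chan": {"receive"},
                         "img_store": {"write"}},
    "radio":            {"cc_chan": {"send"}},
    "cc_auth":          {"cc_chan": {"receive"},   # authenticates ground station
                         "gs_key": {"read"},
                         "cmd_chan": {"send"}},
    "flight_control":   {"cmd_chan": {"receive"},
                         "actuators": {"write"}},
}
TRUSTED = {"image_processing", "cc_auth", "flight_control"}
# Rights the Red Team must never obtain: issuing flight commands or
# driving the actuators ("must not be able to divert vehicle").
PROTECTED = {("cmd_chan", "send"), ("actuators", "write")}


def receivers(policy, endpoint):
    """Subjects holding a receive right on an IPC endpoint."""
    return {s for s, objs in policy.items()
            if "receive" in objs.get(endpoint, set())}


def compromised_closure(policy, trusted, seeds):
    """Worst-case set of attacker-controlled subjects.

    Start from the seeds (e.g. a Linux partition with root access) and
    follow send rights to untrusted receivers.  Trusted components stop
    the walk: they see the messages but stay within their specification.
    """
    compromised = set(seeds)
    queue = deque(seeds)
    while queue:
        s = queue.popleft()
        for obj, rights in policy.get(s, {}).items():
            if "send" not in rights:
                continue
            for r in receivers(policy, obj):
                if r not in trusted and r not in compromised:
                    compromised.add(r)
                    queue.append(r)
    return compromised


def attacker_rights(policy, trusted, seeds):
    """Every (object, right) pair the attacker can exercise."""
    return {(obj, right)
            for s in compromised_closure(policy, trusted, seeds)
            for obj, rights in policy[s].items()
            for right in rights}


def isolation_violations(policy, trusted, seeds, protected):
    """Protected rights reachable from the seeds; empty set = isolation holds."""
    return attacker_rights(policy, trusted, seeds) & protected


def undeclared_sharing(policy):
    """Non-endpoint objects touched by more than one subject.

    Communication is supposed to happen only over declared endpoints
    (the "connections are the only way to communicate" requirement);
    any other shared object is an undeclared channel.
    """
    holders = {}
    for s, objs in policy.items():
        for obj in objs:
            holders.setdefault(obj, set()).add(s)
    return {obj for obj, subs in holders.items()
            if len(subs) > 1 and not obj.endswith("_chan")}


def misconfigured_policy():
    """POLICY with two mistakes: the Linux partition gets a read right on
    the image store (undeclared sharing), and the C&C authenticator is
    folded into the untrusted Linux partition instead of running as its
    own trusted component."""
    bad = {s: {o: set(r) for o, r in objs.items()} for s, objs in POLICY.items()}
    bad["linux_partition"]["img_store"] = {"read"}
    bad["linux_partition"].update(bad.pop("cc_auth"))
    return bad


if __name__ == "__main__":
    seeds = {"linux_partition"}
    print("violations:", isolation_violations(POLICY, TRUSTED, seeds, PROTECTED))
    print("undeclared sharing:", undeclared_sharing(POLICY))
    bad = misconfigured_policy()
    print("violations (misconfigured):",
          isolation_violations(bad, TRUSTED, seeds, PROTECTED))
    print("undeclared sharing (misconfigured):", undeclared_sharing(bad))
```

With the constructed policy the Linux partition, even fully compromised, can only write the Ethernet driver and push images to a trusted image-processing component, so no protected right is reachable and no object is shared outside the declared endpoints. In the misconfigured variant the authenticator lives inside the untrusted partition, so the attacker directly holds the send right on the command channel, and the image store shows up as an undeclared shared object; both are exactly the kinds of findings a policy-level check surfaces before any code is run.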

Slide 9

Mesa, AZ, 24 July 2015

Inside!