Constructing Secure Operating Environments by Co-Locating Multiple Embedded Operating Systems
Shuichi Oikawa, Hiroo Ishikawa, Masatoshi Iwasaki, Tatsuo Nakajima
Presented by Bhargavi Konduru

Post on 13-Dec-2015


Page 1: Constructing Secure Operating Environments by Co-Locating Multiple Embedded Operating Systems. Shuichi Oikawa, Hiroo Ishikawa, Masatoshi Iwasaki, Tatsuo Nakajima. Presented by Bhargavi Konduru.

Page 2: Introduction

Nowadays, most electronic appliances have computing capabilities that run on embedded operating system (OS) kernels, which provide basic execution primitives that can be commonly used by many appliances.

The recent emergence of digital appliances requires more advanced features, such as networking and GUIs, which dramatically complicates the appliances' software systems and increases their code size.

Networked systems need to be prepared for attacks through the Internet.

Page 3

Users' software systems must be more robust than ordinary personal computer systems.

Building such large, complex, and robust software systems on embedded kernels that lack protection domains is very difficult, as a single software bug can cause system malfunction, data corruption, security breaches, or even system destruction.

To reduce this problem, the paper proposes a new system architecture.

Page 4: Proposed System

A system architecture that co-locates multiple embedded operating systems on a microkernel is proposed.

It employs a microkernel to provide protected execution environments for existing embedded kernels that have no protection mechanism of their own.

There is no need to port the existing software to a different operating system, since an embedded kernel and its applications still share a protection domain as before.

As the microkernel supports multiple protected execution environments, we can run multiple kernel instances, each along with its applications.

Page 5

The system reinforces reliability and security, as applications and servers can be decoupled into different protection domains.

The microkernel performs the scheduling of the embedded kernel instances.

The system developed in the paper consists of the TL4 microkernel and a μITRON kernel.

Page 6: Features of the System

It provides protection domains without affecting the compatibility of the kernel APIs, by employing a microkernel.

It can achieve maximum reusability of the existing software resources, including embedded OS kernels and their applications.

It enables the schedulability analysis of real-time tasks on an embedded OS kernel.

These features protect the existing software resources, maintain software quality, and save costs.

Page 7: Related Work

To accommodate large and complex software systems, new kernels that support protection domains have been created.

This has a drawback, however: existing software faces compatibility issues with the new kernels.

The architecture proposed in this paper enables the reuse of the current kernel by co-locating multiple kernels on a microkernel.

The proposed architecture incorporates hierarchical CPU scheduling to handle multiple independent instances of a real-time kernel.

Page 8: Overview of the System

Page 9

The system consists of the TL4 microkernel and multiple instances of a μITRON kernel.

Multiple applications can run within a single instance of a μITRON kernel.

Applications access services provided by servers through server proxies.

Only the TL4 microkernel executes in privileged mode, directly on top of the hardware. It provides protection domains, threads, and IPC.

Misbehaving applications cannot destroy data in the servers' protection domains, since applications and servers are allocated different protection domains.

Page 10: Example System

Page 11

The example system makes effective use of multiple protection domains.

One protection domain should be dedicated to personal data file services, in order to isolate personal data files from any unauthorized access.

Network services are isolated in another protection domain, since the network subsystem is the most likely entry point for a compromise of the system.

Local device servers implement the drivers of devices shared by applications and the other services.

Page 12: Protection Domains

Using protection domains can help the system consume fewer resources. It is desirable to dedicate a protection domain to an application program when it is not trusted or when it needs to be installed from the Internet.

Another use of protection domains is debugging, as it is usually difficult to find bugs in components that share the same domain.

Out-of-range memory references can be easily detected.

Page 13: Design

The TL4 microkernel is based on the L4 μ-kernel and is enhanced to enable the execution of multiple μITRON kernel instances.

The TL4 microkernel inherits the L4 μ-kernel's simple abstractions, which include threads, protection domains, memory pages, and IPC.

In what follows, the TL4 microkernel's execution entities are referred to as threads, and the μITRON kernel's execution entities are referred to as tasks or applications.

Page 14: μITRON Kernel on TL4 Microkernel

A μITRON kernel is a simple embedded real-time kernel that provides real-time tasks, synchronization and communication mechanisms, and device drivers.

It is divided into three parts:
• Machine-independent part
• Machine-dependent part
• Processor emulator

Page 15

Page 16

To maximize reusability and minimize modifications, a layer called the processor emulator is introduced; it emulates the hardware and encapsulates the differences from the real hardware.

The processor emulator deals with interrupts, time management, scheduling events, and the idle state.

Controlling Interrupts: Interrupts are disabled by setting a flag and enabled by a message notification.

Time Management: Here we need to consider the scheduling of the timer interrupt emulation threads for the kernel instances.

Page 17

Dealing with external scheduling events: An external scheduling event happens when an interrupt occurs and a higher-priority task wakes up.

Dealing with the Idle State: When all tasks are blocked and there is no task to run in a μITRON kernel, the kernel falls into the idle state. Here the main execution thread needs to block in order to avoid disturbing the other instances' execution.

Page 18: TL4 Microkernel Enhancements

Scheduler: The scheduler determines which thread to run; each instance has a thread queue that maintains the runnable threads of that instance.

Scheduling of Interrupt Emulation Threads: An instance is in one of three states:
• The instance is running
• The instance is runnable but not running
• The instance is not runnable
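The interrupt control (flag to disable, message notification to enable), the idle state, and the three instance states from pages 16 to 18 are modelled together in the following C code. This is an added illustration, not code from the paper or from TL4/μITRON; the names (`struct instance`, `emu_*`, `tl4_pick_instance`), the bounded pending-interrupt queue, and the fixed-priority choice among instances are assumptions about how the described behaviour could be realised.

```c
#include <stdbool.h>

/* Constructed model of one uITRON kernel instance hosted on a TL4-style
 * microkernel. Assumed names and structure, not the paper's code. */
enum inst_state { INST_RUNNING, INST_RUNNABLE, INST_NOT_RUNNABLE };
#define MAX_PENDING 8

struct instance {
    bool int_disabled;          /* emulated "interrupts disabled" flag       */
    int pending[MAX_PENDING];   /* interrupts deferred while the flag is set */
    int npending;
    int delivered;              /* interrupts actually handled so far        */
    int runnable_tasks;         /* uITRON tasks ready to run in the instance */
    enum inst_state state;
};

/* Disabling interrupts only sets a flag: no trap into the microkernel. */
void emu_disable_interrupts(struct instance *in) { in->int_disabled = true; }

/* An interrupt emulation thread (e.g. the timer) notifies the instance. */
void emu_raise_interrupt(struct instance *in, int irq) {
    if (in->int_disabled) {     /* masked: remember it, deliver on enable */
        if (in->npending < MAX_PENDING) in->pending[in->npending++] = irq;
        return;
    }
    in->delivered++;
    in->runnable_tasks++;       /* handler wakes a task: external scheduling event */
    if (in->state == INST_NOT_RUNNABLE) in->state = INST_RUNNABLE; /* leave idle */
}

/* Enabling is a message notification: deferred interrupts are delivered now. */
void emu_enable_interrupts(struct instance *in) {
    int n = in->npending;
    in->int_disabled = false;
    in->npending = 0;
    for (int i = 0; i < n; i++) emu_raise_interrupt(in, in->pending[i]);
}

/* A task runs to completion and leaves the instance's run queue. */
void emu_run_task(struct instance *in) { if (in->runnable_tasks > 0) in->runnable_tasks--; }

/* Microkernel side: demote the running instance, park idle ones (their main
 * thread blocks), then pick the highest-priority instance that can run. */
int tl4_pick_instance(struct instance *insts, int n) {
    for (int i = 0; i < n; i++) {
        if (insts[i].state == INST_RUNNING) insts[i].state = INST_RUNNABLE;
        if (insts[i].runnable_tasks == 0) insts[i].state = INST_NOT_RUNNABLE; /* idle */
    }
    for (int i = 0; i < n; i++)
        if (insts[i].state != INST_NOT_RUNNABLE) { insts[i].state = INST_RUNNING; return i; }
    return -1;                  /* every instance is idle: the microkernel idles too */
}
```

The model shows why an interrupt raised while the flag is set must be queued rather than dropped: otherwise the wake-up that should make an idle instance runnable again would be lost.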

Page 19: System Evaluation

With the implementation of the system described, let us look at its evaluation.

Memory Footprints: The memory sizes consumed to run a single instance of a μITRON kernel on the TL4 microkernel are shown.

The memory footprint of a μITRON kernel instance on the TL4 microkernel is 63 KB, which is slightly smaller than that of the original μITRON kernel.

Page 20

Page 21

Invocation Latencies: Latencies from the software entry point of an interrupt are measured.

They are measured using two tasks, Application task 1 and Application task 2.

Latency values are measured for both cases: a μITRON kernel on the TL4 kernel and a μITRON kernel directly on the hardware.

The results show that the μITRON kernel on the TL4 kernel outperforms the μITRON kernel on the hardware.

Page 22

Page 23

Page 24: Conclusion

The authors propose an alternative approach to introducing protection domains into existing embedded systems.

This approach employs a microkernel to provide protected execution environments for the existing embedded kernels.

It can achieve maximum reusability of the existing software resources, including embedded OS kernels and their applications.

Future work includes creating a more realistic and practical setup, and a more accurate system and evaluation.

Page 25: References

Page 26