Minimising Cyber Risks with the PikeOS Platform
Securing data and communication networks in integrated manufacturing and in transport
© SYSGO AG
TODAY’s AGENDA
• Company Overview
• Research and Development Center Prague
• Product Overview
• Building Secure System With PikeOS
• PikeOS Security Extensions
• PikeOS Security Certification
• EURO-MILS Project
• PikeOS References
SYSGO overview
• An embedded software technology leader
  • COTS products & related services for the most demanding industrial systems
• Founded in 1991, privately owned until 2012
  • Now owned by Thales Group
• 90 employees
• Business successful
  • Profitable
  • 15% growth in 2012
  • Strong financial backup
• International presence
  • Offices in Germany (Mainz, Ulm, Rostock), France (Paris), the Czech Republic (Prague) and North America (Chicago)
  • Distributors in Japan, Korea, Italy, Austria, Turkey…
Company history
• 1991: Foundation as RTOS services company
• 1992: Distributor for safety-critical RTOS
• 1997: 1st embedded Linux project
• 1999: ELinOS market introduction
• 2000: 1st DO-178B DAL A certification
• 2003: PikeOS research project
• 2003: ELinOS Product of the Year
• 2005: PikeOS market introduction
• 2008: Tier-1 Airbus supplier
• 2010: Record turnover
• 2011: 100% increase in incoming orders
• 2012: Part of Thales Group
• 2013: 1st SIL4 multicore certification
Core business & expertise
• RTOS (Real-Time Operating Systems)
• Embedded Virtualization
• Embedded Linux
• Safety Certification
  • DO-178B/C, IEC 61508, EN 50128, ISO 26262, IEC 62304, …
• Security Certification
  • Common Criteria EAL
• Market standards
  • Linux, POSIX, Android, ARINC-653, AFDX, AUTOSAR, ...
Markets
We consider our target markets to be all industries related to Embedded
Systems in which safety, security and certification are required.
SYSGO s.r.o.
Research and Development Center Prague
• SYSGO’s Competence Center
  • Product development
  • Testing and verification
  • Customer projects and support
  • QA/QM
• Established in 2004
• Number of employees: 17 (12/2015)
• Focused on engineering: 15 out of 17 employees are low-level software developers
PikeOS: Safe & Secure Virtualization RTOS
• Designed from the ground up for safety & security
  • Modularity and compactness
  • MILS compliant architecture
• Genuine virtualization for embedded/real-time
  • By design (no hypervisor add-on)
  • POSIX, ARINC-653, Linux, Android, RTEMS, etc.
• Same core technology for all application domains
  • No mix of old RTOS and new hypervisor add-on
  • Safety and security attributes available to all
• Scalable and flexible
  • Can be used just as a small and fast RTOS
  • Multi-core support ranging from AMP to SMP
  • Widest range of supported Personalities in the market
• Hardware independent
  • x86, PowerPC, ARM, MIPS, SPARC/LEON, V850, SH-4, ...
• Certification for safety & security
  • DO-178B/C, EN 50128, IEC 61508, ISO 26262, CC EAL, ...
ELinOS: Industrial Grade Linux
• Embedded Linux distribution
  • Supports the latest stable version of the kernel
  • Previous versions available
• Seamless development toolset
  • Eclipse based CODEO
• Wide hardware support
  • x86, PowerPC, ARM, MIPS, SPARC, SH
  • More than 500 BSPs developed
• Large range of qualified features
  • 1500+ precompiled libraries and binaries
  • Adobe FlashLite support since version 5.0
• Real-time extensions
  • OSADL real-time patches
• SYSGO Quality Assurance
Hardware ecosystem
[Figure: supported hardware partners and platforms]
Software ecosystem
[Figure: software partners and components]
PikeOS in a Nutshell
• HARD REAL TIME
• SAFE AND SECURE VIRTUALIZATION
• MIXED CRITICALITY
  • Applications with different safety and security levels can run on the same hardware, protected from each other by means of software partitioning
  • Processor time is allocated to applications by means of time partitioning and priority
• MULTIPLE GUEST OPERATING SYSTEMS
  • Virtualization enables multiple Personalities (OS environments, APIs, run-time environments)
• HIGHLY PORTABLE
  • Supports important CPU architectures like x86, PowerPC, ARM, MIPS and SPARC
• CERTIFIABLE
  • Certifiable according to the highest safety and security standards
  • Modular certification kit for safety-critical avionics, industrial automation and transportation applications
Main Design Principles
• Micro-kernel approach
  • Limit the amount of code which runs in CPU supervisor mode
  • Provide one API sufficient to implement “bare metal” applications as well as virtualization of complex guest operating systems
  • Hierarchical privilege management
  • Separation of common, CPU-specific and board-specific software
• Strict time and space partitioning to support “mixed criticality”
  • All platform and operating system resources are assigned to software partitions based on a static configuration
• Preemptive design
  • Kernel and system software are fully preemptive to guarantee fast response time and simplify worst-case timing analysis
• Support of different APIs and guest operating systems (“Personalities”)
  • Provide specialized services to support an efficient guest OS implementation
  • Allow guest operating systems to access all partition resources like memory, communication ports, files, interrupts, shared memory and I/O devices
  • Allow guest operating systems to implement their own device drivers (e.g. Linux)
  • Suitable for safety and security certifications
Saltzer and Schroeder Secure Design Principles
Design Principle [SS75] and Explanation [Bis00]:
• Principle of Economy of Mechanism: The protection mechanism should have a simple and small design.
• Principle of Fail-safe Defaults: The protection mechanism should deny access by default, and grant access only when explicit permission exists.
• Principle of Complete Mediation: The protection mechanism should check every access to every object.
• Principle of Open Design: The protection mechanism should not depend on secrecy of its design.
• Principle of Separation of Privilege: The protection mechanism should grant access based on more than one piece of information (e.g., two keys are needed to open a vault lock, or defence in depth).
• Principle of Least Privilege: Every process shall operate with the minimum privileges needed to perform its task.
• Principle of Least Common Mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
• Principle of Psychological Acceptability: The protection mechanism should be easy to use (at least as easy as not using it).
PikeOS supports Secure Design Principles
Design Principle and corresponding PikeOS property:
• Principle of Economy of Mechanism: PikeOS is 10-15k LoC; typical hypervisor sizes on the market are 60k-200k LoC.
• Principle of Fail-safe Defaults: This is the PikeOS default policy: no information flow and no resource sharing unless specified.
• Principle of Complete Mediation: PikeOS is a small separation kernel, which controls all accesses to controlled resources.
• Principle of Open Design: 1) PikeOS source code and design are available for certification needs and vulnerability analysis, i.e. PikeOS security does not depend on secrecy of its design; 2) Detailed PikeOS API documentation is available to all customers.
• Principle of Separation of Privilege: PikeOS implements the first level of privilege, the resource level. Thus, the system/application design can rely on it and build separate privilege control.
• Principle of Least Privilege: PikeOS separation is the technical means to implement it at system level.
• Principle of Least Common Mechanism: 1) PikeOS can be the only shared component; 2) PikeOS separation allows modular sharing of system security mechanisms.
• Principle of Psychological Acceptability: 1) Decomposition of a system into partitions makes it easier to understand and maintain its functionality; 2) Strong certification portfolio.
PikeOS Architecture
[Figure: layered architecture, top to bottom]
• Application Partitions, each built on PikeOS Libraries with a Personality (POSIX Personality, A653 Personality, Linux Personality)
• PikeOS System Software (PSSW), with File Providers and System Extensions running as application partitions on PikeOS Libraries
• PikeOS Microkernel, with PikeOS PSP, PikeOS ASP and Kernel Drivers
• Target Bootloader and Hardware (not part of PikeOS)
Legend: Executable; Library or Object File; PikeOS Core Components; Board specific Components; PikeOS Personalities; Not Part of PikeOS
[Figure, three slides: a Critical Application and an Application hosted on Linux run side by side on PikeOS on the Hardware Platform; the second and third slides show the same system with the Linux-hosted application marked as Compromised.]
What would the attackers do?
• Target the other partition
  • Create side (or covert) channels
  • Use shared OS-managed resources (files, memory)
  • Use the underlying hardware platform (memory bus, caches, devices)
  • Take advantage of parallel execution on multicore processors
• Target the operating system
  • Change communication rights
  • Exploit OS bugs…
• Multi-step attacks
  • Use intermediate partitions, e.g. file providers
  • Complex API usage
Multi-step attack
[Figure: an App partition and an External File Provider partition on PikeOS on the Hardware Platform]
• External file providers
  • User partitions
  • Client-server model
• File open action
  • Enables communication
• Read and write actions
  • Inter-partition communication
  • Memory mapping
  • Memory access rights can be transferred
• Untrusted/buggy file providers
  • Form a chain of compromised partitions and file providers
Timing covert and side channels
[Figure: two partitions on CPU1 and CPU2 of a multicore MCU executing in parallel over time]
• Multicore systems
  • Two partitions running in parallel
  • Timing not controlled by the OS
  • Timing covert channels possible
• Shared hardware
  • L2, L3 caches (~ tens of kB/s)
  • Memory bus (~ 1 kB/s)
• OS
  • Global lock(s) in system services
Solutions
• Resource partitioning
  • No accidental sharing of resources.
  • Exhaustion does not cause information flow.
• Time partitioning
  • Helps against timing issues.
  • Compensates for multicore safety features like the big kernel lock.
• Static configuration
  • Minimizes multi-step attack opportunities.
• Microkernel architecture, minimal functionality
  • Minimizes the trusted code base.
System integrator responsibilities
• System security policy
  • Define who can communicate with whom
  • System configuration must respect the policy
• Space partitioning
  • Queuing ports are bidirectional channels
  • External file providers
• Time partitioning
  • Do not use TP0
  • Enable cache flush on time partition switch
  • Insert “sandwich” partitions
• Linux partitions
  • TBD: do not use direct IO
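As an added example (not SYSGO tooling, and not the real PikeOS configuration format), the check below applies three of the points above to a constructed, simplified configuration: queuing ports are modelled as bidirectional, a file provider links every client that can open its files (the chain from the multi-step attack slide), and the resulting reachable flows are compared against the declared policy.

```python
# Added example (not SYSGO tooling): a constructed, simplified stand-in for a
# PikeOS integration configuration, checked against an information-flow policy.

# Constructed policy: directed "may send information to" pairs between partitions.
POLICY = {("net_linux", "filter"), ("filter", "control")}

# Constructed configuration that looks harmless but violates the policy.
CONFIG = {
    "queuing_ports": [("net_linux", "filter")],           # bidirectional channel
    "sampling_ports": [("filter", "control")],            # one-way channel
    "file_providers": {"fp0": ["net_linux", "control"]},  # one provider, two clients
}

# Corrected configuration: one-way ports only, and no file provider shared
# between partitions that the policy keeps apart.
CONFIG_FIXED = {
    "queuing_ports": [],
    "sampling_ports": [("net_linux", "filter"), ("filter", "control")],
    "file_providers": {"fp_net": ["net_linux"], "fp_ctl": ["control"]},
}

def flows_from_config(cfg):
    """Direct flows (src, dst) implied by a configuration."""
    flows = set()
    for a, b in cfg["queuing_ports"]:
        flows |= {(a, b), (b, a)}   # a queuing port carries data both ways
    for a, b in cfg["sampling_ports"]:
        flows.add((a, b))
    for fp, clients in cfg["file_providers"].items():
        for c in clients:           # each client reads and writes via the provider
            flows |= {(c, fp), (fp, c)}
    return flows

def transitive_closure(flows):
    """All (a, d) such that d is reachable from a over one or more flows."""
    closure = set(flows)
    while True:
        new = {(a, d) for a, b in closure for c, d in closure if b == c and a != d}
        if new <= closure:
            return closure
        closure |= new

def policy_violations(policy, cfg):
    """End-to-end flows between policy partitions that the policy forbids;
    intermediaries such as file providers are followed but not reported."""
    partitions = {p for pair in policy for p in pair}
    allowed = transitive_closure(policy)
    reachable = transitive_closure(flows_from_config(cfg))
    return sorted((a, b) for a, b in reachable
                  if a in partitions and b in partitions and (a, b) not in allowed)
```

For CONFIG the check reports the reverse direction of the queuing port and two flows out of the control partition that exist only through the shared file provider; CONFIG_FIXED reports nothing.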
PikeOS Security Extensions
• Secure boot
• Cryptographic hardware support
• ARM TrustZone support
• Hardware virtualization support
• Kaspersky
• SESAMO project outputs
• EMC2 project outputs
Common Criteria Certification
• An international standard (ISO/IEC 15408) for computer security certification
• Evaluation Assurance Levels, in increasing order of confidence/assurance:
  • EAL 1: Functionally Tested
  • EAL 2: Structurally Tested
  • EAL 3: Methodically Tested and Checked
  • EAL 4: Methodically Designed, Tested and Reviewed
  • EAL 5: Semiformally Designed and Tested
  • EAL 6: Semiformally Verified Design and Tested
  • EAL 7: Formally Verified Design and Tested
• Up to EAL 4, certificates are recognized unconditionally
• Recognition of EAL 5 and above depends on product/country
SYSGO Goal: EAL 5+
PikeOS in CC terms
• Target of Evaluation
  • Security Functionality
    • Partitioning
• Documents
  • MILS Protection Profile: Operating System
    • Separation kernel, not hardware
  • Security Target for PikeOS
    • PikeOS 3.4 specific
  • PikeOS Security Architecture
    • PikeOS-specific
EURO-MILS Consortium
www.euromils.eu
[Figure: consortium partner logos from France and Germany, including Innovation Works, Germany and Innovation Works, France]
EURO-MILS project
• MILS concept
  • From “Multiple Independent Levels of Security”
  • Security follows from system architecture.
  • Separation kernel
• Project goals
  • MILS platform (demonstrators for automotive and avionics domains)
  • High assurance (formal methods)
  • Cross-European certification
  • Compositional certification
• Separation kernel = PikeOS
EURO-MILS: 2 prototypes on the MILS platform
• Avionic
• Automotive
Trustworthy ICT for networked high-critical systems
Example: Aircraft Security Domains
[Figure: aircraft security domains from the “User” perspective (not 100% accurate): Crew; Passenger; Maintenance (all types); Others (Air Traffic Control, Airline Services, Ground). Picture adapted from ARINC 811; domains are defined in ARINC 664 Part 5.]
Example: Automotive Security Domains
The target of the automotive security measures is the protection of the instrument cluster and head unit display control, as well as the underlying virtualisation platform. Under no circumstances may these units be compromised or disturbed in their normal operation.
EURO-MILS: MILS Architecture
• EURO-MILS's cornerstone is Multiple Independent Levels of Security (MILS)
• MILS is a high-assurance security architecture that supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow.
[Figure: MILS Architecture. Three partitions on the MILS Platform (Separation Kernel): Low-criticality Partition (Network driver), Medium-criticality Partition (File system), High-criticality Partition (Actuator control); beneath them Hardware (CPUs, memory, and devices), with external Network and Actuator connections.]
Formal methods in EURO-MILS
• Model of the separation kernel
  • Model of PikeOS system calls.
  • Scheduling mostly abstracted.
• Partitioning
  • Formulated as non-interference
  • Proved as a theorem on the model
• Security model
  • Explains what “security policy” means
  • Does not show functional correctness…
• Interactive theorem proving
  • Isabelle/HOL
  • Proof written manually but machine checked.
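The slide says partitioning is formulated as non-interference without stating the formula; the classic trace-based formulation (Rushby's, given here as an added illustration and not the EURO-MILS model's own definitions, which the slides do not show) reads:

$$\mathit{purge}_u(\epsilon)=\epsilon,\qquad \mathit{purge}_u(a\cdot\alpha)=\begin{cases} a\cdot\mathit{purge}_u(\alpha) & \text{if } \mathit{dom}(a)\leadsto u \\ \mathit{purge}_u(\alpha) & \text{otherwise} \end{cases}$$

$$\forall\alpha\;\forall u:\quad \mathit{output}\big(\mathit{run}(s_0,\alpha),u\big)=\mathit{output}\big(\mathit{run}(s_0,\mathit{purge}_u(\alpha)),u\big)$$

Here $\alpha$ is a sequence of actions (system calls), $\mathit{dom}(a)$ the partition issuing action $a$, $u$ the observing partition and $\leadsto$ the configured information-flow policy. Deleting every action of partitions not allowed to flow to $u$ leaves what $u$ observes unchanged, which is the formal counterpart of the default policy stated earlier: no information flow unless specified.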
PikeOS success story: Airbus A350 XWB
Aerospace & Defense
ASF Cabinet (data server in cockpit) – FSA-NG (Fly Smart with Airbus New Generation)
• PikeOS licenses
• Certified file system
• Certified IP stack
• Specific modules development
• DO-178B certification
PikeOS success story: Airbus A400M
Aerospace & Defense
A400M Load Master Work Station
• PikeOS license
• Porting on new hardware
• DO-178B certification
PikeOS success story: RECOMP
Railway
RECOMP project
• PikeOS for certification cost reduction
• Multi-core support
• EN 50128 and SIL 3 certification
PikeOS success story: SAMSUNG
Railway
CBTC (Communications Based Train Control)
• PikeOS for certification cost reduction
• EN 50128 and SIL 3/4 certification
Thank you for your attention!
More information on www.sysgo.com