Minimizing Cyber Risks with the PikeOS Platform
Securing data and communication networks in integrated manufacturing and transportation
© SYSGO AG

TODAY’s AGENDA
• Company Overview
• Research and Development Center Prague
• Product Overview
• Building Secure System With PikeOS
• PikeOS Security Extensions
• PikeOS Security Certification
• EURO-MILS Project
• PikeOS References

SYSGO overview
• An embedded software technology leader
  • COTS products & related services for most demanding industrial systems
• Founded in 1991, privately owned until 2012
  • Now owned by Thales Group
• 90 employees
• Business successful
  • Profitable
  • 15% growth in 2012
  • Strong financial backup
• International presence
  • Offices in Germany (Mainz, Ulm, Rostock), France (Paris), The Czech Republic (Prague) and North America (Chicago)
  • Distributors in Japan, Korea, Italy, Austria, Turkey…

Company history
• Foundation as RTOS Services Company
• 1992: Distributor for Safety-Critical RTOS
• 1997: 1st Embedded Linux project
• 1999: ELinOS Market introduction
• 2000: 1st DO178B DAL A Certification
• 2003: PikeOS Research Project
• 2003: ELinOS Product of The Year
• 2005: PikeOS Market introduction
• 2008: Tier-1 Airbus supplier
• 2010: Record turnover
• 2011: 100% increase incoming orders
• 2012: Part of Thales Group
• 2013: 1st SIL4 multicore certification

Core business & expertise
• RTOS (Real-Time Operating Systems)
• Embedded Virtualization
• Embedded Linux
• Safety Certification
  • DO-178B/C, IEC 61508, EN 50128, ISO 26262, IEC 62304, …
• Security Certification
  • Common Criteria EAL
• Market standards
  • Linux, POSIX, Android, Arinc-653, AFDX, Autosar, ...

Markets
We consider our target markets to be all industries related to Embedded Systems in which safety, security and certification are required.

SYSGO s.r.o. Research and Development Center Prague
• Sysgo’s Competence Center
  • Products’ Development
  • Testing and Verification
  • Customer’s Projects and Support
  • QA/QM
• Established in 2004
• Number of employees: 17 (12/2015)
• Focused on Engineering – 15 out of 17 employees are low-level software developers

PikeOS: Safe & Secure Virtualization RTOS
• Designed from ground-up for safety & security
  • Modularity and compactness
  • MILS compliant architecture
• Genuine virtualization for embedded/real-time
  • By design (no hypervisor add-on)
  • POSIX, ARINC-653, Linux, Android, RTEMS, etc.
• Same core technology for all application domains
  • No mix of old RTOS and new hypervisor add-on
  • Safety and security attributes available to all
• Scalable and flexible
  • Can be used just as small and fast RTOS
  • Multi-core support ranging from AMP to SMP
  • Widest range of supported Personalities in the market
• Hardware independent
  • x86, PowerPC, ARM, MIPS, SPARC/Leon, v850, SH-4,...
• Certification for safety & security
  • DO-178B/C, EN50128, IEC61508, ISO 26262, CC’s EAL,...

ELinOS: Industrial Grade Linux
• Embedded Linux Distribution
  • Supports latest stable version of kernel
  • Previous versions available
• Seamless development toolset
  • Eclipse based CODEO
• Wide hardware support
  • x86, PowerPC, ARM, MIPS, SPARC, SH
  • More than 500 BSPs developed
• Large range of qualified features
  • 1500+ precompiled libraries and binaries
  • Adobe’s FlashLite support since 5.0 version
• Real-time extensions
  • OSADL real-time patches
• SYSGO Quality Assurance

Hardware ecosystem (figure)

Software ecosystem (figure)

PikeOS in a Nutshell
• HARD REAL TIME
• SAFE AND SECURE VIRTUALIZATION
• MIXED CRITICALITY
  • Applications with different safety and security levels can run on the same hardware, protected from each other by means of software partitioning
  • Processor time is allocated to applications by means of time partitioning and priority
• MULTIPLE GUEST OPERATING SYSTEMS
  • Virtualization enables multiple Personalities (OS environments, APIs, run-time environments)
• HIGHLY PORTABLE
  • Supports important CPU architectures like x86, PowerPC, ARM, MIPS and Sparc
• CERTIFIABLE
  • Certifiable according to Highest Safety and Security Standards
  • Modular certification Kit for Safety Critical Avionics, Industrial Automation and Transportation Applications

Main Design Principles
• Micro-Kernel approach
  • Limit the amount of code which runs in CPU Supervisor Mode
  • Provide one API sufficient to implement “Bare Metal” applications as well as for virtualization of complex Guest Operating Systems
  • Hierarchical privilege management
  • Separation of common, CPU specific and board specific software
• Strict Time and Space Partitioning to support “Mixed Criticality”
  • All platform and operating system resources are assigned to Software Partitions based on a static configuration
• Preemptive Design
  • Kernel and System Software are fully preemptive to guarantee fast response time and simplify Worst Case Timing analysis
• Support of different APIs and Guest Operating Systems (“Personalities”)
  • Provide specialized services to support an efficient Guest OS implementation
  • Allow Guest Operating Systems to access all partition resources like memory, communication ports, files, interrupts, shared memory and I/O devices
  • Allow guest operating systems to implement their own device drivers (e.g. Linux)
  • Suitable for safety and security certifications

Saltzer and Schroeder Secure Design Principles
Design Principle [SS75]: Explanation [Bis00]
• Principle of Economy of Mechanism: The protection mechanism should have a simple and small design.
• Principle of Fail-safe Defaults: The protection mechanism should deny access by default, and grant access only when explicit permission exists.
• Principle of Complete Mediation: The protection mechanism should check every access to every object.
• Principle of Open Design: The protection mechanism should not depend on secrecy of its design.
• Principle of Separation of Privilege: The protection mechanism should grant access based on more than one piece of information (e.g., two keys are needed to open a vault-lock, or defence in depth).
• Principle of Least Privilege: Every process shall operate with the minimum privileges needed to perform its task.
• Principle of Least Common Mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
• Principle of Psychological Acceptability: The protection mechanism should be easy to use (at least as easy as not using it).

PikeOS supports Secure Design Principles
Design Principle: PikeOS Property
• Principle of Economy of Mechanism: PikeOS is 10-15k LoC. Typical hypervisor sizes on market are 60k-200k LoC.
• Principle of Fail-safe Defaults: That is the PikeOS default policy: no information flow and no resource sharing unless specified.
• Principle of Complete Mediation: PikeOS is a small separation kernel, which controls all accesses to controlled resources.
• Principle of Open Design:
  1) PikeOS source code and design are available for certification needs/vulnerability analysis, i.e. PikeOS security does not depend on secrecy of its design
  2) Detailed PikeOS API documentation available to all customers
• Principle of Separation of Privilege: PikeOS implements first level privilege, resource level. Thus, system/application design can rely on it and build separate privilege control.
• Principle of Least Privilege: PikeOS separation is the technical means to implement it on system level.
• Principle of Least Common Mechanism:
  1) PikeOS can be the only shared component
  2) PikeOS Separation allows modular sharing of system security mechanisms
• Principle of Psychological Acceptability:
  1) Decomposition of a system into partitions makes it easier to understand and maintain its functionality
  2) Strong certification portfolio

PikeOS Architecture
Figure labels: Application Partitions (POSIX Personality, A653 Personality, Linux Personality, PikeOS Libraries), File Providers, System Extensions, PikeOS System Software (PSSW), PikeOS PSP, PikeOS ASP, PikeOS Microkernel, Kernel Drivers, Target Bootloader, Hardware.
Figure legend: Not Part of PikeOS; Executable; PikeOS Core Components; Library or Object File; Board specific Components; PikeOS Personalities.

Figure labels: Critical Application, Application, Linux, PikeOS, Hardware Platform.

Figure labels: Compromised Application, Critical Application, Linux, PikeOS, Hardware Platform.

What would the attackers do?
• Target the other partition
  • Create side (or covert) channels
  • Use shared OS-managed resources (files, memory)
  • Use the underlying hardware platform (memory bus, caches, devices)
  • Take advantage of parallel execution on multicore processors
• Target the operating system
  • Change communication rights
  • Exploit OS bugs…
• Multi-step attacks
  • Use intermediate partitions, e.g. file providers
  • Complex API usage

Multi-step attack
• External file providers
  • User partitions
  • Client-server model
• File open action
  • Enables communication
• Read and write actions
  • Inter-partition communication
• Memory mapping
  • Memory access rights can be transferred
• Untrusted/buggy file providers
  • Form a chain of compromised partitions and file providers
Figure labels: App, External File Provider, PikeOS, Hardware Platform.

Timing covert and side channels
• Multicore systems
  • Two partitions running in parallel
  • Timing not controlled by the OS
  • Timing covert channels possible
• Shared hardware
  • L2, L3 caches (~ tens of kB/s)
  • Memory bus (~ 1 kB/s)
• OS
  • Global lock(s) in system services
Figure labels: Application, Time, CPU1, CPU2, MCU.

Solutions
• Resource partitioning
  • No accidental sharing of resources.
  • Exhaustion does not cause information flow.
• Time partitioning
  • Helps against timing issues.
  • Compensate for multicore safety features like the big kernel lock
• Static configuration
  • Minimize multi-step attack opportunities.
• Microkernel architecture, minimal functionality
  • Minimize trusted code base.

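The multi-step attack and the static-configuration countermeasure above, as an added example (not SYSGO code and not the PikeOS configuration format): a checker that derives information flows from a constructed partition configuration and reports every chain the security policy does not permit. The partition names, the channel tuples and the one-way treatment of read-only access are assumptions of this example; queuing ports are treated as bidirectional.

```python
from collections import deque

# Constructed model, NOT the PikeOS configuration format; all names are made up.
# Entry: (kind, a, b, mode). For file_provider/shared_memory, a is the partition
# and b the provider or memory object; mode is the access granted to a.
CONFIG = [
    ("queuing_port", "linux_hmi", "gateway", None),
    ("file_provider", "gateway", "ext_fp", "rw"),
    ("file_provider", "actuator_ctl", "ext_fp", "r"),   # shares the untrusted provider
]
# Same system, but the critical partition reads from its own provider.
CONFIG_SPLIT = CONFIG[:2] + [("file_provider", "actuator_ctl", "fp_crit", "r")]

# Security policy: end-to-end (source, destination) flows the integrator permits.
POLICY = {
    ("linux_hmi", "gateway"), ("gateway", "linux_hmi"),
    ("gateway", "ext_fp"), ("ext_fp", "gateway"),
    ("linux_hmi", "ext_fp"), ("ext_fp", "linux_hmi"),
    ("ext_fp", "actuator_ctl"), ("fp_crit", "actuator_ctl"),
}

def direct_flows(config):
    """Turn configured channels into directed information-flow edges."""
    edges = {}
    for kind, a, b, mode in config:
        if kind == "queuing_port":
            pairs = [(a, b), (b, a)]       # bidirectional, per the integrator guidance
        elif kind in ("file_provider", "shared_memory"):
            # Assumption: write access flows a -> b, read access flows b -> a.
            pairs = [(a, b)] * ("w" in mode) + [(b, a)] * ("r" in mode)
        else:
            raise ValueError(f"unknown channel kind: {kind}")
        for src, dst in pairs:
            edges.setdefault(src, set()).add(dst)
    return edges

def violations(config, policy):
    """Map each reachable (src, dst) flow the policy lacks to its shortest chain."""
    edges, found = direct_flows(config), {}
    for src in edges:
        paths, queue = {src: [src]}, deque([src])
        while queue:                       # breadth-first search: shortest chain first
            node = queue.popleft()
            for nxt in sorted(edges.get(node, ())):
                if nxt not in paths:
                    paths[nxt] = paths[node] + [nxt]
                    queue.append(nxt)
        found.update({(src, dst): p for dst, p in paths.items()
                      if dst != src and (src, dst) not in policy})
    return found
```

Every direct link in `CONFIG` is permitted by `POLICY`, yet `violations(CONFIG, POLICY)` reports the chain linux_hmi -> gateway -> ext_fp -> actuator_ctl; with `CONFIG_SPLIT` it returns an empty dict.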
System integrator responsibilities
• System security policy
  • Define who can communicate with whom
  • System configuration must respect the policy
• Space partitioning
  • Queuing ports are bidirectional channels
  • External file providers
• Time partitioning
  • Do not use TP0
  • Enable cache flush on time partition switch
  • Insert “sandwich” partitions
• Linux partitions
  • TBD: do not use direct IO

PikeOS Security Extensions
• Secure boot
• Cryptographic hardware support
• ARM Trust Zone support
• Hardware virtualization support
• Kaspersky
• SESAMO project outputs
• EMC2 project outputs

Common Criteria Certification
• An international standard (ISO/IEC 15408) for computer security certification
Confidence / Assurance levels (figure):
• EAL 7: Formally Verified Design and Tested
• EAL 6: Semiformally Verified Design and Tested
• EAL 5: Semiformally Designed and Tested
• EAL 4: Methodically Designed, Tested and Reviewed
• EAL 3: Methodically Tested and Checked
• EAL 2: Structurally Tested
• EAL 1: Functionally Tested
• EAL5 and above depends on product/country
• Up to EAL4, certificates are recognized unconditionally
SYSGO Goal: EAL 5+

PikeOS in CC terms
• Target of Evaluation
• Security Functionality
• Partitioning
• Documents
• MILS Protection Profile: Operating System
• Separation kernel, not hardware
• Security Target for PikeOS
• PikeOS 3.4 specific
• PikeOS Security Architecture
• PikeOS-specific

EURO-MILS Consortium
www.euromils.eu
Figure labels (partner logos): France, Germany, Innovation Works Germany, Innovation Works France.

EURO-MILS project
• MILS concept
  • From “Multiple Independent Levels of Security”
  • Security follows from system architecture.
  • Separation kernel
• Project goals
  • MILS platform (demonstrators for automotive and avionics domains)
  • High assurance (formal methods)
  • Cross-European certification
  • Compositional certification
• Separation kernel = PikeOS

EURO-MILS: 2 prototypes on the MILS platform
• Avionic
• Automotive
Trustworthy ICT for networked high-critical systems

Example: Aircraft Security Domains
Perspective “User” (not 100% accurate): Crew; Passenger; Maintenance (all types); Others (Air Traffic Control, Airline Services, Ground)
• Picture adapted from ARINC 811.
• Domains are defined in ARINC 664 Part 5.

Example: Automotive Security Domains
Target of automotive security measures is the protection of instrument cluster and head unit display control, as well as the underlying virtualisation platform. Under no circumstances may these units be compromised or disturbed in their normal operation.

EURO-MILS: MILS Architecture
• EURO-MILS's cornerstone is Multiple Independent Levels of Security (MILS)
• MILS is a high-assurance security architecture that supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow.
Figure: MILS Architecture. Labels: Low-criticality Partition (Network driver), Medium-criticality Partition (File system), High-criticality Partition (Actuator control), MILS Platform (Separation Kernel), Hardware (CPUs, memory, and devices), Network, Actuator.

Formal methods in EUROMILS
• Model of the separation kernel
  • Model of PikeOS system calls.
  • Scheduling mostly abstracted.
• Partitioning
  • Formulated as non-interference
  • Proved as a theorem on the model
• Security model
  • Explains what “security policy” means
  • Does not show functional correctness…
• Interactive theorem proving
  • Isabelle/HOL
  • Proof written manually but machine checked.

PikeOS success story: Airbus A350 XWB (Aerospace & Defense)
ASF Cabinet (Data server in cockpit) – FSA-NG (Fly Smart with Airbus New Generation)
• PikeOS licenses
• Certified File System
• Certified IP stack
• Specific modules development
• DO-178B Certification

PikeOS success story: Airbus A400M (Aerospace & Defense)
A400M Load Master Work Station
• PikeOS license
• Porting on new hardware
• DO-178B certification

PikeOS success story: RECOMP (Railway)
RECOMP project
• PikeOS for cost reduction certification
• Multi-core support
• EN 50128 and SIL 3 certification

PikeOS success story: SAMSUNG (Railway)
CBTC (Communications Based Train Control)
• PikeOS for cost reduction certification
• EN 50128 and SIL 3/4 certification

Thank you for your attention!
More information on www.sysgo.com