TY - GEN
T1 - Tiered Trust for Useful Embedded Systems Security
AU - Ayers, Hudson
AU - Dutta, Prabal
AU - Levis, Philip
AU - Levy, Amit
AU - Pannuto, Pat
AU - Van Why, Johnathan
AU - Watson, Jean Luc
N1 - Publisher Copyright:
© 2022 Owner/Author.
PY - 2022/4/5
Y1 - 2022/4/5
AB - Traditional embedded systems rely on custom C code deployed in a monolithic firmware image. In these systems, all code must be trusted completely, as any code can directly modify memory or hardware registers. More recently, some embedded OSes have improved security by separating userspace applications from the kernel, using strong hardware isolation in the form of a memory protection unit (MPU). Unfortunately, this design requires either a large trusted computing base (TCB) containing all OS services, or moving many OS services into userspace. The large TCB approach offers no protection against seemingly-correct backdoored code, discouraging the use of kernel code produced by others and complicating security audits. OS services in userspace come at a cost to usability and efficiency. We posit that a model enabling two tiers of trust for kernel code is better suited to modern embedded software practices. In this paper, we present the threat model of the Tock Operating System, which is based on this idea. We compare this threat model to existing security approaches, and show how it provides useful guarantees to different stakeholders.
KW - IoT
KW - embedded systems
KW - operating systems
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85128352725&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85128352725&partnerID=8YFLogxK
U2 - 10.1145/3517208.3523752
DO - 10.1145/3517208.3523752
M3 - Conference contribution
AN - SCOPUS:85128352725
T3 - EuroSec 2022 - Proceedings of the 15th European Workshop on Systems Security
SP - 15
EP - 21
BT - EuroSec 2022 - Proceedings of the 15th European Workshop on Systems Security
PB - Association for Computing Machinery, Inc
T2 - 15th European Workshop on Systems Security, EuroSec 2022
Y2 - 5 April 2022 through 8 April 2022
ER -