Genode - OS Security By Design

Dr.-Ing. Norman Feske<norman.feske@genode-labs.com>

Outline

1. Introduction

2. Architectural Principles

3. Showcases

4. Current Topics

Genode - OS Security By Design 2

Outline

1. Introduction

2. Architectural Principles

3. Showcases

4. Current Topics

Genode - OS Security By Design 3

Universal Truths

Ease of useSecurity

Utilization

ScalabilityAssurance

Accountability

Genode - OS Security By Design 4

Problem: Complexity

Today’s commodity OSes Exceedingly complex trusted computingbase (TCB)

TCB of an application on Linux:

Kernel + loaded kernel modulesDaemonsX Server + window managerDesktop environmentAll running processes of the user

→ User credentials are exposed to millions of lines of code

Genode - OS Security By Design 5

Problem: Complexity (II)

Implications:

High likelihood for bugs (need for frequent security updates)Huge attack surface for directed attacksZero-day exploits

Genode - OS Security By Design 6

Universal Truths

Ease of useSecurity

Utilization

ScalabilityAssurance

Accountability

Genode - OS Security By Design 7

Problem: Resource management

Pretension of unlimited resourcesLack of accounting→ Largely indeterministic behavior→ Need for complex heuristics, schedulers

Genode - OS Security By Design 8

Universal Truths

Ease of useSecurity

Utilization

ScalabilityAssurance

Accountability

Genode - OS Security By Design 9

Key technologies

Microkernels

Componentization, kernelization

Capability-based security

Virtualization

...but how to compose those?

Genode - OS Security By Design 10

Genode architecture

→ Application-specific TCB

Genode - OS Security By Design 11

Combined with virtualization

Genode - OS Security By Design 12

Components

Genode - OS Security By Design 13

Components

Genode - OS Security By Design 14

Components

Genode - OS Security By Design 15

Components

Genode - OS Security By Design 16

Components

Genode - OS Security By Design 17

Components

Genode - OS Security By Design 18

Outline

1. Introduction

2. Architectural Principles

3. Showcases

4. Current Topics

Genode - OS Security By Design 19

Object capabilities

Delegation of authority between components

Each component lives in a virtual environmentA component that possesses a capability can

I Use it (invoke)I Delegate it to acquainted components

Genode - OS Security By Design 20

Recursive system structure

Genode - OS Security By Design 21

Service announcement

Genode - OS Security By Design 22

Session creation

Genode - OS Security By Design 23

Session creation

Genode - OS Security By Design 24

Resource management

Explicit assignment of physical resources to components

Genode - OS Security By Design 25

Resource management (II)

Resources can be attached to sessions

Genode - OS Security By Design 26

Outline

1. Introduction

2. Architectural Principles

3. Showcases

4. Current Topics

Genode - OS Security By Design 27

Faithful Virtualization

User Mode

Privileged ModeNOVA Hypervisor

Core

Init

Resource Multiplexer

UnmodifiedGuest OS

virtual CPU

virtual device

virtual RAM

VMMDevice Driver

Kernel

Genode - OS Security By Design 28

OS-level Virtualization

Genode - OS Security By Design 29

Rich applications

Loader

Init

AroraWeb

Browser

Init

NitpickerGUI

TCP/IP

Menu

NitpickerGUI

Virtual FramebufferLaunchpad

Testnit

Genode - OS Security By Design 30

Outline

1. Introduction

2. Architectural Principles

3. Showcases

4. Current Topics

Genode - OS Security By Design 31

Current Topics

Eating our own dog food

I Noux (GCC, VIM, bash, coreutils...)I Wireless networking

Capability-based user interface

seL4 kernel as base platform

ARM Virtualization

Package management

Genode - OS Security By Design 32

Thank you

Genode OS Frameworkhttp://genode.org

Genode Labs GmbHhttp://www.genode-labs.com

Source code at GitHubhttp://github.com/genodelabs/genode

Genode - OS Security By Design 33