Genode - OS Security By Design
Dr.-Ing. Norman Feske
Outline
1. Introduction
2. Architectural Principles
3. Showcases
4. Current Topics
Genode - OS Security By Design 2
Universal Truths
Figure: Ease of use, Security, Utilization, Scalability, Assurance, Accountability
Problem: Complexity
Today's commodity OSes: exceedingly complex trusted computing base (TCB)
TCB of an application on Linux:
Kernel + loaded kernel modules
Daemons
X Server + window manager
Desktop environment
All running processes of the user
→ User credentials are exposed to millions of lines of code
Problem: Complexity (II)
Implications:
High likelihood for bugs (need for frequent security updates)
Huge attack surface for directed attacks
Zero-day exploits
Problem: Resource management
Pretension of unlimited resources
Lack of accounting
→ Largely nondeterministic behavior
→ Need for complex heuristics, schedulers
Key technologies
Microkernels
Componentization, kernelization
Capability-based security
Virtualization
...but how to compose those?
Genode architecture
→ Application-specific TCB
Combined with virtualization
Components
Object capabilities
Delegation of authority between components
Each component lives in a virtual environment
A component that possesses a capability can
  Use it (invoke)
  Delegate it to acquainted components
Recursive system structure
Service announcement
Session creation
Resource management
Explicit assignment of physical resources to components
Resource management (II)
Resources can be attached to sessions
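The principles of the preceding slides (object capabilities that can only be invoked or delegated by a holder, the recursive parent/child structure, service announcement, session creation through the parent, and RAM quota attached to sessions), as an added toy model in Python. It is not Genode's own API; the class names, the mutual parent/child capabilities handed out at creation time and the rule that session quota moves from client to server are assumptions of this model.

```python
# Added toy model of the slides' principles, not Genode's API. Assumed: parent and
# child start out holding capabilities to each other; session quota moves to the server.
class Capability:                       # unforgeable reference to an object
    def __init__(self, name, owner):    # 'owner' is the Component hosting it
        self.name, self.owner = name, owner

class Component:
    def __init__(self, name, ram_quota, parent=None):
        self.name, self.ram_quota, self.parent = name, ram_quota, parent
        self.caps = set()       # capabilities this component possesses
        self.services = {}      # service name -> capability announced by a child
        if parent is not None:  # parent and child start out acquainted
            self.caps.add(Capability("parent", parent))
            parent.caps.add(Capability("child:" + name, self))

    def invoke(self, cap):      # using a capability requires possessing it
        if cap not in self.caps:
            raise PermissionError(f"{self.name} does not hold {cap.name}")
        return f"{cap.owner.name}.{cap.name} invoked by {self.name}"

    def delegate(self, cap, target):   # only what you hold, only to acquaintances
        if cap not in self.caps:
            raise PermissionError(f"{self.name} does not hold {cap.name}")
        if not any(c.owner is target for c in self.caps):
            raise PermissionError(f"{self.name} is not acquainted with {target.name}")
        target.caps.add(cap)

    def announce(self, service):       # service announcement to the parent
        cap = Capability(service, self)
        self.caps.add(cap)
        self.delegate(cap, self.parent)
        self.parent.services[service] = cap

    def resolve(self, service):        # recursive structure: ask up the tree
        if service in self.services:
            return self.services[service]
        if self.parent is None:
            raise LookupError(f"no provider for {service}")
        cap = self.parent.resolve(service)
        self.parent.delegate(cap, self)  # capability travels down hop by hop
        return cap

    def session(self, service, quota): # session creation with RAM quota attached
        if quota > self.ram_quota:
            raise PermissionError(f"{self.name} lacks RAM quota for the session")
        cap = self.parent.resolve(service)
        self.ram_quota -= quota          # explicit accounting: quota leaves client
        cap.owner.ram_quota += quota     # ... and backs the session at the server
        self.parent.delegate(cap, self)
        return cap
```

A component that never received a capability cannot invoke it, and a session request for an unknown service fails before any quota is moved.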
Faithful Virtualization
Figure: Privileged mode: NOVA Hypervisor. User mode: Core, Init, Resource Multiplexer, Device Driver, and a VMM providing a virtual CPU, virtual device, and virtual RAM to an unmodified guest OS (with its own kernel).
OS-level Virtualization
Rich applications
Figure (component tree labels): Loader, Init, Arora Web Browser, Init, Nitpicker GUI, TCP/IP, Menu, Nitpicker GUI, Virtual Framebuffer, Launchpad, Testnit
Current Topics
Eating our own dog food
  Noux (GCC, VIM, bash, coreutils...)
  Wireless networking
Capability-based user interface
seL4 kernel as base platform
ARM Virtualization
Package management
Thank you
Genode OS Framework: http://genode.org
Genode Labs GmbH: http://www.genode-labs.com
Source code at GitHub: http://github.com/genodelabs/genode