
KVM + Security Layer on eCos

KVM + Security Layer on eCos. EE202A – Fall/2003 Project Yusuke Matsuoka. Outline. Introduction Motivation Cryptography Java Libraries KVM Customization & Building Java Cryptography Applications & Simulation Results Experimental Setup Experimental Results & Demo Conclusions Future Work.


Presentation Transcript


  1. KVM + Security Layer on eCos EE202A – Fall/2003 Project Yusuke Matsuoka

  2. Outline • Introduction • Motivation • Cryptography Java Libraries • KVM Customization & Building • Java Cryptography Applications & Simulation Results • Experimental Setup • Experimental Results & Demo • Conclusions • Future Work

  3. KVM - Introduction
     • Compact, portable Java Virtual Machine for small, resource constrained devices
     • Implemented in ANSI C
     • J2ME (Java 2 Micro Edition)
       • CDC (Connected Device Configuration)
       • CLDC (Connected, Limited Device Configuration)
     • CLDC characteristics:
       • Small subset of Java APIs
       • 128KB to 512KB of memory
       • a 16bit or 32bit processor
       • lower power consumption (operating with battery)
       • connectivity to network with limited bandwidth
     Source: J2ME Datasheet from Sun

  4. Motivation
     • KVM has been implemented on many embedded devices, e.g. cell phones
     • But, very poor security (only HTTPS, or no secure protocols!)
     • Future embedded systems need more flexible, customizable, and better optimized security schemes
     How to implement the security protocols?
     • JSSE and JCE from Sun? → too big! (they require the full set of J2SE class APIs)
     • Additional HW/SW co-processing? → Yes, but expensive! Should be more flexible, customizable
     Lightweight cryptography Java APIs
     • Aiming at small implementation of cryptographic algorithms
     • No thorough study on the performance for embedded systems
     • How fast? How small? How easy can we do “security” in Java?
     JSSE: Java Secure Socket Extension, JCE: Java Cryptography Extension, J2SE: Java 2 Standard Edition

  5. Cryptography Java Libraries
     • Half of them are for J2SE
     • The Bouncy Castle & The IAIK JCE/iSaSiLk are chosen
     • How to include the library into KVM?
     IAIK: Institute for Applied Information Processing and Communications @ Graz University of Technology at Austria

  6. KVM Customization • Based on J2ME CLDC 1.1 Reference Implementation • Customization is done by adding APIs (source or class files) Directory Structure of RI

  7. Building KVM w/ Security Libs KVM executable Compile (gcc, javac) Comparison of KVMs (results on Cygwin)

  8. Java Cryptography Applications (1)
     • KVM with Bouncy Castle APIs
       • Based on test programs included in the library package
       • Test vectors are based on documents of the standard (e.g. NIST’s FIPS, RFCs)
     Example of Time measurement

     ```java
     // engine, param and input are set up earlier in the library's test program;
     // startTime, endTime, i and interval are declared in the surrounding method.
     BufferedBlockCipher cipher = new BufferedBlockCipher(engine);
     byte[] out = new byte[input.length];

     startTime = (new Date()).getTime();
     for (i = 0; i < 1000; i++) {
         cipher.init(true, param);
         int len1 = cipher.processBytes(input, 0, input.length, out, 0);
         try {
             cipher.doFinal(out, len1);
         } catch (CryptoException e) {
             return new SimpleTestResult(false,
                 getName() + ": failed - exception " + e.toString());
         }
     }
     endTime = (new Date()).getTime();
     // 1000 iterations, so this is the average time per operation in msec
     interval = (endTime - startTime) / 1000;
     ```

     Performance on Cygwin (P4 3.0GHz, 512MB RAM), units in msec
     NIST: National Institute of Standards and Technology, FIPS: Federal Information Processing Standards, RFC: Request for Comments

  9. Java Cryptography Applications (1) • KVM with Bouncy Castle APIs – Performance on PC (Contd.) Symmetric Ciphers Message Digests

  10. Java Cryptography Applications (2) • KVM with IAIK APIs • Retrieve a web-page data via HTTPS connection over the internet

  11. Java Cryptography Applications (2)
      • KVM with IAIK APIs (Contd.)
      Cipher Suite Example

      ```
      ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_3DES_CBC_SHA
      Active protocol: TLS 1.0
      Active cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
      ```

      Performance Example on PC

  12. Experimental Setup (1)
      • The Intel StrongARM SA-1110 Board
        • SA-1110 Processor
          • Optimized for portable and embedded application
          • 32-bit RISC, 2.1MIPS@206MHz
          • I-cache: 16Kbytes, D-cache: 8Kbytes
        • 64MB SDRAM@100MHz
        • 16MB Flash Memory
        • RS232, JTAG ports
      KVM ?? SA-1110 Board
      • How to port the KVM?
      • How to configure?
      • How to debug?
      • Device drivers?
      eCos is used

  13. Experimental Setup (2)
      • eCos Porting
      • eCos
        • Open source, Royalty-free, Embedded Real-time OS
        • Integrated with GNU toolchain (GCC, GDB, etc)
        • Good configuration system for many development boards
        • Device drivers for Serial, Ethernet, USB, etc.
        • TCP/IP libraries
      • Design template for SA-1110 board was used
      • Boot Configuration: Redboot (RedHat) and JFlash1.2 (Intel)
      eCos Libraries for SA-1110
      Used to port KVMs for SA-1110 (compile/link)

  14. Experimental Setup (3) • KVM Porting • arm-elf-gcc cross-compiler • Makefile modification • Compilation Flags, etc. • How to load/run applications on the board? Size of ported KVMs +0.88MB +1.2MB

  15. Applet Loading KVM startup: Prompt% kvm.exe my_applet

  16. Oops! Before talking about the experimental results, let me prepare for the demo…

  17. Experimental Results (1) • KVM with Bouncy Castle APIs • Roughly 9x slower than PC (3.0GHz vs 206MHz) Performance on SA-1110 Board Units in msec

  18. Experimental Results (2) • KVM with Bouncy Castle APIs – Performance on the board (Contd.) Symmetric Ciphers Message Digests

  19. Experimental Results (3) • Performance Comparison • So far, the results are on BC. • How about the IAIK ? • Another AES test program was implemented on both BC and IAIK Another AES Example IAIK was slightly faster

  20. Demo (1) • AES Encryption/Decryption on Board SA-1110 Board PC Ported KVM eCos Configuration Tool GDB Debugger target remote /dev/com1 load … … RS-232 Download

  21. Demo (2) – HTTPS on KVM • KVM with IAIK APIs • Retrieve a web-page data via HTTPS connection over the internet

  22. Conclusions
      • Two cryptography Java libraries were implemented on customized KVM
      • Functionality and performance were confirmed on desktop PC
        • Bouncy Castle API – Popular cryptographic algorithms were implemented
        • IAIK API – SSL application was implemented
      • KVMs were ported to the SA-1110 board with eCos library, and successfully executed
      • Performance of the cryptographic algorithms was feasible for embedded systems

  23. Future Work • Make KVM smaller • # of class libraries vs. # of algorithms supported • Make eCos smaller • Removing unnecessary libraries, drivers • Heapsize evaluation • How much memory do we need? • Energy consumption estimation • More algorithms
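
Slide 8 describes test programs that use test vectors from the standards and then time 1000 operations; the following added example (not from the original presentation or the Bouncy Castle package) combines the two so that a cipher is only timed after it reproduces a published ciphertext. It assumes the Bouncy Castle lightweight API classes `BufferedBlockCipher`, `AESEngine`, `KeyParameter` and `Hex`; the class name `AesKatTiming` is hypothetical, and the vector is the AES-128 example from FIPS-197 Appendix C.1.

```java
import org.bouncycastle.crypto.BufferedBlockCipher;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.util.encoders.Hex;

// Added example (hypothetical class name): known-answer test first, timing second.
public class AesKatTiming {
    // AES-128 example vector from FIPS-197 Appendix C.1
    static final byte[] KEY = Hex.decode("000102030405060708090a0b0c0d0e0f");
    static final byte[] PLAIN = Hex.decode("00112233445566778899aabbccddeeff");
    static final byte[] EXPECTED = Hex.decode("69c4e0d86a7b0430d8cdb78070b4c55a");

    static byte[] encryptOnce(BufferedBlockCipher cipher, KeyParameter key)
            throws CryptoException {
        byte[] out = new byte[PLAIN.length];
        cipher.init(true, key);                       // true = encrypt
        int len = cipher.processBytes(PLAIN, 0, PLAIN.length, out, 0);
        cipher.doFinal(out, len);
        return out;
    }

    // Manual comparison: java.util.Arrays is not part of the CLDC class set.
    static boolean same(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    public static void main(String[] args) throws CryptoException {
        BufferedBlockCipher cipher = new BufferedBlockCipher(new AESEngine());
        KeyParameter key = new KeyParameter(KEY);
        // Refuse to benchmark a build whose output does not match the standard.
        if (!same(encryptOnce(cipher, key), EXPECTED)) {
            System.out.println("AES known-answer test FAILED, not timing");
            return;
        }
        final int rounds = 1000;                      // same loop count as slide 8
        long start = System.currentTimeMillis();
        for (int i = 0; i < rounds; i++) {
            encryptOnce(cipher, key);
        }
        long elapsed = System.currentTimeMillis() - start;
        System.out.println("AES-128: " + rounds + " blocks in " + elapsed + " msec");
    }
}
```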
