230 likes | 416 Views
Trusted Virtual Domains on OKL4 - Secure Information Sharing on Smarphones ACM STC’11 , October 17, 2011, Chicago, Illinois, USA. Mingyuan GAO 20111047 System Software Lab. Table of Contents. 1. Background. Motivation
E N D
Trusted Virtual Domains on OKL4 - Secure Information Sharing on SmarphonesACM STC’11, October 17, 2011, Chicago, Illinois, USA. MingyuanGAO 20111047 System Software Lab.
1. Background Motivation Smartphones that used for private and corporate purposes do not provide isolation between the data and application of different security domains Data Leakage Unwanted information flow … This paper presents the design and implementation of Trusted Virtual Domain (TVD) security architecture for smartphones.
1. Background Trusted Virtual Domain (TVD) The main goal of TVD concept is to execute workloads of different domains in isolated computing environments A TVD is a coalition of mutually trusting members, usually virtual machines Members of a TVD are assigned a security label (also “color” of the TVD) that identifies the TVD Communication between two components is allowed iff.they share the same color
1. Background Trusted Virtual Domain (TVD) Logical View: isolated (virtual) computer networks Physical View: separated virtual networks that are operated over one physical network
1. Background • TVD Master • central management component • stores the TVD policy • controls the admission of other physical platforms to the TVD infrastructure Trusted Virtual Domain (TVD) The TVD Policy is a set of rules that state the security requirements a TVD must satisfy to be accepted as TVD member, e.g., integrity measurements of the virtual machines and their software components TVD Policy is configured centrally and enforce locally * The graph is not excerpted from the paper • TVD Proxy • on each platform, created for each TVD • a local copy of the TVD Master • responsible for the admission of the VMs to the corresponding TVD
1. Background OKL4 Microvisor Provides virtualization and compartmentalization in embedded systems Manages hardware resources, offers hardware abstraction (virtual CPUs, virtual MMU) and virtual device abstraction (virtual interrupts) Maintains isolated execution environments (cells or compartments) Each cell can run native applications or guest operating systems, e.g., Android, Linux, Symbian * The graph is not excerpted form the paper
1. Background OKL4 Microvisor Communication between cells is performed only via IPC Offers fast IPC among cells and enforces mandatory access control on IPC calls based on capabilities, i.e., security tokens that protect access to protected resources The system administrator defines for each cell the available IPC channels, and specific capabilities which other cells must process in order to communicate over this channel * The graph is not excerpted the paper
2. Architecture Architecture Overview
2. Architecture Compartment Types TVD compartments that are assigned to a TVD typically run a guest OS, e.g., para-virtualized Android System compartments that do not belong to any TVD but provide security services to the rest of the system, including Secure GUI Attestation service Software Mobile Trusted Module (MTM) Compartment Manager …
2. Architecture Building Blocks Virtualization layer OKL4 provides high performance IPC and enforces access control on IPC calls Mobile Trusted Module Software MTM is used (i) to establish trusted channels, (ii) to support remote attestation, and (iii) to manage cryptographic keys Attestation Service Attests the security kernel and application-level compartments Used in a process of a trusted channel establishment between TVD Proxy and TVD Master
2. Architecture Building Blocks Compartment Manager It delegate the commands received from the user to be executed by the TVD proxy Secure GUI Catches all user inputs and offers an unique framebufferfor graphical outputs of each compartment TVD Compartments Each compartment runs a single OS The Android Linux Kernel is modified with the OK:Android package to provide microkernel support for Android
2. Architecture Building Blocks TVD Master A remote TVD administrator, responsible for defining a TVD security policy Each TVD has its own TVD Master TVD Proxy Responsible for establishment of the trusted channel to a TVD Master and TVD Policy delivery to a local platform When several domains are deployed on the platform, TVD Proxy communicates with the corresponding TVD Masters, receives the TVD Policies, and maps these policies to an OKL4 configuration
2. Architecture Building Blocks TVD Policy Specifies the TVD compartments to be installed on the platform and the available resources on the device to be assigned to compartments Inter-TVD communication may also be specified Expressed in XML language
2. Architecture Building Blocks TVD Policy Target Platform: specifies the platform the TVD Policy is defined for Trusted Systems: specifies a trusted computing base (TCB) of the platform, e.g., system services and the OKL4 kernel Systems: represents the set of TVD compartments Resources: specifies resources on the devices to be assigned to compartments
3. System Management TVD Policy Mapping Map multiple TVD Policies to a single OKL4 configuration (n 1) Based on the fact that The TVD Policy and the OKL4 Configuration share several characteristics, e.g., resources and virtual machines Mainly the processing of XML file according to some predefined rules OKL4 configuration is also an XML file, including machine configuration (HW-Config) microkernel resources like physical and virtual pool for itself
3. System Management Management Commands install/remove/update a TVD compartment install/remove a TVD Due to the static property of the OKL4 configuration These commands can be realized only via an update of OKL4 image configuration and building and installation of a complete new OKL4 system image on the mobile device Two alternative solutions to perform the task: Image Building on Mobile Devices Image Building by TVD Master
3. System Management Management Commands
4. Implementation & Evaluation Implementation OKL4 Development: Open Kernel Labs SDK Security Services: Part as native applications that run directly on the top of OKL4 cell, including Compartment Manager Secure GUI Part as Linux applications that run in a small Linux OS instance Mobile Trusted Module (MTM) TVD Proxy Attestation Service Policy Mapper as part of a TVD Proxy security service
4. Implementation & Evaluation Evaluation The performance for building the image on the client and the TVD master is measured, steps: running the Policy Mapper tool to creat OKL4 configuration file building the system image Hardware Client Bealebord (rev. C4) Chipset TI OMAP3530 ARM-Contex-A8 CPU TVD Master Dell OptiPlex 980
4. Implementation & Evaluation Evaluation OKL4 system installation by TVD Proxy For both cases, 99% of the computing Power and just 1, 6% of RAM were used OKL4 system installation by TVD Master
5. Conclusion This paper presented a TVD solution for mobile devices, based on the OKL4 microkernel hypervisor. This work extends an existing Trusted Mobile Desktop architecture with TVD components Despite the static nature of OKL4, this work provides a working end-user system for separating private and enterprise domains for data and applications on smartphones At the same time, this work showed some limitations.
5. Conclusion Limitations Not possible to add or delete new compartments during runtime, rather we have to perform it at install time All TVD commands like Install Compartment or TVD Policy Update involve the deletion of the whole system image Not possible to start or stop compartments on demand. All compartments are started on device upon boot up.