Enabling Trustworthy Remote Recovery
with seL4
Dr. Richard Skowyra
15 November 2018
DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under
Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the
Assistant Secretary of Defense for Research and Engineering. © 2018 Massachusetts Institute of Technology. Delivered to the U.S. Government with Unlimited Rights, as defined in DFARS Part 252.227-
7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed above. Use of this work other
than as specifically authorized by the U.S. Government may violate any copyrights that exist in this work.
SmallSat Div. Seminar - 2
KWI. 1-NOV-2018
The United States Relies Heavily on Space Assets
SmallSats are an Attractive Option …
… and Cyber is an Attractive Vector
“Break one, break all”
COTS HW + SW
Inability to Reassert Physical Control
Terrestrial vs. Space Platforms
Variable                 | Terrestrial                   | Space
Physical access          | Easy                          | Not Easy
Environmental threats    | Power surges, spilled coffee  | Radiation, thermal
SWaP concerns            | Low                           | Very high
Installation method      | Person carrying box           | Rocket carrying box
Communications           | Wired, wireless               | Intermittent wireless
User specialization      | Low                           | High
Platform specialization  | Low                           | High
Mission duration         | Days to Months                | Months to Years
No physical access to re-assert control over a compromised device
A Representative SmallSat: ORS-5
(figure: annotated view of the ORS-5 spacecraft with labelled components: CCD Radiator (-40°C), Star Tracker, Avionics, Baffle, One-time Cover, Reaction Wheels (3), CCD, Radio, Telescope, Torque Rods (3), Battery, GPS, Magnetometer)
Satellite System Overview
(figure: the Ground segment communicates with the Space Vehicle (SV), which consists of the Bus and the Payload. Bus Control is focused on maintenance and survival; Payload Control is focused on mission objectives. Callouts on the diagram: Controls Comms and Power; Controls Orientation and Thrusters; Controls Mission Functionality; Low Compute Power; Increasing Compute Power Requirements; Dependent on Bus)
Key Security Attributes
• Encrypting the link between the Ground and the Space Vehicle is necessary, but not sufficient
Our Security Goals
(figure: Ground, Space Vehicle (SV), Bus, Payload, Bus Control and Payload Control, as in the system overview)
• Reassert control if the satellite is compromised
• Enable the satellite to survive if the ground station is temporarily compromised
Larger Effort: MITLL SmallSat Security Program
• Fail Slowly
• Go Beyond COMSEC
• Flexible Defenses
• Field and Leverage Telemetry
• Include a Root of Recovery
• Monitor the Pre-Launch Environment
• Security as a Feature
• Succeed Quickly
Root of Recovery
(figure: Ground, Space Vehicle (SV), Bus and Payload; the SV software stack is a Root of Trust (seL4 Microkernel) hosting Drivers, Update + Root of Recovery, Apps, COMSEC and Safety of Flight)
• RISK: An adversary may be able to compromise the SV and “lock out” the legitimate ground station
– Adversary can effect denial of service or takeover
• APPROACH: Implement an immutable “root of recovery” onboard the SV
– Guarantees enough C2 to force a reset into a “safe mode” and apply a software update to fix the defect
• EFFECT: Adversary cannot permanently compromise the SV. Additionally reduces risk for software update, both to fix security problems and to augment or update functionality.
A Representative Stack for a Satellite Bus
(figure: layered stack with the layers Application, Middleware, Adapter, Operating System, Board Support Package, Processor, On-Board Comms, Peripheral)
A Representative Stack for a Satellite Bus
(figure: the same layered stack, with On-Board Comms refined to Wired Comms: Application, Middleware, Adapter, Operating System, Board Support Package, Processor, Wired Comms, Peripheral)
Operating System
Formally Verified
• No common implementation errors (use-after-free, deadlock, buffer overflow, etc.)
• Authority confinement, confidentiality and integrity guarantees
Not Formally Verified
• 600 lines of assembly code
• 36000+ lines of specification
• The boot process
• Almost everything built on top of seL4
Processor
• Native seL4 support
• High processing power
– 2 ARM Cortex A9s
• Integrated on-die FPGA
• COTS LEO applicability
– Part of the CHREC Space Processor
– 39 CSP computers over 14 missions since December 2015
BSP + Wired Comms
(figure: the Wired Comms device driver running on seL4, connected over AXI to the PHY on the Zynq)
Peripheral / Testing Environment
Recap
Where is the Root of Recovery?
(figure: the Root of Recovery placed alongside the Software-Defined Radio (SDR), End Cryptographic Unit (ECU), Embedded Power Supply (EPS) and FLASH Controller, with the Userspace Application and Userspace Drivers layers also shown)
• Root of Recovery must always permit the spacecraft to:
– Receive the “recover” command from an authorized principal,
– Reset to a previous state, or
– Load a new state (software, firmware, and/or data) and reset to it
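The recovery-command path described on this slide and on the Root of Recovery slide (an authorized “recover” command that either resets to a previous state or loads a new state and resets into it), as an added example that is not code from the slides or from the MIT LL project. It assumes a constructed frame format and a shared-key HMAC standing in for the formally verified digital signature algorithm the slides plan; the key, opcodes and image bytes are constructed.

```python
import hashlib, hmac, struct

# Constructed demo key: the slides plan a formally verified digital signature
# algorithm; this shared-key HMAC is only a stand-in for that verifier.
GROUND_KEY = b"constructed-demo-key-not-a-real-secret"
OP_RESET_PREVIOUS = 1          # reset into the retained known-good state
OP_LOAD_NEW = 2                # load a new state image, then reset into it
FRAME_HDR = ">BIB32s"          # version, monotonic counter, opcode, sha256(payload)
SIG_LEN = 32                   # trailing authentication tag over the header

class RootOfRecovery:
    """Model of the always-available recovery path: it never raises, so a
    malformed or hostile frame cannot take the recovery path itself down."""
    def __init__(self, key, known_good_image):
        self.key = key
        self.last_counter = 0      # anti-replay: accept strictly increasing counters
        self.known_good = known_good_image
        self.active = known_good_image
        self.mode = "mission"

    def handle(self, frame, payload=b""):
        if len(frame) != struct.calcsize(FRAME_HDR) + SIG_LEN:
            return "rejected: malformed"
        hdr, sig = frame[:-SIG_LEN], frame[-SIG_LEN:]
        # Authenticate before anything else, so unauthenticated traffic cannot
        # advance the counter or influence state.
        expected = hmac.new(self.key, hdr, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return "rejected: unauthorized principal"
        version, counter, op, payload_hash = struct.unpack(FRAME_HDR, hdr)
        if version != 1:
            return "rejected: unsupported version"
        if counter <= self.last_counter:
            return "rejected: replay"
        if hashlib.sha256(payload).digest() != payload_hash:
            return "rejected: payload hash mismatch"
        self.last_counter = counter
        if op == OP_RESET_PREVIOUS:
            self.active, self.mode = self.known_good, "safe"
            return "reset to previous state"
        if op == OP_LOAD_NEW:
            self.active, self.mode = payload, "safe"
            return "loaded new state and reset"
        return "rejected: unknown op"

def build_recover_command(key, counter, op, payload=b""):
    """Ground-side framing: header bound to the payload hash, then the tag."""
    hdr = struct.pack(FRAME_HDR, 1, counter, op, hashlib.sha256(payload).digest())
    return hdr + hmac.new(key, hdr, hashlib.sha256).digest()
```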
Need for Defense-in-Depth
• Driver code is unverified
• Applications may have realtime constraints
• Update may be unauthorized
• Hardware may contain vulnerabilities
Next Steps: A Secure Root of Recovery
Concerns (as on the previous slide):
• Driver code is unverified
• Applications may have realtime constraints
• Update may be unauthorized
• Hardware may contain vulnerabilities
Next steps:
• Upcoming seL4 extensions
• FPGA-based real-time protections
• Formally verified digital signature algorithm
• Implementation in Rust, a memory-safe language
• SW separation
• FPGA-based monitors
• Bus protections
Future Work
• Run alongside a representative bus application suite
– Operate NASA Core Flight System (CFS) on top of seL4 and CFS
• Incorporate other efforts from the MITLL Smallsat security initiative into a reference architecture for secure smallsats
• Deploy reference architecture on a flatsat to prove out real-world feasibility
• Concepts are applicable to any physically remote embedded platform:
– SCADA
– Long-Loiter UxVs
– Infrastructure / IoT
Conclusion
• MIT LL has developed a set of design guidelines to aid designers in building more securable satellites
• Small satellites are attractive cyber targets, and require a root of recovery to restore to a known good state while in orbit
– Must be secured against attack to have real value
– seL4 is necessary, but not sufficient
• MIT LL is building a secure reference architecture for small satellites
– seL4 provides strong isolation
– Root of recovery provides ability to re-assert control if the satellite is compromised
– Other security extensions enable the satellite to conduct its mission if the ground station is temporarily compromised
Questions
Dr. Richard Skowyra
781-981-0664