Virtualization and diversification

Security issues are becoming an increasing concern in the domain of safety-critical applications (air, space, road, railways, etc.). This is due to several factors:

  • Commercial-Off-The-Shelf (COTS) components (hardware and software) are more and more being integrated into computerized embedded systems, mainly due to the cost-effectiveness advantages offered by such mature and generic components.
  • Embedded systems, which traditionally operated autonomously, are increasingly being interconnected to other less-critical systems or networks (including the Internet), to respond to the high demand from customers and companies for more flexibility and new services.
  • Threats are escalating, from the viewpoints of both the growing population of potential attackers (from personnel to customers) and the potentially exploitable vulnerabilities: open communication facilities, residual bugs in embedded COTS components, etc.

As a result, the attendant risk of damage to critical functions is dramatically escalating.

In such a context, it is mandatory to investigate architectural solutions that go beyond the classical approaches for security/safety enforcement when considering applications with different levels of criticality: either prevent any communications between them or only allow unidirectional information flows from high to low levels of criticality. Indeed, these approaches are too restrictive for deploying many useful services that call for some upward (normally forbidden) flows.

For example, in aviation, the ability to connect a standard COTS-based laptop to on-board avionics computers and use a standard user interface would significantly facilitate the activities of crew or maintenance personnel. However, for that, it is mandatory to prevent possible errors due to malware affecting the laptop resources (especially the OS) from impacting the on-board system.

Objective of the work and issues addressed

Totel’s model [1] proposed a conceptual framework to control the flow of information between software tasks with different criticality levels. Our recent work builds on and extends these previous results to propose a novel architectural solution for securing data flows from low to high criticality levels [2-3].

The goal is to secure the information provided to the operator and to the on-board computer systems by critical tasks (e.g., aircraft maintenance) running on a standard laptop, in spite of inherent laptop vulnerabilities: it runs a COTS OS and from time to time can be linked to the Internet. In this situation, it is necessary to raise the level of confidence attached to the maintenance information processed on the laptop from low (open world) to a level compatible with the level of the on-board computer systems.

We have considered that the specific tasks executed on the laptop are the same as those usually run in current scenarios using on-board equipment, and are thus validated to the required level. Accordingly, the targeted threats concern primarily the attacks that may affect the OS running on the standard laptop.

The architectural solution that we have proposed relies on the diversification paradigm: at least two task instances running on distinct OSes (e.g., Windows and Linux) are executed and compared. The underlying rationale is that an attack that would target a particular software component, running on a specific platform, would likely fail on others. For such an approach to be practical and acceptable, the two OS instances have to run on the same physical machine, which calls for using the virtualization approach [2]. Each replica of a critical task is executed on a distinct virtual machine running its own guest operating system. The comparison of the results is performed on a third safe virtual machine running a dedicated OS that is much simpler (and thus safer and more secure) than the COTS OSes (see figure).

Two scenarios have been considered for such a secured laptop: i) calculation and assignment of flight parameters (take-off speed, speed limit for aborting a flight, etc.) for a safe take-off profile by the pilot and ii) assistance to the maintenance operator for analyzing the error reports and applying the proper maintenance procedures.

Fig 1: Laptop software architecture

A prototype of the proposed scheme has been implemented for the maintenance scenario using the Xen hypervisor to manage the different virtual machines. The maintenance application is developed in Java. Each replicated instance is executed on a dedicated Java Virtual Machine (JVM). Both use the Swing library to manage graphical objects. A single user interface (keyboard, screen) is used (only the screen is shown here). The comparison task compares the results provided by each task instance before displaying one single consolidated result. In the same way, results are compared for consistency before being sent to the on-board computer [3].

This study allowed us to identify the properties required by mechanisms validating upward information flows in distributed software architectures featuring multiple criticality levels.

The application of diversification and virtualization techniques while implementing a single user interface is an original approach and has resulted in several interesting studies. In particular, this has led to an in-depth analysis of the interactions between the hypervisor, the virtual machines, the host OSes and the executed tasks in order to identify the appropriate level at which to capture the upward information flows to be validated, depending on the level of accessibility of the code. In the prototype, we have considered read-only access to the code (i.e., source code is available, but cannot be modified): accordingly, the comparison was carried out at the level of the calls to the methods of the JVMs.
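As an added illustration (not code from the prototype described above), the following sketches the comparator that the safe virtual machine would run: each replica's trace of calls to the output interface is compared call by call, benign float noise is normalised away, and a consolidated result is released to the screen or the on-board computer only when the traces agree. Method names and values are constructed for the example.

```python
"""Comparator for an upward information flow from two diversified task replicas.

Added example, not the prototype's code. Each replica runs on its own VM and
emits a trace of calls to the output interface; the comparator on the safe VM
forwards a consolidated result only if both traces agree. Values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    """One intercepted call from a task replica to the output interface."""
    method: str
    args: tuple


def canonical(call: Call) -> tuple:
    """Normalise benign replica differences (here float noise) before comparing."""
    args = tuple(round(a, 3) if isinstance(a, float) else a for a in call.args)
    return (call.method, args)


def validate_upward_flow(trace_a, trace_b):
    """Return (True, consolidated_trace) when the traces agree call by call,
    otherwise (False, index) giving the position of the first divergence.
    Nothing is released on divergence: the flow is blocked, not repaired."""
    for i, (a, b) in enumerate(zip(trace_a, trace_b)):
        if canonical(a) != canonical(b):
            return False, i
    if len(trace_a) != len(trace_b):  # one replica stopped early or added a call
        return False, min(len(trace_a), len(trace_b))
    return True, list(trace_a)


# Constructed traces for the maintenance scenario (hypothetical method names).
REPLICA_A = [
    Call("display", ("engine_oil_pressure_kpa", 312.00004)),
    Call("send_to_onboard", ("maintenance_procedure", "MP-17")),
]
REPLICA_B = [  # same task on another guest OS; the float differs by noise only
    Call("display", ("engine_oil_pressure_kpa", 312.00006)),
    Call("send_to_onboard", ("maintenance_procedure", "MP-17")),
]
# Replica B with its second call altered, as a compromised guest OS might do.
TAMPERED_B = REPLICA_B[:1] + [Call("send_to_onboard", ("maintenance_procedure", "MP-99"))]

if __name__ == "__main__":
    print(validate_upward_flow(REPLICA_A, REPLICA_B))   # (True, [...])
    print(validate_upward_flow(REPLICA_A, TAMPERED_B))  # (False, 1)
```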

Ongoing and future work concerns:

a) an in-depth analysis of the potential sources of non-determinism that may cause the task replicas on different virtual machines to produce different results in normal (fault-free) operation, and the investigation of generic solutions to prevent such discrepancies;
b) extending the set of mechanisms enforcing the control of upward information flows in on-board software architectures using a shared database but featuring multiple criticality levels.

This work is being carried out in the framework of two projects with Airbus, ArSec (Architectures de Sécurités) and GEODESIE (GEstion Optimisée et sécurisée des DonnEes pour le Système d’Information Embarqué), as part of the AIRSYS Convention.

Key references

[1] E. Totel, J.-P. Blanquart, Y. Deswarte, D. Powell, “Supporting Multiple Levels of Criticality,” in Proc. 28th IEEE Int. Symp. on Fault-Tolerant Computing (FTCS-28), Munich, Germany, 1998, pp. 70-79.

[2] Y. Laarouchi, Y. Deswarte, D. Powell, J. Arlat, E. De Nadaï, “Enhancing Dependability in Avionics Using Virtualization,” in Proc. 1st EuroSys Workshop on Virtualization Technology for Dependable Systems (VTDS 2009), Nuremberg, Germany, 2009, pp. 13-17.

[3] Y. Laarouchi, Y. Deswarte, D. Powell, J. Arlat, E. De Nadaï, “Connecting Commercial Computers to Avionics Systems,” in Proc. 28th IEEE/AIAA Digital Avionics Systems Conf. (DASC), Orlando, FL, USA, October 2009.