Nested compartmentalisation for constrained devices

Dejon, Nicolas; Gaber, Chrystel; Grimaud, Gilles

doi:10.1109/ficloud49777.2021.00055

Cited by 2 publications

(5 citation statements)

References 7 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The framework proposed in [10] provides design guidelines for setting up nested compartmentalisation as well as an API to call the services provided by the compartmentalisation entity. In the framework, userland components can create subdomains out of their own memory space.…”

Section: Analogy Between the Nested Compartmentalisation Framework An...mentioning

confidence: 99%

“…In Section 4, we present Pip-MPU's requirements that include Pip's requirements plus some requirements specific to constrained devices. In Section 5, we verify which requirements are already satisfied by the use of the nested compartmentalisation framework [10]. We then derive and specialise this framework in the light of Pip's system calls and metadata structures to fulfil the security requirements.…”

Section: Introductionmentioning

confidence: 96%

“…The motivation of this work is to make constrained devices more secure and more flexible, given the ubiquity of these devices and the emerging complex IoT applications. We propose to achieve flexible memory isolation for constrained devices with an MPU by adapting Pip's MMU-based memory isolation to be MPU-based and by leveraging Dejon et al's framework [10]. Indeed, this framework proposes to use the memory access permissions on memory blocks provided by the MPU in order to create multiple levels of isolation.…”

Section: Introductionmentioning

confidence: 99%

“… We capture and define Pip's requirements that are landmarks to our adaptation.  We specialise the framework presented in [10] to match the aforementioned requirements. We also conduct a preliminary study of compatibility between Pip and the framework.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

Dejon¹,

Gaber²,

Grimaud³

2022

Artificial Intelligence, Soft Computing and Applications

Self Cite

View full text Add to dashboard Cite

This article presents a hardware-based memory isolation solution for constrained devices. Existing solutions target high-end embedded systems (typically ARM Cortex-A with a Memory Management Unit, MMU) such as seL4 or Pip (formally verified kernels) or target low-end devices such as ACES, MINION, TrustLite, EwoK but with limited flexibility by proposing a single level of isolation. Our approach consists in adapting Pip to inherit its flexibility (multiple levels of isolation) but using the Memory Protection Unit (MPU) instead of the MMU since the MPU is commonly available on constrained embedded systems (typically ARMv7 Cortex-M4 or ARMv8 Cortex-M33 and similar devices). This paper describes our design of Pip-MPU (Pip’s variant based on the MPU) and the rationale behind our choices. We validate our proposal with an implementation on an nRF52840 development kit and we perform various evaluations such as memory footprint, CPU cycles and energy consumption. We demonstrate that although our prototyped Pip-MPU causes a 16% overhead on both performance and energy consumption, it can reduce the attack surface of the accessible application memory from 100% down to 2% and the privileged operations by 99%. Pip-MPU takes less than 10 kB of Flash (6 kB for its core components) and 550 B of RAM.

show abstract

Section: Analogy Between the Nested Compartmentalisation Framework An...mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

Dejon¹,

Gaber²,

Grimaud³

2022

Artificial Intelligence, Soft Computing and Applications

Self Cite

View full text Add to dashboard Cite

show abstract

“…The goal of this work is to engage in the formal verification of Pip-MPU's isolation property, since Pip-MPU's high-level design and conceptual foundations have been introduced in earlier works [2,3]. Indeed, the motivation follows recent increases in cyber-threats on constrained devices (also referred to as low-end devices, of type microcontroller) and especially connected devices.…”

Section: Introductionmentioning

confidence: 99%

Untitled

2023

IJESA

View full text Add to dashboard Cite

Pip-MPU is a minimalist separation kernel for constrained devices (scarce memory and power resources). In this work, we demonstrate high-assurance of Pip-MPU's isolation property through formal verification. Pip-MPU offers user-defined on-demand multiple isolation levels guarded by the Memory Protection Unit (MPU). Pip-MPU derives from the Pip protokernel, with a full code refactoring to adapt to the constrained environment and targets equivalent security properties. The proofs verify that the memory blocks loaded in the MPU adhere to the global partition tree model. We provide the basis of the MPU formalisation and the demonstration of the formal verification strategy on two representative kernel services. The publicly released proofs have been implemented and checked using the Coq Proof Assistant for three kernel services, representing around 10000 lines of proof. To our knowledge, this is the first formal verification of an MPU based separation kernel. The verification process helped discover a critical isolation-related bug.

show abstract

Nested compartmentalisation for constrained devices

Cited by 2 publications

References 7 publications

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

Untitled

Contact Info

Product

Resources

About