Alexander Warg

L4Android: a generic operating system framework for secure smartphones

Smartphones became many peoples primary means of communication. Emerging applications such as Near Field Communication require new levels of security that cannot be enforced by current smartphone operating systems. Therefore vendors resort to hardware extensions that have limitations in flexibility and increase the bill of materials. In this work we present a generic operating system framework that does away with the need for such hardware extensions. We encapsulate the original smartphone operating system in a virtual machine. Our framework allows for highly secure applications to run side-by-side with the virtual machine. It is based on a state-of-the-art microkernel that ensures isolation between the virtual machine and secure applications. We evaluate our framework by sketching how it can be used to solve four problems in current smartphone security.

Taming subsystems: capabilities as universal resource access control in L4

The embedded and mobile computing market with its wide range of innovations is expected to remain growing in the foreseeable future. Recent developments in the embedded computing technology offer more performance thereby facilitating applications of unprecedented utility. Open systems, such as Linux, provide access to a huge software base. Nevertheless, these systems have to coexist with critical device infrastructure that insists on stringent timing and security properties. In this paper, we will present a capability-based software architecture, featuring enforceable security policies. The architecture aims to support current and future requirements of embedded computing systems, such as running versatile third-party applications on general purpose and open operating systems side by side with security sensitive programs.

Flattening hierarchical scheduling

Recently, the application of virtual-machine technology to integrate real-time systems into a single host has received significant attention and caused controversy. Drawing two examples from mixed-criticality systems, we demonstrate that current virtualization technology, which handles guest scheduling as a black box, is incompatible with this modern scheduling discipline. However, there is a simple solution by exporting sufficient information for the host scheduler to overcome this problem. We describe the problem, the modification required on the guest and show on the example of two practical real-time operating systems how flattening the hierarchical scheduling problem resolves the issue. We conclude by showing the limitations of our technique at the current state of our research.

Virtual machines jailed: virtualization in systems with small trusted computing bases

The trusted computing base of legacy applications can be reduced significantly by separating their security-critical parts into dedicated protection domains. As yet, paravirtualization has been used to host the non-secure portion. The applicability of this approach is limited by the need of source code access. We show how to implement efficient virtual machines in a microkernel-based system enabling the reuse of arbitrary operating systems. We found that the performance is on par with other virtual machine implementations, while security-sensitive applications retain their small trusted computing base. In fact, the kernel growth is marginal (500 SLOC), other security-critical components are not affected.

Rounding pointers: type safe capabilities with C++ meta programming

Recent trends in secure operating systems indicate that an object-capability system is the security model with pre-eminent characteristics and practicality. Unlike traditional operating systems, which use a single global name space, object-capability systems name objects per protection domain. This allows a fine-grained isolation of the domains and follows the principle of least authority. Programming in such an environment differs considerably from traditional programming models. The fine-grained access to functionality requires a programming environment that supports the programmer when using a capability system. In this paper, we present an object-oriented framework that uses the C++ programming language to offer a frame-work for building and using operating-system components and applications.

L4Android security framework on the Samsung galaxy S2

There is a recent trend to use privately owned mobile devices in corporate environments. This poses serious threats on the security of corporate data. In this demo we show how we applied an efficient sandboxing mechanism to the Android software stack. This allows us to run multiple instances of Android securely isolated side-by-side on one device. We implemented a prototype on the Samsung Galaxy S2.

Demo Abstract: Timing Aware Hardware Virtualization on the L4Re Microkernel Systems

Hardware virtualization support has found its way into real-time and embedded systems. It is paramount for an efficient concurrent execution of multiple systems on a single platform, including commodity operating-systems and their applications. Isolation is a key feature for these systems, both in the spatial and temporal domain, as it allows for secure combinations of real-time and non real-time applications. For such requirements, microkernels are a perfect fit as they provide the foundation for building secure as well as real-time aware systems. Lately, microkernels learned to support hardware-provided virtualization features, morphing them into microhypervisors. In our demo, we show our open-source and commercially supported L4Re system running Linux and FreeRTOS side by side on a multi-core ARM platform. While for Linux we use the hardware features for virtualization, i.e., ARMs virtualized extension, we revert to paravirtualization for running the FreeRTOS guest. Paravirtualization adapts the guest kernel to run as a native application on the microkernel. For simple guests that do not use advanced hardware features such as virtual memory and multiple privilege levels, virtualization is simplified and the state of a virtual machine is significantly reduced, improving interrupt delivery and context switching latency. Both guests as well as the native application drive LEDs to exemplify steering actual devices as well as to show their liveliness. Taking down the Linux guest will not disturb the others.

Hochsichere Smartphones mit L4Android

Smartphones vermitteln uns das Gefuhl rund um die Uhr vernetzt zu sein. Fur viele Anwender sind Smartphones das primare Kommunikationsgerat geworden. Grose Firmen investieren mittlerweile viel Geld, um mit Smartphones neue Geschaftsfelder zu erschliesen. Die neuen Anwendungen, wie z. B. Mobile Payment, haben hohe Anforderungen an die Geratesicherheit. Vorhandene Smartphonebetriebssysteme sind diesen Anforderungen nicht gewachsen. In dieser Arbeit stellen wir L4Android vor. L4Android ist ein Betriebssystemframework, welches das Erstellen sicherer Smartphonearchitekturen ermoglicht. Wir verwenden einen modernen Mikrokern und erlauben das Ausfuhren von nicht sicherheitskritischer Software in einer virtuellen Maschine.