Hiromasa Shimada

Temporal and spatial isolation in a virtualization layer for multi-core processor based information appliances

A virtualization layer makes it possible to compose multiple functionalities on a multi-core processor with minimum modifications of OS kernels and applications. A multi-core processor is a good candidate to compose various software independently developed for dedicated processors into one multi-core processor to reduce both the hardware and development cost. In this paper, we present SPUMONE, which is a virtualization layer suitable for developing multi-core processor based-information appliances.

Composition kernel: a multi-core processor virtualization layer for rich functional smart products

Future ambient intelligence environments will embed powerful multi-core processors to compose various functionalities into a smaller number of hardware components. This makes the maintainability of intelligent environments better because it is not easy to manage massively distributed processors. A composition kernel makes it possible to compose multiple functionalities on a multi-core processor with the minimum modification of OS kernels and applications. A multi-core processor is a good candidate to compose various software developed independently for dedicated processors into one multi-core processor to reduce both the hardware and development cost. In this paper, we present SPUMONE which is a composition kernel for developing future smart products.

A Lightweight Monitoring Service for Multi-core Embedded Systems

The recent increase in complexity and functionality in embedded systems makes them more vulnerable to rootkit-type attacks, raising the need for integrity management systems. However, as of today there is no such system that can guarantee the system’s safety while matching the low-resource, real-time and multi-core requirements of embedded systems. In this paper, we present a Virtual Machine Monitor (VMM)based monitoring service for embedded systems that checks the actual kernel data against a safe data specification. However, due to the VMM and multi-core nature of the system, the guest OS can be preempted at any time, leading to the checking of potentially inconsistent states. We evaluated two approaches to solve this problem: detecting such invalid states by checking specific kernel data, and detecting system calls using the VMM.

Using Virtual CPU Migration to Solve the Lock Holder Preemption Problem in a Multicore Processor-Based Virtualization Layer for Embedded Systems

When a real-time OS (RTOS) and a symmetric multiprocessing general purpose OS (SMP GPOS) are executed on the same multicore processor, there is a possibility to cause the lock holder preemption (LHP) problem, which is a well known problem of the sources of the performance degradation on an SMP GPOS. The problem occurs when a kernel mode thread holding a lock in a SMP GPOS is preempted by other OSes if these OSes share the same physical core. The existing solution does not take into account real-time responsiveness so it is not suitable to use in embedded systems. The paper proposes two new techniques to avoid the LHP problem for ensuring both the real-time responsiveness of real-time OS and the high throughput of SMP GPOS. The new proposed techniques have been implemented on our virtualization layer called SPUMONE, and we measured the results showing that the proposed new techniques reduce the LHP problem without degrading the real-time responsiveness.

A Light-Weighted Virtualization Layer for Multicore Processor-Based Rich Functional Embedded Systems

In this paper, we introduce a lightweight processor abstraction layer named SPUMONE. SPUMONE provides virtual CPUs for respective guest OSes, and schedules them according to their priorities. In a typical case, SPUMONE schedules Linux with a low priority and an RTOS with a high priority. We first discuss why the traditional virtual machine monitor design is not appropriate for embedded systems, and how the features of SPUMONE allow us to design modern complex embedded systems with less efforts. Then, we describe two features of SPUMONE for the real-time resource management. SPUMONE also offers a novel mechanism to protect a critical component from malicious programs injected into the GPOS kernel.

Hardware-Assisted Reliability Enhancement for Embedded Multi-core Virtualization Design

In this paper, we propose a virtualization architecture for the multi-core embedded system to provide more system reliability and security while maintaining the same performance without introducing additional special hardware supports or having to implement complex protection mechanism in the virtualization layer. Virtualization has been widely used in embedded systems, especially in consumer electronics, albeit itself is not a new technique, because there are various needs for both GPOS (General Purpose Operating System) and RTOS (Real Time Operating System). The surge of the multi-core platform in the embedded system also helps the consolidation of the virtualization system for its better performance and lower power consumption. Embedded virtualization design usually uses two kinds of approaches. The first one is to use the traditional VMM, but it is too complicated for use in the embedded environment if there is no additional special hardware support. The other is the use of the micro kernel which imposes a modular design. The guest systems, however, would suffer from considerable amount of modifications because the micro kernel lets the guest systems to run in user space. For some RTOSes and theirs applications originally running in kernel space, it makes this approach more difficult to work because a lot of privileged instructions are used in those codes. To achieve better reliability and keep the virtualization layer design light weighted, a common hardware component adopted in the multi-core embedded processors is used in this work. In the most embedded platforms, vendors provide additional on-chip local memory for each physical core and these local memory areas are private only to their cores. By taking this memory architectures advantage, we can mitigate above-mentioned problems at once. We choose to re-map the virtualization layers program called SPUMONE, which it runs all its guest systems in kernel space, on the local memory. By doing so, it can provide additional reliability and security for the entire system because the SPUMONEs design in a multi-core platform has each instance being installed on a separated processor core which is different from the traditional virtualization layer design and the content of each SPUMONE is inaccessible to each others. We also achieve this goal without bringing any overhead to the overall performance.

Automatic Invariant Generation for Monitoring OS Kernel Integrity

System administrators have used integrity checkers to prevent the system from malicious infections. Especially, checking the integrity of the kernel is important, since the infections of the kernel affect the entire system. Most of the previous works to prevent such infections rely on the developers or administrators to write specifications to detect them. Those works require high engineering cost and may incur vulnerabilities. The other previous works use virtualization techniques to trace the memory usage of the target system. However, they require hardware supports for the virtualization to avoid significant overhead. Most of embedded systems do not have such hardware supports. In addition, the overhead of the integrity checking affects all of the guest OSes, because they check integrity of the target OS in the virtualization layer. Therefore, they are difficult to be applied to multi-core environment.In this paper, we propose a method to generate the integrity checker automatically. The integrity checker runs on a virtualization layer and checks the integrity of kernel data structures of the target OS kernel from the outside of it. The virtualization layer does not require a special hardware support for the virtualization, because the integrity checker only reads memory area used by the target OS. Moreover, the integrity checker is executed as a guest OS, and thereforeit does not affect the entire system performance when it runs on multicore environment. The integrity checker checks the kernel data structures using invariants of them. In order to generate the invariants automatically, our system analyzes obtained kernel data structures. However, checking all of the kernel data structures is not feasible, since there are a lot of kernel data structures and an analyzer uses relationships with them to generate invariants. Therefore, our challenge is to reduce the target kernel data structures while avoiding false positives and false negatives as much as possible.

Composition Kernel: A Multi-core Processor Virtualization Layer for Highly Functional Embedded Systems

In this paper, we propose a composition kernel where multiple OS kernels are running on top of a very thin hardware abstraction layer. A composition kernel can reduce the engineering cost of developing an embedded system by reusing existing OS kernels and application with minimum modification without assuming special hardware supports.

Automatically Generating External OS Kernel Integrity Checkers for Detecting Hidden Rootkits

The integrity checker validates the data structures in a target OS kernel from outside to enhance system security. Because of a huge number of kernel data structures, all possible invariants cannot be generated automatically, as we encounter a combinatorial explosion. In this paper, we propose a framework to generate a practical integrity checker automatically without examining all data structures in an OS kernel. Hidden rootkits infect the pointer variables of kernel data structures, a filter proposed in the framework reduces the number of target kernel data structures without decreasing the detection accuracy. In our experiments, the proposed system generates an integrity checker for three Linux kernels in a practical time, and a generated integrity checker can detect all of the hidden root kits infecting the kernel data structures.

Design issues in composition kernels for highly functional embedded systems

Recent embedded systems are dramatically increasing their features to satisfy a users demanding requirements. In traditional approaches, each feature uses a dedicated processor to be implemented, but the approach increases the cost to develop highly functional embedded systems. A multi-core processor offers a new opportunity to solve the dilemma because various functionalities can be implemented on one multi-core processor. While the number of functionalities is increased, we can just add more cores in the multi-core processor. However, we need a desirable software platform to implement a large number of functionalities on a multi-core processor for developing highly functional embedded systems. A composition kernel makes it possible to compose multiple functionalities on a multi-core processor with the minimum modifications of OS kernels and applications. In this paper, we present SPUMONE, a composition kernel for developing highly functional embedded systems, and runs on the SH4-based multi-core processor. SPUMONE does not support the spatial isolation to isolate guest OSes not to sacrifice the performance due to its virtualization. The approach may sacrifice the reliability and security, so we also propose to add the monitoring service that runs in the outside of a target guest OS to enhance its reliability and security without relying on the spatial isolation.