Embedded Systems Design Europe - October 2007 - (Page 27) Linux arbitrates the interactions between domains and the underlying VM manager (VMM). From this point on, the integrity verification of domains happen in parallel and follows the same path as in Figure 3. An important aspect of this architecture is the link between the domainlevel access-control mechanism within the VMM, and the access-control mechanism governing each domain at run time. This link must be well-defined and implemented efficiently to allow for a viable solution. This approach is based on a hardware root of trust to provide security as reliable as the mechanism protecting this root. The approach implements a MAC mechanism based on embedded SELinux and can do it in a virtualized environment. This approach deploys the security capabilities available in hardware to enforce isolation among guest domains, by dedicating separate memory areas to different processes that exist in each domain. The overall security management, such as secure Inter Process Communication (IPC) of such processes is the responsibility of the VMM, which acts as the Hypervisor. This approach enables a hardware-enforced isolation among processes running in each guest domain, with a fine-grained MAC mechanism, provided by SELinux infrastructure. The initial verification of each guest domain happens prior to bringing it up. After each domain is online, ensuring its integrity is performed by SELinux infrastructure. It’s presumable that, due to differences in security requirements during start-up and run time, not all embedded devices would require all the elements discussed here. However, this doesn’t indicate a weakness in the architecture, as the main security aspects of the approach could be implemented/ enabled independently (that is, these aspects are “loosely coupled”). We’ve examined an approach to embedded Linux security that deploys a hardware root of trust to provide secure execution of applications in a virtualized environment. We augment that approach by adding a MAC mechanism to provide enhanced protection to applications and processes at run time. On a system which requires and implements all the capabilities provided in this architecture, a thorough analysis must be performed to ensure an appropriate security policy is in place to deploy the SELinux capabilities efficiently. An unnecessarily comprehensive and restrictive policy could hamper the overall performance and will increase the system’s memory footprint. The performance of the Hypervisor is also the key in this approach, as it’s the layer that arbitrates the interactions among the processes in each guest domain. . Jim Ready (jready@mvista.com) is the founder and chief technical officer of MontaVista Software. Hadi Nahari (hnahari@mvista.com) is the chief security architect at MontaVista Software. ACAL - Your LANTRONIX EMBEDDED ETHERNET & WIRELESS NETWORKING for demos, p ro duc t i nfo, pricing and technical suppor t find your local AC AL office at DISTRIBUTOR for SPECIALIST Serial-to-WiFi device server • Affordable embedded 802.11 b/g wireless networking • Wired Ethernet-to-wireless bridging • IEEE 802.11i-PSK,WPA-PSK, TKIP • Optional 256-bit AES end-to-end encryption Serial-to-Ethernet compact device server • 256-bit AES encryption for secure communications • Web-enable virtually any electronic device SOLUTIONS. Serial-to-Ethernet gateway module • Integrated module with RJ45 featuring dedicated networking SoC • Up to 230 Kbps data rate www.acal.co.uk G E R M A N Y • N E T H E R L A N D S • B E L G I U M • F R A N C E • I TA LY U K • S PA I N • N O R WAY • D E N M A R K • F I N L A N D • S W E D E N 022-023-024-025-026-027_ESDE.ind27 27 12/10/07 10:27:18 http://www.acal.co.uk http://www.acal.co.uk
Table of Contents Feed for the Digital Edition of Embedded Systems Design Europe - October 2007 Embedded Systems Design Europe - October 2007 Contents Linux Set to Dominate Torvalds Updates Linux Kernel ARM Establishes Smart Card Foundry Program Emerson Buys Motorola's Embedded Comms Group LynuxWroks and TTTech to Cooperate on Avionics MontaVista CEO Looks for Acquisitions in Europe Ready: Multiprocessing Technology Provides Opportunity Automotive to Drive MCU Market New Supporters Join COM Express Group Analyst Weighs TI Versus Xilinx Versus PicoChip Cover Feature: Embedded Systems Security Has Moved to the Forefront Trace Exposes the Toughest Real-Time Bugs Employ a Secure Flavor of Linux Use an MCU's Low-Power Modes in Foreground/Background Systems Transporting Video Over Wireless Networks New Products Advertising Contacts Embedded Systems Design Europe - October 2007 Embedded Systems Design Europe - October 2007 - Embedded Systems Design Europe - October 2007 (Page 1) Embedded Systems Design Europe - October 2007 - Embedded Systems Design Europe - October 2007 (Page 2) Embedded Systems Design Europe - October 2007 - Contents (Page 3) Embedded Systems Design Europe - October 2007 - Contents (Page 4) Embedded Systems Design Europe - October 2007 - Contents (Page 5) Embedded Systems Design Europe - October 2007 - ARM Establishes Smart Card Foundry Program (Page 6) Embedded Systems Design Europe - October 2007 - ARM Establishes Smart Card Foundry Program (Page 7) Embedded Systems Design Europe - October 2007 - LynuxWroks and TTTech to Cooperate on Avionics (Page 8) Embedded Systems Design Europe - October 2007 - Ready: Multiprocessing Technology Provides Opportunity (Page 9) Embedded Systems Design Europe - October 2007 - Analyst Weighs TI Versus Xilinx Versus PicoChip (Page 10) Embedded Systems Design Europe - October 2007 - Analyst Weighs TI Versus Xilinx Versus PicoChip (Page 11) Embedded Systems Design Europe - October 2007 - Cover Feature: Embedded Systems Security Has Moved to the Forefront (Page 12) Embedded Systems Design Europe - October 2007 - Cover Feature: Embedded Systems Security Has Moved to the Forefront (Page 13) Embedded Systems Design Europe - October 2007 - Cover Feature: Embedded Systems Security Has Moved to the Forefront (Page 14) Embedded Systems Design Europe - October 2007 - Cover Feature: Embedded Systems Security Has Moved to the Forefront (Page 15) Embedded Systems Design Europe - October 2007 - Cover Feature: Embedded Systems Security Has Moved to the Forefront (Page 16) Embedded Systems Design Europe - October 2007 - Trace Exposes the Toughest Real-Time Bugs (Page 17) Embedded Systems Design Europe - October 2007 - Trace Exposes the Toughest Real-Time Bugs (Page 18) Embedded Systems Design Europe - October 2007 - Trace Exposes the Toughest Real-Time Bugs (Page 19) Embedded Systems Design Europe - October 2007 - Trace Exposes the Toughest Real-Time Bugs (Page 20) Embedded Systems Design Europe - October 2007 - Trace Exposes the Toughest Real-Time Bugs (Page 21) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 22) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 23) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 24) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 25) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 26) Embedded Systems Design Europe - October 2007 - Employ a Secure Flavor of Linux (Page 27) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 28) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 29) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 30) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 31) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 32) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 33) Embedded Systems Design Europe - October 2007 - Use an MCU's Low-Power Modes in Foreground/Background Systems (Page 34) Embedded Systems Design Europe - October 2007 - Transporting Video Over Wireless Networks (Page 35) Embedded Systems Design Europe - October 2007 - Transporting Video Over Wireless Networks (Page 36) Embedded Systems Design Europe - October 2007 - Transporting Video Over Wireless Networks (Page 37) Embedded Systems Design Europe - October 2007 - Transporting Video Over Wireless Networks (Page 38) Embedded Systems Design Europe - October 2007 - New Products (Page 39) Embedded Systems Design Europe - October 2007 - New Products (Page 40) Embedded Systems Design Europe - October 2007 - New Products (Page 41) Embedded Systems Design Europe - October 2007 - New Products (Page 42) Embedded Systems Design Europe - October 2007 - Advertising Contacts (Page 43) Embedded Systems Design Europe - October 2007 - Advertising Contacts (Page 44)
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.