Using Separation Kernel Technology to Architect & Develop a Secure Industrial IoT Gateway

04-06-2015 | By Will Keegan

Internet of Things gateways need to be interoperable, reliable and secure. One way to achieve this is by using separation kernel hypervisor technology which provides the tools to deal with all security vulnerabilities and real-time concerns, writes Will Keegan, Technical Director for Software Security at Lynx Software Technologies.

The “Internet of Things” (IoT) is a much-used phrase and one full of optimism and promise. This virtual connection of data from people, processes, and things offers a world of convenience, efficiency, and economic opportunity. To put that into perspective, one recent study suggested that the public sector alone could see as much as $4.6 trillion in IoT-related savings and revenues worldwide over the next decade.

The study looked at various ways interconnected systems are expected to improve employee productivity, reduce operating costs, use public resources more efficiently, and create new revenue streams for municipal and regional governments. It also factored in potential benefits that defence organisations around the globe might achieve through enhanced connectivity using next-generation communications systems.

Extrapolate that line of thinking throughout the private sector too, and the possibilities are as endless as they are exciting.

But history has taught us that where society makes changes for the benefit of the majority, we must always be wary of opportunists amongst us who will seek to disrupt it or take dishonest advantage of it. We will only reap the benefits of the IoT if we can build and sustain a trusted infrastructure to support it, and that includes the particularly challenging IoT gateway.

What is the IoT Gateway?

IoT infrastructure is generally comprised of four classes of computing devices – sensors, gateways, servers, and process control (figure 1). Sensors measure the state of a system, gateways gather data from the sensors and forward it to servers, and the servers analyse the data and make process control amendments.


Lynx-Fig-1

Figure 1. Even increasing interconnectivity makes it vital to ensure the trustworthiness of gateways rather than merely protecting the endpoints


The IoT gateway, therefore, primarily serves as a wireless aggregation point that collects IoT sensor data and forwards it. In essence, that is nothing new; wireless automation technology has been used by industrial applications for many years. The difference is that previously it was typically bundled in proprietary systems and deployed behind private wireless networks where the biggest threat to them came from the physical accessibility of the endpoints. Often, this was by the very people who would want to meddle with their results: customers interfering with their smart meter, for example, to reduce their energy bill or re-enable a terminated supply.

The IoT vision aims to broaden the scope of interoperability and expand connectivity throughout cities and potentially the world to improve efficiency and safety in systems like energy distribution and traffic control. As part of that extended scope, these endpoints are now being connected to each other and to remote machines via the Internet and are thus exposed to any number of additional, less localised threats. Particularly in a safety-critical industrial setting, it is therefore vital to ensure the trustworthiness of the gateway between networks rather than merely protecting the endpoints.

The Requirements and Challenges of IoT Gateway Functionality

There are several key technical attributes required by effective IoT gateways if they are to support the goals of the IoT whilst countering the threats to it.

  • Access a high level of interoperability coupled with standard network protocol support to provide the most flexibility in supporting connectivity between different types of sensor devices from different vendors
  • Deploy edge and mesh computing techniques to accommodate data analysis closer to the sensors, offering more lightweight deployment and reducing the wasted bandwidth of distributing sensor data up into the cloud
  • Provide generic platform services by hosting applications that require access to specific subsets of raw physical data from a broad set of sensors detecting information such as local temperature, traffic speed, and parking availability
  • Leverage deterministic computing capabilities to service timing-sensitive applications, such as robotic assembly lines and industrial processes
  • Be capable of certification to standards such as IEC 61508
  • Be autonomous, reliable, and capable of remote management to minimise physical handling
  • Be carefully designed so that the flexibility offered by a large variety of interfaces and network protocols, exposed deployments, complex software, and connectivity cannot serve as the gateway to malicious attacks 

Problems with Monolithic Architectures

Such a combination of desirable features presents significant challenges for traditional embedded designs using COTS-embedded operating systems, particularly concerning interoperability, high availability, and high security. Traditional embedded designs rely on monolithic architectures, such that applications are hosted by a single operating system, and all I/O support, management controls, and security controls are integrated into the operating system kernel.

Such a monolithic construction presents a fragile single point of failure. Hosting all applications, I/O handling, and management functions in the same space means that any failure in security policy or kernel coding can jeopardise the security and availability of the whole system. In particular, it is difficult to provide a strong degree of separation between co-located applications and hence ensure the privacy and availability of other applications.

Because the gateway needs to provide such a wide range of functionality, it is impossible to find a single operating system which is optimal for all of them. For example, with a monolithic design, all sensor and network interfaces drivers and I/O stack support must be built into the operating system kernel. If drivers do not exist for the selected OS, it can be difficult to support all varieties of desired sensor support and network interfaces, even if it is optimal in other ways.

Finally, due to highly complicated interdependencies of functionality in monolithic operating systems, the ability to patch or upgrade kernel functionality while maintaining platform operation is highly limited, especially where updates require platform reboots.

Separation Kernel Hypervisor (SKH) and the IoT Gateway

Separation kernel hypervisor COTS software technology is designed to focus on managing physical resources in support of modular composition. The SKH approach allows the subdivision and modularisation of applications, I/O, management functions, and security controls. Separation kernel hypervisors are designed to provide system architects with precise control over all forms of communication and allocation of time and resources, thus providing the tools to deal with all security vulnerabilities and real-time concerns.

SKHs offer the ability to run multiple variants of guest operating systems or even bare metal applications concurrently on the same platform (figure 2). This allows the optimal solution to be selected for each function.


Lynx-Fig-2

Figure 2. Combining the optimal security of a separation kernel with the practicality of a hypervisor offers a great deal of flexibility in IoT gateway design.


Through virtualisation, a SKH gateway design can offer a system supporting multiple “subjects”. For example, a particular design might deploy:

  • Timing critical applications such as load-balancing and failover protocols run in a real-time operating system,
  • Data handling capabilities are provided by a more general purpose, feature-rich operating system, and
  • Bare metal “trusted” applications with minimal application overhead provide extremely high performance or high assurance functionality

Virtualisation is a key capability in dealing with interoperability challenges and plays a key role in supporting edge computing and platforms as a service, allowing analysis tools and tenants to use any operating systems and applications best suited for the target task.

Of the various virtualisation techniques available, hardware virtualisation is particularly appealing because it leverages the capabilities of the CPU. That provides not only the strongest available degree of isolation, but also facilitates a tiny SKH footprint. SKHs tend to be ten to hundreds of times smaller than monolithic operating systems.

Such a small footprint helps considerably with any certification requirement for safety certification to standards such as IEC 61508, especially where artefacts are available and established. A small footprint also means that the trusted code base of the system as a whole is kept to a minimum, hence reducing vulnerability to malicious attack.

Isolation and robustness are assured as a result of the ability to closely control the partitioned hardware resources allocated to each subject and to control explicit execution schedules for guest operating systems and bare-metal applications. SKHs can therefore guarantee the availability of a system, ensuring any critical application can never be pre-empted or starved by competing applications.

Conclusions

Separation Kernel Hypervisors are not a new concept. Some examples have been in service for almost a decade, where they have been proven and certified in specialist applications such as military security. The fact that they are so ideally suited to the relatively new requirement of IoT gateway design and yet are already proven in very demanding applications makes them very appealing indeed.

Using the virtualisation and bare-metal application capabilities, and relying on the isolation and deterministic properties of an SKH, platforms can be constructed out of a variety of software modules where individual functions of the platform can run in independent partitions and simple interfaces between modules can be defined so that the state of the system is well defined and understood.

Monolithic architectures still have their place in such configurations, and indeed COTS embedded operating systems may well find a place as subjects within an SKH framework. The ability to select the ideal such architecture for each element of the gateway and yet guarantee isolation between them contributes to such an appealing overall package.

With the use of a Separation Kernel Hypervisor and modular design techniques, IoT gateway developers have many options for building highly interoperable, reliable, secure, and sustainable solutions using low cost COTS components.

LYNX_logo.png

By Will Keegan

Will Keegan is the product manager of the LynxSecure separation kernel at Lynx Software Technologies. He takes on the challenging roles of enhancing the virtualisation and security features of his product, raising the assurance level of the security-critical codebase, and enhancing the product artifacts and development infrastructure to support security evaluations. Will earned his BS degree at the University of Texas in Austin, where he focused on general-purpose microprocessor design and compiler optimisations.