
Efficient Code Certification for Open Firmware
OASIS PI Meeting, Santa Rosa, California, August 19-21, 2002
ATC-NY * Architecture Technology Corporation, Cornell Business and Technology Park, 33 Thornwood, Suite 500, Ithaca, NY 14850, (607) 257-1975, (800) 672-1982


Presentation Transcript


  1. ATC-NY* Architecture Technology Corporation
     Efficient Code Certification for Open Firmware
     OASIS PI Meeting, Santa Rosa, California, August 19-21, 2002
     ATC-NY, Cornell Business and Technology Park, 33 Thornwood, Suite 500, Ithaca, NY 14850, (607) 257-1975, (800) 672-1982, http://www.atc-nycorp.com
     Matt Stillerman, matt@atc-nycorp.com
     *formerly, Odyssey Research Associates
     Not for Public Release

  2. Contributors
     • Dexter Kozen, Cornell
     • TJ Merritt, CodeGen
     • Frank Adelstein, ATC-NY
     • Kori Oliver, ATC-NY & Cornell
     • Dave Shifrin, Cornell
     • David Baca, ATC-NY

  3. Outline
     • Project Overview
     • Status
     • Accomplishments
       • Compilation of Java for Open Firmware
       • Working Java Device Driver Example
     • Plans

  4. Project Overview
     • Goal: Build a prototype of the BootSafe system.
     • Purpose: Detect and stop malicious firmware at boot time.
     • Scope: Malicious fcode (firmware) on platforms using Open Firmware.
     • Approach: Static verification of fcode programs
       • Verifier runs as part of Open Firmware boot system.
       • Enhanced Open Firmware API and Java support package.
       • Certifying compiler for Java to fcode.
     • DARPA Phase II SBIR
       • Initial prototype, December 2002
       • Enhanced prototype, December 2003

  5. Motivation
     • Boot program runs in privileged mode prior to the start of most security services.
       • Responsible for the initial integrity of the operating system.
       • Cornerstone of other security mechanisms.
     • Several routes for introduction of malicious boot firmware.
       • Exploitable by a well-funded adversary.

  6. Scope: Open Firmware
     • BootSafe will detect malicious fcode in Open Firmware-based systems.
     • Open Firmware is a widely used standard “platform” for boot firmware (IEEE-1275).
       • Standardizes the execution environment, the device API, the operating system API, and the user interface.
       • Popular because it enables reusability and portability of boot code.
     • Used by Sun Microsystems, Apple, and many embedded system vendors.
     • Used in DoD and US Government information systems.

  7. Open Firmware: Fcode Loading
     (diagram; labels: Boot Program, Fcode Interpreter, Fcode “Probe”, Peripheral Device, ROM Storage, Fcode programs, Other Software)

  8. Efficient Code Certification (ECC)
     • Technique that underlies our static verification.
     • Program is written in a high level language.
       • Language guarantees some safety properties.
       • Other desired properties would be easily checked.
     • Certifying compiler produces particularly well-structured executable.
       • Also produces a “certificate” that explains why the code is safe to run.
     • Verifier checks the validity of the explanation and its correspondence to the compiled code.
       • Proof checking is much easier than proof construction.

  9. ECC Applied to Open Firmware
     • We apply ECC-style verification to fcode modules compiled from Java. Will verify:
       • Basic safety properties: type safety, memory safety, jump safety, and stack safety.
       • Architecture appropriate for the intended role of the module within Open Firmware boot program.
     • Will focus on boot-time device drivers.
       • Dynamically loaded from peripheral devices at boot time.
       • Easily exploited method for introducing malicious code.
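The stack-safety and jump-safety checks named on slide 9, and the "proof checking is easier than proof construction" point of slide 8, as a toy added example (not BootSafe, SmartFirmware or ATC-NY code): a verifier for a constructed Forth-like stack ISA that re-checks a compiler-supplied certificate (the claimed operand-stack depth at every branch target) in one linear pass, rather than computing those depths itself. The instruction set, the certificate format and the `verify` function are all assumptions made here.

```python
# Toy ECC-style proof checker for a Forth-like stack machine (constructed; not BootSafe code).
from typing import Dict, List, Tuple
# stack effect (pops, pushes) of each straight-line opcode in the toy ISA
EFFECTS = {"lit": (0, 1), "add": (2, 1), "dup": (1, 2), "drop": (1, 0)}

def verify(code: List[Tuple], cert: Dict[int, int], max_depth: int = 8) -> Tuple[bool, str]:
    """Check stack and jump safety of `code` against `cert`, the compiler's claimed
    operand-stack depth at every branch target; one linear pass, no search."""
    depth = 0
    for pc, (op, *args) in enumerate(code):
        # the depth we arrive with must agree with any certified depth here
        if pc in cert and cert[pc] != depth:
            return False, f"pc {pc}: certified depth {cert[pc]}, actual {depth}"
        if op in EFFECTS:
            pops, pushes = EFFECTS[op]
            if depth < pops:
                return False, f"pc {pc}: {op} underflows the stack"
            depth += pushes - pops
            if depth > max_depth:
                return False, f"pc {pc}: stack depth {depth} exceeds {max_depth}"
            continue
        if op == "0branch":                      # Forth 0BRANCH consumes a flag
            if depth < 1:
                return False, f"pc {pc}: 0branch underflows the stack"
            depth -= 1
        if op in ("branch", "0branch"):
            target = args[0]
            # jump safety: target is an instruction boundary inside this module
            if not 0 <= target < len(code):
                return False, f"pc {pc}: jump target {target} is outside the code"
            # stack safety across the jump: target certified at the current depth
            if cert.get(target) != depth:
                return False, f"pc {pc}: target {target} not certified at depth {depth}"
        elif op == "ret":
            if depth != 0:
                return False, f"pc {pc}: ret with {depth} items left on the stack"
        else:
            return False, f"pc {pc}: unknown opcode {op!r}"
        if op != "0branch" and pc + 1 < len(code):   # code after branch/ret is
            if pc + 1 not in cert:                    # reachable only by a jump,
                return False, f"pc {pc + 1}: unreachable without certificate"
            depth = cert[pc + 1]                      # so take its depth from cert
    if code and code[-1][0] not in ("branch", "ret"):
        return False, "control falls off the end of the module"
    return True, "ok"

# constructed countdown loop 3,2,1; loop head (pc 1) and exit (pc 6) are certified
LOOP = [("lit", 3), ("dup",), ("0branch", 6), ("lit", -1), ("add",),
        ("branch", 1), ("drop",), ("ret",)]
LOOP_CERT = {1: 1, 6: 1}
```

A certificate that lies about a depth, a jump outside the module, an underflow, or a module that falls off its end is rejected with a message naming the offending pc; the verifier itself never has to discover loop invariants.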

  10. BootSafe Firmware Development
     (diagram; labels: Open Firmware Boot System, Java, Verifier, Interpreter, Certificate, JVM Bytecode, SW API, Fcode, J2F Compiler, BootSafe)

  11. Status
     • About 30% complete.
     • On track to achieve project objectives.

  12. Java Compilation (section title slide)

  13. Java Compilation
     • Eager class loading and initialization
     • Stack frames
     • Objects, arrays
     • Virtual method invocation
     • Separate compilation of system classes
     • In-line Forth code
     • Future:
       • Garbage collection
       • Exceptions
     • Not planned: Threads, Reflection

  14. Device Driver Example
     • PCI disk drive, emulated in SmartFirmware
     • Device driver
       • Written in Java
       • Compiled with J2F
       • Linked against a small subset of system classes
         • Java language support
         • Open Firmware API support
     • Equivalent in design to a driver written by hand in Forth
     • Boots and opens the device node

  15. Class Hierarchy (diagram)

  16. Plans
     • Near future:
       • Verifier, initial version.
       • Garbage collection.
       • Second example device.
       • Demo capabilities to Open Firmware platform vendors, device vendors, and end users.
     • Next year:
       • Enhanced “safe” API and more extensive Java support classes.
       • Reworked examples, using the new API.
       • Enhanced verifier.
