{"id":50487,"date":"2018-09-26T14:02:06","date_gmt":"2018-09-26T14:02:06","guid":{"rendered":"http:\/\/www.sickgaming.net\/blog\/2018\/09\/26\/building-security-into-linux-based-azure-sphere\/"},"modified":"2018-09-26T14:02:06","modified_gmt":"2018-09-26T14:02:06","slug":"building-security-into-linux-based-azure-sphere","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2018\/09\/26\/building-security-into-linux-based-azure-sphere\/","title":{"rendered":"Building Security into Linux-Based Azure Sphere"},"content":{"rendered":"
<\/div>\n

It\u2019s still a bit unsettling to see a Microsoft speaker at a Linux Foundation conference. Yet, at the recent <\/span>Linux Security Summit<\/span><\/a>, Ryan Fairfax, Microsoft\u2019s head of OS development for Azure Sphere, quickly put the audience at ease with his knowledge of tuxified tech. His presentation on \u201cAzure Sphere: Fitting Linux Security in 4 MiB of RAM\u201d fits into the genre of stories in which developers are challenged to strip down their precious code to the spartan essentials for IoT. <\/span><\/span><\/p>\n

As we saw last year in Michael Opdenacker\u2019s presentation about <\/span>reducing the Linux kernel and filesystem<\/span><\/a> for IoT, Linux can be made to run — just barely — in as little as 4MB of RAM. That was Microsoft\u2019s target for Azure Sphere OS, the open source Linux-based distribution at the heart of <\/span>the <\/span>Azure Sphere<\/span><\/a> platform for IoT. Azure Sphere also includes a proprietary crypto\/secure boot stack called the <\/span>Microsoft Pluton Security Subsystem, which <\/span>runs on an MCU, as well an Azure Sphere <\/span>Security Service, a turnkey cloud service\u00a0for secure device-to-device and device-to-cloud communication.<\/span><\/span><\/p>\n

Last week, Seeed launched the first dev kit for Azure Sphere. The <\/span>Azure Sphere MT3620 Development Kit<\/span><\/a> <\/span>features MediaTek\u2019s MT3620, a 500MHz Cortex-A7\/Cortex-M4F hybrid SoC that runs\u00a0the lightweight Azure Sphere OS on a single -A7 core. The SoC\u2019s 4MB of RAM is the only RAM on Seeed\u2019s Grove compatible dev board. Other SoC vendors besides MediaTek will offer their own Cortex-A\/Cortex-M SoCs for Azure Sphere, says Microsoft.<\/span><\/span><\/p>\n

Major shrinkage<\/span><\/span><\/h3>\n

Fitting an entire Linux stack into 4MB was a tall order considering that \u201cmost of us hadn\u2019t touched Linux in 10 years,\u201d said Fairfax. Yet, the hard part of creating Azure Sphere OS was not so much the kernel modification, as it was the development of the rest of the stack. This includes the custom Linux Security Module, which coordinates with the Cortex-M4\u2019s proprietary Pluton security code using a mailbox-based protocol. <\/span><\/span><\/p>\n

\u201cWe decided early on to go with Linux,\u201d said Fairfax. \u201cMost of our changes to the kernel were small, and the core Linux features \u2018just worked\u2019 even with limited resources. That\u2019s a credit to the effort of the community and flexibility of the kernel.\u201d<\/span><\/span><\/p>\n

Fairfax\u2019s team started working on Azure Sphere in secret in 2016 after struggling to convince Microsoft leadership that working with a Linux kernel \u201cwas viable,\u201d said Fairfax. The project was unveiled in April 2018, and the first public preview will be released soon.<\/span><\/span><\/p>\n

One of the main goals of Azure Sphere was to bring security to the MCU world where \u201csecurity is basically nonexistent,\u201d said Fairfax. Microsoft somewhat confusingly refers to the MediaTek MT3620 as an MCU rather than an application processor due to its inclusion of Cortex-M4 MCU cores. In part, this may be a marketing ploy since Microsoft intends to compete directly with the Cortex-M oriented <\/span>Amazon FreeRTOS<\/span><\/a>.<\/span><\/span><\/p>\n

Sign up to receive updates on Open Source Summit and ELC+OpenIoT Europe: <\/span><\/em><\/p>\n

Azure Sphere OS sits on top of the MCU\u2019s Pluton stack, architecturally speaking, and the base layer is a security stack based on Arm TrustZone. This is followed by the custom Linux kernel, which in turn is topped by a cloud services update connectivity layer. The top level is for POSIX and real-time I\/O app containers.<\/span><\/span><\/p>\n

The custom kernel is currently based on mainline Linux 4.9. Patches are merged upstream every month, and there are plans to upgrade to LTS branches yearly.<\/span><\/span><\/p>\n

The first step in reducing the kernel was \u201cto avoid putting text into memory,\u201d said Fairfax. To do this, the OS depends a lot on <\/span>Execute-In-Place<\/span><\/a> (XiP) technology, which is commonly integrated in MCU flash controllers. \u201cXiP lets you take a flash region and map it into the address space in read only, but also in a mode where you can execute it as code.\u201d<\/span><\/span><\/p>\n

In addition, \u201cwe tuned the kernel to make things modular so we could turn things off,\u201d explained Fairfax. \u201cWe tuned cache sizes and patched to tweak default sizes.\u201d <\/span><\/span><\/p>\n

The team turned off a lot of the memory tracking options and things like <\/span>kallsyms<\/span><\/a>. <\/span>They reluctantly cut sysfs, which saved almost 1MB, but for Fairfax was the coder equivalent of the writer\u2019s challenge to <\/span>kill your darlings<\/span><\/a>. In the end, <\/span>much of the kernel space was taken up by the network stack and hardware drivers.\u201d<\/span><\/span><\/p>\n

A lightweight Linux Security Module <\/span><\/span><\/h3>\n

Initially, the Azure Sphere OS team tried using SSH server with a fixed root password for security, but they quickly realized that this \u201cwas not going to cut it long term,\u201d said Fairfax. To reduce the attack surface, they experimented with different security models, including \u201cbaking things into the file system and leveraging set UID and SGID to create predictable environments.\u201d<\/span><\/span><\/p>\n

These approaches caused some IPC problems and were otherwise flawed because \u201cthey put all the burden at build time,\u201d said Fairfax. \u201cAny mistake would propagate through the system and leave you vulnerable.\u201d<\/span><\/span><\/p>\n

Fairfax and his team revisited existing Linux technologies that might help make permissions more granular and \u201ccreate a model where apps can access resources with the principle of least privilege,\u201d said Fairfax. They finally decided on a stripped-down version of the <\/span>Linux Security Model<\/span><\/a> (<\/span>LSM), a set of kernel extensions that \u201cwould reduce attack surface by taking certain features completely off the table. There\u2019s no shell or user account management, which really isn\u2019t relevant for an IoT device, and there\u2019s no sophisticated job and process management.\u201d<\/span><\/span><\/p>\n

Fairfax also added fields that created an app identity for every task. \u201cApplications and kernel modules can use these new fields for extended access control,\u201d said Fairfax. \u201cValues are immutable — once set, they inherit by default.\u201d<\/span><\/span><\/p>\n

The developers \u201cexperimented a lot with file systems,\u201d said Fairfax. They tried the read-only cramfs with XIP patches, as well as writable file systems like ext2, jfffs, and yaffs, but \u201cthey all took hundreds of kilobytes to initialize, or about 1\/16<\/span>th<\/span> of the total system memory available.\u201d In the end, they ported the ultra-lightweight <\/span>littlefs<\/span><\/a> from <\/span>Arm\u2019s Mbed OS to Linux as a VFS module.<\/span><\/span><\/p>\n

One problem with securing a Linux IoT device is that \u201cLinux treats the entire GPIO infrastructure as a single resource,\u201d said Fairfax. \u201cIn the real world not everything connected to your chip has the same sensitivity. I might have one GPIO pin that toggles an LED saying I\u2019m connected to the network, which is not super sensitive, but another GPIO might open the solenoid on my furnace to start gas flow, which is more worrisome.\u201d To compensate, the team added access control to existing features like GPIO to provide more granular access control.<\/span><\/span><\/p>\n

User and application model<\/span><\/span><\/h3>\n

If Azure Sphere\u2019s kernel is not radically different than any other extremely reduced Linux kernel, the user mode differs considerably. \u201cThe current Linux model is not designed for resource constrained environments,\u201d said Fairfax. \u201cSo we built a custom init called the application manager that loads apps, configures their security environments, and launches them. It\u2019s the only traditional process that runs on our system — everything else is part of an application.\u201d<\/span><\/span><\/p>\n

Azure Sphere applications are self describing and independently updatable. In fact, \u201cthey\u2019re actually their own independent file systems,\u201d explained Fairfax. \u201cThey run isolated from each other and cannot access any resource from another app.\u201d<\/span><\/span><\/p>\n

There are initially four pre-loaded system applications: network management, updates, command and control via USB, hardware crypto and RNG acceleration. GDBServer is optional, and OEMs can \u201cadd one or two apps that contain their own business logic,\u201d said Fairfax.<\/span><\/span><\/p>\n

One Azure Sphere rule is that \u201ceverything is OTA updatable and everything is renewable,\u201d said Fairfax. In addition, because \u201cquick OTA is critical\u201d in responding to new threats, the team is aiming for OTA security patch updates within 24 hours of public disclosure, a feat they achieved with the Crack virus. Microsoft will manage all the OS updates, but OEMs control their own app updates.<\/span><\/span><\/p>\n

The Microsoft team tried hard to find a way to run containers, including using LXC, but \u201cwe couldn\u2019t get it to fit,\u201d said Fairfax. \u201cContainers are great, but they have some serious RAM overhead.\u201d \u00a0They also tried using namespaces to create self-contained apps but found that \u201cmany peripherals such as GPIO don\u2019t play right with namespaces.\u201d<\/span><\/span><\/p>\n

For now, \u201cwe have pivoted off of containers and are focused on isolating apps and making sure that our permission model is sane,\u201d said Fairfax. \u201cWe ensure that a buffer overrun in an application only gives you what that application can already do. We build each app as its own file system so they mount or unmount as part of install or uninstall. There\u2019s no copying of files around for installation.<\/span><\/span><\/p>\n

\u201cEach application has metadata in the file system that says: \u2018Here\u2019s how to run me and here\u2019s what I need,\u201d continued Fairfax. \u201cBy default, all you get is compute and RAM — even network access must be declared as part of the manifest. This helps us reason about the security state and helps developers to do least privilege in apps.\u201d <\/span><\/span><\/p>\n

Future plans call for revisiting namespaces to create \u201csomething like a container,\u201d and there\u2019s a plan to \u201creduce cap_sys_admin or make it more granular,\u201d says Fairfax. He also wants to explore integrating parts of SELinux or AppArmor. More immediately, the team plans to upstream some of the work in memory improvements and file systems, which Fairfax says \u201care applicable elsewhere even if you\u2019re talking about something like a Raspberry Pi.\u201d<\/span><\/span><\/p>\n

You can find more information about Azure Sphere on Microsoft\u2019s <\/span>product page<\/span><\/a>, and you can watch the complete presentation below.<\/span><\/span><\/p>\n

[embedded content]<\/p>\n

Join us at\u00a0<\/span>Open Source Summit + Embedded Linux Conference Europe<\/span><\/a>\u00a0in Edinburgh, UK on October 22-24, 2018, for 100+ sessions on Linux, Cloud, Containers, AI, Community, and more.<\/span><\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

It\u2019s still a bit unsettling to see a Microsoft speaker at a Linux Foundation conference. Yet, at the recent Linux Security Summit, Ryan Fairfax, Microsoft\u2019s head of OS development for Azure Sphere, quickly put the audience at ease with his knowledge of tuxified tech. His presentation on \u201cAzure Sphere: Fitting Linux Security in 4 MiB […]<\/p>\n","protected":false},"author":2,"featured_media":50488,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-50487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-freebsd-unix"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/50487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=50487"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/50487\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/50488"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=50487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=50487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=50487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}