Skip navigation
2009

Unintended software interactions are bugs, or at least potential bugs. They're among the most difficult problems to diagnose and correct because the pre-conditions may be difficult to reproduce. Such bugs are annoying in Personal Computers used for office work, but may form the basis for dangerous failures when present in embedded systems that control cars, planes, heavy equipment, pacemakers and many other applications.

 

One solution restricts software interactions to the lowest levels of the systems software and formalized inter-process communications. This is most often achieved by some level of virtualization. Limiting inter-process communications to formalized queues, deques, stacks, and the like reduces the amount of software that needs to be proven correct. This in turn reduces the opportunity for software failure to corrupt memory. While a software-only option is an improvement over no virtualization, Intel® VT hardware for Virtual Machine Monitors (VMM) moves key aspects of virtualization into hardware. Doing so reduces the amount of software that can cause interactions and restricts interactions to very specific, controlled types based on the operating software. Intel Virtualization Technology provides hardware capabilities that enable simpler and more robust VMM designs. It allows for total VMM separation from each VM by creating a new privileged ring structure. Inter-process communications are then managed at or below the VMM level.

 

Conceptually, software interactions may be controlled by the generic methods of Virtual Machine partitioning. Under this system a Hypervisor controls dispatching OSes and applications. Inter-process communications and physical resources such as peripherals are managed by well defined and controlled APIs.

 

74i30C1D1FC2CE9D04C

 

LynuxWorks®,  an Affiliate member of the Intel® Embedded and Communications Alliance (Intel ECA) offers several variations on Linux ranging from a hard real-time operating system to BlueCat® Embedded Linux - a Linux OS enhanced for embedded systems. LynuxSecureTM from LynuxWorksTM offers technical facilities that protect against memory leaks, runaway indexed memory addresses, other memory faults and I/O conflicts. By using the intrinsic qualities of a VMM and Intel's® Virtualization Technology, LynuxSecure partitions eliminate the possibility for memory faults overwriting data or code space in another partition. VM partitioning reduces unintended software interaction.

 

LynxSecure relies on a hypervisor to create a virtualization layer. This layer of abstraction maps physical system resources to each guest operating system. Each guest operating system is assigned dedicated resources, such as memory, CPU time and I/O peripherals. LynxSecure isolates each virtual instance (guest operating system) by providing hardware protection to every partition and its own virtual addressing space. Resource availability, such as memory and processor-execution resources, is guaranteed to each partition. Therefore no software can fully consume the scheduled memory or time resources of other partitions. LynxSecure supports simultaneous use of system interfaces, including multiple instances of the same or different operating systems in different partitions.

 

An Intel VT capable processor such as an Intel core-2 Duo forms the Hardware base of the platform. For processors that support Trusted eXecution Technology (TXT), additional safeguards may be used. The hardware platform is controlled by VT technology which secures the platform during boot using TXT and if appropriate, Trusted Boot (tboot). Conceptually software interactions may be controlled by the generic methods of VM partitioning. Under this system a Hypervisor controls dispatching OSs and applications.

There are other products available from Intel® ECA  members that can aid in reducing the opportunity for unintended software interactions. For example, Intel ECA Affiliate Real Time Systems GmbH's Real-Time Hypervisor provides basic partitioning for standard OSes. Another Intel ECA Affiliate Green Hills® Software offers its IntegrityTM OS in several configurations dealing with a variety of systems needs. Wind River's Hypervisor also supports VM partitioning enabling designers to separate multiple software applications. This minimizes the potential of unwanted software interactions. Wind River is an Associate member of Intel ECA.

 

VMs hold the possibility of isolating legacy software to isolate existing applications and their occasional bad behavior (relative to other applications) so that systems may continue operating in the face of faults.

 

Intel's Virtualization Technology offers promise for a new way of developing software. Like top-down step-wise refinement of the early 70s, the ability to virtualize user interfaces, non-realtime functions, and realtime operations can compartmentalize design and implementation parameters. Abstraction has proven to be a powerful design and implementation approach for many different technologies, including software. A major side effect of pragmatic abstraction is reduction in unwanted software interactions.

 

I think that virtualization can fundamentally change the way in which we design and implement embedded systems. What do you think?

 

In 1976 I was developing software and hardware for medical test equipment that helped ophthalmologists diagnose eye diseases and prescribe glasses. Few of us worried about keeping the patients' information confidential on the equipment. That changed in just a few short years. Embedded modems and serial connections joined embedded processors to enable a whole new set of solutions - and risks - for a wide variety of machines that we didn't think of. The ubiquitous Automated Teller Machine (ATM) became practical through the combination of slow speed modems and embedded computing, as did retail Point of Sale Systems (POS). Most of these systems were originally based on one-off Operating Systems (OSes) that were more simple dispatchers and schedulers at best.  This made hacking the system more complex: to hack each unique system required a unique attack. But as systems complexity increased, developers selected a different development path: combine standardized OS software to provide common functions with application-specific software to enable the product features.

 

With many of the commonly used Operating Systems and BIOSes available as Freeware or Open Source, hackers have a head start looking for vulnerabilities. These vulnerabilities can be minimized by employing secured systems such as Intel®'s Trusted Execution Technology(TXT). TXT provides a mechanism for loading and executing only trusted code, such as a Virtual Machine Monitor (VMM) or OS, even if there is malware present, the BIOS has become compromised, or an active attack on the loading process is underway. The specific behavior of TXT depends on the launch control policy. If a compromised BIOS is present in the system, the loading process stops. No security system can guarantee absolute security under all conditions - every system can be compromised given the right conditions, and with adequate time and money. But, TXT provides some critical operations in hardware to increase the level of difficulty encountered when trying to hack the system.

 

In the figure below, TXT is used to validate the VMM before it is loaded. If the VMM code is unchanged from a known good copy, the loading continues. Otherwise, loading is halted. 

68i6D59EEA74573AAB1

 

The Intel Trusted Execution Technology Software Development Guide uses the term measurement frequently. Using Intel's definition of "measuring software" means that the system must process (hash) the executable code, obtaining results that are unique to that specific code. Differences in hash codes indicate that changes have occurred in the executable code. A cryptographic hash algorithm meets these needs and is used to hash all critical software including BIOS and the operating kernel. The result is a hash code of a length that ensures a low probability of a modified piece of critical software matching the hash code of the unmodified software.

 

Hacking difficulty is further complicated by the crypto key stored inside a microcontroller within the embedded system and never presented to the outside world. This microcontroller is called the Trusted Platform Module (TPM).  The TPM  securely stores passwords and digital keys and certificates that can provide unique identification, among other things.  The TPM, depending on the platform chipset, is either a discrete IC or it is integrated into the chipset itself.  A TPM-resident co-processor performs cryptographic operations such as key generation, encryption/decryption, hashing, and random number generation.

 

Green Hills Software INTEGRITY Secure Virtualization Technology and RTOS (Real Time Operating System) use the underlying security capabilities of Intel's VT-capable processors to provide multiple virtualized guests on the same core, such as Windows and Linux, while providing an evironment for secure, realtime applications. According to David Kleidermacher, CTO of Green Hills Software, "by using the hardware capabilities of VT-enabled Intel processors, INTEGRITY is able to guarantee the highest levels of security."  INTEGRITY-based platforms, used in military/aerospace,  infotainment, critical control systems, and financial/banking, are already certified to the highest software criticality slevels, including the FAA's DO-178B Level A and Common Criteria Evaluation Assurance Level EAL 6+. Green Hills Software is an Affiliate member of the Intel® Embedded and Communications Alliance (Intel® ECA).

67i608172610A6105CF

Real Time Systems GmbH, another Intel® ECA affiliate, takes a different approach. By virtualizing the processor or processors in an application platform, Real Time Systems enables multiple OSes to run simultaneously and independent of each other. Virtualization technology separates OS operations and applications programs in a series of partitions that are protected from each other. RTS Real-Time Hypervisor provides real time performance with no added latencies. Designers gain the ability to mix several different operating systems including Windows XP, Windows CE, QNX, Linux, On Time RTOS-32, VxWorks, Microware OS-9, and Pharlap ETS. Communications between tasks may be configured via a virtual network using standard TCP/IP protocol or a shared memory space.

 

Using the hardware-based root of trust enabled by TXT provides designers with new trust alternatives: many software components can be removed from the trust chain and platform configuration checks are performed and values locked.

 

While I've addressed a high level overview of how you can provide increased security for embedded computer-based data, there may be other uses for the TXT technology. As presented here, TXT is used to ensure a trustable load of a load process, VMM, and/or OS kernel. What other applications of the technology can you imagine? I'd like to hear your thoughts.

Message Edited by Henry-Davis on 08-11-2009 04:57 AM
Most microcontrollers, DSPs or other types of embedded processors boot pretty fast, typically in the order of a couple hundred milliseconds or less. But if you're using an Intel® Architecture processor and running a standard BIOS, boot times are measured in seconds. This can be a showstopper for some embedded applications, like a military battlefield device, where a long boot time could put troops in jeopardy.

 

Why does a standard PC BIOS take so long to boot? Because it's a one-size-fits-all solution that supports a wide range of system configurations, legacy interfaces and other bells and whistles.  The BIOS is one of the features that drove the remarkable plug-and-play PC environment.  Yet, this universal approach isn't needed for some embedded devices that have a well bounded set of peripherals and run a limited number of applications, such as a network appliance whose only I/O are Ethernet ports and status LEDs - It boots from FLASH and doesn't have storage, a display, a keyboard or a mouse, etc. In these cases, you can implement a slimmed-down BIOS that's platform-specific and delivers sub-second boot times.

 

Slimming down the BIOS.

 

For a good starting point, see how Intel engineers carved up a BIOS written for the Intel® AtomTM processor. They cut 10 seconds off the boot time by making ten straightforward modifications to the BIOS code, bringing it down from nearly 12 to under 2 seconds. The biggest bang for the buck came from turning off debugging and removing BIOS setup (i.e., hot keys that terminate the boot process), which saved over 5 seconds. Those ten changes are listed in the table below, and all the details are in a white paper at http://download.intel.com/design/intarch/papers/320497.pdf.

 

boot.JPG

 

A BIOS alternative?

 

A commercial alternative to the BIOS is available from QNX Software Systems, an Associate member of the Intel® Embedded and Communications Alliance (Intel® ECA).  QNX trains engineers to boot IA-based systems in as little as 200 milliseconds using their QNX® fastboot technology. It's based on the QNX IPL (Initial Program Loader) that replaces a traditional BIOS to achieve an "instant-on" capability. QNX claims that a fastboot-based system will boot significantly faster than a BIOS-based system because designers select or discard boot steps based on their particular hardware configuration. Engineers tailor the platform initialization sequence using a QNX IPL start-up kit and a board support package (BSP) for the Intel Atom processor and the QNX Neutrino® RTOS. David Green, software developer at QNX, shows how this was done in a video and explains what the IPL does and doesn't do at  http://www.youtube.com/watch?v=yTUweJKAUfk.

 

The fastboot approach does require some amount of developer time unless it has already been implemented by the board supplier or operating system vendor. If becoming a BIOS engineer isn't your ambition, QNX can provide services to customize an IPL specifically for your device.

 

When boot times greater than one second are still too long, why not avoid booting altogether and just put the system in sleep mode when not in use? Kontron, a Premier member of Intel ECA, and QNX have shown how they can wake up an Intel Atom processor from a zero power sleep state to full operation in milliseconds. This approach uses the S5 sleep state (off) instead of power consuming sleep modes (S1 - S4) as described in http://edc.intel.com/Download.aspx?id=2140.

 

"The versatility of BIOS-based systems is not required in the embedded applications targeted by the Intel Atom based platforms, so it seems a waste to incur the boot time cost when no benefit is gained," says Christine Van De Graaf, Product Marketing Manager at Kontron.

 

Before ditching a full featured BIOS, consider the time and engineering effort it saves, especially if you have various hardware configurations and devices to support.  Moreover, the do-it-yourself approach may necessitate poking into some special function registers in order to turn on processor and chipset features.  Removing the BIOS isn't for everyone, but for those who need to make booting nearly imperceptible, there are workable options. 

 

Will it be long before most board vendors offer quick boot software as part of their standard offering?  Anyone care to offer an opinion? 

 

Message Edited by Felix_M on 08-05-2009 01:32 PM
Message Edited by Felix_M on 08-06-2009 06:27 AM
Message Edited by Felix_M on 08-10-2009 10:24 AM