Enclaves in Real-Time Operating Systems

Alex Thomas

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2021-134
May 15, 2021

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.pdf

With the growing popularity of edge computing and Internet of Things (IoT) devices, there is an increased need for secure computation on embedded devices. Typically, embedded devices have a heterogeneous environment and do not have general security protections compared to hosts on the cloud. As we see more third-party libraries and applications being run on embedded devices, we face the risk of system compromise that even the device's RTOS kernel cannot protect. There is a need for creating Trusted Execution Environments (TEEs) on embedded devices; however, many current TEEs have expensive hardware requirements. We propose using Keystone, a framework for creating customizable TEEs, on RISC-V architectures. The hardware requirement for creating TEEs in Keystone are generally available on standard RISC-V devices as RISC-V already provides PMP registers, the basis of Keystone's isolation. We propose using Keystone with FreeRTOS to implement a module in FreeRTOS for creating efficient and dynamic TEEs on embedded devices. We introduce ERTOS, a new module to FreeRTOS that allows the creation of secure tasks that can be attested and strongly isolated from other tasks using Keystone's security monitor. ERTOS exposes an easy-to-use API that allows developers to create and run enclave-protected tasks. ERTOS adds negligible performance overhead for computation-intensive tasks inside an enclave and introduces optimizations to allow inter-task communication to be more efficient.


BibTeX citation:

@mastersthesis{Thomas:EECS-2021-134,
    Author = {Thomas, Alex},
    Title = {Enclaves in Real-Time Operating Systems},
    School = {EECS Department, University of California, Berkeley},
    Year = {2021},
    Month = {May},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.html},
    Number = {UCB/EECS-2021-134},
    Abstract = {With the growing popularity of edge computing and Internet of Things (IoT) devices, there is an increased need for secure computation on embedded devices. Typically, embedded devices have a heterogeneous environment and do not have general security protections compared to hosts on the cloud. As we see more third-party libraries and applications being run on embedded devices, we face the risk of system compromise that even the device's RTOS kernel cannot protect. There is a need for creating Trusted Execution Environments (TEEs) on embedded devices; however, many current TEEs have expensive hardware requirements. We propose using Keystone, a framework for creating customizable TEEs, on RISC-V architectures. The  hardware requirement for creating TEEs in Keystone are generally available on standard RISC-V devices as RISC-V already provides PMP registers, the basis of Keystone's isolation. We propose using Keystone with FreeRTOS to implement a module in FreeRTOS for creating efficient and dynamic TEEs on embedded devices. We introduce ERTOS, a new module to FreeRTOS that allows the creation of secure tasks that can be attested and strongly isolated from other tasks using Keystone's security monitor. ERTOS exposes an easy-to-use API that allows developers to create and run enclave-protected tasks. ERTOS adds negligible performance overhead for computation-intensive tasks inside an enclave and introduces optimizations to allow inter-task communication to be more efficient.}
}

EndNote citation:

%0 Thesis
%A Thomas, Alex
%T Enclaves in Real-Time Operating Systems
%I EECS Department, University of California, Berkeley
%D 2021
%8 May 15
%@ UCB/EECS-2021-134
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.html
%F Thomas:EECS-2021-134