Enclaves in Real-Time Operating Systems
Alex Thomas
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2021-134
May 15, 2021
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.pdf
With the growing popularity of edge computing and Internet of Things (IoT) devices, there is an increased need for secure computation on embedded devices. Typically, embedded devices have a heterogeneous environment and lack the general security protections available to hosts in the cloud. As more third-party libraries and applications are run on embedded devices, we face the risk of a system compromise that even the device's RTOS kernel cannot protect against. There is a need for creating Trusted Execution Environments (TEEs) on embedded devices; however, many current TEEs have expensive hardware requirements. We propose using Keystone, a framework for creating customizable TEEs, on RISC-V architectures. The hardware requirements for creating TEEs in Keystone are generally met by standard RISC-V devices, since RISC-V already provides PMP registers, the basis of Keystone's isolation. We propose using Keystone with FreeRTOS to implement a module in FreeRTOS for creating efficient and dynamic TEEs on embedded devices. We introduce ERTOS, a new module for FreeRTOS that allows the creation of secure tasks that can be attested and strongly isolated from other tasks using Keystone's security monitor. ERTOS exposes an easy-to-use API that allows developers to create and run enclave-protected tasks. ERTOS adds negligible performance overhead for computation-intensive tasks inside an enclave and introduces optimizations that make inter-task communication more efficient.
BibTeX citation:
@mastersthesis{Thomas:EECS-2021-134,
    Author = {Thomas, Alex},
    Title = {Enclaves in Real-Time Operating Systems},
    School = {EECS Department, University of California, Berkeley},
    Year = {2021},
    Month = {May},
    Url = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.html},
    Number = {UCB/EECS-2021-134},
    Abstract = {With the growing popularity of edge computing and Internet of Things (IoT) devices, there is an increased need for secure computation on embedded devices. Typically, embedded devices have a heterogeneous environment and do not have general security protections compared to hosts on the cloud. As we see more third-party libraries and applications being run on embedded devices, we face the risk of system compromise that even the device's RTOS kernel cannot protect. There is a need for creating Trusted Execution Environments (TEEs) on embedded devices; however, many current TEEs have expensive hardware requirements. We propose using Keystone, a framework for creating customizable TEEs, on RISC-V architectures. The hardware requirement for creating TEEs in Keystone are generally available on standard RISC-V devices as RISC-V already provides PMP registers, the basis of Keystone's isolation. We propose using Keystone with FreeRTOS to implement a module in FreeRTOS for creating efficient and dynamic TEEs on embedded devices. We introduce ERTOS, a new module to FreeRTOS that allows the creation of secure tasks that can be attested and strongly isolated from other tasks using Keystone's security monitor. ERTOS exposes an easy-to-use API that allows developers to create and run enclave-protected tasks. ERTOS adds negligible performance overhead for computation-intensive tasks inside an enclave and introduces optimizations to allow inter-task communication to be more efficient.},
}
EndNote citation:
%0 Thesis
%A Thomas, Alex
%T Enclaves in Real-Time Operating Systems
%I EECS Department, University of California, Berkeley
%D 2021
%8 May 15
%@ UCB/EECS-2021-134
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-134.html
%F Thomas:EECS-2021-134