Secure Virtualization for Embedded Systems

Virtualization is the use of hypervisors or virtual machine monitors to support multiple virtual machines on a single real machine. Such a solution has important benefits, including increased hardware utilization and more flexible system management. Moreover, with a hypervisor providing an abstraction layer separating virtual machines from the real hardware, and isolating virtual machines from each other, many useful architectural possibilities arise. In particular, virtualization is a strong enabler for security both as a result of the isolation enforced by the hypervisor between virtual machines, and due to the hypervisors high-privilege suitability as a strong base for security services operating on the virtual machines.

System level virtualization, in particular, is interesting as it enables tight control of a complete execution environment on the target system.

There are, however, significant research challenges of both practical and theoretical nature. In particular, virtualization in the context of embedded or resource constrained deviceses is not well understood. As interconnection and integration increases in the emerging network of things, security threats are sure to migrate quickly to the embedded domain. Moreover, many of the deeper issues concerning the effect of the virtualization on performance and correctness, and how to effectively bridge the gap between application level and system level security remains unresolved. The group at the Theoretical Computer Science Department at KTH has been exploring related issues in the context of Java security for several years, and the aim is to explore this synergy for greater impact in both theory and practice.

The joint SICS-KTH research project has the following main objectives:

  • Design, modeling and analysis of new thin-hypervisor based security architectures for embedded platforms.
  • Proof of concept including benchmark figures on ”typical” hardware set ups.

This is project is a joint project with the Theoretical Computer Science Department at KTH (Mads Dam and Dilian Gurov).