Who actually has control over your systems?
For critical or sensitive applications, most standard software is unsuitable: vulnerabilities allow attackers to gain control, and security updates entail adjustments and downtime. Our component-based platform enables robust systems in which critical software is protected by formally proven components.
We are a young, owner-operated company. As a spin-off from the Chair of Privacy and Data Security at TU Dresden, we have a strong focus on current research questions.
Our mission is the construction of secure IT systems that are ready for a connected world. To achieve this goal we develop the Componolit open source platform. We focus on two applications: a trusted operating system for mobile devices and the security of industrial applications.
Due to the vast number of functional requirements, software is constantly getting bigger and more complex. This increases the likelihood of exploitable vulnerabilities. Because of the monolithic architecture of our current systems, an attack on one part can spread to other, critical parts.
The Componolit platform relies on a component-based architecture which runs applications in isolation by default. Legacy software can be reused through various compatibility layers and is protected by trustworthy, formally verified components.
Industrial control systems often have a lifetime of several decades. At the same time, Industry 4.0 and IoT bring the Internet and networked IT to this domain. Security holes and monthly patch cycles are the rule here.
By combining trusted filters, execution environments for legacy software and the parallel execution of different software versions, the Componolit platform enables long-term stable operation of industrial applications.
Smartphones are as vulnerable as they are useful. The next careless click may result in the loss of confidential data, financial damage or attacks on other devices. The reasons are archaic system architectures and development methods in the face of ever more complex requirements.
The Componolit platform offers maximum security to end users without restricting the usability of their devices.
Componolit: A Platform for Trustworthy Systems
Due to the vast number of functional requirements, software is constantly getting bigger and more complex. At the same time, more devices are connected to the Internet and reachable remotely. This increases the likelihood of exploitable vulnerabilities. Attacks on one part can spread to another critical part because of the monolithic architecture of our current systems.
The Componolit platform implements a component-based architecture based on the Genode OS Framework. Applications run isolated from each other by default and can access resources only when granted by a policy. Device drivers, file systems, network stacks and other services which make monolithic kernels very complex and error prone are executed as separate, unprivileged applications.
Legacy software may be reused by means of compatibility layers, which are protected by trusted, formally verified components.
Welcome to the Past.
But why is the development of secure devices such a big challenge? The first fully programmable computer was built over 70 years ago. Since then, computer-controlled probes have explored other planets and autonomous cars are no longer pure fiction. One would assume that computer science would have managed to produce robust systems by now.
The world of IT systems is extremely fast-paced. New hardware that is pushed onto the market every day entails implementing device drivers and adapting existing software. At the same time, user requirements and thus applications are becoming more diverse. As a result, ever more complex software must be developed in an ever shorter time frame.
Many of the languages and system architectures we apply to meet these requirements are more than 50 years old. Widespread unsafe programming languages barely help developers avoid programming errors and routinely lead to critical vulnerabilities.
Unfortunately, the equally outdated monolithic architectures we use today hardly protect from the propagation of those errors. A flaw in one part of a system will often compromise the security of other parts. Furthermore, it is much harder to find and eliminate errors in large and complex software.
Consequently, with each added feature our systems become a little less secure. Manufacturers trying to improve the situation with timely security updates failed due to the high overhead. Vendors hardening their monolithic software were also affected by critical bugs in the past. Software which is developed privately is particularly vulnerable, as it receives fewer reviews and less external testing.
With the techniques of the 1970s, we will not be able to solve tomorrow's security problems.
Secure Systems Engineering!
As long as there is a business case or another motivation, attackers will bring devices under their control to misuse them for their own purposes. It is highly unlikely, though, that authorities will be able to put a stop to those criminal activities any time soon. Our only chance to protect ourselves is to use systems that are far more robust and secure than those we have today.
An effective design pattern for robust systems is the component-based architecture. Software components are executed in isolation, interact exclusively through well-defined interfaces, and only with components they are permitted to communicate with. As errors cannot spread between components directly, it is possible to implement trustworthy proxy services. While those critical services must be correct, errors in untrusted components have no security implications.
Isolation is typically achieved by a microkernel, which is reduced to resource management, isolation of processes and inter-process communication. Due to its limited functionality and small size, it can be tested for errors thoroughly or even mathematically proven.
The security of a component-based system depends not only on the microkernel, but above all on the correctness of the trusted components. To ensure their correctness in our platform, we integrate the SPARK secure programming language with the Genode OS Framework.
SPARK is a language that avoids many programming errors by construction: it uses safe constructs like strong typing and forbids unsafe ones like implicit type conversion. Properties of the software can be formally verified at different levels using the SPARK toolset, from correct initialization and data flow, through the absence of run-time errors, up to the functional correctness of algorithms.
Do you trust your smartphone?
As the center of our digital lives, smartphones help us to manage appointments, send e-mail or share private documents. We use them for online shopping, to take photos or make friends. There are endless possibilities. Switch on the heating while not at home? Transfer money on the go? Start the engine of your car? No problem with a smartphone these days.
Unfortunately, it is very risky to use these devices for such sensitive tasks. Attackers may gain full control, steal documents or credit card information, send text messages, blackmail users, or hold data for ransom. Besides loss of privacy and business secrets, attacks may result in financial damages or serve as a starting point for attacks on other smart devices.
So far, there are no effective counter-measures to protect smartphones. Experts shift responsibility to the users and call for caution when opening files and links, up-to-date antivirus software and regular backups. While backups are crucial, they do not protect from data theft or financial consequences. Antivirus programs increasingly become part of the problem rather than the solution due to their far-reaching privileges, lack of effectiveness, and their own vulnerabilities.
Ultimately, users are on their own with that risk. But can end users really be expected to recognize dangerous links and files themselves? We do not think so.
The development of a secure mobile platform bears enormous challenges. Despite increased security, the system needs to maintain good usability. For the acceptance and viability of a platform, the availability of relevant applications is indispensable. Compatibility with software from well-known app stores is thus an important goal.
In addition to isolated software components, a trustworthy mobile platform needs to partition the hardware to protect from malicious peripherals. In current mobile devices, the application processor often shares memory with the baseband processor which allows for direct attacks from radio networks. Other network-facing devices like WiFi chipsets have had similar issues. Hence, an important research question is the design and verification of well-defined interfaces between networking peripherals and the application processor which enforce well-formedness and a strict security policy.
Beyond compatibility and trustworthiness of the platform, questions related to power management need to be analyzed right from the beginning to allow for usable devices.
The Android mobile operating system dominates the mobile devices market. A main goal is therefore the support of the Android API, such that Android applications can be run unmodified. This requires research on:
- Combining the communication models of Android and the component-based Genode OS Framework
- Creating a lightweight Android-compatible environment from the Android runtime
- Providing Android core services on the Genode OS framework
The tight integration of application processor with networking peripherals allows attackers to gain full control over the system from external networks. Research to prevent such attacks includes:
- Analysis of the effects of separating previously tightly integrated hardware
- Definition of secure channels between the application processor and the peripherals
- Creation of verified components to enforce security policies
Mobile devices will not be well-received if their battery life does not meet user expectations under normal conditions. In this regard, component-based systems offer interesting possibilities for optimizing energy management:
- How can software components be saved and terminated quickly?
- How can power management functions of the CPUs be integrated into the component-based platform?
Further Research Questions
Component-based systems are most trustworthy if security-relevant parts are implemented in isolated components that are as small as feasible to facilitate verification. The following questions related to software separation are examined:
- Which parts of the software are security-relevant?
- How can these parts be identified efficiently?
- How can an optimization towards a small Trusted Computing Base be achieved?
- Can such an optimization trade between component size and communication cost?
Software built for robustness, like your machines.
In the past, industrial systems were largely isolated from external networks, making existing vulnerabilities harder to exploit. This has changed with the increasing number of remote maintenance interfaces, but especially with the integration of external applications in the course of Industry 4.0.
The operating system and applications on control computers are seen as an integral part of an industrial system. While industrial systems continue to function unaltered for years, the software is usually outdated and contains vulnerabilities that software vendors no longer fix.
This results in new risks that were less critical in previous isolated networks: Software vulnerabilities and inadequate filtering in new external Industry 4.0 applications may allow attackers to gain access to industrial networks. This can disrupt operation, damage the equipment, or result in loss of confidential data.
Trying to reduce the risk by regular updates poses another challenge. Updates to the operating system often require restarting services or the entire device. In addition, updates may imply adjustments to applications, resulting in further downtime. Often a system must be re-certified after an operating system update, if this is at all envisaged by the manufacturer.
The Componolit platform combines a number of strategies to minimize these risks. Application-specific trusted filters protect the communication with external systems. Virtualization and stable interfaces enable legacy software to run securely in parallel to new components.
Protection from Attacks
Older applications in particular often lack security functions such as authentication, encryption or a concept of user roles that are standard in modern software today. As they assume only local, trusted communication partners, many programs validate their input insufficiently. Attackers can exploit these weaknesses to gain control over the software and thus over the industrial system.
On the Componolit platform, software that cannot be upgraded is protected by trusted components. The interaction with these components is done through a local interface governed by the microkernel. Towards the network, the component acts as an intermediary which can, for example, retrofit missing encryption or validate protocols and discard invalid messages that a weak application would not expect.
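The following is an added example, not Componolit's or Genode's code, illustrating both the trusted-filter idea described here and the SPARK contracts mentioned in the section on secure systems engineering. It assumes a hypothetical length-prefixed message format (one command byte, one payload-length byte, payload) constructed for the example; the package name `Message_Filter` and the two command codes are likewise assumptions. The filter forwards a message to the legacy side only if it is well-formed, and the postcondition on `Forward` is what the SPARK prover would have to discharge, so that "nothing malformed reaches the legacy application" becomes a checked property rather than a code review note.

```ada
--  Added example (not Componolit code): a trusted filter component in SPARK
--  that validates a constructed, hypothetical message format before the
--  message is handed to a legacy application that does not validate input.
pragma SPARK_Mode (On);

package Message_Filter is

   type Byte is mod 2 ** 8;
   --  Two header bytes plus at most 256 payload bytes (length is one byte).
   type Index is range 1 .. 258;
   type Byte_Array is array (Index range <>) of Byte;

   --  Command codes assumed for the example; a real filter would take these
   --  from the legacy protocol's specification.
   Cmd_Read  : constant Byte := 16#01#;
   Cmd_Write : constant Byte := 16#02#;

   Header_Length : constant := 2;

   --  A message is well-formed when it is long enough to hold the header,
   --  carries a command the legacy application actually implements, and its
   --  declared payload length equals the number of payload bytes present.
   --  Since Msg'Length >= 2 is checked first, Msg'First + 1 is in range.
   function Is_Well_Formed (Msg : Byte_Array) return Boolean is
     (Msg'Length >= Header_Length
      and then Msg (Msg'First) in Cmd_Read | Cmd_Write
      and then Natural (Msg (Msg'First + 1)) = Msg'Length - Header_Length);

   --  Forward copies Msg to Out_Msg only if it passes the check. The
   --  postcondition states, and the SPARK prover verifies, that Passed is
   --  exactly the well-formedness verdict and that a forwarded message is
   --  unchanged. Non-forwarded messages leave Out_Msg zeroed.
   procedure Forward (Msg     : Byte_Array;
                      Out_Msg : out Byte_Array;
                      Passed  : out Boolean)
     with Pre  => Out_Msg'Length = Msg'Length,
          Post => Passed = Is_Well_Formed (Msg)
                  and then (if Passed then Out_Msg = Msg);

end Message_Filter;

package body Message_Filter is

   procedure Forward (Msg     : Byte_Array;
                      Out_Msg : out Byte_Array;
                      Passed  : out Boolean) is
   begin
      Passed := Is_Well_Formed (Msg);
      if Passed then
         Out_Msg := Msg;
      else
         --  Drop the message: the legacy side never sees malformed input.
         Out_Msg := (others => 0);
      end if;
   end Forward;

end Message_Filter;
```

The check deliberately rejects anything the legacy protocol would not expect, including unknown command codes and messages whose declared length disagrees with the bytes received; a filter that only checked the length would still let an unexpected command through. Because the property lives in the contract rather than only in the body, changing the body later without preserving it causes a proof failure instead of a silent regression.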
Stable Application Platform
Components are loosely coupled through so-called sessions on the Componolit platform. When a component needs a particular service, it asks its parent process for a suitable session. The parent connects it to a matching session provider without revealing the provider's identity.
This local view allows components with compatible sessions to be recombined as needed. Even different software versions can be executed simultaneously in separate subtrees of the system. By means of filter components, a translation between old and new interfaces can be realized transparently, without changing existing software.
The concept enables long-term stable systems, in which subsystems operate unchanged while parts of the system get modified. The platform offers various adaptation layers for legacy software. Unmodified operating systems, Android apps, and Java applications run virtualized. POSIX and Qt applications can be recompiled to the platform.
Koenigsbruecker Strasse 124
Phone: +49 351 417241990
Based in Dresden