Jo Van Bulck awarded by BELCLIV for his original contribution to ICT Security

JoVanBluckJo Van Bulck's MSc Thesis on 'Secure Resource Sharing for Embedded Protected Module Architectures' is awarded by BELCLIV for the original contribution to ICT Security.  This is the second award for Jo's Master thesis: in 2015 he also received the VASCO award.

 

 

 

 

Below the abstract of the award winning thesis.

Secure Resource Sharing for Embedded Protected Module Architectures

Small embedded devices are becoming omnipresent in our daily lives. Through the rise of wireless sensor networks, ubiquitous computing and the Internet of Things, lightweight extensible platforms are increasingly entrusted critical and privacysensitive tasks. Yet, to minimise production costs and power consumption, these devices commonly lack hardware support for conventional security measures, such as virtual memory and processor privilege levels.
In this respect, recent research on hardware-level Protected Module Architectures (PMAs) provides an alternative, very lightweight memory protection scheme. These systems allow the execution of security-critical code in protected modules that are isolated from the rest of the system, without relying on a trusted software layer to enforce this separation. While secluding software modules in their own hardwareenforced protection domains allows for strong security guarantees, it also limits their ability to securely share platform resources, such as CPU time or peripheral devices.
This master’s thesis explores the feasibility of supplementing the hardwareenforced security guarantees offered by the Sancus PMA with availability and access control guarantees for shared system resources. In contrast to a conventional Operating System (OS), an omnipotent kernel software layer is not introduced. The main contributions of this master’s thesis are twofold. First, a generic approach to encapsulate and control access to a shared platform resource is proposed. The approach is implemented and evaluated for a protected file system that can control access to either a shared memory buffer or a shared peripheral flash drive. Second, a secure multithreading model and an accompanying unprivileged scheduler implementation are presented. The scheduler controls access to the CPU time resource by interweaving the execution of logical threads that are conceptually isolated from each other and that might span multiple protection domains.
The work presented in this master’s thesis shows that embedded PMAs provide sufficiently strong hardware primitives to not only isolate software modules from each other, but also allow secure implementation of typical OS responsibilities.