Genode - OS security by design

FOSDEM 2015

Most provisions against the steadily growing threats posed by malware, viruses, and directed attacks fight symptoms rather than addressing the root of the problem, which lies in the operating system. Genode is an open-source OS technology that promises to give an answer to those threats. By organizing the system as nested sandboxes and consistently applying the principle of least privilege, it protects the privacy of the user and renders most classes of malware ineffective. The talk will be presented on a Genode-based system, which allows the concepts to be demonstrated live during the talk.

The effects of malware and client-side attacks seem to have become a prevalent part of our interconnected world and increasingly affect individuals, businesses, and governmental institutions alike. The topic has even managed to capture the attention of mainstream media, prompting vocal calls for countermeasures. Governments invest large sums in forming cyber-defense departments. Computer users are urged to invest money in anti-virus software and install a steady stream of security updates. However, those actions are merely reactive: they fight symptoms and relieve the problem rather than solving it. For example, none of those measures is effective against zero-day exploits.

The root of the problem is not the "dumb user", "outdated anti-virus software", or "cyber terrorists", but the antiquated way in which today's operating systems are structured, how they implement security, and the chaotic way in which software components are allowed to interact with each other.

Genode is an operating-system architecture that promises to prevent most classes of security problems by design. Genode-based systems are created out of surprisingly simple primitives: each program runs in a dedicated sandbox and is granted only those rights and resources that are needed for its actual task. Programs can create and manage sub-sandboxes out of their own resources, thereby forming hierarchies in which policies can be enforced at each level. Furthermore, programs are able to communicate and trade their resources, but only in a well-defined manner. Thanks to this rigid regime, the attack surface of security-critical functions can be reduced by orders of magnitude compared to contemporary operating systems.
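The hierarchy described above, modelled as an added Python example (not Genode's own code; the sandbox names, service names, route table and quota figures are constructed for illustration): a child can only be created out of its parent's own quota, and a service request is judged by every parent on the path to the provider, so a sandbox cannot hand out a right it does not hold itself.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a sandbox asks for more than its parent is willing to give."""


@dataclass
class Sandbox:
    name: str
    quota: int                   # resource quota this sandbox still owns outright
    routes: dict                 # service name -> "local" (we provide it) or "parent"
    parent: Sandbox | None = None
    children: dict = field(default_factory=dict)

    def spawn(self, name: str, quota: int, routes: dict) -> Sandbox:
        """Create a sub-sandbox paid for out of our own quota; no overcommit."""
        if quota > self.quota:
            raise PolicyViolation(f"{self.name}: cannot delegate {quota}, only {self.quota} left")
        self.quota -= quota
        child = Sandbox(name, quota, routes, parent=self)
        self.children[name] = child
        return child

    def request(self, service: str, requester: str | None = None) -> str:
        """Resolve a service request; every parent on the path applies its own policy."""
        requester = requester or self.name
        route = self.routes.get(service)
        if route == "local":
            return f"{service}@{self.name}"          # a session to our own service
        if route == "parent" and self.parent is not None:
            return self.parent.request(service, requester)
        raise PolicyViolation(f"{self.name}: no route for '{service}' requested by {requester}")


def demo() -> dict:
    """Constructed scenario: init -> browser (no network route) -> plugin (asks for network)."""
    init = Sandbox("init", 256, {"LOG": "local", "Nic": "local"})
    browser = init.spawn("browser", 64, {"LOG": "parent"})
    plugin = browser.spawn("plugin", 16, {"LOG": "parent", "Nic": "parent"})
    out = {"plugin_log": plugin.request("LOG")}     # forwarded up two levels to init
    for key, action in (("plugin_nic", lambda: plugin.request("Nic")),
                        ("overcommit", lambda: browser.spawn("helper", 100, {}))):
        try:
            action()
            out[key] = "granted"
        except PolicyViolation as err:
            out[key] = str(err)                     # policy stops it at the browser level
    out["quota_left"] = (init.quota, browser.quota)
    return out
```

The plugin's network request is refused by the browser, not by init, because the browser never received a network route to delegate; likewise the browser cannot spawn a child larger than what remains of its own quota.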

This sounds pretty academic, but there exists an open-source implementation in the form of the Genode OS Framework showing that those ideas translate to a general-purpose OS. In line with the Unix philosophy, this framework is a collection of small building blocks out of which complex systems can be composed. But unlike Unix, those building blocks include not only applications but all classical OS functionality, including kernels, device drivers, file systems, and protocol stacks.

During the talk, we will see several of those compositions demonstrated, hinting at the vast flexibility the architecture provides. At present, this makes Genode a rich playground for OS enthusiasts. The ultimate goal, however, is a fully-fledged operating system that protects the user's privacy and data, and relieves us of worrying about malware, virus infections, and directed attacks. The talk will show how Genode renders various classes of malware pointless and how the Genode developers envision the migration path from current-generation OSes to Genode.

Speakers: Norman Feske