
Research On High-trusted Architecture Of Embedded Operating Systems

Posted on: 2011-08-27   Degree: Doctor   Type: Dissertation
Country: China   Candidate: X Yang   Full Text: PDF
GTID: 1118360308465851   Subject: Computer application technology
Abstract/Summary:
With the rapid development of embedded systems, embedded real-time systems have become the core control component in many security- and safety-critical applications, where a failure can result in loss of life, significant property damage or damage to the environment. Well-known examples exist in avionics, nuclear systems, medical devices and military systems. Embedded systems for avionics and military use typically host many applications at different security levels, i.e. with multi-level security (MLS); such systems are referred to here as Embedded Security and Safety Critical Systems with MLS (MLS-ESCS). As Internet and software technology have been widely applied in MLS-ESCS, software failures, defects and attacks on software have become the bottleneck of these systems, so improving the trustworthiness of MLS-ESCS is increasingly important. As a crucial measure for doing so, the high-trusted architecture of the embedded operating system has become a hot topic.

This dissertation systematically analyzes the existing approaches to improving the trustworthiness of MLS-ESCS and finds three shortcomings: 1) they cannot simultaneously satisfy several trusted attributes, such as security, safety and real-time behaviour; 2) they do not support MLS; 3) they increase the complexity of the operating system, which then becomes too complicated to be verified at a high assurance level. To resolve these problems, the author studies the trustworthiness attributes and, taking the embedded trusted operating system as the basis, systematically investigates the high-trusted technologies and theory of MLS-ESCS. The main work and contributions are as follows:

(1) The definition and attributes of trusted computing are investigated in depth. To improve the trustworthiness of MLS-ESCS, the author summarizes the limitations and shortcomings of existing high-trusted technology in embedded operating systems and proposes a definition of the embedded trusted operating system.

(2) A high-trusted architecture of embedded operating system, called Hades, is proposed to satisfy multiple high-trusted attributes and to support MLS in MLS-ESCS. The approach is based on temporal and spatial isolation and a partition mechanism: the whole system is divided into a few subsystems of different criticality, and applications at different security levels run in different partitions, separated from one another. Even if one partition is attacked or fails, the remaining partitions continue to work unaffected.

(3) The Hades architecture permits sharing and exchange of information and data between partitions, but only a limited provision exists for accessing another partition's information. To assure the confidentiality of information and data, a strict information flow control (IFC) mechanism and model are presented. Under the IFC mechanism, all communication between partitions at different security levels is strictly controlled and authorized by the trusted separation kernel (TSK) of Hades. Experimental results show that IFC manages and controls all information flow between partitions, which verifies that the mechanism is effective. In addition, it adds only a small amount of code to the TSK, so the approach does not prevent the TSK from being certified at a high assurance level.

(4) To resolve the CPU scheduling problem in the Hades architecture, a static scheduling model based on periodic partitions and a dynamic scheduling model based on bounded-delay partitions are presented. Based on these models, the author presents a two-level scheduling mechanism using a priority bitmap algorithm and two scheduling policies for the tasks inside a partition: rate-monotonic (RM) and earliest-deadline-first (EDF) scheduling. The scheduling conditions and schedulability of the tasks are studied theoretically, and schedulability conditions for the tasks are proposed. Experimental results confirm that the proposed scheduling models and conditions are correct.

(5) A layered framework for security and safety policies is proposed to support the security and safety of MLS-ESCS simultaneously. Through the security service partition, the system administrator can manage, configure, tailor and extend the policies. A mandatory access control mechanism is provided to realize the security policies, and a safety model based on a finite state machine (FSM) realizes the safety policies. Finally, the dissertation takes a nuclear power control system as the example and studies an FSM-based implementation of the safety policy, which can also be used by other safety-critical devices.

At present, research on embedded trusted operating systems is at an initial stage of development and many problems remain open. The architecture of the trusted embedded operating system and the related technologies and mechanisms presented in this dissertation may provide new techniques and ideas for the development of trusted embedded operating systems.
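The partition isolation of contribution (2) and the kernel-mediated information flow control of contribution (3) can be illustrated with the following added example, written for this page and not taken from the dissertation or from Hades. It models a toy trusted separation kernel: every partition carries a security label, only statically configured channels exist at all, and a message is copied into the receiver's private buffer only when the receiver's label dominates the sender's. The dominance rule (a Bell-LaPadula style no-write-down check), the partition names, the labels and the channel table are assumptions made for illustration; the abstract does not state the dissertation's exact flow model.

```c
/* Added example (not the dissertation's code): a toy trusted separation kernel
 * (TSK) that mediates every message between partitions. Labels, partition
 * names and the channel table are invented; the dominance rule is a
 * Bell-LaPadula style "no write-down" check assumed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NPART   4
#define MSG_MAX 32

/* Security label = hierarchical level plus a bit set of compartments. */
typedef struct { uint8_t level; uint8_t comps; } label_t;

typedef struct {
    const char *name;
    label_t     label;
    uint8_t     inbox[MSG_MAX];   /* private to this partition: spatial isolation */
    size_t      inbox_len;
} partition_t;

static partition_t parts[NPART] = {
    { "sensor",    {0, 0x0}, {0}, 0 },   /* unclassified data acquisition */
    { "nav",       {1, 0x1}, {0}, 0 },   /* secret, compartment A */
    { "mission",   {2, 0x3}, {0}, 0 },   /* top secret, compartments A and B */
    { "telemetry", {0, 0x0}, {0}, 0 },   /* unclassified downlink */
};

/* Static channel table: a (from, to) pair absent here cannot communicate at all. */
typedef struct { int from, to; } channel_t;
static const channel_t channels[] = { {0, 1}, {1, 2}, {2, 1}, {0, 3}, {2, 3} };
#define NCHAN (sizeof channels / sizeof channels[0])

/* Does label a dominate label b, i.e. may data labelled b flow to a? */
static int dominates(label_t a, label_t b) {
    return a.level >= b.level && (b.comps & ~a.comps) == 0;
}

static int channel_exists(int from, int to) {
    for (size_t i = 0; i < NCHAN; i++)
        if (channels[i].from == from && channels[i].to == to) return 1;
    return 0;
}

enum { TSK_OK = 0, TSK_ENOCHAN = -1, TSK_EFLOW = -2, TSK_ESIZE = -3 };

/* The single entry point through which one partition can reach another:
 * channel table first, then the flow policy, then a copy into the receiver. */
static int tsk_send(int from, int to, const uint8_t *msg, size_t len) {
    if (from < 0 || from >= NPART || to < 0 || to >= NPART || from == to) return TSK_ENOCHAN;
    if (!channel_exists(from, to))                       return TSK_ENOCHAN;
    if (!dominates(parts[to].label, parts[from].label))  return TSK_EFLOW;  /* write-down refused */
    if (len > MSG_MAX)                                   return TSK_ESIZE;
    memcpy(parts[to].inbox, msg, len);   /* copy; the sender's memory is never shared */
    parts[to].inbox_len = len;
    return TSK_OK;
}

static size_t tsk_inbox_len(int p) { return parts[p].inbox_len; }

static const char *tsk_strerror(int rc) {
    switch (rc) {
    case TSK_OK:      return "delivered";
    case TSK_ENOCHAN: return "no such channel";
    case TSK_EFLOW:   return "information flow denied";
    default:          return "message too large";
    }
}

int main(void) {
    const uint8_t msg[] = "heading 270";
    int pairs[][2] = { {0, 1}, {1, 2}, {2, 1}, {2, 3}, {1, 0}, {0, 3} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        int rc = tsk_send(pairs[i][0], pairs[i][1], msg, sizeof msg - 1);
        printf("%-9s -> %-9s: %s\n", parts[pairs[i][0]].name,
               parts[pairs[i][1]].name, tsk_strerror(rc));
    }
    return 0;
}
```

Running it shows the two distinct refusals: nav to sensor fails because no channel is configured, while mission to nav and mission to telemetry fail even though channels exist, because the receiver's label does not dominate the sender's. The check lives in one small function on the kernel side of the boundary, which is what keeps the verifiable part of the TSK small.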
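For the two-level scheduling of contribution (4), the following added example (not the dissertation's code) shows a static major frame that assigns fixed windows to periodic partitions, a priority bitmap from which the highest-priority ready task of the active partition is picked, and the classic utilization tests for RM (the Liu and Layland bound) and EDF applied to the tasks of one partition. The window table, task periods and execution times are invented, and the two utilization tests are the textbook conditions for a task set that owns the whole processor, not the partition-aware conditions the dissertation derives, which the abstract does not state.

```c
/* Added example (not the dissertation's code): a two-level scheduler.
 * Level 1: a static major frame gives fixed windows to periodic partitions.
 * Level 2: inside the active partition a priority bitmap picks the task.
 * Plus the classic RM and EDF utilization tests for a single partition's
 * tasks. Window table, periods and execution times are invented. */
#include <stdint.h>
#include <stdio.h>

#define MAJOR_FRAME 20          /* ticks per major frame */
#define NPARTITIONS 2
#define NWINDOWS    3

typedef struct { int partition; int start, end; } window_t;  /* [start,end) inside the frame */

/* Partition 0 owns [0,8) and [14,20); partition 1 owns [8,14). */
static const window_t windows[NWINDOWS] = { {0, 0, 8}, {1, 8, 14}, {0, 14, 20} };

/* Level 1: which partition owns the CPU at absolute tick t (-1 in a gap). */
static int partition_at(int t) {
    int phase = t % MAJOR_FRAME;
    for (int i = 0; i < NWINDOWS; i++)
        if (phase >= windows[i].start && phase < windows[i].end) return windows[i].partition;
    return -1;
}

/* Fraction of the major frame owned by partition p. */
static double partition_share(int p) {
    int ticks = 0;
    for (int i = 0; i < NWINDOWS; i++)
        if (windows[i].partition == p) ticks += windows[i].end - windows[i].start;
    return (double)ticks / MAJOR_FRAME;
}

/* Level 2: ready queue as a bitmap; bit k set = a task of priority k is ready, 0 = highest. */
static void rq_set(uint32_t *ready, int prio)   { *ready |=  (1u << prio); }
static void rq_clear(uint32_t *ready, int prio) { *ready &= ~(1u << prio); }

/* Highest-priority ready task = lowest set bit (a real kernel uses ctz/clz here). */
static int rq_pick(uint32_t ready) {
    for (int k = 0; k < 32; k++)
        if (ready & (1u << k)) return k;
    return -1;
}

typedef struct { int partition, prio; } pick_t;

/* Combined decision: the window picks the partition, its bitmap picks the task. */
static pick_t sched_pick(int t, const uint32_t *ready) {
    pick_t r = { partition_at(t), -1 };
    if (r.partition >= 0) r.prio = rq_pick(ready[r.partition]);
    return r;
}

/* RM priority of task i: rank of its period, shortest period = priority 0. */
static int rm_priority_of(const int *period, int n, int i) {
    int rank = 0;
    for (int j = 0; j < n; j++)
        if (period[j] < period[i] || (period[j] == period[i] && j < i)) rank++;
    return rank;
}

static double utilization(const int *wcet, const int *period, int n) {
    double u = 0.0;
    for (int i = 0; i < n; i++) u += (double)wcet[i] / period[i];
    return u;
}

/* Liu & Layland bound n(2^(1/n) - 1); the n-th root of 2 is found with Newton's
 * method so that no libm is needed. Sufficient, not necessary, for RM. */
static double rm_ll_bound(int n) {
    double x = 1.5;
    for (int it = 0; it < 60; it++) {
        double xn1 = 1.0;                        /* x^(n-1) */
        for (int k = 1; k < n; k++) xn1 *= x;
        x -= (xn1 * x - 2.0) / (n * xn1);
    }
    return n * (x - 1.0);
}

static int rm_schedulable(const int *wcet, const int *period, int n) {
    return utilization(wcet, period, n) <= rm_ll_bound(n);
}

/* EDF with implicit deadlines on a dedicated processor: U <= 1 is exact. */
static int edf_schedulable(const int *wcet, const int *period, int n) {
    return utilization(wcet, period, n) <= 1.0;
}

int main(void) {
    uint32_t ready[NPARTITIONS] = { 0, 0 };
    rq_set(&ready[0], 3); rq_set(&ready[0], 1); rq_set(&ready[1], 0);
    for (int t = 0; t < MAJOR_FRAME; t += 2) {
        pick_t p = sched_pick(t, ready);
        printf("tick %2d: partition %d, task prio %d\n", t, p.partition, p.prio);
    }
    rq_clear(&ready[0], 1);
    printf("after prio-1 task of partition 0 finishes: prio %d\n", sched_pick(0, ready).prio);
    const int wcet[] = {3, 2, 2}, period[] = {10, 5, 20};
    printf("share(0)=%.2f U=%.2f LL(3)=%.3f RM ok=%d EDF ok=%d prio(task1)=%d\n",
           partition_share(0), utilization(wcet, period, 3), rm_ll_bound(3),
           rm_schedulable(wcet, period, 3), edf_schedulable(wcet, period, 3),
           rm_priority_of(period, 3, 1));
    return 0;
}
```

The last line of the output is the point of the two utilization tests: a set with U = 0.8 fails the RM bound for three tasks (about 0.78) but passes the EDF condition, which is why a partition may be configured with either policy. Keep in mind that partition 0 only owns 70 % of the frame, so even a passing EDF test here says nothing about deadlines inside the partition; that is exactly the gap the dissertation's own schedulability conditions address.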
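The FSM-based safety policy of contribution (5) can be shown with the following added example, which is not the dissertation's nuclear power case study and not its code. The policy is a transition table for a simplified reactor controller: any (state, event) pair not in the table is refused and the controller stays where it is, an over-temperature event from any state forces an emergency shutdown (SCRAM) that can only be left through a manual reset, and a plant command such as withdrawing the control rods is permitted only in the states where it is safe. The states, events, table and command rule are all invented for illustration.

```c
/* Added example (not the dissertation's code): a safety policy as a finite
 * state machine for a simplified reactor controller. States, events and the
 * transition table are invented for illustration. */
#include <stddef.h>
#include <stdio.h>

typedef enum { S_SHUTDOWN, S_STARTUP, S_AT_POWER, S_SCRAM, S_COUNT } state_t;
typedef enum { E_START, E_POWER_REACHED, E_STOP, E_OVERTEMP, E_RESET, E_COUNT } event_t;

#define NO_TRANSITION (-1)

/* next_state[state][event]; NO_TRANSITION marks a forbidden pair.
 * OVERTEMP always lands in SCRAM; SCRAM is left only through RESET. */
static const int next_state[S_COUNT][E_COUNT] = {
    /*               START          POWER_REACHED  STOP           OVERTEMP  RESET         */
    /* SHUTDOWN */ { S_STARTUP,     NO_TRANSITION, NO_TRANSITION, S_SCRAM,  NO_TRANSITION },
    /* STARTUP  */ { NO_TRANSITION, S_AT_POWER,    S_SHUTDOWN,    S_SCRAM,  NO_TRANSITION },
    /* AT_POWER */ { NO_TRANSITION, NO_TRANSITION, S_SHUTDOWN,    S_SCRAM,  NO_TRANSITION },
    /* SCRAM    */ { NO_TRANSITION, NO_TRANSITION, NO_TRANSITION, S_SCRAM,  S_SHUTDOWN    },
};

static const char *state_name[S_COUNT] = { "SHUTDOWN", "STARTUP", "AT_POWER", "SCRAM" };
static const char *event_name[E_COUNT] = { "START", "POWER_REACHED", "STOP", "OVERTEMP", "RESET" };

typedef struct { state_t state; int rejected; } controller_t;

static controller_t controller_init(void) { controller_t c = { S_SHUTDOWN, 0 }; return c; }

/* Apply one event. Returns 1 if the transition is legal, 0 if refused
 * (state unchanged, violation counted). Out-of-range events are refused too. */
static int controller_step(controller_t *c, event_t e) {
    if ((unsigned)e >= E_COUNT) { c->rejected++; return 0; }
    int nxt = next_state[c->state][e];
    if (nxt == NO_TRANSITION) { c->rejected++; return 0; }
    c->state = (state_t)nxt;
    return 1;
}

/* Plant commands are gated by the FSM state: rods move only while starting up or at power. */
static int rods_may_withdraw(const controller_t *c) {
    return c->state == S_STARTUP || c->state == S_AT_POWER;
}

/* Replay an event sequence from the initial state and return the resulting controller. */
static controller_t replay(const event_t *seq, size_t n) {
    controller_t c = controller_init();
    for (size_t i = 0; i < n; i++) controller_step(&c, seq[i]);
    return c;
}

int main(void) {
    const event_t seq[] = { E_START, E_POWER_REACHED, E_OVERTEMP, E_START, E_RESET };
    controller_t c = controller_init();
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        state_t before = c.state;
        int ok = controller_step(&c, seq[i]);
        printf("%-8s + %-13s -> %-8s %s\n", state_name[before], event_name[seq[i]],
               state_name[c.state], ok ? "" : "(REFUSED)");
    }
    printf("rejected events: %d, rods may withdraw: %d\n", c.rejected, rods_may_withdraw(&c));
    return 0;
}
```

The trace printed by main shows the property a safety policy is meant to give: after OVERTEMP the START command is refused and the only way back is RESET into SHUTDOWN, and in that state the rod command is also refused. Because the whole policy is one constant table, it can be reviewed and exhaustively checked state by state, which is what makes the FSM form attractive for certification.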
Keywords/Search Tags: Embedded security and safety critical systems with multi-level security, Architecture of operating system, Trusted computing, Embedded trusted operating system, Multi-level security, Temporal and spatial isolation, Partition mechanism