Platform Requirements

Minimized Privileged Context and Content

Both legacy RTOSes running complex application stacks and enterprise-style embedded OSes suffer from a comparable ailment: too much sensitive and critical code runs in a single execution context. RTOS kernels, drivers, libraries, middleware, and application code all share one namespace and one physical address space, so an errant routine or an external exploit meets no barrier whatsoever to corrupting or commandeering every resource in the device. Embedded Linux, or even Windows, at least separates system code from user applications, but it presents larger and more vulnerable execution contexts for exploitation: massive OS kernels (100s MLoC) that share an address space with device drivers, plus shared user-space resources (application registries, file systems, network applications, etc.).

A secure embedded platform must give architects the means to segment systems and applications code into trusted and untrusted domains. It must offer the ability to minimize the scope of, access to, and resources needed by trusted or privileged program execution.

Encapsulation / Isolation

Building a secure system starts with restricting the scope of privileged operations and access. Rich OSes, virtualized or not, are large code bases containing device drivers, file systems, network stacks, and other components. It is practically impossible to rid such code of security-critical bugs, so a rich OS presents a large attack surface to an intruder.

One characteristic of a secure embedded platform is that it lets designers encapsulate and isolate critical resources with appropriate and scalable granularity and control.

Controlled Inter-Process Communication (IPC)

Isolating critical resources can still prove insecure if untrusted programs can freely abuse the system's communication mechanisms, especially IPC facilities such as signals, pipes, semaphores, and shared memory.

A secure embedded platform must provide trusted communication and synchronization mechanisms that mediate interaction between trusted and untrusted domains.
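The isolation and controlled-IPC requirements above, shown as an added example that is not code from the original page or from any particular platform: a minimal capability table in which an isolated domain can reach an IPC endpoint only through a right that was explicitly granted, with every denied attempt counted so the policy layer also yields a detection signal. The domain and endpoint names, the rights, and the policy itself are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical domains and endpoints for a small device. */
enum { DOM_UNTRUSTED_APP, DOM_NET_STACK, DOM_KEY_STORE, NDOM };
enum { EP_NET_RX, EP_KEY_SIGN, EP_KEY_BLOB, NEP };
enum { CAP_SEND = 1, CAP_MAP = 2 };   /* rights bitmask per (domain, endpoint) */

/* Least-privilege policy: the untrusted app may only hand packets to the
 * network stack; only the network stack may request signatures; nobody may
 * map the key store's raw key blob. Anything not listed here is denied. */
static uint8_t caps[NDOM][NEP] = {
    [DOM_UNTRUSTED_APP] = { [EP_NET_RX]   = CAP_SEND },
    [DOM_NET_STACK]     = { [EP_KEY_SIGN] = CAP_SEND },
};
static unsigned denied_attempts;      /* audit counter: policy violations seen */

static bool has_right(int dom, int ep, unsigned right) {
    if (dom < 0 || dom >= NDOM || ep < 0 || ep >= NEP) return false;
    return (caps[dom][ep] & right) != 0;
}

/* Deliver a message only if the sender holds SEND on the endpoint. */
bool ipc_send(int from, int ep, const void *msg, size_t len) {
    (void)msg; (void)len;             /* transport elided; the policy check is the point */
    if (!has_right(from, ep, CAP_SEND)) { denied_attempts++; return false; }
    return true;
}

/* Map shared memory only if the domain holds MAP on the endpoint. */
bool ipc_map_shared(int dom, int ep) {
    if (!has_right(dom, ep, CAP_MAP)) { denied_attempts++; return false; }
    return true;
}

/* Revoke a right, e.g. once a domain is judged compromised.
 * Returns true if the right was actually held. */
bool revoke(int dom, int ep, unsigned right) {
    if (!has_right(dom, ep, right)) return false;
    caps[dom][ep] &= (uint8_t)~right;
    return true;
}

unsigned denied_count(void) { return denied_attempts; }
```

The denial counter is the part worth wiring into real monitoring: a trusted domain never trips it, so any non-zero count from a given domain is itself an indicator worth investigating.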
