References
This collection of background material for Platform Security Summit 2018 was edited by Rich Persaud, with contributions from many others. It is intended to provide historical timeline context and does not imply endorsement of linked materials.
Table of Contents
- Policy, Law, Incentives and Ecosystems
- Firmware Resiliency and Device Attestation
- Hyper-V Hardening with Hardware
- OpenXT, Xen and OpenEmbedded
- Functional Safety: Automotive
- Events
1. Policy, Law, Incentives and Ecosystems
- 1993: Russell Nelson, Crynwr Software, Free Software Business Mailing List
- 1996: Barry Nalebuff, Yale School of Management, Co-opetition
- 1998: Eric S. Raymond, Goodbye, “free software”; hello, “open source”
- 1998: Eric S. Raymond, The Cathedral and the Bazaar
- 1998: Frank Hecker, Setting Up Shop: The Business of Open-Source Software (Netscape memo)
- 1998: Jim Hamerly, Freeing the Source: The Story of Mozilla
- 2001: Hannu Puttonen, The Code: Story of Linux, documentary (1h)
- 2001: J.T.S. Moore, Revolution OS, documentary (1h 25m)
- 2001: Pamela Samuelson, The Law and Economics of Reverse Engineering
- 2002: Richard Stallman, Can You Trust Your Computer (2015 appendix on TPM)
- 2003: Ross Anderson, Cambridge University, ‘Trusted Computing’ FAQ
- 2009: U.S. DoD CIO, Open Source Software (OSS) FAQ
- 2009: David A. Wheeler, Open Source Software and the U.S. Department of Defense
- 2009: Winston Messer, Mil-OSS: Military Open Source, video (1h)
- 2011: Samir Chopra, The Law of Artificial Agents
- 2015: Jeremy Jie Ming Kwok, Coopetitive Supply Chain Relationship Model: Application to the Smartphone Manufacturing Network
- 2016: Nadia Eghbal, Ford Foundation, Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure
- 2017: Stephen R. Walli, Microsoft, There is NO Open Source Business Model: slides · essay
- 2017: Bruce Byfield, The Linux Foundation and its Critics
- 2018: Christine Peterson, (2006) How I coined the term ‘open source’
- 2018: Paul Gillin, Oracle’s victory over Google in Java copyright case may rewrite the rules of software
- 2018: Gwern Branwen, Laws of Tech: Commoditize Your Complement
2. Firmware Resiliency and Device Attestation
- Nov 2008: Andrew Martin, The ten-page introduction to Trusted Computing
- Mar 2009: David Grawrock, Dynamics Of A Trusted Platform
- Jul 2009: Rafal Wojtczuk, Attacking Intel BIOS
- Nov 2009: Google Chromium OS Verified Boot: design · flowchart
- Jan 2011: David Fisher, Jonathan McCune, Archie Andrews, Trust and Trusted Computing Platforms
- Nov 2012: Bill Jacobs, Vincent Zimmer, Open platforms and Security Technologies
- Jan 2015: Xeno Kovah, History of BIOS bugs
- Oct 2015: Joanna Rutkowska, Intel x86 considered harmful
- Dec 2015: David Kaplan, When hardware must “just work”: slides · video
- Mar 2017: Microsoft Project Sopris for IoT
- May 2017: NIST (draft) firmware resiliency
- Jul 2017: Vincent Zimmer, Firmware is the new Black
- Jul 2017: Alex Matrosov, Betraying The BIOS
- Aug 2017: Google Titan hardware root of trust
- Sep 2017: Jonathan McCune, A Vendor-Agnostic Root of Trust for Measurement
- Sep 2017: Philipp Deppenwiese, coreboot: Trusted Computing vs. Authenticated Code Modules
- Sep 2017: TCG DICE specs
- Oct 2017: Alex Matrosov, Who Watch BIOS Watchers
- Oct 2017: Ron Minnich, Google, Replace your exploit-ridden firmware with a Linux kernel
- Nov 2017: Microsoft OpenCompute Cerberus specifications
- Dec 2017: HP SureStart research paper
- Feb 2018: Bryan Kelly, OCP Cerberus: video (1h)
- Feb 2018: Ron Minnich, OCP Firmware, The Final Frontier: slides · video (1h)
- Feb 2018: Nate Klein, OCP Security Team Work Session (2h)
- Apr 2018: Galen Hunt, Azure Sphere for IoT. MCU edge devices can use royalty-free Microsoft silicon design and Microsoft Linux kernel, with 10 years of OTA LTS security updates via Azure, independent of device manufacturer.
- May 2018: NIST (final) Platform Firmware Resiliency Guidelines
- Aug 2018: IBM Extending POWER Boot Security to Guests
- Aug 2018: Ryan Fairfax, Microsoft Azure Sphere: Fitting Linux Security in 4 MiB of RAM (Linux Security Summit 2018)
- Jan 2019: Alex Matrosov, Rootkits and Bootkits
3. Microsoft Windows Hyper-V: Hardening With Hardware
- May 2003: Brandon Baker, Microsoft NGSCB - Next Generation Secure Computing Base
- May 2006: Microsoft Windows Hardware Engineering Conference (WinHEC)
- Jul 2007: Brandon Baker, Windows Server Virtualization and the Windows Hypervisor
- Jan 2010: Jesper Krogh, Hyper-V Security
- May 2014: ERNW Security Assessment of Microsoft Hyper-V
- Aug 2014: Wyatt Roersma, Memory forensics with Hyper-V VMs: slides · video
- Apr 2015: Alex Ionescu, Hyper-V IPC Internals, Ring 0 to Ring -1 Attacks
- Jul 2015: Alex Ionescu, Battle of SKM and IUM - How Windows 10 Rewrites OS Architecture: slides · video
- Oct 2015: Gerhart, Hyper-V internals · debugging
- Jul 2016: Rafal Wojtczuk, Attack Surface of Windows 10 Virtualization-Based Security: slides · video
- Jan 2017: Adrien Chevalier, Virtualization Based Security and Device Guard: part1 · part2
- Jun 2017: Andrea Allievi, Hyper-V and its Memory Manager: slides · video
- Jul 2017: Ladi Prosek, Nesting Hyper-V in KVM
- Sep 2017: Gerhart, Hyper-V sockets internals
- Oct 2017: Roman Kagan, VMBus (Hyper-V) devices in QEMU/KVM
- Jan 2018: BlueHat slides, video
- Mar 2018: Secure hardware baseline
- Mar 2018: UEFI hardware validation
- Mar 2018: Future Windows will default to S mode, disallowing non-Store apps. VDI remote desktop could be used to run non-Store apps in a cloud VM.
- Mar 2018: Windows moved to cloud division in corporate re-org
- Apr 2018: Lars Iwer, Hyper-V symbols for debugging
- Apr 2018: System Guard Runtime Attestation
“… has/will have hardware rooted boot attestations for TXT DRTM, SMM protections, and boot integrity. We want to make this an API that anyone can use to verify the integrity of key security properties on Windows from boot all the way to runtime. This can be used by relying parties for zero trust/conditional access implementations.”
- May 2018: Google, Asylo: an open-source framework for confidential computing (SGX, TEE)
4. OpenXT, Xen and OpenEmbedded
Summary: OpenEmbedded (OE) provides a cross-compile environment to create custom Linux-based systems for ARM and x86 devices. The OE ecosystem accommodates competing vendors and use cases via layers. OE’s meta-virtualization layer supports Xen, Linux KVM and containers.
Xen Project is a versatile, general-purpose, Open Source hypervisor that continues improving in response to use in public clouds, enterprise servers, middleboxes, desktops, vehicles and embedded devices. Xen is available in OE meta-virtualization.
OpenXT uses OE and Xen in a platform for hardware-assisted isolation of untrusted Linux and Windows workloads. If Windows System Guard adds IOMMU, TPM and TXT to hardware baselines, more OEMs will validate hardware security features used by Qubes and OpenXT since 2010.
- 1972: James P. Anderson, USAF, Computer Security Technology Planning
- 1981: John Rushby, SRI, Design and Verification of Secure Systems
- 1981: R.J. Creasy, IBM, The Origin of the VM/370 Time-sharing System
- 1998: Ray Spencer et al., The Flask Security Architecture: System Support for Diverse Security Policies
- 2001: Ross Anderson, Why Information Security is Hard — An Economic Perspective
- 2003: Keir Fraser et al., Xen and the Art of Virtualization
- 2005: Xen security meetings: Boston · Cambridge
- 2007: Joseph Cihula, Intel, Trusted Boot: Verifying the Xen Launch: slides
- 2008: Infineon, TPM Fundamentals
- 2008: Derek G. Murray et al., Improving Xen Security through Disaggregation
- 2008: Jonathan McCune et al., Flicker: An Execution Infrastructure for TCB Minimization
- 2009: Rob Dobry, NSA, High Assurance Platform (HAP)
- 2009: Terry Relph-Knight, Linux and the Trusted Computing Module
- 2010: Joanna Rutkowska, ITL, Qubes OS Architecture
- 2011: Patrick Colp et al., Breaking Up is Hard to Do: Security and Functionality in a Commodity Hypervisor
- 2012: Ian Pratt, u-Xen (micro-virtualization, Type-2 Windows VMM, rapid VM fork, de-privileged Windows, VM graphics compositor)
- 2013: Yuri Bulygin, Why Full-Disk Encryption With TPM is Insecure on Many Systems
- 2014: Andre Richter, TUM, Performance Isolation Exposure in Virtualized Platforms with PCI Passthrough
- 2014: Philip Tricca, Security and the Properties of a Xen Virtualization Platform: slides, video
- 2014: Richard Purdie, Chris Larson and Phil Blundell, BitBake User Manual
- 2014: Joanna Rutkowska, ITL, Software compartmentalization vs. physical separation
- 2015: Igor Smolyar, Technion, Securing Self-Virtualizing Ethernet Devices: paper
- 2015: Tawfiq Shah, Radium: Secure Policy Engine in Hypervisor: thesis · slides · demo
- 2016: Christopher Clark, OpenXT Technical Overview: slides, video
- 2016: NIAP virtualization protection profiles: Umbrella · Client · Server
- 2016: Yongwang Zhao, A survey on formal specification and verification of separation kernels
- 2016: Quarkslab Cappsule fast-fork Linux hypervisor
- 2016: AIS Bareflank hypervisor
- 2017: Facebook, TPM 2.0 Practical Usage
- 2017: Ahmed Samy, KSM, lightweight x64 nesting hypervisor
- 2017: Lei Shi, Nexen and XSA analysis, Deconstructing Xen
- 2017: Rich Persaud, “In Device We Trust”, TXT measured launch with TPM 2.0 and OTA update: article
- 2017: Simon Gaiser, Qubes MSI support for PCI device pass-through with stub domains
- 2017: Adventium, Magrana multi-domain server
- 2017: Ricardo Salvetti, Open Source Foundries / Linaro: Secure OTA Collaboration
- 2018: Joanna Rutkowska, Qubes Air: Generalizing the Qubes Architecture
- 2018: Christopher Clark, Meltdown and Spectre Exposure Analysis: Xen, Linux & Windows: spreadsheet
- 2018: Rich Persaud, Open-Source Embedded Hypervisors: table
- 2018: Jeremy Boone, TPM Genie: Interposer Attacks Against the TPM Serial Bus: paper · github
- 2018: Xen and OpenEmbedded wiki
- 2018: Stefano Stabellini, ViryaOS: Secure Containers for Embedded and IoT
5. Functional Safety: Automotive
Summary: $80B USD of autonomous driving R&D pursues trillions in projected revenues. Powered by mapping, sensors, connectivity, AI/ML, energy storage density and low-power SoCs, the autonomy economy extends security concerns to safety and long-term maintenance.
VMMs reduce size, weight and power via consolidation, but must guarantee spatial and temporal isolation for safety-critical workloads. Nested hypervisors and inter-partition messaging can enable app compatibility without losing bare-metal safety. Time-sensitive networking HW/VMM/OS features enable multi-node certification.
OpenEmbedded and Xen are used on Renesas, NXP and Xilinx Arm boards, while Toyota uses AGL/OE. Gap analysis for Xen is underway and may result in a Kconfig subset of Xen that is optimized for security and safety certification. This subset may overlap with OpenXT requirements.
- Jan 2013: Wei Jing, Performance Isolation for Mixed Criticality with Xen
- Apr 2013: Wilfried Steiner, TTTech: An Introduction to TTEthernet
- Aug 2014: CGP Grey, Humans Need Not Apply, video (15m)
- Mar 2015: TCG TPM 2.0 Library Profile for Automotive-Thin, specification
- Jan 2016: McKinsey report: Automotive revolution - perspective towards 2030
- May 2016: Keiichi Matsuda, Hyper-Reality, video (6m)
- Jul 2016: Yongwang Zhao, A survey on formal specification and verification of separation kernels
- Nov 2016: EU DREAMS mixed-criticality VMM research report
- Apr 2017: Car-hacking in pop culture: Fate of The Furious
- Apr 2017: Alexis C. Madrigal, Robots, Piers Full of Robots
- Jul 2017: Adversarial Machine Learning resources
- Jul 2017: DornerWorks whitepaper: hardware vs. software partitioning
- Oct 2017: Brookings report: Gauging Investment in self-driving cars
- Oct 2017: Wind River Sparts Project for trust in open-source supply chains
- Dec 2017: CPS-Xen for safety-critical applications: source
- Mar 2018: Intel ACRN functional-safety Type-1 VMM announced: ELC slides, video
- Mar 2018: Stefano Stabellini, Xen vs. ACRN
- Mar 2018: Intel Time-Sensitive Networking for mixed-criticality: ELC slides, video
- Mar 2018: Stanford FutureLaw, Crash Course In Modern Accident Law
- Mar 2018: Benedict Evans, a16z, Steps to autonomy · videos
“…some people argue that L1 is actually safer than L2 or L3 - with L1 you do know explicitly that it’s you that’s driving the car ALL THE TIME, but sometimes the car will stamp on the brakes when you weren’t looking and save a life. This is why so much work is going into how the vehicle might communicate with the user - how does it say ‘this is an L5 journey and you can sleep’, or ‘I’ll drive myself for the next hour, and alert you 5 minutes before it’s time for you to take over’?”
- Mar 2018: Ross Anderson, Making Security Sustainable
“security will be more about safety than privacy. Certification will no longer mean testing a car once before selling it for 10 years … Phones and laptops do not kill a lot of people, at least directly; cars and medical devices do… As we build more complex artifacts, which last longer and are more safety critical, the long-term maintenance cost may become the limiting factor…On the technical side, at present it is hard to patch even five-year-old software. The toolchain usually will not compile on a modern platform … Could we develop on virtual platforms that would support multiple versions?”
- Apr 2018: Automotive Grade Linux (AGL) virtualization whitepaper draft
“Xen can partition or pool plural resources while optionally virtualizing —securely sharing— singular hardware resources like coprocessors. Xen provides stable interfaces as applications and platforms evolve. For environments with real-time constraints, it can be configured as a partitioning hypervisor, eliminating scheduler overhead, reducing interrupt latency and delegating I/O and memory isolation to hardware with an IOMMU. Xen also provides static CPU assignment and multiple real-time schedulers (including an ARINC 653 scheduler) to further isolate resources and provide real-time guarantees.”
- Apr 2018: Intel Security Essentials
“Although hardware-based security is not a silver bullet, it does provide a “chain of trust” rooted in silicon that makes the device and extended network more trustworthy and secure.”
- Apr 2018: Uber: Rethinking GPS: Engineering Next-Gen Location
- Apr 2018: Voyage: Open Autonomous Safety
- Apr 2018: Xen and Safety Certification work summary
6. Events
- Jun 2018: Nanjing, China, Xen Summit 2018
- Aug 2018: Las Vegas, USA, System Firmware Attack and Defense for the Enterprise
- Aug 2018: Vancouver, Canada, Linux Security Summit North America
- Sep 2018: Nuremberg, Germany, Open Source Firmware Conference
- Oct 2018: Edinburgh, UK, Linux Security Summit Europe
- Oct 2018: Edinburgh, UK, Embedded Linux Conference Europe