How to Isolate your Critical Applications from Cyber Threats on seL4

Posted on August 25, 2022 by Lourens Willikes

When mixed-criticality embedded systems are deployed on vehicles in the field, it is imperative that high-criticality applications such as control or engine systems can run uninterrupted despite cyber-attacks threatening to disable them. These systems will commonly provide an interface to the high-criticality applications for data collection or remotely viewing process information, and while it may be necessary, it also provides another point of attack.

In addition to the benefit of isolation provided by the seL4 hypervisor, DornerWorks has developed a cyber component that can protect the high-criticality applications from the vulnerable code in the event of a cyber threat. This will eliminate the attack vector of the malicious party and allow the high-criticality applications to run without interruption.

seL4 Cyber Component

The cyber component consists of an additional virtual machine (referred to as the network break VM) and an seL4 userspace monitor application/component. The network break VM sits on the network in series between the incoming network traffic and the high-criticality applications, moving the direct attack surface from the high-criticality applications to the network break VM. Adding the network break VM allows different types of network inspection or memory introspection applications for determining threats and creates more variability when shutting down the interface.

High-level Architecture of System with Cyber Component

Network Break VM

The network break VM is the element of the system that will inspect activity for malicious attacks. In the system shown above, the network break VM has an application called Snort on it. Snort is an open-source network intrusion detection system that has the capability to examine network traffic. Snort uses a set of defined rules to match data in network packets such as source/destination IP address, packet sizes, contents, or formats. Shown below are some Snort rules and explanations for what they are matching (based on the system shown above).

alert tcp any any -> any
Match any tcp traffic destined for subnet (virtual network between VMs)
alert tcp any any -> any
Match any tcp traffic destined for network break VM
alert udp any any -> any (content:”deadbeef”)
Match any traffic destined for high-criticality VM that has the content “deadbeef”
alert tcp any any -> 23
Match any Telnet (TCP port 23) traffic destined for high-criticality VM
alert tcp any any -> 21
Match any FTP (TCP port 21) traffic destined for high-criticality VM

In addition to the inspection software, the network break VM contains an alert application that will forward the alerts and the associated threat levels to the monitor component.

seL4 Monitor Application

The monitor component is the seL4 application that can take the actions needed to isolate the high-criticality applications from the incoming attack. Based on the level of the threat the monitor can decide to do nothing, or take one of the following actions:

  • Remove the network connection to the high-criticality VM
  • Suspend the network break VM for a period
  • Restart the network break VM
  • Kill the network break VM completely

Shown below is the system with the network connection removed.

System with Virtual Network Removed

The following image shows the system with the network break VM suspended, restarting, or killed.

System with Network Break VM Removed

DornerWorks’ expertise with seL4 and mixed-criticality systems can add enhanced cyber security to your projects. Schedule a meeting with our team when you are ready for the peace of mind our secure technology solutions will give you.

Lourens Willikes
by Lourens Willikes
Embedded Engineer
Lourens Willekes is an embedded engineer at DornerWorks.