Nested compartmentalisation for constrained devices
Résumé
This paper presents a framework and implementation guidelines to set up nested compartmentalisation in constrained devices. All memory spaces are protected by the Memory Protection Unit (MPU). Current MPU-based systems offer efficient memory protection but are mostly tied to the fixed permission model provided by their operating system, kernel, hypervisor or by code instrumentation. New use cases evolve with the rise of the Internet of Things (IoT) ecosystems where software components could benefit from locally and dynamically established permissions. This includes a temporary nested subspace with restricted memory access rights. Our framework integrates subspace creation and management for runtime dynamic changes of the permission model for any level of abstraction. Global security policies of fixed permission models are reflected in the software architecture and the implementation of the framework. We also demonstrate the feasibility of providing nested compartmentalisation by showing how to leverage the MPU features.
Fichier principal
NestedCompartmentalisationForConstrainedDevices-accepted.pdf (153.33 Ko)
Télécharger le fichier
Origine : Fichiers produits par l'(les) auteur(s)