{"id":31972,"date":"2023-05-11T11:01:35","date_gmt":"2023-05-11T15:01:35","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/microkernel-os-for-smart-devices\/31972\/"},"modified":"2023-05-12T19:14:14","modified_gmt":"2023-05-12T08:14:14","slug":"microkernel-os-for-smart-devices","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/microkernel-os-for-smart-devices\/31972\/","title":{"rendered":"Microkernel OSs against threats to smart devices"},"content":{"rendered":"<p>By 2030, the number of connected devices in the world is expected to reach <a href=\"https:\/\/iot.ru\/promyshlennost\/kolichestvo-ustroystv-interneta-veshchey-utroitsya-k-2030-godu\" target=\"_blank\" rel=\"nofollow noopener\">24 billion<\/a>. This statistic includes a multitude of household systems and accessories: smart watches, fitness bands, speakers with intelligent voice assistants, and all the devices they control. It also covers smart ATMs, POS terminals, video surveillance cameras and the like. These are all devices users are accustomed to trusting with their sensitive data but are not quite able to control the security of. At the same time, internet-of-things (IoT) devices are becoming targets in a <a href=\"https:\/\/www.statista.com\/statistics\/1322216\/worldwide-internet-of-things-attacks\/%23:~:text=The%20number%20of%20Internet%20of,with%20approximately%2013%20million%20attacks.\" target=\"_blank\" rel=\"nofollow noopener\">growing number of attacks<\/a>. 
And although vendors try not to emphasize it, the IoT security problem gets more and more relevant \u2014 especially for ecosystems of several connected devices.<\/p>\n<p>For example, back in 2020, Check Point researchers <a href=\"https:\/\/blog.checkpoint.com\/security\/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb\/\" target=\"_blank\" rel=\"nofollow noopener\">experimented<\/a> with an attack on a network through a smart lightbulb. They succeeded in loading tweaked firmware into a smart lightbulb and using it to install malware on a device controlling the illumination system. From there, they penetrated the local network. The vulnerability was promptly closed, but what are the guarantees that a similar trick can\u2019t be pulled off using other IoT security loopholes?<\/p>\n<p>Another example \u2014 a situation involving a Korean <em>KeyWe<\/em> smart-locks vulnerability \u2014 looks even worse. In addition to key generation process flaws, researchers <a href=\"https:\/\/www.theregister.com\/2019\/12\/11\/f_secure_keywe\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> some fundamental design problems. These made it fairly easy for attackers to intercept and decrypt the locks\u2019 passwords. Moreover, it was found that it was impossible to update the firmware with a security patch\u00a0\u2014 the vulnerability could only be patched in new locks that are free of the mentioned design flaw.<\/p>\n<p>The latter example shows that IoT security gaps can originate at the system design level. To avoid such problems, a number of vendors have in recent years turned toward microkernel-based operating systems. 
In microkernel architecture, the kernel contains several times less code than the kernel of a traditional system, and performs only strictly necessary functions \u2014 which makes it more reliable and fault-tolerant.\n<\/p>\n<h1>Microkernel OSs\u2019 popularity outstripping that of Windows and Android<\/h1>\n<p>\nIf you ask desktop computer users to name the most popular operating system they know of, you\u2019re sure to hear Windows as the answer. Indeed, its <a href=\"https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide\" target=\"_blank\" rel=\"nofollow noopener\">share of the global OS market is 72%<\/a>\u00a0\u2014 if counted by the number of computers with Windows onboard. But very few users ever think of what\u2019s going on a notch deeper: at the microchip and microcontroller firmware level. There, the most widespread operating system is <a href=\"https:\/\/en.wikipedia.org\/wiki\/Minix\" target=\"_blank\" rel=\"nofollow noopener\">MINIX<\/a>, based on microkernel architecture. It\u2019s the OS that comes with Intel ME 11 firmware. Today it\u2019s present in all desktops and laptops equipped with Intel CPUs, which make up <a href=\"https:\/\/www.statista.com\/statistics\/735904\/worldwide-x86-intel-amd-market-share\/\" target=\"_blank\" rel=\"nofollow noopener\">two thirds of the x86 CPU market<\/a>.<\/p>\n<p>There\u2019s a similar picture in the mobile, portable and embedded devices market. Here the favorite is Android. However, again, if we probe deeper, microkernel OSs are no less common in that market, although they remain in the background. One of the oldest microkernel architecture implementations in the mobile market is <a href=\"https:\/\/en.wikipedia.org\/wiki\/QNX\" target=\"_blank\" rel=\"nofollow noopener\">QNX<\/a>. This OS came about in the 1980s in critical industrial machines, later being used in naval radar stations. 
Its more modern version, QNX Neutrino, worked in BlackBerry smartphones and in Cisco routers and is now to be found in <a href=\"https:\/\/blackberry.qnx.com\/en\/industries\/connected-autonomous-vehicles#future-automotive\" target=\"_blank\" rel=\"nofollow noopener\">firmware of hundreds of millions of motor vehicles<\/a>.<\/p>\n<div id=\"attachment_48168\" style=\"width: 1111px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48168\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2023\/05\/12020420\/microkernel-OS-for-smart-devices-interface.jpg\" alt=\"Modern vehicle firmware interface proposed in 2017\" width=\"1101\" height=\"563\" class=\"size-full wp-image-48168\"><p id=\"caption-attachment-48168\" class=\"wp-caption-text\">Modern vehicle firmware interface <a href=\"https:\/\/www.youtube.com\/watch?v=u_RcFkexfkM\" target=\"_blank\" rel=\"nofollow noopener\">proposed in 2017<\/a><\/p><\/div>\n<p>Let\u2019s not forget other devices with microkernel firmware; for example, there\u2019s L4-kernel-family-based systems, including Qualcomm modems and automotive systems based on OKL4, whose popularity peaked in 2012.<\/p>\n<p>MINIX and L4 are certainly not the most relevant applications out there. Some might even call them vintage. But the evolution of microkernel OSs didn\u2019t stop there: their development was continued by a number of modern smart ecosystem vendors:\n<\/p>\n<ul>\n<li>A microkernel OS code-named Horizon forms the backbone of Nintendo Switch game consoles. 
The public has limited information about the OS itself as it\u2019s a proprietary system.<\/li>\n<li>In January 2023, <a href=\"https:\/\/9to5google.com\/2023\/01\/10\/google-fuchsia-launch-upcoming-device\/\" target=\"_blank\" rel=\"nofollow noopener\">9to5google journalists discovered<\/a> that the all-new Google Nest speaker would most likely ship with Fuchsia \u2015 an OS with the Zircon microkernel at its core.<\/li>\n<li>In November 2022, Huawei <a href=\"https:\/\/www.chinadaily.com.cn\/a\/202211\/05\/WS6365d711a3105ca1f2274371.html\" target=\"_blank\" rel=\"nofollow noopener\">announced<\/a> that 320 million of its devices are equipped with HarmonyOS\u00a0\u2015 a HongMeng-kernel-based microkernel operating system for wearable devices and IoT. By the end of 2022, devices equipped with HarmonyOS made up <a href=\"https:\/\/www.techgoing.com\/sa-agency-huawei-harmonyos-phones-to-reach-2-global-share-by-2022\/\" target=\"_blank\" rel=\"nofollow noopener\">2%<\/a> of total global sales of smartphones. And in April 2023, the <a href=\"https:\/\/www.ixbt.com\/news\/2023\/02\/27\/android-harmonyos-3-1-huawei-mate-50-p50-p50-pro.html\" target=\"_blank\" rel=\"nofollow noopener\">new version HarmonyOS 3.1<\/a> was launched. According to the developers, they\u2019ve come a long way in optimizing the system.<\/li>\n<\/ul>\n<p>\nWhy are vendors so active in this field? On the one hand, it\u2019s because of the IoT market\u2019s development. On the other, it\u2019s because of a crisis of confidence in traditional superimposed protection that\u2019s not effective enough in the IoT world.\n<\/p>\n<h1>Things helping microkernel firmware vendors protect IoT systems<\/h1>\n<p>\nAs we\u2019ve seen from the abovementioned smart lightbulb hijacking case, IoT ecosystems are often based on multiple interconnected microcontrollers and sensors. 
<a href=\"https:\/\/www.kaspersky.com\/blog\/iot-report-2022\/\" target=\"_blank\" rel=\"noopener nofollow\">Attackers tend to specifically target<\/a> the unprotected end devices to use them as an entry point to later take control over the whole system through escalation of privileges. Equipping each little device with sophisticated protection mechanisms is economically unviable. The situation gives rise to two fundamental problems:\n<\/p>\n<ul>\n<li>We all want to trust the system\u2019s in-built protection. In IoT systems, we\u2019re dealing with multiple small elements that cannot be trusted. There are two ways to approach this problem: either try to make each one as protected as possible, or begin with recognizing their limitations and engineer the system to still be secure\u00a0\u2014 even with such elements onboard.<\/li>\n<li>Control of interactions. In a big system, normally no elements operate in a vacuum: they \u201ccommunicate\u201d among themselves and often have <em>privileges<\/em> to perform certain actions upon each other. In a system where we can\u2019t trust all the elements, these interactions and privileges should be limited and monitored with some <em>means of control<\/em>.<\/li>\n<\/ul>\n<p>\nThis is how these problems can be addressed with microkernel OSs:\n<\/p>\n<ol>\n<li>\n<strong>Microkernel OSs distinguish between trusted and untrusted components<\/strong>. Their architecture is built around multiple intercommunicating isolated components, which can be conveniently classified as <em>untrusted<\/em> or <em>trusted<\/em>. The kernel is among the trusted components: it performs only the most necessary functions and contains as few lines of code as possible; and all the drivers, file systems and the like are removed to separate components outside the kernel. 
This allows limiting the system elements whose code <em>we are forced to trust<\/em> to a necessary and sufficient minimum.<br>\n<br>\nThe fewer lines of trusted code the system contains the better, for it\u2019s both simpler and faster to check such code for errors. This is the reason why vendors try to make the microkernel as small as they possibly can: it simplifies validation of trust (more on that later).<\/li>\n<li>\n<strong>Microkernel OSs isolate most privileged components and operate them in user mode<\/strong>. In microkernel OSs, the kernel is responsible for isolation of components: each one resides within its own address space. The microkernel provides a mechanism for exchanging messages among components, schedules threads, and controls memory, timers, and interrupts.<br>\n<br>\nThe trusted and untrusted components operated in user mode have just as many privileges as needed for them to perform their functions.<\/li>\n<li>\n<strong>Microkernel OSs feature extra capabilities and tools for interaction control.<\/strong> In a microkernel OS, any action equates to the sending of a message (communication). As mentioned earlier, the microkernel controls the key messaging mechanism. Apart from that, microkernel OSs often employ the \u201cobject capabilities\u201d mechanism, which allows, among other things, controlling the establishment of new communication channels.<\/li>\n<\/ol>\n<p>\nThe only thing all these mechanisms tend to lack is trust verification options. Some components just have to be trusted, it\u2019s true; but how about \u201ctry before you trust\u201d? How do we migrate from \u201ctrusted\u201d to \u201ctrustworthy\u201d?<\/p>\n<p>There are different ways to make sure an element is trustworthy: tests, different analysis methods, formal specification and <a href=\"https:\/\/securelist.ru\/validaciya-i-verifikaciya\/27213\/\" target=\"_blank\" rel=\"noopener\">verification<\/a>. 
All these methods allow implementing verifiable security in which we base our confidence not on the vendor\u2019s reputation but on the results of reproducible verification. This lies at the heart of many recognized security models, for example <a href=\"https:\/\/en.wikipedia.org\/wiki\/Multiple_Independent_Levels_of_Security\" target=\"_blank\" rel=\"nofollow noopener\">MILS<\/a>, or security assessment standards and criteria such as the \u201ccommon criteria\u201d. We predict that these methods and models will be used more and more.<\/p>\n<p>In the near future, new generations of microkernel OSs will help achieve verifiable security and Cyber Immunity<\/p>\n<p>Following a long-term study of best protection practices, we\u2019ve used verifiable security principles to develop our own Cyber Immune approach, which we\u2019re going to use for building inherently secure IT systems. Cyber Immunity is an implementation of the Secure by Design approach, where information security is in focus at each and every development stage.<\/p>\n<p>In Cyber Immune systems, all interactions are typified and verified: in particular, a special monitor is in control of all interprocess communications. This module is capable of introspecting all data exchanged among the processes and can use them when making security-related decisions. Trust is validated through tests, static and dynamic analysis, fuzzing, pentesting, and formal methods.<\/p>\n<p>The <a href=\"https:\/\/os.kaspersky.com\/?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=au_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=au_kdaily_organic_vjclkbtvtsrw92s\" target=\"_blank\" rel=\"noopener nofollow\">microkernel-based KasperskyOS<\/a> is the first operating system that supports this approach, acting as a platform for creation of Cyber Immune products. 
But in general the methodology combines the best security principles around and doesn\u2019t depend much on which implementation tools are used. Therefore, we expect these principles to find their way into other microkernel device firmware applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why such OSs are gaining more significance in markets in need of security.<\/p>\n","protected":false},"author":2736,"featured_media":31975,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993],"tags":[794,2505,659],"class_list":{"0":"post-31972","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-iot","10":"tag-kasperskyos","11":"tag-smart-devices"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/microkernel-os-for-smart-devices\/31972\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/microkernel-os-for-smart-devices\/25666\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/microkernel-os-for-smart-devices\/21084\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/microkernel-os-for-smart-devices\/28312\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/microkernel-os-for-smart-devices\/25964\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/microkernel-os-for-smart-devices\/26343\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/microkernel-os-for-smart-devices\/28829\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/microkernel-os-for-smart-devices\/35293\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/microkernel-os-for-smart-devices\/48167\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/microkernel-os-for-smart-devices\/20609\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky
.com.br\/blog\/microkernel-os-for-smart-devices\/21295\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/microkernel-os-for-smart-devices\/30164\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/microkernel-os-for-smart-devices\/26269\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/microkernel-os-for-smart-devices\/31661\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/kasperskyos\/","name":"KasperskyOS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2736"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=31972"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31972\/revisions"}],"predecessor-version":[{"id":31979,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31972\/revisions\/31979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/31975"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=31972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=31972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=31972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}