TECH FEATURE
Multicore
Microkernel-Based Virtualization Meets Embedded Security Challenges
By implementing virtualization at the microkernel level, developers can build on embedded virtual machine technology as a platform for enhancing security while hosting very different kinds of operating systems.
GERNOT HEISER, OPEN KERNEL LABS
Now more than ever, embedded systems developers and device OEMs face complex requirements for features and functionality in next-generation intelligent devices. In these emerging embedded applications, the size, scope and delivery costs of device software frequently outstrip investment in the hardware on which that software executes. Moreover, these and other devices are increasingly interconnected across wireline and wireless LANs and WANs and to the Internet. This mix of software complexity and connectedness poses significant challenges for device robustness and integrity: complexity leads to more exploitable bugs while connectivity provides more avenues for exploitation.
In a similar vein, responding to growing and pervasive threats to the security of intelligent devices and to the content deployed on them, the embedded marketplace is confronting a new wave of security requirements. These emanate from a range of constituencies: carriers, operators and content providers, retail channels, financial institutions, all the way down to consumers.
Most embedded developers, while familiar with the basics of security, do not possess the expertise needed to “lock down” systems based on traditional RTOSs, on embedded Linux, or other pervasive OSs, if this is possible at all. Developers and OEMs must meet real needs for security, but lack the tools to secure their device applications.
Introducing Embedded Virtual Machines
System virtualization technology provides a software environment in which several “guest” operating systems can run as if each owned a complete hardware platform. Such virtual machines (VMs) abstract the available system resources (memory, storage, CPU core(s), I/O, etc.) and present them in a regular fashion, such that “guest” software cannot distinguish VM-based execution from running on actual physical hardware. The VM is implemented by a software layer called a virtual-machine monitor (Figure 1). This virtual-machine monitor is sometimes popularly referred to as a hypervisor, but in this context we reserve that term for a more specific function.

Virtualization is a “killer app” enabler in the enterprise and on the desktop, conferring benefits in load balancing, server consolidation, legacy code migration, cross-platform interoperability, and also security. In the last two years, virtualization has also made key inroads in embedded applications.
In contrast to the enterprise, virtualization in embedded systems is motivated by the co-existence of a fixed set of vastly different operating systems (a low-level bare-bones RTOS and a high-level application OS) rather than the dynamic creation and destruction of similar OS environments. Other motivations are architectural abstraction and, increasingly, security.
Virtual Machines as a Security Platform
In the enterprise, IT managers employ virtualization to realize two types of secure computing: as a safe “sandbox” in which to let loose and study viruses, worms and other invasive threats, and as a means to limit the damage and response degradation inflicted by denial-of-service (DoS) attacks, by isolating and throttling the (virtual) machines that host the targeted servers and services.
In embedded applications, developers can also benefit from virtualization as a security tool by using it to isolate application OSs, like Linux, BSD or Windows, from the relatively defenseless RTOS, which runs the critical real-time environment.
The primary mechanism by which virtual machines improve security is the segregation of guest OSs into individual virtual machines, enforced by CPU operating modes (privileged/non-privileged) and memory management units (MMUs). Any interaction between VMs then has to go through explicit communication channels set up by the monitor, typically using network-like mechanisms.
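To make the isolation argument concrete, the following is an added model (not code from the article, from OK Labs, or from any real virtual-machine monitor) of how an MMU enforces VM segregation. Each VM owns a page table that only the privileged monitor may fill in; guest accesses go through a translation step that faults on unmapped pages or missing permissions, and the only way data crosses VM boundaries is a frame the monitor has deliberately mapped into both as a channel. Frame counts, page size, the VM names and the `run_scenario` checks are all constructed for the illustration.

```c
/* Model of MMU-enforced VM isolation (added illustration, not OKL4 code).
 * Each VM has a private page table that only the privileged monitor may
 * edit. Guests touch memory only through translate(), which faults for any
 * page that is not mapped for that VM or lacks the requested permission.
 * A frame mapped by the monitor into two VMs models an explicit channel.
 * Sizes, addresses and VM names below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFRAMES   8      /* physical frames in the model */
#define NPAGES    4      /* guest-virtual pages per VM */
#define PAGE_SIZE 16     /* bytes per page/frame */

enum { PERM_R = 1, PERM_W = 2 };

typedef struct { int frame; int perm; } pte_t;          /* frame -1 = unmapped */
typedef struct { const char *name; pte_t pt[NPAGES]; } vm_t;

static uint8_t phys[NFRAMES][PAGE_SIZE];                 /* physical memory */

/* Monitor-only (privileged) operation: install a guest page -> frame mapping. */
static int monitor_map(vm_t *vm, int page, int frame, int perm) {
    if (page < 0 || page >= NPAGES || frame < 0 || frame >= NFRAMES) return -1;
    vm->pt[page].frame = frame;
    vm->pt[page].perm = perm;
    return 0;
}

/* MMU translation: pointer to the byte, or NULL to signal a fault. */
static uint8_t *translate(vm_t *vm, uint32_t gva, int perm) {
    uint32_t page = gva / PAGE_SIZE, off = gva % PAGE_SIZE;
    if (page >= NPAGES) return NULL;
    pte_t *e = &vm->pt[page];
    if (e->frame < 0 || (e->perm & perm) != perm) return NULL;
    return &phys[e->frame][off];
}

/* Unprivileged guest accesses: 0 / byte value on success, -1 on fault. */
static int guest_write(vm_t *vm, uint32_t gva, uint8_t v) {
    uint8_t *p = translate(vm, gva, PERM_W);
    if (!p) return -1;
    *p = v;
    return 0;
}
static int guest_read(vm_t *vm, uint32_t gva) {
    uint8_t *p = translate(vm, gva, PERM_R);
    return p ? *p : -1;
}

static void vm_init(vm_t *vm, const char *name) {
    vm->name = name;
    for (int i = 0; i < NPAGES; i++) { vm->pt[i].frame = -1; vm->pt[i].perm = 0; }
}

/* Scenario: an RTOS VM and an application-OS VM each get a private frame;
 * the monitor grants frame 5 as a one-way channel (app OS writes, RTOS reads).
 * Returns a bitmask of the isolation properties that held (15 = all four). */
int run_scenario(void) {
    vm_t rtos, appos;
    vm_init(&rtos, "rtos");
    vm_init(&appos, "app-os");
    memset(phys, 0, sizeof phys);
    monitor_map(&rtos, 0, 1, PERM_R | PERM_W);   /* RTOS private page   */
    monitor_map(&appos, 0, 2, PERM_R | PERM_W);  /* app-OS private page */
    monitor_map(&appos, 1, 5, PERM_W);           /* channel: writer side */
    monitor_map(&rtos, 1, 5, PERM_R);            /* channel: reader side */

    int result = 0;
    guest_write(&rtos, 3, 0x2A);
    /* 1: same guest address in the other VM hits a different frame (no leak) */
    if (guest_read(&appos, 3) != 0x2A) result |= 1;
    /* 2: an unmapped guest page faults instead of reaching any frame */
    if (guest_read(&appos, 2 * PAGE_SIZE) == -1) result |= 2;
    /* 4: the explicitly granted channel carries data across the boundary */
    guest_write(&appos, PAGE_SIZE + 4, 0x77);
    if (guest_read(&rtos, PAGE_SIZE + 4) == 0x77) result |= 4;
    /* 8: the reader side cannot write back through the read-only mapping */
    if (guest_write(&rtos, PAGE_SIZE + 4, 0) == -1) result |= 8;
    return result;
}

int main(void) {
    printf("isolation properties held: 0x%x (expect 0xf)\n", run_scenario());
    return 0;
}
```

The point of the model is where the authority sits: `monitor_map` runs only in the privileged mode, so a guest can neither extend its own page table nor reach a frame the monitor never mapped for it, and the channel exists only because the monitor chose to create it.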
These applications of virtualization are of limited use in many embedded systems due to their resource-constrained nature. It is inherent in VM technology that each VM looks like raw hardware, and needs an OS to support any software. The resource impact of each VM is therefore significant, and most embedded systems can only support a small number of them. Furthermore, the VM model of inter-VM communication, (virtual) network interfaces, is fairly heavyweight and does not match the tightly integrated nature of embedded systems. These limitations mean that an appropriate technology for embedded systems must go beyond virtualization in the traditional sense.
Microkernel-based virtualization provides a good match to the requirements of embedded systems, as we will see later, after a look at other approaches to embedded virtualization.