Using microkernels to securely encapsulate software into modules

Measuring instruments often use large standard operating systems as their software foundation. These operating systems hinder software testing because they contain numerous "bugs". A new software reference architecture developed at the PTB makes use of the benefits standard operating systems have, such as the greater functionality, a familiar user interface and many drivers, but still ensures security due to the encapsulation and modularization of the software.

This configurable software reference architecture is based on a microkernel. The microkernel is software that runs on the lowest level, under the actual operating systems. These operating systems in turn, are encapsulated into modules, so-called virtual machine (VM). The operating systems can continue to load their usual programs and drivers, but are obligated to communicate via the microkernel with each other and the hardware. The system architecture is based on a modular design that fulfils the requirements of the Measuring Instruments Directive of the European Union (MID) and the WELMEC 7.2 Software Guides. These can be seen in the figure and are as follows: displaying data (Secure GUI), data protection (Key & Signature Manager), storing data (Storage Manager), executing downloads (Download Manager), transferring data (Connection Manager), and internal data processing (Communication Monitor). Hence, the reference architecture ensures that all legally relevant measurement functions can be monitored safely. In addition, the architecture separates non-legally relevant software (N) and legally relevant software (L). All calculations that fall under legal control are carried out in the L-VM, everything else in the N-VM. This strict separation ensures that legally relevant software is not irregularly affected.

Fig.: Communication between the individual modules within the system architecture

The project will be continued in cooperation with the Technical University of Berlin, which is developing a new microkernel that will be mathematically formally verified, showing that typical operating system vulnerabilities are not present. This is important for instruments that need to judicially prove their correctness (e.g. traffic enforcement cameras). With this microkernel, the proposed framework has been implemented on a demonstrator. In addition, the system architecture is being adapted for specific measuring instruments, which have to fulfill different tasks, in cooperation with two SMEs. These measuring instruments are a medical device and a traffic enforcement camera.

Contact

   Dr. Ing. Daniel Peters

   Department 8.5 Metrological Information Technology

   Phone: +49 (0)30 3481-7916

   EMail: daniel.peters@ptb.de

Scientific Publications

1. D. Peters, M. Peter , J.-P. Seifert, F. Thiel: A Secure System Architecture for Measuring Instruments in Legal Metrology. Computers - Open Access Journal 4(2), 61-86, 2015
2. D. Peters, U. Grottker, F. Thiel, M. Peter, J.-P. Seifert, Achieving Software Security for Measuring Instruments under Legal Control, FedCSIS (EAIS), Warsaw, Poland, 7-10 September, 2014
3. D. Peters, F. Thiel, M. Peter, J.-P. Seifert, A Secure Software Framework for Measuring Instruments in Legal Metrology, IEEE International Instrumentation and Measurement Technology Conference (I2MTC), Pisa, Italy, May 11-14, 2015
4. J. Fischer, D. Peters, A Practical Succinct Data Structure for Tree-Like Graphs, WALCOM: Algorithms and Computation, LNCS, Springer International Publishing, ISBN: 978-3-319-15611-8

AnGeWaNt

The AnGeWaNt joint project is aimed at tapping the potential of digitization for the hybridization of business models, for the further development of work design and for calibration processes (metrology). To this end, procedures for the hybridization of business models are being developed and used as examples by manufacturers and users of commercial vehicles and add-on parts with calibrated scales. This applies accordingly to the digital support of metrolo-gy. Two compatible software platforms are being developed for this purpose: one for hybrid ser-vices and one for metrology. Procedures for the socio-technical adaptation of operational structures and procedures as well as corresponding learning concepts will be developed. The results will be prepared for transfer in the form of training concepts and action-guiding bro-chures with checklists and examples.

Duration: January 2019 to January 2022

Contact

   Dr. Alexander Oppermann

   Fachbereich 8.5 Metrologische Informationstechnik

   Telefon: (030) 3481-7483

   E-Mail: alexander.oppermann@ptb.de

Scientific Publications

Oppermann A., Eickelberg S., Exner J. (2021) Digital Transformation in Legal Metrology: An Approach to a Distributed Architecture for Consolidating Metrological Services and Data. In: Ziemba E., Chmielarz W. (eds) Information Technology for Management: Towards Business Excellence. ISM 2020, FedCSIS-IST 2020. Lecture Notes in Business Information Processing, vol 413. Springer, Cham. https://doi.org/10.1007/978-3-030-71846-6_8

Oppermann A, Eickelberg S (2021) Digitale Transformation hoheitlicher Prozesse in der Metrologie. In: GfA (Hrsg) Arbeit HumAIne Gestalten. Bericht zum 67. Kongress der Gesellschaft für Arbeitswissenschaft vom 03. – 05. März 2021. GfA-Press, Dortmund, Beitrag B.16.4

Oppermann A, Eickelberg S, Exner J (2020) Toward Digital Transformation of Processes in Legal Metrology for Weighing Instruments. In: Proceedings of the 2020 Federated Conference on Computer Science and Information Systems, Ganzha M, Maciaszek L, Paprzycki M (eds). ACSIS (21):559–562

Network security for communicative medical devices (NetMed)

The TransMeT cooperation project with Xiralite GmbH started in April 2017 and will continue until March 2020 to develop a novel, secure system software architecture for the Xiralite® medical device of the same name, which is connected to the network.

Xiralite GmbH is the market and innovation leader for optical imaging in rheumatology and, with the Xiralite® X5, has created a fluorescence camera system that represents microcirculation in the hands in order to detect centres of inflammation. For this purpose, the fluorescent dye indocyanine green, which is approved for microcirculation diagnostics in Europe, is incorporated during an examination. The XiraView® diagnostic software controls the examination and assists in the subsequent evaluation.

The new software concept is based on a software reference architecture that has been researched and tested in Department 8.5 and uses separation or microkernels and virtualization techniques. In order to adapt and further develop these for this special medical device, the risk analysis methods also developed in Department 8.5 were initially used and, together with the MPG, the BDSG, various DIN and FDA recommendations, new protection targets, threats and concrete attack vectors in the medical field were identified.

Based on the security analysis for the Xiralite® X5, a software system was selected with lower but sufficient security compared to the microkernel reference architecture, which considers handling and user friendliness for later use. The developments are also intended to promote a later expansion of the device into the US market. The basis of the software implementation is a Linux Ubuntu with poor functionality and therefore less susceptible to errors, including the latest security updates. Xen is used as a hypervisor for establishing, controlling and monitoring two virtual machines. One virtual machine is provided for legally relevant purposes such as the XiraView® diagnostic software and another for legally irrelevant purposes in order to update the software contained therein without re-certification. In addition, intrinsic software security is established inside the legally relevant virtual machine through restrictions, guidelines and rights management at operating system level.

UEFI uses Secure Boot, which guarantees a signed and authenticated, secure boot sequence until the virtual machines start. By two 1 TB hard disks, which are organized to a RAID 1, mirroring of the non removable disks, a high Resilienz of the system data and thus the later patient data as worth protecting good is reached.

A secured access from external serves as maintenance access and in a more restrictive variant with limited rights also as remote session for later training of the medical personnel and as remote diagnosis support services for physicians.

System for individual diagnosis and therapy control of rheumatic complaints of the hands (RheumaScan.net)

The approx. three-year BMBF cooperation project, which is expected to take place at the end of 2019 together with Xiraltie GmbH, TH Wildau and Charitè, is part of the topic complex "Chronic pain - innovative medical solutions for improving prevention, diagnostics and therapy".

In the course of life, chronic pain occurs in the hands of about 10% of the population. It is important to make the correct diagnosis at an early stage and to start therapy quickly in order to avoid permanent damage to the joints and bones as well as chronic pain. In this project, a bioinformatics platform for the diagnosis of inflammation in the hands is being researched and developed. This platform will ultimately bring together knowledge from the individual, distributed medical devices in order to support medical personnel in differential diagnosis and the subsequent monitoring of the course of therapy.

The Xiralite® fluorescence camera system for the diagnosis of inflammatory diseases on hands, which is internationally approved as a medical device, forms the peripheral basis of the platform. In Germany alone, more than 40 initial network users are available. The newly developed XiraViewTM 4.0 software reduces the amount of image data generated per examination and generates standardized, quantitative information on the extent of inflammation on the hands.

In the course of the project, the implementation of a public key infrastructure will ensure anonymisation and pseudonymisation of the various medical data, including for the transfer from and to the peripheries. In this way, authenticity checks of the participants and encryption of all data traffic will be made possible. The actual challenge is the various data formats such as hand photographs, patient-related data, computer system relevant data as well as machine learning and smart data. In addition, an integrity check of the data is to be established through the use of tried and tested hash algorithm procedures, and thus security against manipulation and data error recognition.

The risk analysis procedure developed at PTB and adapted for medical devices will be used to identify attack scenarios and countermeasures for the bioinformatics platform. In the later course of the project, the effectiveness of the established measures will be validated by concrete attacks on a server clone of the platform.

Through this bioinformatic platform, the time until the correct diagnosis should be shortened from 2 years to less than 3 months, whereby a health-related improvement of the patient's quality of life is achieved. In addition, a cost reduction by a factor of 8 is expected for this segment of the healthcare system.

Problem description

The advancing networking of measuring instruments not only holds numerous advantages, but also risks. While the unauthorized software modification of devices without a network connection previously required a seal break, this is often not the case with networked devices. The presence of a potentially exploitable programming error is already sufficient. In view of the increasing complexity of the measuring devices, the probability of the presence of such an error also increases.
Similar to the physical seal that confirms the integrity of the hardware, the checksum for the software components therefore represents an integrity and authenticity feature.  The comparison of a checksum with the expected value thus enables the detection of a persistent software change, but many manipulations take place in volatile memory (RAM) and therefore cannot be detected by the checksum comparison. In addition, the checksum calculation routine itself represents a point of attack whose manipulation can be used to hide the unauthorized changes to the persistent memory.  These examples show that the checksum methods offer only limited protection against possible software manipulations of the networked devices that are unwanted by the manufacturer. A further problem is the software manipulation desired by the manufacturer, which includes updates, because even the slightest change to the persistent memory leads to a change in the checksum. Since the checksum does not provide any information about the type of software change, a software update usually entails a recertification process.
One possible solution is software separation, the core idea of which involves separating the software into a legally relevant and a non-legally relevant part. This makes it possible to allow updates of the non-legally relevant part without recertification, but the technical prerequisites for such a separation represent a major hurdle, especially for smaller measuring instruments. Therefore, PTB conducts research on the development of alternative methods for software validation, which would allow updates without recertification. The approach presented here is based on a logical separation of the measurement software into core and auxiliary algorithms. The core algorithms include the methods that are directly involved in the processing of the raw measurement data into a measurement result.

Solution Approach

In the first step, a meta-description of the core algorithm is generated, on the basis of which a mathematical proof is constructed in the next step. The proof contains the complete logical description of the core algorithm without reference to a concrete implementation. If, for example, the software is described without changing the logic of the core algorithm, the proof remains valid. The proof itself is additionally secured by cryptographic methods and cannot be misused to reconstruct the core algorithm. The application of a proof in connection with the raw sensor data and the result displayed by the measuring device leads to a binary statement as to whether the transformation of the raw measurement data into the measurement result strictly follows the rules of the core algorithm. 
The great advantage of such a method over the checksums is its dynamic nature, so the evidence can be used to validate each individual measurement. The second and most important advantage is that the use of evidence makes software updates possible without recirculation, thus significantly improving the security of networked systems.