Abstract

The secure separation of functionality is a key requirement, particularly in mixed criticality systems (MCS). Well-known security models such as multiple independent levels of security (MILS) aim to formalise the isolation of compartments so as to avoid interference and make them dependable enough for safety-critical environments. Especially for in-car multimedia systems, also known as In-Vehicle Infotainment (IVI) systems, composing compartments onto a system-on-chip (SoC) offers a wide range of advantages in embedded system development. The development of such systems often implies combining pre-qualified hardware and software components, for example CPU subsystems and operating systems. However, the required strict separation can suffer because pre-qualified hardware components cannot be reconfigured. This is particularly true for shared cache levels in CPU subsystems: the interference that arises from concurrent use of a shared last-level cache is exploitable by adversaries. This article therefore identifies the attack surface and proposes a mitigation that prevents intentional misuse of the fixed cache association. In general terms, the solution is based on a suitable mapping scheme in the intermediate address space of an asymmetric multiprocessing environment that implements the MCS. Furthermore, we evaluate the strength of the approach and show how the solution contributes to a system that conforms to the separation property.
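To make the abstract's central idea concrete, the following model illustrates how the hypervisor's choice of intermediate-to-physical (stage-2) mapping decides which last-level-cache sets a compartment can ever touch, and how assigning disjoint page colours to two compartments removes the cache sets they would otherwise share. This is an added example written for this page, not code from the paper or its authors; the cache geometry (2 MiB, 16-way, 64-byte lines, 4 KiB pages), the RAM base address, the compartment names and the round-robin colour allocator are all constructed assumptions, and page colouring is used here as one well-known instance of a "suitable mapping scheme", not as a claim about the paper's exact scheme.

```python
"""Cache-colouring model of a stage-2 (IPA -> PA) mapping.

Added illustration (not the paper's code). All cache and memory parameters
are constructed assumptions, not measurements of a real SoC.
"""
from collections import defaultdict

# Assumed cache geometry: 2 MiB, 16-way set-associative, 64-byte lines.
LINE_BYTES = 64
WAYS = 16
LLC_BYTES = 2 * 1024 * 1024
PAGE_BYTES = 4096

NUM_SETS = LLC_BYTES // (LINE_BYTES * WAYS)          # 2048 sets
# Set-index bits that lie above the 4 KiB page offset are fixed by the
# physical frame the hypervisor chooses; their values are the page "colours".
NUM_COLOURS = (NUM_SETS * LINE_BYTES) // PAGE_BYTES  # 32 colours

RAM_BASE = 0x8000_0000   # assumed start of guest-usable RAM
RAM_PAGES = 4096         # assumed 16 MiB of frames available for mapping


def cache_set(pa):
    """Index of the LLC set that holds the line at physical address pa."""
    return (pa // LINE_BYTES) % NUM_SETS


def page_colour(pa):
    """Colour of the frame containing pa (set-index bits above the page offset)."""
    return (pa // PAGE_BYTES) % NUM_COLOURS


def sets_of_page(pa):
    """All LLC sets reachable through one 4 KiB frame."""
    base = pa - pa % PAGE_BYTES
    return {cache_set(base + off) for off in range(0, PAGE_BYTES, LINE_BYTES)}


def naive_stage2_map(demands, ram_base=RAM_BASE):
    """Contiguous carve-out: each compartment gets the next N frames.

    demands: {compartment name: number of pages}. Returns
    {name: [(ipa, pa), ...]} with IPAs numbered from 0 per compartment.
    """
    mapping, pa = {}, ram_base
    for name, pages in demands.items():
        mapping[name] = [(i * PAGE_BYTES, pa + i * PAGE_BYTES) for i in range(pages)]
        pa += pages * PAGE_BYTES
    return mapping


def coloured_stage2_map(demands, colours_for, ram_base=RAM_BASE, ram_pages=RAM_PAGES):
    """Back each compartment only with frames whose colour it is allowed to use.

    colours_for: {compartment name: iterable of allowed colours}. Frames are
    taken round-robin over the allowed colours so the compartment still gets
    a spread of sets, but never one outside its colour budget.
    """
    free = defaultdict(list)
    for i in range(ram_pages):
        pa = ram_base + i * PAGE_BYTES
        free[page_colour(pa)].append(pa)
    mapping = {}
    for name, pages in demands.items():
        allowed = sorted(colours_for[name])
        entries = []
        for i in range(pages):
            colour = allowed[i % len(allowed)]
            if not free[colour]:
                raise MemoryError(f"out of frames for colour {colour} ({name})")
            entries.append((i * PAGE_BYTES, free[colour].pop(0)))
        mapping[name] = entries
    return mapping


def reachable_sets(entries):
    """Union of LLC sets a compartment can touch through its stage-2 entries."""
    reachable = set()
    for _ipa, pa in entries:
        reachable |= sets_of_page(pa)
    return reachable


def shared_sets(mapping, a, b):
    """LLC sets on which compartments a and b can interfere with each other."""
    return reachable_sets(mapping[a]) & reachable_sets(mapping[b])


if __name__ == "__main__":
    demands = {"safety": 64, "infotainment": 64}
    naive = naive_stage2_map(demands)
    coloured = coloured_stage2_map(
        demands, {"safety": range(0, 16), "infotainment": range(16, 32)})
    print("naive mapping, shared sets:   ", len(shared_sets(naive, "safety", "infotainment")))
    print("coloured mapping, shared sets:", len(shared_sets(coloured, "safety", "infotainment")))
```

With 64 pages per compartment the naive carve-out cycles through all 32 colours for both guests, so every one of the 2048 sets is shared; the coloured mapping leaves them with disjoint halves of the cache. The cost is visible in `MemoryError`: a compartment restricted to few colours can exhaust its frames while other colours still have free memory, which is the capacity trade-off a colouring scheme has to budget for.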
