Lately, the use of unmanned aerial vehicles (UAVs) has been increasing in areas such as humanitarian operations, disaster response, search and rescue, and civilian leisure [1,2]. Accordingly, various security issues have been addressed for UAVs. For example, physical security for UAVs, covering issues such as collision or unauthorized location, is required and has been researched. Privacy protection against video data sniffing is also needed, as UAVs provide a number of applications. Wireless communications security is another consideration for UAV networks.
In particular, a secure operating system is one of the most significant security issues for UAVs, since it is needed to provide reliable and stable UAV control. Most operating systems of commercial UAVs are based on Linux. However, Linux systems are vulnerable when used for wireless UAV control. The root exploit attack, which is able to interfere with UAV control, is one of the most well-known security issues [7,8]. Although microkernel-based operating systems have been developed to address this issue, such a system cannot use the useful applications commonly available on Linux systems, and it is too complicated to implement. Moreover, a microkernel-based UAV is vulnerable to falling as a result of a forced shutdown caused by a buffer overflow attack. In short, the Linux-based operating system is not secure against root exploits, and the microkernel-based operating system cannot use the useful applications and is vulnerable to forced shutdown.
For this reason, this paper proposes a Linux-based operating system architecture for UAVs which is not only able to use the common applications but is also robust against the vulnerabilities in UAV control. This system runs a virtualized microkernel-based operating system on Linux to isolate wireless communication in UAVs. This enables UAVs using the proposed architecture to prevent root exploits and falls caused by forced shutdown attacks, and to run Linux applications.
2. Related Works
UAVs without an operating system, such as firmware-only UAVs, cannot use various functions. Since it is a pervasive and stable operating system for which diverse functions have already been developed, Linux is widely adopted as the operating system for UAVs, e.g., robot operating system (ROS) [10-12].
Yet, Linux systems are known to be vulnerable to communication attacks. Since Linux is an open-source project, the data communication procedure is easily inferred. This allows network sessions to be stolen, and attackers can insert a command that invokes a shell through the buffer overflow vulnerability known as “Ghost”. Using this shell, the attackers are able to gain root privilege with “Use-After-Free”.
The other operating systems for UAVs are based on a microkernel, e.g., seL4. Most recent research on enhancing UAV security through operating system architecture is based on a microkernel [14,15]. A microkernel-based operating system consists of only the necessary components, which makes it lightweight. In contrast with Linux, it needs to be implemented manually, and this operating system is used for security. However, this constant manual implementation affects its portability, and common applications that are easily used on Linux cannot be used on a microkernel-based operating system. In addition, as you can see, the UAV might be exposed to a shutdown attack. Some vulnerabilities have lately been detected in FreeRTOS, which is a microkernel-based OS, and one of them is a remote code execution vulnerability caused by a buffer overflow.
3. Architecture Overview
The proposed architecture is largely composed of Linux and a microkernel-based operating system virtualized on it. The microkernel-based operating system has two virtual network interfaces: one is linked to the Ethernet interface of the UAV, and the other is for communication with Linux. The virtualized operating system also has an interface that connects its virtual network interfaces. In short, the Linux applications of the UAV communicate via the microkernel-based operating system.
This structure is beneficial for the network security of the UAV. When a UAV with this operating system is under attack, the initial network access point is not Linux itself. In other words, the UAV is not exposed to attacks that use vulnerabilities in the transport layer of Linux. Attackers are not able to gain root on the microkernel-based operating system that becomes the target of an attack via the network. In addition, when an attack uses a buffer overflow to cause a forced shutdown, it is the microkernel-based operating system reachable from the network that is turned off, not Linux. This allows the UAV to continue its mission without falling, using the applications in Linux. Fig. 1 describes the proposed architecture.
Fig. 1. Illustration of the proposed architecture.
3.1 Communication Manager
The Communication Control Interface in Communication Manager is composed of Port Table, Priority Manager, QoS Manager, Connection Manager, and Transceiver (Fig. 1). This interface is designed so that the virtual interfaces in Communication Manager are connected to each other; as a result, Linux is able to establish and manage a secure connection with the outside of the UAV via Communication Manager.
Port Table is in charge of indicating, storing, and removing the ports of communicating processes. Using the Data Type field, which it identifies with the data type definitions it holds in advance, Port Table resolves the Data Type into a registered port number in a table of applications running on Linux in order to route packets.
Fig. 2. The packet format of Communication Control Interface.
Priority Manager determines the priority of the packets that Transceiver transmits and receives. According to the priority field in a packet, Priority Manager inserts the packet into the relevant one of the priority queues that Transceiver reads. Transceiver reads packets from the higher queue first and sends packets in sequence.
QoS Manager manages data for quality of service. This component configures the bandwidth that should be guaranteed for data communication according to data types, such as control and multimedia. To this end, QoS Manager also checks the QoS level field of packets.
Connection Manager detects a connection request by the connection flag. Connection Manager checks the connection flag in a packet and generates a new Transceiver dedicated to the specified connection session. After that, the Transceiver communicates with the user who sent the request.
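The following C sketch is an added example, not code from the paper, showing how the Port Table lookup and Priority Manager queues described above can sit behind a strictly bounds-checked parser, since this interface is the first code to touch untrusted network input. The header layout, constants, and function names are assumptions of this example, because the packet format figure is not reproduced on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed header layout (hypothetical, the paper's figure is not available):
 * [0] data type  [1] priority  [2] QoS level  [3] flags  [4..5] payload length, big-endian */
enum { HDR_LEN = 6, MAX_PAYLOAD = 256, N_PRIO = 3, QCAP = 8, DT_MAX = 8, FLAG_CONNECT = 0x01 };

struct cci_pkt { uint8_t type, prio, qos, flags; uint16_t len; const uint8_t *payload; };

/* Port Table: data type -> registered port of a Linux application (0 = not registered). */
static uint16_t port_table[DT_MAX];
void port_register(uint8_t type, uint16_t port) { if (type < DT_MAX) port_table[type] = port; }
void port_remove(uint8_t type) { if (type < DT_MAX) port_table[type] = 0; }

/* Parse untrusted bytes. Returns 0 on success, -1 on any malformed input. */
int cci_parse(const uint8_t *buf, size_t n, struct cci_pkt *out)
{
    if (!buf || !out || n < HDR_LEN) return -1;
    uint16_t len = (uint16_t)((buf[4] << 8) | buf[5]);
    /* The declared length must be bounded and must match the bytes actually received. */
    if (len > MAX_PAYLOAD || (size_t)len != n - HDR_LEN) return -1;
    if (buf[0] >= DT_MAX || buf[1] >= N_PRIO) return -1;  /* both are used as array indices */
    *out = (struct cci_pkt){ buf[0], buf[1], buf[2], buf[3], len, buf + HDR_LEN };
    return 0;
}

/* Route by data type. A result of 0 means no application registered: drop the packet. */
uint16_t cci_route(const struct cci_pkt *p) { return port_table[p->type]; }

/* Priority Manager: one bounded ring per priority; 0 is assumed to be the highest. */
static struct cci_pkt queues[N_PRIO][QCAP];
static size_t head[N_PRIO], count[N_PRIO];

int prio_enqueue(const struct cci_pkt *p)   /* p must come from cci_parse() */
{
    uint8_t q = p->prio;
    if (count[q] == QCAP) return -1;        /* queue full: refuse instead of overwriting */
    queues[q][(head[q] + count[q]++) % QCAP] = *p;  /* payload still points into caller's buffer */
    return 0;
}

/* Transceiver side: take the next packet, highest-priority queue first. */
int prio_dequeue(struct cci_pkt *out)
{
    for (int q = 0; q < N_PRIO; q++) {
        if (!count[q]) continue;
        *out = queues[q][head[q]];
        head[q] = (head[q] + 1) % QCAP;
        count[q]--;
        return 0;
    }
    return -1;
}
```
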
3.2 Report Manager
Fig. 3 shows that the Transceiver component of Communication Manager sends a heartbeat message, and UAV applications report when a connection loss with Transceiver occurs. Report Manager plays the role of communication health supervisor for resilience. Report Manager receives reports from Transceiver and UAV applications while they are communicating. This reporting mechanism signals a connection loss when one side has been waiting for a response from the other for longer than the timeout. If the lost connection is the one controlling the UAV, Flight Control Manager handles the routing path of the UAV with an already configured method, e.g., hovering and awaiting reconnection. Moreover, by using the heartbeat reported by Transceiver, a Communication Manager killed by attackers is recovered by Communication Recovery in Report Manager.
Fig. 3. Communication reports for recovery by Report Manager.
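The supervision logic described above can be sketched as a small state machine; this is an added example, not code from the paper. The structure, function names, action flags, and timeout value are assumptions of this example: a missed Transceiver heartbeat requests Communication Recovery once, and a lost control connection asks Flight Control Manager to hover.

```c
#include <stdint.h>
#include <stdio.h>

enum { ACT_NONE = 0, ACT_RECOVER_COMM = 1, ACT_HOVER = 2 };  /* bit flags (hypothetical) */

struct report_mgr {
    uint32_t timeout_ms;    /* assumed to be configured by the integrator */
    uint32_t last_hb_ms;    /* time of the last Transceiver heartbeat */
    int recovering;         /* recovery already requested, waiting for a heartbeat */
    int app_lost;           /* a UAV application reported loss of the Transceiver */
    int control_session;    /* the supervised connection controls the UAV */
};

void rm_init(struct report_mgr *rm, uint32_t timeout_ms, uint32_t now, int control_session)
{
    *rm = (struct report_mgr){ timeout_ms, now, 0, 0, control_session };
}

/* Transceiver heartbeat: Communication Manager is alive. */
void rm_heartbeat(struct report_mgr *rm, uint32_t now) { rm->last_hb_ms = now; rm->recovering = 0; }

/* UAV application report: nonzero when it waited longer than the timeout for the Transceiver. */
void rm_app_report(struct report_mgr *rm, int lost) { rm->app_lost = lost; }

/* Periodic check. Unsigned subtraction keeps the comparison correct when the tick counter wraps. */
int rm_poll(struct report_mgr *rm, uint32_t now)
{
    int silent = (uint32_t)(now - rm->last_hb_ms) > rm->timeout_ms;
    if (!silent && !rm->app_lost) return ACT_NONE;
    int act = rm->control_session ? ACT_HOVER : ACT_NONE;  /* hold position while the link is down */
    if (silent && !rm->recovering) {                       /* request the restart only once */
        rm->recovering = 1;
        act |= ACT_RECOVER_COMM;
    }
    return act;
}

int main(void)
{
    struct report_mgr rm;
    rm_init(&rm, 500, 1000, 1);                            /* constructed timeline, in ms */
    rm_heartbeat(&rm, 1200);
    printf("t=1600 -> %d\n", rm_poll(&rm, 1600));
    printf("t=1800 -> %d\n", rm_poll(&rm, 1800));
    return 0;
}
```
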
4. Implementation Issues and Analysis
To implement this architecture, there are some considerations and issues. First of all, the platform of the operating system structure must be selected, such as the microkernel, hardware architecture, and virtualization method. In particular, the microkernel must contain the specified functions, including communication control. In this process, some issues might occur. For example, the hardware architecture may need to support virtualization technology, such as a trusted execution environment (TEE), or the microkernel must be able to run on the core architecture of the composed system. The platform we designed consists of the seL4 microkernel, the ARMv7 architecture, and Docker.
In the proposed operating system architecture for UAVs, diverse applications and functions are easily available. Besides, this structure is secure and resilient against communication attacks that use well-known vulnerabilities. Table 1 describes the differences among operating systems of UAV.
Table 1. Differences among operating systems of UAV
In contrast with Linux, the proposed operating system is invulnerable to root exploit and shutdown attacks because it separates the communication module. In addition, this operating system is able to use applications commonly used in Linux, and contains diverse functions which a microkernel with minimized components does not have. Moreover, through Report Manager, the proposed architecture is able to keep the UAV from falling and from losing its connection.
In this paper, a secure operating system architecture against communication attacks with root exploits is designed. This structure is based on Linux so as to use many common applications and functions for UAVs. At the same time, the proposed operating system is robust because it keeps attackers from exploiting the well-known vulnerabilities of Linux, and resilient in that the UAV keeps its control without falling, thanks to connection recovery.
Root exploits, control hijacking, and a crash of a UAV might lead to sniffing of private data, tracking of confidential information, and even harm to human life. The proposed structure is built simply and defends against these critical security issues completely and intuitively.
However, the network communication performance of this structure inevitably deteriorates. To improve this architecture, we will study the best way to implement the network interfaces, and evaluate the network performance for demonstration.
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (Ministry of Science, ICT & Future Planning) (No. 2016R1A2B4013118).