Isolating Real-Time Safety-Critical Embedded Systems via SGX-based Lightweight Virtualization
Luigi De Simone, Giovanni Mazzeo

TL;DR
This position paper proposes combining Intel SGX enclaves with unikernel-based OS virtualization to strengthen isolation and ease certification of safety-critical real-time embedded systems, addressing the drawbacks of current virtualization approaches.
Contribution
It introduces an approach that combines SGX enclaves with unikernel-based OS virtualization to improve safety, real-time performance, and certifiability in embedded systems.
Findings
SGX enclaves can provide hardware-enforced isolation for real-time workloads.
Unikernel-based OS virtualization reduces overhead and simplifies certification compared with heavier hypervisor-based virtualization.
The combined approach is argued to improve safety and scalability in critical embedded applications.
Abstract
A promising approach for designing critical embedded systems is based on virtualization technologies and multi-core platforms. These enable the deployment of both real-time and general-purpose systems with different criticalities on a single host. Integrating virtualization while also meeting the real-time and isolation requirements is non-trivial, and poses significant challenges especially in terms of certification. In recent years, researchers have proposed hardware-assisted solutions to address issues arising from virtualization, and more recently the use of Operating System (OS) virtualization as a more lightweight approach. Industries are hampered in leveraging this latter type of virtualization, despite the clear benefits it introduces, such as reduced overhead, higher scalability, and easier certification, since there is still a lack of approaches that address its drawbacks. In this position paper,…
