Symposium sur la sécurité des technologies de l'information et des communications

Last year we started to work on a separated deported UI designed to support an efficient secured and trusted display management with enhanced security level as alternative to technologies such as TrustZone. The goal was to be able to securely receive, manipulate and display requests from an eSE 2 in a separated, dedicated, control/data plane, with non-secure elements fully unaware of such a path. In the meantime, we have worked on a more formal specification on how to properly support a deported UI in our products, while still including our initial use cases as defined in [20]. Our work has been focused on deported trusted and secured UI architectures where an eSE drives directly an auxiliary UI component. Considering also our needs for modern UI rendering, we have then started to look on how to implement such an architecture on various MCUs,3 such as the STM32 family from STMicroelectronics, yet with portability in mind. After an in-depth review of the state of art, no convincing open solution has been identified on MCUs for hosting the firmware pieces of such deported UI. From there is born a new secure and versatile Operating System, denoted Outpost OS, conceived to support at the very same time code integration of various origins, runtime isolation, high level of robustness and security, and industrialization constraints. This article presents this new OS and its main associated concepts.