IoT security and Linux: Why IncludeOS thinks it has the edge

By giving the Internet of Things a more suitable operating system, Norwegian software outfit IncludeOS aims to secure the billions of IoT devices coming online.

Security is a big worry for the Internet of Things. We've already seen countless incidents where smart internet-connected devices are taken over by an attacker and put to unintended use.

A major part of the problem lies with the operating system running on these devices, which by its nature is reconfigurable and open for internal and external communications.

Per Buer, CEO and co-founder of Norwegian software company IncludeOS, thinks the growing use of Linux as an embedded operating system is giving it a role for which it is far from perfect.

"Linux has impressive hardware and software support. It supports just about any protocol and any peripheral. It is all dynamic so anything at any time can connect to a Linux system," he wrote recently.

"The result is a massive amount of code and following this a considerable number of potential bugs that could lead to compromise."

He thinks his company's OS offers a better solution. It has created an open-source OS that links into the application at compile time, resulting in one software image where the OS functionality is inside the application and running directly on top of the hardware.

IncludeOS links only the OS functionality that the application needs into the binary software image, thus reducing both its size and possible attack surfaces. This approach is normally termed a 'library OS'.

IncludeOS runs in a single address space, so there are neither interprocess communications nor concepts like user space and kernel space.

This quality makes it a unikernel OS, and together these concepts give the architecture some very different characteristics compared with traditional operating systems.

"Unikernel OSes are super-slim, a thousandth in size, compared with a typical Linux installation. Performance increases dramatically, because the application doesn't need to talk to the OS to get hardware resources like memory or network -- it knows how to do it itself," Buer tells ZDNet.

"A unikernel also starts extremely quickly. Typically, Unix-based OSes take 10 to 20 seconds to start up. We're booting in five milliseconds."

But the most important feature is security. Because Linux and most other OSes are designed to be general-purpose operating systems with long lifespans on different hardware platforms, they are reconfigurable. This quality can make them vulnerable to malicious misuse by an attacker.

"The ability for the operating system to reconfigure itself is something we never implemented. We may have had plans for that a couple of years ago, but today we see that as our greatest feature," Buer says.

IncludeOS was invented by CTO Alfred Bratterud as part of his studies of hypervisors at OsloMet University. As a result, IncludeOS was first implemented for running in virtual machines on top of hypervisors. Later, it was coded to run on bare metal x86 processors.

Meanwhile, IncludeOS' user community started to request a version for Arm-based computers. These processors are in widespread use for IoT devices, and earlier this year IncludeOS applied for EU funds for the project to port the code. As a result, it was granted €1.25m ($1.41m) in funding, and the work starts in January.

Buer says he expects the code to boot on Arm by next summer, and that the project will, for the most part, be completed in two years' time.

"So hopefully, in five years' time you'll never be more than 20 meters away from a piece of hardware that's running our software," Buer says.

IncludeOS CEO and co-founder Per Buer: "Typically, Unix-based OSes take 10 to 20 seconds to start up. We're booting in five milliseconds."

Image: Stig Oyvann/ZDNet

With IncludeOS the OS functionality is inside the application and running directly on top of the hardware.

Image: IncludeOS/Per Buer
