
Protecting Bare-metal Embedded Systems With Privilege Overlays



Presentation on theme: "Protecting Bare-metal Embedded Systems With Privilege Overlays"— Presentation transcript:

1 Protecting Bare-metal Embedded Systems With Privilege Overlays
Abraham A. Clements, Naif Saleh Almakhdhub, Khaled S. Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer

2 Bare-Metal Systems
Systems without an OS; security left out.
Constraints:
- Small memory sizes: 1 MB Flash, 128 KB of RAM
- Tight run-time constraints
- Low power requirements
- Single application: no kernel/user space separation
Examples: Amazon's Dash button, smart door locks, engine controllers, SD card controllers, WiFi SoCs
Speaker note: emphasis; mention the Project Zero WiFi findings; security left out.

3 Default: No Defenses
Diagram: a bare-metal application over Flash (Code), RAM (Global Data, Stack), IO, Sensitive IO and Security Hardware, all in a single (root) execution domain.
- Security hardware: unused or trivially bypassed
- Sensitive IO: always accessible; can be used to corrupt the application or hardware
- Code, global data and stack: all have the same memory configuration
- Vulnerable to: stack smashing, code injection, global data corruption
- No ROP defenses
- Any bug is fatal

4 Defense Challenges
- Single application: no separation of privilege levels (e.g. kernel, user)
- Systems lack an MMU: defenses are limited to the physical memory space
- Small memory sizes
- Tight run-time constraints
Speaker note: small memory means little entropy; we can't add very much.

5 EPOXY: Embedded Privilege Overlay across X hardware for Y software
- LLVM-based compiler
- Protects against: code injection, control-flow hijacking, data corruption, direct manipulation of IO
- Privilege overlays: create two privilege levels; the foundation for the other defenses
Diagram: Source Code -> EPOXY (LLVM-based compiler) -> Hardened Application, with access to Sensitive IO restricted.
Speaker note: forward reference; all of these are covered in detail later in the presentation.

6 Threat Model and Requirements
Threat model:
- Arbitrary memory corruption
- Attacker goals: obtain execution; corrupt specific global data
- Attacker does not have physical access
Requirements:
- Hardware support for two execution privilege modes
- Memory Protection Unit (MPU): hardware that enforces access permissions on physical memory
- Memory usage determined a priori

7 Before EPOXY
Diagram: the application with Security Hardware, Sensitive IO, IO, Global Data, Stack and Code, all running under Privileged Execution.

8 Privilege Overlay
- Creates multiple privilege levels
- Enables the developer to assume access to everything
- Restricts privileged operations at run-time
- Static analysis identifies privileged operations:
  - Specific instructions defined by the ISA that require privileges
  - Sensitive memory-mapped registers (e.g., MPU configuration, sensitive IO)
- Created by injecting code to:
  - Configure the MPU: enforce DEP and restrict access to sensitive registers
  - Reduce privileges of the entire application
  - Request privileges for restricted operations
  - Handle privilege requests

9 Privilege Overlay Example
Default (the whole application runs privileged):

    #define UART_RX ((volatile char *)0xdeadbeef)  /* memory-mapped receive register */
    char menu_option;
    ...
    menu_option = *UART_RX;                        /* sensitive IO access */
    switch (menu_option) {
    case '1': handle_case_1(); break;
    }

With privilege overlay (EPOXY injects the request/drop around the privileged operation; only the access itself runs as Privileged Execution, everything else as Unprivileged Execution):

    #define UART_RX ((volatile char *)0xdeadbeef)
    char menu_option;
    ...
    request_privileges();                          /* injected */
    menu_option = *UART_RX;                        /* privileged: sensitive IO access */
    drop_privileges();                             /* injected */
    switch (menu_option) {
    case '1': handle_case_1(); break;
    }

10 EPOXY: After Privilege Overlay
Diagram of the hardened application:
- Security Hardware: enabled, enforcing DEP; access restricted
- Sensitive IO: access restricted
- IO
- Global Data and Stack: set to RW-NX, stopping code injection
- Code: set to RX, providing code integrity
- The application now runs as Unprivileged Execution; only the overlay's privileged operations run as Privileged Execution

11 SafeStack
SafeStack from Code Pointer Integrity*
- Protects against stack smashing
- "Unsafe" variables are moved to a separate stack
- We adapted it to bare-metal systems
Diagram: RAM layout before (Stack, .data, .bss, heap) and after (Stack, .data, .bss, heap, Guard Region, UnSafeStack).
Speaker note: "unsafe" means used in pointer arithmetic that can't be proved to be safe, or escapes the current bounds. Only functions which use unsafe variables use an UnSafeStack frame.
* V. Kuznetsov et al., Code Pointer Integrity, OSDI 2014

12 Diversification
- Further protects against ROP attacks
- Protects against corruption of specific global data
Diagram: Source Code -> EPOXY with Seed 1, Seed 2, Seed 3, Seed 4 -> Binary 1, Binary 2, Binary 3, Binary 4 (a different binary per seed).

13 Diversification
- Further protects against ROP attacks
- Protects against corruption of specific global data
Diagram: RAM layouts of Binary 1 and Binary 2 (Stack, .data, .bss, heap, UnSafeStack and padding; variables a, b, c, d and regions A to E are reordered between the two) and Flash layouts (functions foo, foo2, bar, bar2, baz, handler are reordered between the two). An address valid in one binary jumps to handler in the other: invalid execution.

14 EPOXY: All Protections
Hardened application:
- Security Hardware: enabled, enforcing DEP; access restricted
- Sensitive IO: access restricted
- IO
- UnSafeStack: isolated "unsafe" locals
- Global Data: protected global data; set to RW-NX, stopping code injection
- Stack: stack smashing protection; ROP protections
- Code: set to RX, providing code integrity; ROP protections
- Privileged Execution vs. Unprivileged Execution
Speaker note: tie to desktop.

15 Performance
The slide carries the table titles BEEBs Runtime, IoT Apps Runtime, IoT Apps Energy and BEEBs Power; only two tables survived extraction, and the title of the first cannot be recovered with certainty.

Table (title lost in extraction), overhead relative to the unprotected build:
         SS      PO      All
Min    -7.3%   -1.3%  -11.7%
Ave    -3.5%    0.1%    1.1%
Max     4.4%    2.1%   14.2%

BEEBs Power:
         SS      PO      All
Min    -4.2%  -10.3%  -10.2%
Ave     0.2%   -0.2%    2.5%
Max     7.3%    2.8%   17.9%

SS - SafeStack only, PO - Privilege Overlay only

16 ROP Compiler
Used the ROPgadget compiler* to identify gadgets across 1000 variants. A gadget survives if the same instructions (ending with a branch) are at the same address.

                      # Surviving Across
App         Total     2      5     25    50    Last
PinLock     294K      14K    8K    313   48
FatFS-uSD   1,009K    39K    9K    39    32
TCP-Echo    676K      22K    985   700   107
(Headers are as on the slide; each row carries five values for the six headers, so the alignment of the last columns is not recoverable from the extraction.)

Speaker note: emphasise the max column only; the message is that attacks do not scale across variants.
* J. Salwan, ROPgadget,
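As an added example (not the authors' tooling; constructed input, not a real firmware image), the following shows the seeded layout diversification of slides 12 and 13 together with the gadget-survival metric of slide 16: a gadget counts as surviving across k variants only if the same instruction sequence ending in a branch sits at the same address in all k. The function list, the flash base and the branch classifier are assumptions for the toy.

```python
import random
# Constructed sample functions (not a real firmware): name -> 2-byte instructions.
FUNCS = {
    "foo":     ["mov r0, r1", "add r0, #1", "pop {r4, pc}"],
    "bar":     ["ldr r0, [r1]", "pop {pc}"],
    "baz":     ["push {lr}", "bl helper", "pop {pc}"],
    "handler": ["mrs r0, control", "bx lr"],
    "foo2":    ["sub r0, #1", "bx lr"],
    "bar2":    ["mov r0, #0", "blx r3", "bx lr"],
}
FLASH_BASE = 0x08000000  # assumed flash base for the toy layout

def is_branch(ins):
    """Simplified classifier: branches, calls, returns and pops that load pc."""
    mnemonic = ins.split()[0]
    return mnemonic in {"b", "bl", "bx", "blx"} or (mnemonic == "pop" and "pc" in ins)

def diversify(seed, max_pad_halfwords=16):
    """One seeded variant: shuffle function order and insert random padding (slides 12-13)."""
    rng = random.Random(seed)
    order = list(FUNCS)
    rng.shuffle(order)
    layout, addr = {}, FLASH_BASE
    for name in order:
        addr += 2 * rng.randrange(max_pad_halfwords + 1)  # padding before the function
        layout[name] = addr
        addr += 2 * len(FUNCS[name])
    return layout

def gadgets(layout, max_depth=3):
    """Gadgets of a variant as (address, instruction tuple); each ends in a branch."""
    found = set()
    for name, start in layout.items():
        insns = FUNCS[name]
        for end, ins in enumerate(insns):
            if not is_branch(ins):
                continue
            for depth in range(1, min(max_depth, end + 1) + 1):
                first = end - depth + 1
                found.add((start + 2 * first, tuple(insns[first:end + 1])))
    return found

def surviving(seeds):
    """Gadgets that sit at the same address with the same instructions in every variant."""
    return len(set.intersection(*(gadgets(diversify(s)) for s in seeds)))

def survival_table(across=(2, 5, 25, 50)):
    """Mirror the slide's columns: gadgets in one binary, then survivors across k variants."""
    return {"total": surviving([0]), **{k: surviving(range(k)) for k in across}}
```

Calling survival_table() gives one row in the shape of the slide's table; the survivor count can only fall as more variants are intersected, which is the "attacks do not scale across variants" point of the slide.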

17 Privileged Instructions Executed
App         Tool           Exe      Priv     Priv %
PinLock     EPOXY          823K     1.4K     0.17%
PinLock     FreeRTOS-MPU   813K     (lost)   98.78%
FatFS-uSD   EPOXY          33.3M    3.9K     0.01%
FatFS-uSD   FreeRTOS-MPU   34.1M    33.0M    96.77%
TCP-Echo    EPOXY          310M     1.5K     <0.001%
TCP-Echo    FreeRTOS-MPU   322M     307.0M   95.34%
(The PinLock FreeRTOS-MPU row carried only two values in the extraction, so which of Exe and Priv is 813K is not recoverable.)
Speaker note: FreeRTOS is the standard embedded comparison, not the default.

18 Conclusion
- Fast forwards bare-metal security three decades
- Provides state-of-the-art protection for bare-metal systems
- Does not require rewriting the application
- Provides strong stack protections via an adapted SafeStack
- Minimizes the number of privileged instructions executed
- Diversifies all memory
- Meets requirements for run-time, memory, and energy
- Open sourced:

