
RAI: Securing Embedded Systems with Return Address Integrity Naif - PowerPoint PPT Presentation



  1. μRAI: Securing Embedded Systems with Return Address Integrity
  Naif Saleh Almakhdhub (1,4,5,6), Abraham A. Clements (3,4,5), Saurabh Bagchi (1,4), Mathias Payer (2,5)
  Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

  2. Current State of Security
  • Target: embedded and IoT devices running microcontroller systems (MCUS)
  • Attack: control-flow hijacking
  [1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
  [2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/
  [3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical

  3. MCUS Challenges
  • Desktop: large virtual memory (GBs); basic defenses (e.g., ASLR); larger code; DEP
  • MCUS: small physical memory (MBs Flash, KBs RAM); basic defenses (e.g., ASLR) disabled; smaller code; DEP fixable
  (Figure: memory layout of a desktop process beside an MCUS layout with code in Flash at 0x08000000 and data, heap and stack in RAM at 0x02000000.)

  4. MCUS Defenses for Return Addresses (Conceptual)
  (Figure: defenses plotted by runtime overhead (high vs. 10%) against security guarantee (limited security guarantees, usage location integrity, return address integrity). Special hardware required: shadow stack + TEE, shadow stack + MPU, safe stack + fault isolation. Without extra hardware: software shadow stack (high runtime overhead), randomized safe stack, CFI, μRAI.)
  • μRAI: return address integrity + low runtime overhead + no special hardware

  5. MCUS Defenses for Return Addresses (Related Work)
  (Figure: the same overhead-vs-security chart populated with related work, split into "special hardware required" and "without extra hardware": CFI (shadow stack, high runtime overhead), CaRE [RAID17], RECFISH [ECRTS 2019], ACES [SEC18], SCFP [EuroS&P18], Minion [NDSS18], EPOXY [S&P17], C-FLAT [CCS16], uXOM [SEC19], Symbiote [RAID11], μArmor [EuroS&P19] (SafeStack), LiteHAX [ICCAD18], and μRAI.)
  • μRAI: return address integrity + low runtime overhead + no special hardware

  6. Return Address Integrity (RAI)
  • Every attack requires corrupting a return address by overwriting it
  • Main limitation of defenses: return addresses are in writable memory (example: information hiding)
  • Key solution: prevent an attacker from corrupting return addresses
  RAI property:
  • Ensure the return address is never writable except by an authorized instruction
  • Return addresses are never pushed to the stack or any writable memory by an adversary

  7. Threat Model & μRAI Protection
  • Unprivileged attacker: reads from memory, writes to memory, knows the code layout, targets backward edges (corrupts a return address, or corrupts sensitive memory-mapped I/O (MMIO))
  • Privileged resources: MPU, VTOR
  (Figure: call graph main → Func1 … Func7 for a normal application beside the same graph under μRAI. Legend: normal function; callable within exception handler; MMIO; state register encoding; software-fault isolation (SFI).)

  8. μRAI: Overview
  1 Enforces the RAI property: state register + jump table in read+execute memory (Jump return_location1, Jump return_location2, …)
  2 Protects exception handlers: exception handler software-fault isolation and privileged execution
  3 Low runtime overhead: relative jump target lookup routine

  9. μRAI: Overview (slide 8 repeated)

  10. μRAI and the State Register
  • State Register (SR):
    • Can be any general-purpose register, exclusively used by μRAI
    • Never spilled, so it cannot be overwritten through a memory corruption
    • Does not contain a return address; holds encoded values used to resolve the return location
  • Example call graph: main → Func1 → Func2. Each edge (call) reads the SR to resolve the correct return location
  • How to encode the SR? An XOR chain

  11. μRAI: Terminology
  (Figure: the SR is split into SR[Recursive] = 0 and SR[Encoded] = C. Func1 has two call sites to Func2. Before the first: SR[Enc] = SR[Enc] ⊕ key1; Call Func2; return location Func1_1: SR[Enc] = SR[Enc] ⊕ key1. Before the second: SR[Enc] = SR[Enc] ⊕ key2; Call Func2; return location Func1_2: SR[Enc] = SR[Enc] ⊕ key2.)
  • Function Keys (FKs): hard-coded keys used to encode the SR

  12. μRAI: Terminology
  (Figure: same Func1/Func2 code as before, now with each function's table of Function ID (FID) → Return Target. Func1: C → Jump return_location1; ELSE → Jump ERROR. Func2: C ⊕ key1 → Jump Func1_1; C ⊕ key2 → Jump Func1_2; ELSE → Jump ERROR.)
  • Function IDs (FIDs): possible values of the SR for the function

  13. μRAI: Terminology
  (Same figure as slide 12: Func1 and Func2 with their FID → Return Target tables.)
  • Function Lookup Table (FLT): list of FIDs for the function

  14. μRAI: Transformation
  (Same figure as slide 12; SR[Recursive] = 0, SR[Encoded] = C on entry to Func1.)
  • Encode the SR and call Func2

  15. μRAI: Transformation
  (Same figure as slide 12; the SR changes from SR[Recursive] = 0, SR[Encoded] = C to SR[Recursive] = 0, SR[Encoded] = C ⊕ key1.)
  • Func2 reads the SR and executes the corresponding direct jump

  16. μRAI: Transformation
  (Same figure as slide 12, with the SR shown as C ⊕ key1 inside Func2 and C after the XOR at Func1_1.)
  • Func2 returns correctly and the SR is decoded

  17. μRAI: Transformation
  (Same figure as slide 12; SR[Encoded] is back to C.)
  • The previous SR value is restored

  18. μRAI: Transformation
  (Same figure as slide 12; the second call site uses key2 and returns to Func1_2.)
  • The same happens for other calls. Func1 can then return correctly
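As an added illustration (not code from the μRAI authors or paper), the following C model walks the figure of slides 11 to 18: Func1 XORs the state register with key1 or key2 before each call, Func2 resolves its return target from the SR through its lookup table, and the second XOR restores the SR on return. The key values, the entry value C, the enum of jump targets and the function names are constructed assumptions, and the SR[Recursive] field is omitted.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values: the real μRAI compiler pass chooses per-call-site keys. */
#define SR_ON_ENTRY 0x0Cu   /* SR[Encoded] when Func1 is entered ("C" in the slides) */
#define KEY1        0x3A5Cu /* function key for Func1's first call site */
#define KEY2        0x9E17u /* function key for Func1's second call site */

/* Direct-jump targets that Func2's lookup table can select. */
typedef enum { RET_FUNC1_1, RET_FUNC1_2, RET_ERROR } ret_target_t;

/* Model of the reserved State Register (SR[Encoded] only; SR[Recursive] omitted). */
static uint32_t sr = SR_ON_ENTRY;

/* Func2's Function Lookup Table (FLT): the Function IDs (FIDs) are every SR
   value Func2 can legitimately be entered with; any other value is an error. */
ret_target_t func2_flt(uint32_t fid) {
    if (fid == (SR_ON_ENTRY ^ KEY1)) return RET_FUNC1_1;
    if (fid == (SR_ON_ENTRY ^ KEY2)) return RET_FUNC1_2;
    return RET_ERROR;
}

/* Func2 "returns" by resolving its target from the SR, not from a stack slot. */
static ret_target_t func2(void) {
    return func2_flt(sr);
}

/* One instrumented call site in Func1: encode SR, call, restore SR. */
static ret_target_t call_func2_with(uint32_t key) {
    sr ^= key;                    /* SR[Enc] = SR[Enc] XOR key */
    ret_target_t target = func2();
    sr ^= key;                    /* XOR with the same key restores the previous SR */
    return target;
}

/* Func1 with two call sites; returns 1 only if every return resolved to the
   right location and the SR is back at its entry value, so Func1 can return. */
int func1_returns_correctly(void) {
    sr = SR_ON_ENTRY;
    int ok = (call_func2_with(KEY1) == RET_FUNC1_1);
    ok &= (call_func2_with(KEY2) == RET_FUNC1_2);
    ok &= (sr == SR_ON_ENTRY);
    return ok;
}

int main(void) {
    printf("Func1 returns correctly: %s\n", func1_returns_correctly() ? "yes" : "no");
    printf("Lookup with a value outside the FLT -> %s\n",
           func2_flt(0x0u) == RET_ERROR ? "ERROR" : "valid target");
    return 0;
}
```

Because the return location is a direct jump selected by a register value that is never spilled, a stack overwrite has no return address to corrupt, and an SR value outside the FLT falls through to ERROR.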

  19. μRAI: Overview (slide 8 repeated)
