rai securing embedded systems with return address
play

RAI: Securing Embedded Systems with Return Address Integrity Naif - PowerPoint PPT Presentation

Mar 04, 2024 •171 likes •771 views

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

  1. μRAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned 1 subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

  2. Current State of Security [1] [2] [3] Target: Embedded and IoT devices Running Microcontroller Systems (MCUS) Attack: Control-flow Hijacking [1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/ [2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/ [3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical 2

  3. MCUS Challenges Desktop MCUS  Small physical  Large virtual memory … … memory (GBs) Stack (MBs Flash, KBs RAM) … 0x08999555 0x08055555 (code) Flash … … … …  Basic defenses  Basic defenses … Code 0x08000000 (e.g., ASLR) (e.g., ASLR) Memory Heap 0x08022222 0x08777222 … Stack 0x02050000 …  Smaller code Larger code … Data (Data) 0x08011111 0x08555111 RAM Heap … … Code  DEP  DEP 0x08000000 0x08111000 Data 0x02000000 (Disabled  Fixable) 3

  4. MCUS Defenses for Return Addresses (Conceptual) Special hardware required Without extra hardware Safe Stack Overhead Shadow Shadow + Stack Stack High Software Runtime Overhead + + Fault MPU TEE Isolation 10% Randomized CFI μRAI Safe Stack Limited Security Guarantees Usage Location Integrity Security Return Address Integrity + Low runtime overhead + No special hardware 4

  5. MCUS Defenses for Return Addresses (Related Work) Special hardware required Without extra hardware Overhead CFI CaRE (Shadow stack) High Runtime Overhead [RAID17] RECFISH ACES [ECRTS 2019] [SEC18] 10% SCFP [EuroS&P18] Minion EPOXY C-FLAT uXOM Symbiote μArmor [NDSS18] LiteHAX (SafeStack ) [CCS16] μRAI [SEC19] [RAID11] [EuroS&P19] [ICCAD18] [S&P17] Limited Security Guarantees Usage Location Integrity Security Return Address Integrity + Low runtime overhead + No special hardware 5

  6. Return Address Integrity (RAI) • Every attack requires corrupting a return addresses by overwriting it • Main limitation of defenses  return addresses are in writable memory • Example: Information hiding • Key solution is to prevent an attacker from corrupting return addresses . RAI Property: • Ensure the return address is never writable except by an authorized instruction. • Return addresses are never pushed to the stack or any writable memory by an adversary. 6

  7. Threat Model & μRAI Protection Normal application μRAI main main Unprivileged • Reads from memory • Writes to memory • Knows the code layout Func1 Func2 Func1 Func2 • Targets backward-edges Corrupt Func3 Func3 return address Func4 Func4 Privileged Func5 Func6 MPU, VTOR Func5 Func6 MPU, VTOR Corrupt return address Func7 Func7 or corrupt sensitive Memory Mapped IO (MMIO) : Normal function : Callable within exception handler : MMIO : State register encoding : Software-Fault Isolation (SFI) 7

  8. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 8

  9. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 9

  10. μRAI and the State Register • State Register (SR): • Can be any general-purpose register  exclusively used by μRAI • Never spilled  cannot be overwritten through a memory corruption • Does not contain a return address  encoded values to resolve the return location • Example call graph: SR SR • Each edge  call Func2 reads the SR to resolve main Func1 Func2 the correct return location • How encode SR? SR SR • An XOR chain 10

  11. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … • Function Keys (FKs): Hard-coded keys used to encode the SR 11

  12. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Function IDs (FIDs): Possible values of the SR for the function 12

  13. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Function Lookup Table (FLT): List of FIDs for the function. 13

  14. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Encode the SR and call Func2 14

  15. μRAI: Transformation SR [Recursive] SR [Recursive] SR [Encoded] SR [Encoded] 0 0 C key1 Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Func2 reads the SR and executes the corresponding direct jump 15

  16. μRAI: Transformation SR [Recursive] SR [Recursive] SR [Encoded] SR [Encoded] 0 0 C key1 Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Func2 returns correctly and the SR is decoded 16

  17. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • The previous SR value is restored 17

  18. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • The same happens for other calls. Func1 can then return correctly 18

  19. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 19

Recommend

Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias

Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias

RAI : Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias Payer 2 1 2 3 4 Sandia National Laboratories is a multimission laboratory managed and operated by National

852 views • 35 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of contents What is an embedded system Examples of research topics Admission Overview of the programme Success rates Master Embedded

814 views • 31 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems pieter.willems@silexinsight.com V2.0 2019 Overview Silex Insight Introduction Embedded security markets and applications Security

590 views • 15 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Trends of RT Embedded Systems

332 views • 10 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State

Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State

Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU PCI Address Space A PCI target can

288 views • 10 slides
Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment

Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment

Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment More College Graduates Needed More Tennesseans must reap the benefits of higher education if the state is to enhance its economic viability

294 views • 11 slides
Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split in 2 parts: Lectures: ESE VO (182.721) ECTS: 3.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/esevo Staff: Prof. Radu Grosu,

859 views • 7 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
When Embedded Systems Attack Embedded systems can fail for a variety of reasons

When Embedded Systems Attack Embedded systems can fail for a variety of reasons

22.1 22.2 When Embedded Systems Attack Embedded systems can fail for a variety of reasons Electrical problems Unit 22 Mechanical problems Errors in the programming Incorrectly specified Errors caused by users Embedded

201 views • 5 slides
1 How are embedded systems different Timing and Concurrency than traditional software? Fire

1 How are embedded systems different Timing and Concurrency than traditional software? Fire

What is an Embedded System? Definition of an embedded computer system: Embedded Systems is a digital system. Introduction uses a microprocessor (usually). runs software for some or all of its functions. frequently used as a

158 views • 3 slides
Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE 6780/5780 Al Davis Al Davis Todays topics: logistics - minor synopsis of last lecture software desig finite state machine based

466 views • 19 slides
Last Time Embedded systems introduction u Definition of embedded system Common

Last Time Embedded systems introduction u Definition of embedded system Common

Last Time Embedded systems introduction u Definition of embedded system Common characteristics Kinds of embedded systems Crosscutting issues Software architectures Choosing a processor Choosing a

931 views • 39 slides
demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? -

demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? -

demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? - Embedded Systems? - Background - Systemd for Embedded Systems Myths - Baseline - Scaling Up - Super-tiny Systems - Brazilian - Software

446 views • 32 slides
Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Unit OS9: Real-Time and Embedded Systems 9.3. Embedded Systems with Windows XP Embedded Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 9.3 Windows XP Embedded Design Goals

336 views • 15 slides
Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS Operating Systems Major differences Details XPE / CE Embedded PC 2 The Windows Embedded OS family The modular, real The modular, real- -time

611 views • 22 slides
Dominant Species Embedded Information Technology Embedded = most processors! Systems 300

Dominant Species Embedded Information Technology Embedded = most processors! Systems 300

Dominant Species Embedded Information Technology Embedded = most processors! Systems 300 million PC and server Jakob Engblom 9000 million embedded Adj. Lektor, IT-inst Business Development Manager, Virtutech

559 views • 10 slides
Co-synthesis techniques for embedded systems embedded systems Kelvin Yuk June 5, 2002 EEC282 -

Co-synthesis techniques for embedded systems embedded systems Kelvin Yuk June 5, 2002 EEC282 -

Co-synthesis techniques for embedded systems embedded systems Kelvin Yuk June 5, 2002 EEC282 - Akella Introduction Co-synthesis of high-level systems Approaches to co-synthesis 1. Architectural Co-synthesis Algorithm 2. Process

257 views • 10 slides
When Embedded Systems Attack Therac-25 Embedded systems can fail for a variety of reasons

When Embedded Systems Attack Therac-25 Embedded systems can fail for a variety of reasons

1 2 When Embedded Systems Attack Therac-25 Embedded systems can fail for a variety of reasons The Therac-25 was a medical radiation therapy machine developed in the mid-1980s. Electrical problems Mechanical problems

65 views • 3 slides
High Performance Embedded High Performance Embedded Systems Systems IT Integration Solutions

High Performance Embedded High Performance Embedded Systems Systems IT Integration Solutions

High Performance Embedded High Performance Embedded Systems Systems IT Integration Solutions IT Integration Solutions Investor Presentation 1 February, 2011 CSP Inc. The Company wishes to take advantage of the safe harbor provisions

420 views • 25 slides

More recommend