Securing Real-Time Microcontroller Systems through Customized Memory - PowerPoint PPT Presentation

Securing Real-Time Microcontroller Systems through Customized Memory View Switching + * Chung Hwan Kim , Taegyu Kim, Hongjun Choi, Zhongshu Gu , By0ungyoung Lee, Xiangyu Zhang, Dongyan Xu + *

Security of Real-time Microcontrollers • Safety-critical embedded and cyber-physical systems 2

Security of Real-time Microcontrollers • Safety-critical embedded and cyber-physical systems 3

Security of Real-time Microcontrollers • Safety-critical embedded and cyber-physical systems • Security is often overlooked as a trade off 4

Security of Real-time Microcontrollers • Safety-critical embedded and cyber-physical systems • Security is often overlooked as a trade off • Demand both real-time guarantee and security 5

Missing Memory Protection of RT Microcontrollers • No process memory isolation • No MMU, no virtual memory • Memory space shared by all processes • Memory-mapped I/O (MMIO) Flash ROM SRAM Interrupt Vector Control/Timer Peripherals Peripherals All Code All Data Boot Loader Attack Surface (OS, (Global, System … … Drivers, Static, Libraries, Stack Apps) Data) 0xFFFFFFFF 0x0 6

Control Parameter Attack 7

Missing Memory Protection of RT Microcontrollers • No kernel memory isolation # of Kernel 10000 Type RTOS Manufacturer Unprotected systems isolation • Hardware and RTOS support Kernel memory isolation 3DR, enRoute, ✗ Time in μ sec (Log-scale) 18 NuttX Deadline • Privileged and unprivileged … 1000 UAV FreeRTOS Storm Racing ✗ processor modes 30 Drone, RISE, … 120 • Memory Protection Unit (MPU) 110 75 ✗ Paparazzi Parrot 6 100 ✗ • Many real-time microcontroller UGV NuttX Erie Robotics 2 NuttX, BlueRobotics, ✗ systems do not employ it ROV 2 10 OpenROV OpenROV, … • Verified with 67 commodity systems 3D D-creator, 104.38 726.28 124.02 ✗ 52.38 60.28 52.02 Printer Marlin 7 Wombot, … • Impact on real-time constraints 1 FreeRTOS Mongoose, ✗ IoT 2 update_mount gcs_send_heartbeat update_batt_compass Frequent mode switching Particle, … 3 DR IRIS+ UAV 8

Hard Timer Attack 9

Minion : Customized Memory View Enforcement • Key ideas • Break physical memory space into per-process memory views • Use the memory views as access control rules during run-time • Execute RTOS and applications in the same mode (unprivileged) • Run a tiny view switcher in privileged mode to enforce views Production run: Code For each process: Unpriv. MPU … RTOS A 1 A 2 Physical Data Memory memory View Privileged Peripherals View Switcher Program Memory View Analysis Enforcement 10

Memory View Tailoring • Memory view : Memory required for a process to run correctly • Find the physical memory regions essential for each process • Static firmware analysis (LLVM IR) • Code injection/reuse, data corruption, physical device abuse For each process: Access control rules: # Base Size rwx Code Data Device + + Reachability Accessibility Accessibility Analysis Analysis Analysis 11

Code Reachability Analysis • Find all reachable functions Call Call qux main foo from the entry functions Indirect call Indirect call • Entry functions bar irq_handler baz Call • Start function & interrupt handlers • Identified by analyzing a few RTOS Value X PointsTo: { bar } Value Y PointsTo: { foo } functions Value Z PointsTo: { bar } 08004970-08004988 main • Indirect calls? X 08088050-080880cc irq_handler • Inter-procedural points-to analysis X foo 0800498c- • Build a list of executable memory 08004a7c X bar 08004a84- 08004ad6 regions for each process X 08004ad8- baz 08004b4c X 12

Data Accessibility Analysis • Global data LDR r8, GlobA STR r2, GlobA LDR r0, • Forward slicing based on GlobB inter-procedural value flow graph main foo STR r5, • Build a list of global data for GlobB each process bar irq_handler baz • Stack and heap data LDR r2, GlobC • Memory pool size profiling with annotated memory allocator 200010f0-200010f4 GlobA RW 20014618-20014638 GlobB • Per-process memory pool RW GlobC 080b3428-080b3440 R allocation 13

Device Accessibility Analysis • A few patterns cover most MMIO operations • MMIO addresses are embedded in the firmware • Case 1 • Case 2 #define DEVICE_X 0x50000804 #define IRQ_A 1 int enable_irq (int irq) #define IRQ_B 2 { #define NVIC_A 0xe000e100 uint32_t addr, val; void dev_reset( struct dev *priv) { #define NVIC_B 0xe000e104 if (irqinfo(irq, &addr) == OK) { uint32_t val; val = *(uint32_t *) addr ; val = (1 << 2) | (1 << 4); int irqinfo (int irq, val |= (1 << 1); *(uint32_t *)DEVICE_X = val; uint32_t *addr) *(uint32_t *) addr = val; … { } } if (irq == IRQ_A ) { } *addr = NVIC_A; } else if (irq == IRQ_B ) { From NuttX RTOS (simplified) *addr = NVIC_B; … 14

Device Accessibility Analysis • Find load and store instructions with an MMIO address • Backward slicing on inter-procedural value flow graph • Build a list of peripheral-mapped memory regions for each process 50000804-50000808 DEVICE_X W main enable_irq NVIC_A e000e100-e000e104 irqinfo RW e000e104-e000e108 NVIC_B dev_reset hw_initialize RW 15

Run-time Memory View Enforcement Memory view RTOS P 1 P 1 P 2 P 2 Unprivilged Process Privileged # # Base Base Size Size rwx rwx Switch # # Base Base Size Size rwx rwx # # Base Base Size Size rwx rwx P 1 P 2 Re-configure Configure View Switcher MPU 16

Evaluation with Attack Cases • 8 realistic attack cases • Tested on a commodity UAV Name Attack surface Result ✓ Process termination RTOS function 3 DR IRIS+ ✓ Control parameter attack Control parameter ✓ RC disturbance RC configuration ✓ Servo operation Driver function ✓ Soft timer attack Hardware timer • Found 4 new vulnerabilities ✓ Hard timer attack Hardware timer ✓ Memory remapping Flash patch unit in the firmware ✓ Interrupt vector overriding Interrupt vector (confirmed and fixed) • All 8 attack cases blocked • 76 % memory space reduction • Zero violation of real-time constraints 17

Attack Under Minion’s Protection 18

19 Time in μsec (Log-scale) Performance Impact • All deadline constraints satisfied • 31 real-time tasks with deadlines: 2 % overhead 10000 1000 100 10 1 15.55 75 19.57 130 11.25 10.85 200 Unprotected 33.63 35.22 3.32 160 120 2.18 52.02 65.04 3.31 50 50 75 3.45 2.19 1.76 Protected 1.89 1.97 56.49 140 100 90 75 100 90 90 75 75 50 58.12 13.74 20.57 3.41 3.31 6.13 Deadline 9.6 24.18 29.03 2.78 3.64 10.03 9.31 2.21 4.62 2.81 3.66 2.92 2.5 10.61 180 110 15.04 60.28 66.92 3.56 550 550 3.57 62.22 64.81 52.38 75 59.23 5.25 350 4.76 4.03 110 100 75 75 3.07 5.22 5.55 2.5 7.62 5.48 5.09 2.36 200 2.86 1.8 75 75 3.88 1.68 2.76

Conclusion • Memory protection in RT microcontrollers • Minion : New architecture to bring memory isolation to RT microcontroller systems • Significant memory space reduction with maintained RT responsiveness • Attack cases and vulnerability discovery 20

Thank you! Questions?