Slide deck for Graduate Computer Security (CS563), Fall 2018, University of Illinois, Prof. Adam Bates. Paper discussed: Securing Real-Time Microcontroller Systems through Customized Memory View Switching
What are Real-time Microcontrollers? • Application-specific compute unit • Resource-constrained (especially RAM): kilobytes rather than megabytes • Low power, small footprint • Run lightweight OSes • E.g., automotive, consumer electronics, sensor networks
Features • High-resolution clocks and timers: RT application development requires timer services with ~µs resolution • Static priority levels: assumed by rate-monotonic analysis; dynamic priorities (as in EDF) give better response to tasks blocked on I/O • Fast task preemption: a high-priority task should get the CPU from a low-priority task immediately on arrival • Predictable and fast interrupt latency • Bottom half (deferred interrupt processing)
Features • Memory management requirements • Memory isolation (MI): process MI and kernel MI • No process MI: no virtual-memory support; worst-case vs. average memory access time (t_mem) • No kernel MI: no privilege separation; context switching would cost performance; saves memory; lightweight system calls • SECURITY?
Memory Protection Unit (MPU) • Hardware-based memory isolation • Can be enabled by the microcontroller firmware • Access-control rules for a small number of memory regions (usually 8 to 16) • If a memory region is accessed without the required permission, the processor raises a protection fault
Attacks are (way too) common!
Security Solution: MINION • Memory view: the minimum set of memory regions essential for each process to operate correctly, identified by static program analysis • View Switcher: the trusted computing base (TCB); the component that loads memory views; isolated from the RTOS and the unprivileged processes
Memory View Tailoring • Find the physical memory regions essential to each process, via static firmware analysis • Three kinds of regions, matching the three classes of attack to contain: code (injection/reuse), data (corruption), peripherals (physical device abuse)
Code Reachability Analysis • Find all functions reachable from the entry functions • Entry functions: the start function and the interrupt handlers, identified by analyzing a few RTOS functions • Indirect calls are resolved by inter-procedural points-to analysis • Build the list of executable memory regions for each process
Data Reachability Analysis • Global data: forward slicing on the inter-procedural value-flow graph; build the list of global data for each process • Stack and heap data: memory-pool size profiling with an annotated memory allocator; per-process memory-pool allocation (Figure: call graph over main, foo, bar, baz and irq_handler with the accesses LDR r8, GlobA; STR r2, GlobA; LDR r0, GlobB; STR r5, GlobB; LDR r2, GlobC, and the resulting data regions 200010f0-200010f4 RW GlobA, 20014618-20014638 RW GlobB, 080b3428-080b3440 R GlobC)
Device Reachability Analysis • Find load and store instructions with an MMIO address • Backward slicing on the inter-procedural value-flow graph • Build the list of peripheral-mapped memory regions for each process (Figure: call graph over main, enable_irq, irqinfo, dev_reset and hw_initialize, and the resulting device regions 50000804-50000808 W DEVICE_X, e000e100-e000e104 RW NVIC_A, e000e104-e000e108 RW NVIC_B)
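The three analyses above (code, data and device reachability) each contribute rows to one region table per process. The following added example, which is not from the paper or its implementation, works one constructed instance end to end in C: a made-up call graph with flash address ranges, constant-address LDR/STR sites (the names GlobA, GlobB, GlobC and DEVICE_X are reused from the slides as labels only; the addresses and edges are invented), and an indirect call already resolved to its two points-to targets. It computes the functions reachable from each process's entry functions, merges their code into executable regions, and turns the loads and stores of reachable code into data and device regions. Where the paper slices the value-flow graph, the example assumes the accessed address is constant at the instruction; that is the simplification to keep in mind.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example (not the paper's code): memory-view tailoring over a constructed firmware model.
 * The functions, call edges and LDR/STR sites below are made up for illustration. Indirect calls
 * are assumed already resolved by points-to analysis, so each one appears as one edge per target. */
enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };
enum { ACC_LOAD = 1, ACC_STORE = 2 };
#define MAX_FN  16
#define MAX_REG 16
typedef struct { const char *name; uint32_t start, end; } func_t;             /* flash range [start, end) */
typedef struct { int from, to; } edge_t;                                       /* resolved call edge */
typedef struct { int fn; uint32_t addr; int kind; const char *tag; } access_t; /* LDR/STR with a constant address */
typedef struct { uint32_t base, size; uint8_t perm; const char *tag; } region_t;

/* Functions listed in flash-address order (the merge step below relies on this). */
static const func_t funcs[] = {
    {"p1_start",      0x08000000u, 0x08000040u}, {"foo",           0x08000040u, 0x08000080u},
    {"bar",           0x08000080u, 0x080000C0u}, {"baz",           0x080000C0u, 0x08000100u},
    {"unused",        0x08000100u, 0x08000140u}, /* never called: must not show up in any view */
    {"p2_start",      0x08000140u, 0x08000180u}, {"dev_reset",     0x08000180u, 0x080001C0u},
    {"hw_initialize", 0x080001C0u, 0x08000200u}, {"irq_handler",   0x08000200u, 0x08000240u},
};
enum { F_P1_START, F_FOO, F_BAR, F_BAZ, F_UNUSED, F_P2_START, F_DEV_RESET, F_HW_INIT, F_IRQ };
#define NF (sizeof funcs / sizeof funcs[0])
static const edge_t edges[] = {
    {F_P1_START, F_FOO}, {F_FOO, F_BAR}, {F_IRQ, F_BAZ},
    {F_P2_START, F_DEV_RESET}, {F_P2_START, F_HW_INIT},   /* one indirect call with two points-to targets */
};
#define NE (sizeof edges / sizeof edges[0])
static const access_t accesses[] = {
    {F_FOO,       0x200010F0u, ACC_STORE, "GlobA"},    /* STR r2, GlobA   (SRAM global) */
    {F_BAR,       0x20014618u, ACC_LOAD,  "GlobB"},    /* LDR r0, GlobB */
    {F_IRQ,       0x200010F0u, ACC_STORE, "GlobA"},
    {F_BAZ,       0x080B3428u, ACC_LOAD,  "GlobC"},    /* LDR r2, GlobC   (constant in flash) */
    {F_DEV_RESET, 0x50000804u, ACC_STORE, "DEVICE_X"}, /* MMIO register */
    {F_HW_INIT,   0x20014618u, ACC_LOAD,  "GlobB"},
};
#define NA (sizeof accesses / sizeof accesses[0])
static bool is_mmio(uint32_t a) { return a >= 0x40000000u && a < 0x60000000u; } /* Cortex-M peripheral space */

/* Code reachability: worklist over the resolved call graph from the process's entry functions. */
static void reach(const int *entries, int n, bool seen[MAX_FN]) {
    int work[MAX_FN], top = 0;
    memset(seen, 0, MAX_FN * sizeof seen[0]);
    for (int i = 0; i < n; i++)
        if (!seen[entries[i]]) { seen[entries[i]] = true; work[top++] = entries[i]; }
    while (top > 0) {
        int f = work[--top];
        for (size_t e = 0; e < NE; e++)
            if (edges[e].from == f && !seen[edges[e].to]) { seen[edges[e].to] = true; work[top++] = edges[e].to; }
    }
}
/* Add a region, OR-ing the permission into an existing entry with the same base and size. */
static void add_region(region_t *v, int *n, int cap, uint32_t base, uint32_t size, uint8_t perm, const char *tag) {
    for (int i = 0; i < *n; i++)
        if (v[i].base == base && v[i].size == size) { v[i].perm |= perm; return; }
    if (*n < cap) v[(*n)++] = (region_t){ base, size, perm, tag };
}
/* Tailor one process's view from its entry functions; returns the number of regions. */
int build_view(const int *entries, int n_entries, region_t *v, int cap) {
    bool seen[MAX_FN];
    int n = 0;
    reach(entries, n_entries, seen);
    for (size_t f = 0; f < NF; f++) {            /* executable regions, merged when contiguous in flash */
        if (!seen[f]) continue;
        if (n > 0 && v[n-1].perm == (PERM_R | PERM_X) && v[n-1].base + v[n-1].size == funcs[f].start)
            v[n-1].size += funcs[f].end - funcs[f].start;
        else
            add_region(v, &n, cap, funcs[f].start, funcs[f].end - funcs[f].start, PERM_R | PERM_X, "code");
    }
    for (size_t a = 0; a < NA; a++) {            /* data and device regions touched by reachable code */
        if (!seen[accesses[a].fn]) continue;     /* (simplified: the paper slices the value-flow graph instead) */
        add_region(v, &n, cap, accesses[a].addr, 4, accesses[a].kind == ACC_LOAD ? PERM_R : PERM_W, accesses[a].tag);
    }
    for (int i = 1; i < n; i++)                  /* sort by base so the view reads like an MPU table */
        for (int j = i; j > 0 && v[j-1].base > v[j].base; j--) { region_t t = v[j]; v[j] = v[j-1]; v[j-1] = t; }
    return n;
}
/* Permission the view grants at addr, or -1 if addr is outside the view (an MPU fault at run time). */
int view_perm(const region_t *v, int n, uint32_t addr) {
    for (int i = 0; i < n; i++)
        if (addr >= v[i].base && addr - v[i].base < v[i].size) return v[i].perm;
    return -1;
}
static void print_view(const char *proc, const region_t *v, int n) {
    printf("%s:\n", proc);
    for (int i = 0; i < n; i++)
        printf("  %08x-%08x %c%c%c %s%s\n", (unsigned)v[i].base, (unsigned)(v[i].base + v[i].size),
               v[i].perm & PERM_R ? 'r' : '-', v[i].perm & PERM_W ? 'w' : '-', v[i].perm & PERM_X ? 'x' : '-',
               v[i].tag, is_mmio(v[i].base) ? " (device)" : "");
}
int main(void) {
    region_t v[MAX_REG];
    int p1[] = { F_P1_START, F_IRQ };   /* a task's start function plus the interrupt handler it owns */
    int p2[] = { F_P2_START };
    print_view("P1", v, build_view(p1, 2, v, MAX_REG));
    print_view("P2", v, build_view(p2, 1, v, MAX_REG));
    return 0;
}
```

Compare the P1 and P2 tables the program prints: `unused` appears in neither, P1 gets two separate code regions because `irq_handler` is not contiguous with the rest of its code, the STR-only global comes out write-only, and DEVICE_X lands in a four-byte region. An MPU can express neither of the last two exactly, so a tailored view still has to be widened to the hardware's granularity before it is enforced.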
Run-time Memory View Enforcement (Figure: the unprivileged RTOS, P1 and P2 each have a memory-view table of entries (#, base, size, rwx); on a switch from P1 to P2 the privileged View Switcher re-configures the MPU with P2's view)
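How the View Switcher turns a view table into MPU state, as an added example in C that is not the paper's implementation. It targets the ARMv7-M MPU of the Cortex-M4 on the Pixhawk; the register addresses (MPU_CTRL, MPU_RNR, MPU_RBAR, MPU_RASR) and bit fields are the architectural ones, while the two views, the `MINION_TARGET` build switch and the host-side write log are constructed for illustration. On a context switch it disables the MPU, writes one RBAR/RASR pair per view entry, clears the remaining slots so nothing from the previous process leaks into the new view, and re-enables the MPU with PRIVDEFENA so the privileged switcher itself keeps the default map. It also carries the practitioner caveat the MPU slide leaves out: regions must be power-of-two sized (at least 32 bytes) and size-aligned, and there is no write-only encoding, so a tailored view is over-approximated before it is enforced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example (not the paper's code): a Minion-style view switcher that loads one process's
 * memory view into an ARMv7-M (Cortex-M3/M4) MPU. Register addresses and bit fields are the
 * architectural ones; the two views and the host-side write log are constructed for illustration. */
enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };
#define MPU_REGIONS 8   /* STM32F4-class Cortex-M4 parts have 8 MPU regions; some parts have 16 */
typedef struct { uint32_t base, size; uint8_t perm; } region_t;
typedef struct { const char *name; size_t count; region_t regions[MPU_REGIONS]; } memview_t;
/* ARMv7-M MPU registers (System Control Space) and the RASR/CTRL bits used below. */
static const uint32_t MPU_CTRL = 0xE000ED94u, MPU_RNR = 0xE000ED98u, MPU_RBAR = 0xE000ED9Cu, MPU_RASR = 0xE000EDA0u;
enum { RASR_ENABLE = 1u << 0, RASR_XN = 1u << 28, CTRL_ENABLE = 1u << 0, CTRL_PRIVDEFENA = 1u << 2 };

/* Target: volatile store. Host: log the write so the programming sequence can be checked.
 * A real port also issues DSB/ISB after re-enabling the MPU. */
#define LOG_CAP (2 * MPU_REGIONS + 2)
uint32_t mmio_log[LOG_CAP][2];
size_t mmio_log_len;
static void mpu_write32(uint32_t addr, uint32_t val) {
#ifdef MINION_TARGET
    *(volatile uint32_t *)addr = val;
#else
    if (mmio_log_len < LOG_CAP) { mmio_log[mmio_log_len][0] = addr; mmio_log[mmio_log_len][1] = val; mmio_log_len++; }
#endif
}
/* RASR.SIZE encodes 2^(SIZE+1) bytes; the MPU only accepts power-of-two sizes of at least 32. */
int mpu_size_field(uint32_t size) {
    if (size < 32 || (size & (size - 1)) != 0) return -1;
    int log2 = 0;
    while ((1u << log2) != size) log2++;
    return log2 - 1;
}
/* RASR.AP for an unprivileged task. There is no write-only encoding, so W implies R. */
static uint32_t mpu_ap_field(uint8_t perm) {
    if (perm & PERM_W) return 3u;   /* 0b011: RW / RW */
    if (perm & PERM_R) return 6u;   /* 0b110: RO / RO */
    return 0u;                      /* 0b000: no access */
}
/* Encode one view entry as (RBAR, RASR) for slot idx; false if the MPU cannot express it. */
bool mpu_encode_region(const region_t *r, unsigned idx, uint32_t *rbar, uint32_t *rasr) {
    int sz = mpu_size_field(r->size);
    if (sz < 0 || idx >= MPU_REGIONS || (r->base & (r->size - 1)) != 0) return false; /* base must be size-aligned */
    *rbar = (r->base & ~0x1Fu) | (1u << 4) | (idx & 0xFu);   /* VALID=1: the REGION field selects the slot */
    *rasr = ((uint32_t)sz << 1) | (mpu_ap_field(r->perm) << 24) | RASR_ENABLE;
    if (!(r->perm & PERM_X)) *rasr |= RASR_XN;
    return true;
}
/* Context switch: load the incoming process's view. Returns the number of regions programmed, or -1
 * if the view is not encodable (checked before touching hardware, so the MPU is never left half-set). */
int switch_view(const memview_t *v) {
    uint32_t rbar, rasr;
    for (size_t i = 0; i < v->count; i++)
        if (!mpu_encode_region(&v->regions[i], (unsigned)i, &rbar, &rasr)) return -1;
    mmio_log_len = 0;
    mpu_write32(MPU_CTRL, 0);                  /* disable while reprogramming */
    for (unsigned i = 0; i < MPU_REGIONS; i++) {
        if (i < v->count) {
            mpu_encode_region(&v->regions[i], i, &rbar, &rasr);
            mpu_write32(MPU_RBAR, rbar);
            mpu_write32(MPU_RASR, rasr);
        } else {
            mpu_write32(MPU_RNR, i);
            mpu_write32(MPU_RASR, 0);          /* clear slots left over from the previous view */
        }
    }
    mpu_write32(MPU_CTRL, CTRL_ENABLE | CTRL_PRIVDEFENA);
    return (int)v->count;
}
/* The hardware's decision for an access under a view: outside the view or with the wrong permission
 * is a MemManage fault, which Minion's firmware answers with fail-safe landing. Regions do not overlap. */
bool view_allows(const memview_t *v, uint32_t addr, uint8_t perm) {
    for (size_t i = 0; i < v->count; i++)
        if (addr >= v->regions[i].base && addr - v->regions[i].base < v->regions[i].size)
            return (v->regions[i].perm & perm) == perm;
    return false;
}
/* Constructed views for two tasks. */
const memview_t view_p1 = { "P1", 3, {
    { 0x08000000u, 0x10000u, PERM_R | PERM_X },   /* code reachable from P1 */
    { 0x20000000u, 0x1000u,  PERM_R | PERM_W },   /* P1 globals and its memory pool */
    { 0x50000800u, 32u,      PERM_W } } };        /* one device register, widened to the 32-byte MPU granularity */
const memview_t view_p2 = { "P2", 2, {
    { 0x08010000u, 0x8000u, PERM_R | PERM_X }, { 0x20001000u, 0x1000u, PERM_R | PERM_W } } };

int main(void) {
    int n = switch_view(&view_p1);
    printf("switch to P1: %d regions, %u MPU writes; slot 0 RBAR/RASR = %08x/%08x\n",
           n, (unsigned)mmio_log_len, (unsigned)mmio_log[1][1], (unsigned)mmio_log[2][1]);
    printf("switch to P2: %d regions\n", switch_view(&view_p2));
    printf("P1 store to 0x20000010: %s\n", view_allows(&view_p1, 0x20000010u, PERM_W) ? "ok" : "fault");
    printf("P1 load from P2 data 0x20001010: %s\n", view_allows(&view_p1, 0x20001010u, PERM_R) ? "ok" : "fault");
    return 0;
}
```

The up-front validation loop is the part worth copying: an unencodable entry discovered halfway through reprogramming would leave the MPU disabled or half-configured under an unprivileged task, which is exactly the window the View Switcher exists to close. Clearing unused slots matters for the same reason; a stale region from P1 left enabled during P2 is a silent widening of P2's view.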
Implementation • Drone platform: 3DR IRIS+, built on the Pixhawk flight controller (µC) • Fail-safe landing on illegal memory access • 787 LOC: View Switcher • 87 LOC: RTOS
Evaluation: (1) Performance Impact • Real-time benchmarks: all deadline constraints satisfied; 31 real-time tasks with deadlines; 2% overhead (every context switch) • Micro-benchmarks: write_scb: 5 µs; read_scb: 4 µs; switch_view: 15 µs (Figure: per-task execution time in µs, log scale, unprotected vs. protected, with each task's deadline)
Evaluation: (2) Security Experiments: Discovery of Memory Corruption Bugs • 4 new bugs, found as a side effect of developing Minion
Evaluation: (2) Security Experiments: Attack Cases • Exploits a buffer-overflow bug in a PX4 driver
Evaluation: (3) Memory Space Reduction
Conclusion • Memory protection in RT microcontrollers • Minion: a new architecture bringing memory isolation to RT microcontroller systems • Significant memory space reduction while maintaining RT responsiveness • Attack cases and vulnerability discovery
Analysis • Strengths: Uncovers new security holes in the firmware; Real-time guarantees still satisfied • Weaknesses: Attack windows still exist, because the access control enforced between views is limited; Requires root access to the microcontroller and redeployment • Threats: The View Switcher is a single point of failure; Calculation of deadlines not explained • Opportunities/Future Work: Using trusted execution environments could provide stronger isolation guarantees between the RTOS and the View Switcher; Better static/dynamic analysis techniques