Securing Real-Time Microcontroller Systems through Customized Memory View Switching
Chung Hwan Kim, Taegyu Kim, Hongjun Choi, Zhongshu Gu, Byoungyoung Lee, Xiangyu Zhang, Dongyan Xu
Security of Real-time Microcontrollers
• Safety-critical embedded and cyber-physical systems
• Security is often overlooked as a trade-off
• Demand both real-time guarantees and security
Missing Memory Protection of RT Microcontrollers
• No process memory isolation
• No MMU, no virtual memory
• Memory space shared by all processes
• Memory-mapped I/O (MMIO)
[Figure: one flat physical address space from 0x0 to 0xFFFFFFFF: Flash ROM (boot loader; all code: OS, drivers, libraries, apps), SRAM (all data: global, static, stack data), interrupt vector, control/timer, peripherals. The entire space is annotated as attack surface.]
Control Parameter Attack
Missing Memory Protection of RT Microcontrollers
• No kernel memory isolation
• Hardware and RTOS support kernel memory isolation
  • Privileged and unprivileged processor modes
  • Memory Protection Unit (MPU)
• Many real-time microcontroller systems do not employ it
  • Verified with 67 commodity systems
• Impact on real-time constraints
  • Frequent mode switching

Type       | RTOS           | Manufacturer                | # of systems | Kernel isolation
-----------|----------------|-----------------------------|--------------|-----------------
UAV        | NuttX          | 3DR, enRoute, …             | 18           | ✗
UAV        | FreeRTOS       | Storm Racing Drone, RISE, … | 30           | ✗
UAV        | Paparazzi      | Parrot                      | 2            | ✗
UGV        | NuttX          | Erie Robotics               | 6            | ✗
ROV        | NuttX, OpenROV | BlueRobotics, OpenROV, …    | 2            | ✗
3D Printer | Marlin         | D-creator, Wombot, …        | 7            | ✗
IoT        | FreeRTOS       | Mongoose, Particle, …       | 2            | ✗

[Figure: execution time in µs (log scale) of three 3DR IRIS+ UAV tasks, update_mount, gcs_send_heartbeat and update_batt_compass, unprotected vs. with kernel isolation, against their deadlines. Values as read from the chart, in task order: unprotected 52.38, 60.28, 52.02 µs; with kernel isolation 104.38, 726.28, 124.02 µs; deadlines 120, 110, 75 µs. The unprotected build meets every deadline; with kernel isolation at least one task misses its deadline.]
Hard Timer Attack
Minion: Customized Memory View Enforcement
• Key ideas
  • Break the physical memory space into per-process memory views
  • Use the memory views as access-control rules at run time
  • Execute the RTOS and applications in the same (unprivileged) mode
  • Run a tiny view switcher in privileged mode to enforce the views
[Figure: memory view analysis turns the program into per-process views over physical memory (code, data, peripherals); memory view enforcement in the production run executes applications A1, A2, … and the RTOS unprivileged, while the privileged view switcher configures the MPU for each process.]
Memory View Tailoring
• Memory view: the memory a process requires to run correctly
• Find the physical memory regions essential for each process
  • Static firmware analysis (LLVM IR)
  • Threats addressed: code injection/reuse, data corruption, physical device abuse
[Figure: for each process, code reachability analysis + data accessibility analysis + device accessibility analysis yield the access-control rules, one row per region: # Base Size rwx.]
Code Reachability Analysis
• Find all functions reachable from the entry functions
• Entry functions
  • Start function & interrupt handlers
  • Identified by analyzing a few RTOS functions
• Indirect calls?
  • Inter-procedural points-to analysis
• Build a list of executable memory regions for each process
[Figure: call graph with direct calls among main, foo, qux, irq_handler and baz, plus indirect calls resolved through points-to sets: Value X PointsTo {bar}, Value Y PointsTo {foo}, Value Z PointsTo {bar}.]

Executable memory regions (x):
08004970-08004988 main
08088050-080880cc irq_handler
0800498c-08004a7c foo
08004a84-08004ad6 bar
08004ad8-08004b4c baz
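The reachability step above, as an added example that is not Minion's own analysis code: a worklist walk over a firmware call graph in which indirect calls are resolved through precomputed points-to sets, followed by construction of the executable region list. Function addresses and the points-to sets are taken from the slide; the call edges, the address of qux (a function present in the firmware but never reached from this process's entry functions) and the merge slack of 32 bytes are assumptions.

```c
/* Added example, not Minion's code: reachability from the entry functions over
 * a call graph with indirect calls resolved by points-to sets, then the list of
 * executable regions for the process. Addresses follow the slide; the edges
 * and qux's address are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MAIN, IRQ_HANDLER, FOO, BAR, BAZ, QUX, NFUNC };

struct func { const char *name; uint32_t start, end; };   /* [start, end) in flash */
static const struct func funcs[NFUNC] = {
    [MAIN]        = { "main",        0x08004970, 0x08004988 },
    [IRQ_HANDLER] = { "irq_handler", 0x08088050, 0x080880cc },
    [FOO]         = { "foo",         0x0800498c, 0x08004a7c },
    [BAR]         = { "bar",         0x08004a84, 0x08004ad6 },
    [BAZ]         = { "baz",         0x08004ad8, 0x08004b4c },
    [QUX]         = { "qux",         0x08004c00, 0x08004c40 },   /* assumed address */
};

/* Direct call edges, and indirect call sites with the points-to set of their
 * function pointer (what the inter-procedural points-to analysis provides). */
struct call  { int caller, callee; };
struct icall { int caller; const char *ptr; int ntargets; int targets[NFUNC]; };
static const struct call  direct_calls[]   = { { MAIN, FOO }, { IRQ_HANDLER, BAZ }, { QUX, BAR } };
static const struct icall indirect_calls[] = {
    { FOO, "X", 1, { BAR } },   /* Value X PointsTo: { bar } */
    { BAR, "Y", 1, { FOO } },   /* Value Y PointsTo: { foo } */
    { BAZ, "Z", 1, { BAR } },   /* Value Z PointsTo: { bar } */
};
#define LEN(a) (sizeof (a) / sizeof *(a))

/* Mark every function reachable from the entry set (start function and
 * interrupt handlers). Each function enters the worklist at most once. */
int reachable_functions(const int *entries, int nentries, bool reach[NFUNC])
{
    int work[NFUNC], top = 0;
    memset(reach, 0, NFUNC * sizeof *reach);
    for (int i = 0; i < nentries; i++)
        if (!reach[entries[i]]) { reach[entries[i]] = true; work[top++] = entries[i]; }
    while (top > 0) {
        int f = work[--top];
        for (size_t i = 0; i < LEN(direct_calls); i++)
            if (direct_calls[i].caller == f && !reach[direct_calls[i].callee]) {
                reach[direct_calls[i].callee] = true;
                work[top++] = direct_calls[i].callee;
            }
        for (size_t i = 0; i < LEN(indirect_calls); i++)
            if (indirect_calls[i].caller == f)
                for (int j = 0; j < indirect_calls[i].ntargets; j++) {
                    int t = indirect_calls[i].targets[j];
                    if (!reach[t]) { reach[t] = true; work[top++] = t; }
                }
    }
    int n = 0;
    for (int i = 0; i < NFUNC; i++) n += reach[i];
    return n;
}

struct region { uint32_t base, size; };

/* Executable region list: reachable functions sorted by address, neighbours
 * closer than `slack` bytes merged into one region so that the handful of MPU
 * regions a Cortex-M offers is not exhausted. Returns the region count, or -1
 * when more than max_out regions would be needed. */
int executable_regions(const bool reach[NFUNC], uint32_t slack, struct region *out, int max_out)
{
    int idx[NFUNC], n = 0;
    for (int i = 0; i < NFUNC; i++) if (reach[i]) idx[n++] = i;
    for (int i = 1; i < n; i++) {               /* insertion sort by start address */
        int k = idx[i], j = i - 1;
        while (j >= 0 && funcs[idx[j]].start > funcs[k].start) { idx[j + 1] = idx[j]; j--; }
        idx[j + 1] = k;
    }
    int nr = 0;
    for (int i = 0; i < n; i++) {
        const struct func *f = &funcs[idx[i]];
        if (nr > 0 && f->start <= out[nr - 1].base + out[nr - 1].size + slack) {
            if (f->end > out[nr - 1].base + out[nr - 1].size)
                out[nr - 1].size = f->end - out[nr - 1].base;
        } else {
            if (nr == max_out) return -1;
            out[nr].base = f->start;
            out[nr].size = f->end - f->start;
            nr++;
        }
    }
    return nr;
}

/* Run the analysis for the entry set { main, irq_handler }; results stay in
 * demo_reach / demo_regions for inspection. */
static bool demo_reach[NFUNC];
static struct region demo_regions[NFUNC];
int demo_run(uint32_t slack, int max_out)
{
    const int entries[] = { MAIN, IRQ_HANDLER };
    reachable_functions(entries, 2, demo_reach);
    return executable_regions(demo_reach, slack, demo_regions, max_out);
}

int main(void)
{
    int nr = demo_run(32, 8);
    for (int i = 0; i < NFUNC; i++)
        printf("%-12s %s\n", funcs[i].name, demo_reach[i] ? "X" : "-");
    for (int i = 0; i < nr; i++)
        printf("%08x-%08x x\n", (unsigned)demo_regions[i].base,
               (unsigned)(demo_regions[i].base + demo_regions[i].size));
    return 0;
}
```

With the slide's layout the five reachable functions collapse into two regions (main..baz and irq_handler); with zero slack each function becomes its own region, which is what exhausts an 8-region MPU on real firmware.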
Data Accessibility Analysis
• Global data
  • Forward slicing based on an inter-procedural value flow graph
  • Build a list of global data for each process
• Stack and heap data
  • Memory pool size profiling with an annotated memory allocator
  • Per-process memory pool allocation
[Figure: value flow graph over main, foo, bar, irq_handler and baz with the global accesses LDR r8, GlobA / STR r2, GlobA / LDR r0, GlobB / STR r5, GlobB / LDR r2, GlobC.]

Global data regions:
200010f0-200010f4 GlobA RW
20014618-20014638 GlobB RW
080b3428-080b3440 GlobC R
Device Accessibility Analysis
• A few patterns cover most MMIO operations
• MMIO addresses are embedded in the firmware
• Case 1: the MMIO address is a constant used directly at the access
• Case 2: the MMIO address is selected in one function and handed to the accessing function through an out-parameter

From NuttX RTOS (simplified):

    /* Case 1 */
    #define DEVICE_X 0x50000804

    void dev_reset(struct dev *priv)
    {
        uint32_t val;
        val = (1 << 2) | (1 << 4);
        *(uint32_t *)DEVICE_X = val;      /* store to the peripheral register */
        …
    }

    /* Case 2 */
    #define IRQ_A  1
    #define IRQ_B  2
    #define NVIC_A 0xe000e100
    #define NVIC_B 0xe000e104

    int irqinfo(int irq, uint32_t *addr)
    {
        if (irq == IRQ_A) {
            *addr = NVIC_A;               /* MMIO address returned via out-parameter */
        } else if (irq == IRQ_B) {
            *addr = NVIC_B;
        }
        …
    }

    int enable_irq(int irq)
    {
        uint32_t addr, val;
        if (irqinfo(irq, &addr) == OK) {
            val = *(uint32_t *)addr;      /* load from the NVIC register */
            val |= (1 << 1);
            *(uint32_t *)addr = val;      /* store back */
        }
    }
Device Accessibility Analysis
• Find load and store instructions with an MMIO address
• Backward slicing on the inter-procedural value flow graph
• Build a list of peripheral-mapped memory regions for each process
[Figure: value flow graph: main → enable_irq → irqinfo, whose out-parameter carries NVIC_A or NVIC_B; hw_initialize → dev_reset, which stores to DEVICE_X.]

Peripheral-mapped memory regions:
50000804-50000808 DEVICE_X W
e000e100-e000e104 NVIC_A RW
e000e104-e000e108 NVIC_B RW
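The backward-slicing step for the two NuttX cases above, as an added example that is not Minion's analysis code: the value flow graph is hand-constructed from the snippet (a real pass would build it from LLVM IR), each load/store address operand is sliced backwards to the constants that can reach it, and the peripheral rule list is assembled with permissions accumulated per address. The MMIO address ranges used to classify constants follow the Cortex-M default memory map and are an assumption; vendor maps differ.

```c
/* Added example, not Minion's code: backward slicing over a value flow graph
 * (VFG) to recover the MMIO addresses reaching each load/store, then the
 * per-process peripheral rules. The VFG is constructed from the slide's
 * NuttX snippet: dev_reset stores to the constant DEVICE_X; enable_irq loads
 * and stores through `addr`, which irqinfo fills with NVIC_A or NVIC_B. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VFG nodes: a value is either a constant or derived from other values. */
enum { V_DEVICE_X, V_NVIC_A, V_NVIC_B, V_IRQINFO_OUT, V_ENABLE_ADDR, NVAL };
struct value { const char *name; bool is_const; uint32_t konst; int nsrc; int src[4]; };
static const struct value vfg[NVAL] = {
    [V_DEVICE_X]    = { "DEVICE_X",        true,  0x50000804, 0, { 0 } },
    [V_NVIC_A]      = { "NVIC_A",          true,  0xe000e100, 0, { 0 } },
    [V_NVIC_B]      = { "NVIC_B",          true,  0xe000e104, 0, { 0 } },
    [V_IRQINFO_OUT] = { "irqinfo:*addr",   false, 0, 2, { V_NVIC_A, V_NVIC_B } }, /* two stores */
    [V_ENABLE_ADDR] = { "enable_irq:addr", false, 0, 1, { V_IRQINFO_OUT } },      /* via out-param */
};

/* Memory accesses whose address operand is a VFG value. */
enum { ACC_LOAD = 1, ACC_STORE = 2 };
struct access { const char *fn; int kind; int addr_value; uint32_t width; };
static const struct access accesses[] = {
    { "dev_reset",  ACC_STORE, V_DEVICE_X,    4 },   /* *(uint32_t *)DEVICE_X = val; */
    { "enable_irq", ACC_LOAD,  V_ENABLE_ADDR, 4 },   /* val = *(uint32_t *)addr;     */
    { "enable_irq", ACC_STORE, V_ENABLE_ADDR, 4 },   /* *(uint32_t *)addr = val;     */
};

/* Cortex-M default map (assumption): Peripheral 0x40000000-0x5FFFFFFF,
 * External device 0xA0000000-0xDFFFFFFF, System/PPB 0xE0000000 and up. */
bool is_mmio(uint32_t addr)
{
    return (addr >= 0x40000000u && addr < 0x60000000u) || addr >= 0xA0000000u;
}

/* Backward slice: every constant that can flow into value `v`. Returns the
 * number of constants (0: address unknown, e.g. computed at run time). */
int slice_constants(int v, uint32_t *out, int max_out)
{
    bool seen[NVAL] = { false };
    int work[NVAL], top = 0, n = 0;
    work[top++] = v; seen[v] = true;
    while (top > 0) {
        int cur = work[--top];
        if (vfg[cur].is_const) {
            if (n == max_out) return -1;
            out[n++] = vfg[cur].konst;
            continue;
        }
        for (int i = 0; i < vfg[cur].nsrc; i++) {
            int s = vfg[cur].src[i];
            if (!seen[s]) { seen[s] = true; work[top++] = s; }
        }
    }
    return n;
}

int count_constants(int v) { uint32_t tmp[NVAL]; return slice_constants(v, tmp, NVAL); }

struct dev_rule { uint32_t base, size; int rw; };   /* rw: ACC_LOAD | ACC_STORE bits */

/* Peripheral rule list: one row per MMIO address reached by some access, with
 * permissions accumulated over all accesses that reach it. */
int device_rules(struct dev_rule *out, int max_out)
{
    int nr = 0;
    for (size_t a = 0; a < sizeof accesses / sizeof *accesses; a++) {
        uint32_t addrs[NVAL];
        int n = slice_constants(accesses[a].addr_value, addrs, NVAL);
        for (int i = 0; i < n; i++) {
            if (!is_mmio(addrs[i])) continue;        /* RAM/flash: not a device rule */
            int k;
            for (k = 0; k < nr; k++) if (out[k].base == addrs[i]) break;
            if (k == nr) {
                if (nr == max_out) return -1;
                out[nr++] = (struct dev_rule){ addrs[i], accesses[a].width, 0 };
            }
            out[k].rw |= accesses[a].kind;
        }
    }
    return nr;
}

int rule_rw(const struct dev_rule *rules, int n, uint32_t base)
{
    for (int i = 0; i < n; i++) if (rules[i].base == base) return rules[i].rw;
    return -1;
}

static struct dev_rule demo_rules[8];
int demo_device_rules(void) { return device_rules(demo_rules, 8); }

int main(void)
{
    int n = demo_device_rules();
    for (int i = 0; i < n; i++)
        printf("%08x-%08x %s%s\n", (unsigned)demo_rules[i].base,
               (unsigned)(demo_rules[i].base + demo_rules[i].size),
               (demo_rules[i].rw & ACC_LOAD) ? "R" : "", (demo_rules[i].rw & ACC_STORE) ? "W" : "");
    return 0;
}
```

The output reproduces the slide's table: DEVICE_X is write-only because only a store reaches it, while both NVIC registers become RW because the same `addr` feeds a load and a store in enable_irq. An address whose slice yields no constant would produce no rule, which is the case a practitioner has to treat separately (widen the rule or reject the process).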
Run-time Memory View Enforcement
[Figure: the memory views of P1, P2 and the RTOS, each a table of # Base Size rwx rows, are held by the privileged view switcher; the processes and the RTOS run unprivileged. On a process switch from P1 to P2 the view switcher re-configures the MPU with P2's view.]
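What the view switcher has to do on a process switch, as an added example that is not Minion's own switcher: encode a process's rule rows into ARMv7-M MPU region registers and program the whole set. The register layout is the ARMv7-M MPU (TYPE/CTRL/RNR/RBAR/RASR at 0xE000ED90); the register block is passed in so the code can run against a fake on a host. The rules, the use of PRIVDEFENA for the privileged switcher and the widening of write-only rules are assumptions, not the paper's design.

```c
/* Added example, not Minion's view switcher: turn "# base size rwx" rules into
 * ARMv7-M MPU region settings and apply them on a process switch. Register
 * layout is the ARMv7-M MPU; the rule values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MPU_MAX_REGIONS 8u                 /* Cortex-M3/M4/M7 offer 8 (some 16) */
#define MPU_HW_BASE     0xE000ED90u        /* real block: (struct mpu_regs *)MPU_HW_BASE */

struct mpu_regs { volatile uint32_t TYPE, CTRL, RNR, RBAR, RASR; };

struct view_rule  { uint32_t base, size; uint8_t r, w, x; };   /* one rule row */
struct mpu_region { uint32_t rbar, rasr; bool ok; };

/* RASR: ENABLE[0] SIZE[5:1] SRD[15:8] B[16] C[17] S[18] TEX[21:19] AP[26:24] XN[28] */
#define RASR_ENABLE     (1u << 0)
#define RASR_XN         (1u << 28)
#define RASR_AP(ap)     ((uint32_t)(ap) << 24)
#define RBAR_VALID      (1u << 4)          /* RBAR also carries the region number */
#define CTRL_ENABLE     (1u << 0)
#define CTRL_PRIVDEFENA (1u << 2)

/* Smallest hardware-expressible region covering [base, base+size): ARMv7-M
 * regions are power-of-two sized (>= 32 bytes) and size-aligned, so a 4-byte
 * MMIO register like the slide's DEVICE_X widens to its 32-byte neighbourhood
 * and an unaligned code range widens further. Sub-region disable (SRD) could
 * trim that over-approximation; not used here. */
struct view_rule mpu_cover(struct view_rule r)
{
    uint32_t csize = 32;
    while (csize != 0 && r.base + r.size > (r.base & ~(csize - 1)) + csize)
        csize <<= 1;
    struct view_rule c = r;
    c.base = r.base & ~(csize - 1);
    c.size = csize;                        /* 0: not coverable */
    return c;
}

/* SIZE field for a power-of-two size >= 32, else -1 (region size = 2^(SIZE+1)). */
int mpu_size_field(uint32_t size)
{
    if (size < 32 || (size & (size - 1)) != 0) return -1;
    int n = 0;
    while ((1u << n) != size) n++;
    return n - 1;
}

/* Encode one rule for region `region`. ok == false for what the MPU cannot
 * express: bad size, misaligned base, region index out of range, or a rule
 * granting no access. Write-only (the slide's DEVICE_X "W") widens to RW
 * because ARMv7-M has no write-only AP encoding. */
struct mpu_region mpu_encode(struct view_rule rule, uint8_t region)
{
    struct mpu_region out = { 0, 0, false };
    int sz = mpu_size_field(rule.size);
    if (sz < 0 || region >= MPU_MAX_REGIONS || (rule.base & (rule.size - 1)))
        return out;
    uint32_t ap;
    if (rule.w)      ap = 3u;              /* privileged + unprivileged RW */
    else if (rule.r) ap = 6u;              /* read-only for both */
    else             return out;
    /* TEX/C/B/S left 0 (strongly ordered): correct everywhere, not fastest. */
    out.rasr = RASR_ENABLE | ((uint32_t)sz << 1) | RASR_AP(ap) | (rule.x ? 0u : RASR_XN);
    out.rbar = (rule.base & ~0x1Fu) | RBAR_VALID | region;
    out.ok = true;
    return out;
}

/* Program one process's whole view. Every region is rewritten and unused ones
 * disabled, so no rule of the previous process survives the switch. The
 * privileged switcher keeps the default map via PRIVDEFENA; unprivileged code
 * (RTOS and apps) sees only these regions. On hardware follow the final CTRL
 * write with DSB + ISB. */
int mpu_apply_view(struct mpu_regs *mpu, const struct view_rule *rules, size_t n)
{
    struct mpu_region regs[MPU_MAX_REGIONS];
    if (n > MPU_MAX_REGIONS) return -1;    /* view does not fit: merge or split rules */
    /* Validate everything before touching the hardware: failing half-way would
     * leave the MPU disabled, i.e. the next process with the default map. */
    for (uint8_t i = 0; i < MPU_MAX_REGIONS; i++) {
        regs[i] = (struct mpu_region){ RBAR_VALID | i, 0, true };   /* disabled */
        if (i < n) {
            regs[i] = mpu_encode(mpu_cover(rules[i]), i);
            if (!regs[i].ok) return -1;
        }
    }
    mpu->CTRL = 0;
    for (uint8_t i = 0; i < MPU_MAX_REGIONS; i++) {
        mpu->RBAR = regs[i].rbar;          /* VALID selects the region, no RNR write */
        mpu->RASR = regs[i].rasr;
    }
    mpu->CTRL = CTRL_ENABLE | CTRL_PRIVDEFENA;
    return (int)n;
}

/* Constructed view for one process: its code, its data pool, one MMIO register. */
static const struct view_rule demo_view[] = {
    { 0x08004970, 0x1dc,  1, 0, 1 },      /* code:   r-x (main..baz from the slide) */
    { 0x20010000, 0x1000, 1, 1, 0 },      /* data:   rw- */
    { 0x50000804, 4,      0, 1, 0 },      /* device: -w- (slide's DEVICE_X) */
};
static struct mpu_regs fake_mpu;           /* host stand-in for the real register block */

int demo_apply(void) { return mpu_apply_view(&fake_mpu, demo_view, 3); }

int main(void)
{
    printf("applied %d rules, CTRL=%08x\n", demo_apply(), (unsigned)fake_mpu.CTRL);
    for (size_t i = 0; i < 3; i++) {
        struct mpu_region r = mpu_encode(mpu_cover(demo_view[i]), (uint8_t)i);
        printf("region %u: RBAR=%08x RASR=%08x\n", (unsigned)i, (unsigned)r.rbar, (unsigned)r.rasr);
    }
    return 0;
}
```

Two caveats the slide's tables make visible: the analysis emits byte-exact rules (a 4-byte MMIO register, a 0x1dc-byte code range) while the hardware only takes aligned power-of-two regions, so every rule is widened before encoding; and the frequent MPU reprogramming is the cost the paper measures as the mode-switch overhead.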
Evaluation with Attack Cases
• 8 realistic attack cases
• Tested on a commodity UAV (3DR IRIS+)
• Found 4 new vulnerabilities in the firmware (confirmed and fixed)
• All 8 attack cases blocked
• 76% memory space reduction
• Zero violations of real-time constraints

Name                        | Attack surface     | Result
----------------------------|--------------------|-------
Process termination         | RTOS function      | ✓
Control parameter attack    | Control parameter  | ✓
RC disturbance              | RC configuration   | ✓
Servo operation             | Driver function    | ✓
Soft timer attack           | Hardware timer     | ✓
Hard timer attack           | Hardware timer     | ✓
Memory remapping            | Flash patch unit   | ✓
Interrupt vector overriding | Interrupt vector   | ✓
Attack Under Minion's Protection
Performance Impact
• All deadline constraints satisfied
• 31 real-time tasks with deadlines: 2% overhead
[Figure: execution time in µs (log scale) of each of the 31 real-time tasks, unprotected vs. protected, against the task's deadline.]
Conclusion
• Memory protection in RT microcontrollers
• Minion: a new architecture that brings memory isolation to RT microcontroller systems
• Significant memory space reduction while maintaining real-time responsiveness
• Attack cases and vulnerability discovery
This work is sponsored by ONR. Thank you! Questions? https://github.com/chungkim/minion Chung Hwan Kim <chungkim@nec-labs.com>