epoxy shielding bare metal embedded systems
play

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer - PowerPoint PPT Presentation

Jan 09, 2024 •358 likes •769 views

EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly with Abraham Clements and Saurabh Bagchi http://hexhive.github.io 1 Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2 Trends in

  1. EPOXY: Shielding Bare-Metal Embedded Systems Mathias Payer (@gannimo), Purdue University Jointly with Abraham Clements and Saurabh Bagchi http://hexhive.github.io 1

  2. Bugs are everywhere? https://en.wikipedia.org/wiki/Pwn2Own 2

  3. Trends in Memory Errors* * Victor van der Veen, https://www.vvdveen.com/memory-errors/, updated Feb. 2017 3

  4. Software is unsafe and insecure* ● Low-level languages (C/C++) trade type safety and memory safety for performance – Our systems are implemented in C/C++ – Too many bugs to find and fix manually Google Chrome: 76 MLoC glibc: 2 MLoC Linux kernel: 14 MLoC * SoK: Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. In IEEE S&P'13 4

  5. Control-Flow Hijack Attack 5

  6. Attack scenario: code injection ● Force memory corruption to set up attack ● Redirect control-flow to injected code Code Heap Stack 6

  7. Attack scenario: code reuse ● Find addresses of gadgets ● Force memory corruption to set up attack ● Redirect control-flow to gadget chain Code Heap Stack 7

  8. Defenses protect desktops/servers ● Address Space Layout Randomization – Shuffles address space, requires information leak ● Data Execution Prevention – Prohibits code injection, requires ROP ● Stack Canaries – Prohibits stack smashing, requires direct write 8

  9. Control-Flow Integrity 9

  10. Control-Flow Integrity (CFI)* ● Restrict a program’s dynamic control-flow to the static control-flow graph – Requires static analysis – Dynamic enforcement mechanism ● Forward edge: virtual calls, function pointers ● Backward edge: function returns * Control-Flow Integrity. Martin Abadi, Mihai Budiu, Ulfar Erlingsson, Jay Ligatti. CCS ‘05 * Control-Flow Integrity: Protection, Security, and Performance. Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, Mathias Payer. ACM CSUR ‘18, preprint: https://nebelwelt.net/publications/files/18CSUR.pdf 10

  11. Control-Flow Integrity (CFI) CHECK(fn); (*fn)(x); CHECK_RET(); Attacker may corrupt memory, return 7 code ptrs. verified when used 11

  12. CFI: limitations ● CFI provides incremental security – Attacker can choose between valid targets – Data-flow attacks are out of scope ● Strength of CFI depends on static analysis – Coarse-grained: all functions are allowed – Fine-grained: arity or function prototype 12

  13. Are we making progress? 2007 2017 13

  14. The State of the IoT 14

  15. Defenses deployed on IoT devices 15

  16. Bare-metal devices (c) dekuNukem, hackaday.io (c) Felix, lowpowerlab.com (c) yenra (c) bunnie, bunniestudios.com 16

  17. Security challenges ● Single application – No separate privilege levels (kernel/user) ● No MMU (virtual memory) – Defenses limited to physical memory space ● Tight constraints – Runtime, memory, battery 17

  18. IoT security stack Bare-metal Application Unused or trivially Security Hardware bypassed Sensitive IO Always accessible IO Vulnerable to: Global Data Stack smashing RAM Stack Code injection Global data corruption Flash Code No ROP defenses Single (Root) execution domain 18

  19. Let’s exploit like in ‘99 (c) MGM 19

  20. EPOXY* * Embedded Privilege Overlay across (X) hardware for anY software 20

  21. EPOXY design ● LLVM-based compiler ● Protects against EPOXY Hardened LLVM-based – Code injection Application compiler – IO manipulation – Control-flow hijack* Sensitive Source – Data corruption* IO Code * Probabilistic, strength may vary (tm) 21

  22. Embedded systems: opportunities ● No separation between “apps” or user/kernel – Only few instructions require privileges ● Small memory size: MBs of Flash, KBs of RAM – Memory is dedicated, may reuse all slack space ● Tight runtime constraints – Execution is interrupt driven, use slack ● Low power requirements – Limit overhead to few instructions 22

  23. Mission 1: privilege separation (c) AMC, Walking Dead 23

  24. Before EPOXY Application Security HW Sensitive IO IO Global Data Stack Code Privileged Execution 24

  25. Privilege separation ● Static analysis identifies restricted operations – Specific instructions per ISA – Sensitive memory-mapped registers (MPU, IO) ● Instrumentation to – Configure MPU to drop privileges – Raise privileges selectively ● Enable security hardware – Enforce W^X code, RW data – Protect access to security hardware, I/O 25

  26. Privilege overlay: benefits Enabled, Security HW Access Restricted Sensitive IO Access Restricted IO Global Data Set to RW, Stops Code Injection Stack Set to RX, Enforces Code Code Integrity Privileged Unprivileged Execution Execution 26

  27. Evaluation: privileged instructions Application Tool Exe Priv Priv % PinLock EPOXY 823K 1.4K 0.17% FreeRTOS-MPU 823K 813K 98.78% FatFS-uSD EPOXY 33.3M 3.9K 0.01% FreeRTOS-MPU 34.1M 33.0M 96.77% TCP-Echo EPOXY 310M 1.5K <0.001% FreeRTOS-MPU 322M 307.0M 95.34%

  28. Mission 2: stop stack smashing (c) Nintendo 28

  29. Stack integrity through SafeStack ● Split stack into safe stack and unsafe stack* ● Move unsafe objects to unsafe stack ● Protects against stack smashing RAM Stack Stack UnSafeStack .data .bss heap Guard Region * V. Kuznetsov et al. , Code Pointer Integrity, OSDI 2014

  30. Mission 3: shuffle

  31. Diversification ● Shuffle globals, stack, and code – Protects against ROP – Protects against global data corruption Seed 1 Binary 1 EPOXY Seed 2 Binary 2 Seed 3 Binary 3 Seed 4 Seed Sources Binary 4

  32. Diversification .data Padding .bss A Stack Stack .data B B b d a a .bss b c c d 2 C heap 1 4 3 UnSafeStack heap D A UnSafeStack B C D E RAM Binary 1 Flash Jumps to handler foo handler bar foo baz foo2 bar2 foo2 bar2 handler bar baz invalid execution

  33. EPOXY: full feature set Hardened Application Enabled, Security HW Access Restricted Sensitive IO Access Restricted IO Isolate Unsafe Data UnSafeStack Set to RW, Stops Global Data Protected Global Data Code Injection Stack Protected stack, ROP Protections Set to RX, Enforces Code ROP Protections Code Integrity Privileged Unprivileged Execution Execution

  34. Evaluation: ROP gadgets # Surviving Across App Total 2 5 25 50 Last PinLock 294K 14K 8K 313 0 48 FatFS-uSD 1,009K 39K 9K 39 0 32 TCP-Echo 676K 22K 9K 985 700 107 Using ROPgadget compiler to identify surviving gadgets across # diversified binaries

  35. Performance impact (BEEP) Runtime SS PO All Min -7.3% -1.3% -11.7% Ave -3.5% 0.1% 1.1% Max 4.4% 2.1% 14.2% Energy SS PO All Min -4.2% -10.3% -10.2% Ave 0.2% -0.2% 2.5% Max 7.3% 2.8% 17.9% SS: SafeStack, PO: Privilege Overlay

  36. Performance impact IoT Apps Runtime IoT Apps Energy 1 5 1 5 S S S S P O P O 1 0 1 0 e I n c r e a s e E n e r g y 5 5 I n c r e a s e R u n t i m 0 0 5 5 % % 1 0 1 0 1 5 1 5 P i n L o c k F a t F S - u S D T C P - E c h o P i n L o c k F a t F S - u S D T C P - E c h o

  37. Conclusion 37

  38. Conclusion ● Embedded systems need protection – Currently no defenses, easy target ● Fast forward embedded security by 3 decades – Privilege separation, mitigate code injection – Safe stack protects against stack smashing – Diversification instead of ASLR ● Meets runtime, memory, energy requirements Source: https://github.com/HexHive/EPOXY 38

  39. Thank you! Questions? Mathias Payer (@gannimo), Purdue University http://hexhive.github.io 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ?

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ?

64 bit Bare Metal Tristan Gingold Programming on RPI-3 gingold@adacore.com What is Bare Metal ? Images: Wikipedia No box What is Bare Metal ? No Operating System Your application is the OS Why Bare Board ? Not enough ressources for an

874 views • 31 slides
Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this

Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this

Bare Metal In The Cloud: Isnt it Ironic? by Dmitry Tantsur and Ilya Etingof, Red Hat In this talk What's bare metal provisioning Ironic introduction and work flows The future of ironic Why bare metal allocation Raw

478 views • 4 slides
Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon

Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon

Running Kubernetes on OpenStack and Bare Metal OpenStack Summit Berlin, November 2018 Ramon Acedo Rodriguez Product Manager, Red Hat OpenStack Team @ramonacedo | racedo@redhat.com Bare Metal On-Trend Bare Metal On-Trend Among users who run

713 views • 34 slides
Nadia Zryanina EMBEDDED SYSTEMS WITH ROBOTICS AND SENSORS USING ERLANG HARDWARE COMPONENTS

Nadia Zryanina EMBEDDED SYSTEMS WITH ROBOTICS AND SENSORS USING ERLANG HARDWARE COMPONENTS

Nadia Zryanina EMBEDDED SYSTEMS WITH ROBOTICS AND SENSORS USING ERLANG HARDWARE COMPONENTS SOFTWARE DEMO FUTURE THE GRISP BOARD SPECS EMBEDDED WIRELESS DEVICE REAL ERLANG ON REAL BARE METAL CONNECTORS FOR SENSORS &amp; ACTUATORS

1.09k views • 53 slides
TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support

TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support

TVM Deep Learning on Bare-Metal Devices Pratyush Patel No OS stack Extend TVM to support bare-metal devices Optimization High-Level Differentiable IR AutoTVM Tensor Expression IR LLVM, CUDA VTA AutoVTA Hardware FPGA ASIC Fleet

1.46k views • 18 slides
Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua

Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua

Rapid Deployment of Bare-Metal and In-Container HPC Clusters Using OpenHPC playbooks Joshua Higgins, Taha Al-Jody and Violeta Holmes HPC Research Group University of Huddersfield, UK HPC Systems Professionals Workshop (HPCSYSPROS18) Outline

211 views • 20 slides
Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa ,

Improving Agility and Elasticity in Bare-metal Clouds Yushi Omote , Takahiro Shinagawa , Kazuhiko Kato University of Tsukuba, The University of Tokyo 1 Bare-metal Clouds An IaaS for high performance and device functionality

230 views • 21 slides
OF EPOXY SYSTEMS FOR CIVIL ENGINEERING FORMULATION OF EPOXY SYSTEMS Sicomin, based in southern

OF EPOXY SYSTEMS FOR CIVIL ENGINEERING FORMULATION OF EPOXY SYSTEMS Sicomin, based in southern

FORMULATION OF EPOXY SYSTEMS FOR CIVIL ENGINEERING FORMULATION OF EPOXY SYSTEMS Sicomin, based in southern France, with 34 years of experience in Epoxy formulation and composite supplies, has 55 employees and a turnover of 20 million USD

320 views • 20 slides
Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized

Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized

Drug-Elu(ng vs. Bare Metal Stents in Saphenous Vein Gra:s: The Prospec(ve Randomized BASKET-SAVAGE Trial Raban V. Jeger, M.D., Ahmed Farah, M.D., Thomas Engstrm, M.D., Sren Gala=us, M.D., Franz Eberli, M.D., Peter Rickenbacher, M.D., David

380 views • 14 slides
Cu@SiO 2 -BaTiO 3 -EPOXY COMPOSITES WITH HIGH PERMITTIVITY FOR EMBEDDED CAPACITORS S.Yu*, S.Luo,

Cu@SiO 2 -BaTiO 3 -EPOXY COMPOSITES WITH HIGH PERMITTIVITY FOR EMBEDDED CAPACITORS S.Yu*, S.Luo,

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS Cu@SiO 2 -BaTiO 3 -EPOXY COMPOSITES WITH HIGH PERMITTIVITY FOR EMBEDDED CAPACITORS S.Yu*, S.Luo, R.Sun Shenzhen Insititutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China

520 views • 5 slides
Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2

Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2

Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2 , V. Kvon 1 , D. U. B. Aussems 1 , M. A. van den Berg 1 , K. Bystrov 1 , N.J. Lopes Cardozo 2 and M. C. M. van de Sanden 1 1 Dutch Institute for

509 views • 31 slides
Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2

Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2

Liquid metal vapour shielding in linear plasma devices T.W. Morgan 1 , G.G. van Eden 1 , P. Rindt 2 , V. Kvon 1 , D. U. B. Aussems 1 , M. A. van den Berg 1 , K. Bystrov 1 , N.J. Lopes Cardozo 2 and M. C. M. van de Sanden 1 1 Dutch Institute for

452 views • 43 slides
Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby

Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby

Running on the Bare Metal with GeekOS David Hovemeyer, Jeffrey K. Hollingsworth, and Bobby Bhattacharjee University of Maryland, College Park 1 Outline Motivation Overview Projects Classroom Experience Conclusions 2 OS

365 views • 33 slides
Towards Converged SmartNIC Architecture for Bare Metal &amp; Public Clouds Layong (Larry) Luo,

Towards Converged SmartNIC Architecture for Bare Metal &amp; Public Clouds Layong (Larry) Luo,

Towards Converged SmartNIC Architecture for Bare Metal &amp; Public Clouds Layong (Larry) Luo, Tencent TEG August 8, 2018 Agenda 1 SmartNIC in Bare Metal Cloud 2 SmartNIC in Public Cloud 3 Converged SmartNIC Architecture 4 Tencent

288 views • 28 slides
Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal

Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal

OPEN INFRASTRUCTURE SUMMIT | SHANGHAI, NOVEMBER 4-6 2019 Run Kubernetes on OpenStack and Bare Metal Fast Ramon Acedo Rodriguez 1 Senior Principal Product Manager, Red Hat Open Hybrid Cloud Vision OPTIONAL SECTION MARKER OR TITLE 2 The

1.02k views • 53 slides
Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me

Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me

Programming for Hostile Environments Our adversary: bare metal infrastructure June 2018 About Me Nathan Goulding, SVP Engineering ~15 years frontline engineer for infrastructure/cloud and media companies Currently lead engineering team at

657 views • 27 slides
The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of

The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of

The Rising Tide of Terrorism- Related Civil Litigation What the Justice Against Sponsors of Terrorism Act (JASTA) may mean for your company. Daniel L. Stein Charles S. Hallab Alex C. Lakatos Partner Partner Partner +1 212 506 2646

453 views • 20 slides
RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law

RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law

RLUIPA Defense: Avoiding and Defending RLUIPA Claims Land Use &amp; Sustainable Development Law Institute Bagels with the Boards CLEs Thanks for having us Ted Carey (Boston) Karla Chaffee (Boston) Evan Seeman (Hartford)

329 views • 31 slides
Working with Trauma in AEDP: How we Provide the Corrective Emotional Experience SueAnne Piliero,

Working with Trauma in AEDP: How we Provide the Corrective Emotional Experience SueAnne Piliero,

Working with Trauma in AEDP: How we Provide the Corrective Emotional Experience SueAnne Piliero, Ph.D. Senior Faculty, AEDP Institute May 2013 New York City Immersion Course Core Assumption of AEDP The ability to process experience,

502 views • 21 slides
Leveraging Bankruptcy Preference Defenses: Trade Creditor Payments, Earmarking, Critical Vendors,

Leveraging Bankruptcy Preference Defenses: Trade Creditor Payments, Earmarking, Critical Vendors,

Presenting a live 90-minute webinar with interactive Q&amp;A Leveraging Bankruptcy Preference Defenses: Trade Creditor Payments, Earmarking, Critical Vendors, Claim Waivers, Set-Offs THURSDAY, JUNE 29, 2017 1pm Eastern | 12pm Central |

912 views • 90 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 KU Leuven, ESAT/COSIC and imec (to appear in PoPETS 2017) Talk in the

532 views • 20 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Federal Information Systems Security Education Association Spear Phishing Agenda Definition

Federal Information Systems Security Education Association Spear Phishing Agenda Definition

Federal Information Systems Security Education Association Spear Phishing Agenda Definition of spear phishing Why is spear phishing so valuable to attackers Spear phishing defenses / countermeasures Training concepts and delivery

434 views • 8 slides
Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq.

Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq.

Responding to the Opioid Crisis: Litigation, Regulation, &amp; Reform Track B: The Defense Perspective George Talarico, Esq. Partner (973) 643-5566 | gtalarico@sillscummis.com One Riverfront Plaza Newark, NJ 07102 Giovanni Ciavarra, PhD

973 views • 44 slides

More recommend