rai securing embedded systems with return address
play

RAI: Securing Embedded Systems with Return Address Integrity Naif - PowerPoint PPT Presentation

Mar 04, 2024 •171 likes •771 views

RAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and

  1. μRAI: Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4,5,6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 1 2 3 4 5 6 Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned 1 subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

  2. Current State of Security [1] [2] [3] Target: Embedded and IoT devices Running Microcontroller Systems (MCUS) Attack: Control-flow Hijacking [1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/ [2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/ [3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical 2

  3. MCUS Challenges Desktop MCUS  Small physical  Large virtual memory … … memory (GBs) Stack (MBs Flash, KBs RAM) … 0x08999555 0x08055555 (code) Flash … … … …  Basic defenses  Basic defenses … Code 0x08000000 (e.g., ASLR) (e.g., ASLR) Memory Heap 0x08022222 0x08777222 … Stack 0x02050000 …  Smaller code Larger code … Data (Data) 0x08011111 0x08555111 RAM Heap … … Code  DEP  DEP 0x08000000 0x08111000 Data 0x02000000 (Disabled  Fixable) 3

  4. MCUS Defenses for Return Addresses (Conceptual) Special hardware required Without extra hardware Safe Stack Overhead Shadow Shadow + Stack Stack High Software Runtime Overhead + + Fault MPU TEE Isolation 10% Randomized CFI μRAI Safe Stack Limited Security Guarantees Usage Location Integrity Security Return Address Integrity + Low runtime overhead + No special hardware 4

  5. MCUS Defenses for Return Addresses (Related Work) Special hardware required Without extra hardware Overhead CFI CaRE (Shadow stack) High Runtime Overhead [RAID17] RECFISH ACES [ECRTS 2019] [SEC18] 10% SCFP [EuroS&P18] Minion EPOXY C-FLAT uXOM Symbiote μArmor [NDSS18] LiteHAX (SafeStack ) [CCS16] μRAI [SEC19] [RAID11] [EuroS&P19] [ICCAD18] [S&P17] Limited Security Guarantees Usage Location Integrity Security Return Address Integrity + Low runtime overhead + No special hardware 5

  6. Return Address Integrity (RAI) • Every attack requires corrupting a return addresses by overwriting it • Main limitation of defenses  return addresses are in writable memory • Example: Information hiding • Key solution is to prevent an attacker from corrupting return addresses . RAI Property: • Ensure the return address is never writable except by an authorized instruction. • Return addresses are never pushed to the stack or any writable memory by an adversary. 6

  7. Threat Model & μRAI Protection Normal application μRAI main main Unprivileged • Reads from memory • Writes to memory • Knows the code layout Func1 Func2 Func1 Func2 • Targets backward-edges Corrupt Func3 Func3 return address Func4 Func4 Privileged Func5 Func6 MPU, VTOR Func5 Func6 MPU, VTOR Corrupt return address Func7 Func7 or corrupt sensitive Memory Mapped IO (MMIO) : Normal function : Callable within exception handler : MMIO : State register encoding : Software-Fault Isolation (SFI) 7

  8. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 8

  9. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 9

  10. μRAI and the State Register • State Register (SR): • Can be any general-purpose register  exclusively used by μRAI • Never spilled  cannot be overwritten through a memory corruption • Does not contain a return address  encoded values to resolve the return location • Example call graph: SR SR • Each edge  call Func2 reads the SR to resolve main Func1 Func2 the correct return location • How encode SR? SR SR • An XOR chain 10

  11. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … • Function Keys (FKs): Hard-coded keys used to encode the SR 11

  12. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Function IDs (FIDs): Possible values of the SR for the function 12

  13. μRAI: Terminology SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Function Lookup Table (FLT): List of FIDs for the function. 13

  14. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Encode the SR and call Func2 14

  15. μRAI: Transformation SR [Recursive] SR [Recursive] SR [Encoded] SR [Encoded] 0 0 C key1 Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Func2 reads the SR and executes the corresponding direct jump 15

  16. μRAI: Transformation SR [Recursive] SR [Recursive] SR [Encoded] SR [Encoded] 0 0 C key1 Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • Func2 returns correctly and the SR is decoded 16

  17. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • The previous SR value is restored 17

  18. μRAI: Transformation SR [Recursive] SR [Encoded] 0 C Address <Func1>: Address <Func2>: … SR[Enc] = SR[Enc] key1 … … … Call Func2 … … Func1_1 SR[Enc] = SR[Enc] key1 … … … … … … … SR[Enc] = SR[Enc] key2 … … … Call Func2 … … Func1_2 SR[Enc] = SR[Enc] key2 … … … … … … Function ID (FID) Return Target Function ID (FID) Return Target ⊕ C Jump return_location1 C key1 Jump Func1_1 ⊕ ELSE Jump ERROR C key2 Jump Func1_2 ELSE Jump ERROR • The same happens for other calls. Func1 can then return correctly 18

  19. μRAI: Overview Read + eXecute Jump Table State Jump return_location1 1 Enforces the RAI property Register Jump return_location2 … Protects exception handlers 2 Exception handler software-fault isolation and privileged execution 3 Relative jump target lookup routine Low runtime overhead 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias

Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias

RAI : Securing Embedded Systems with Return Address Integrity Naif Saleh Almakhdhub 1,4 Abraham A. Clements 3 Saurabh Bagchi 1 Mathias Payer 2 1 2 3 4 Sandia National Laboratories is a multimission laboratory managed and operated by National

852 views • 35 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of contents What is an embedded system Examples of research topics Admission Overview of the programme Success rates Master Embedded

814 views • 31 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems pieter.willems@silexinsight.com V2.0 2019 Overview Silex Insight Introduction Embedded security markets and applications Security

590 views • 15 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Trends of RT Embedded Systems

332 views • 10 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State

Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State

Embedded Systems Programming PCI Configuration (Module 10) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU PCI Address Space A PCI target can

288 views • 10 slides
Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment

Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment

Securing Tennessees Future Contract Education: Increasing Tennessees Return on Investment More College Graduates Needed More Tennesseans must reap the benefits of higher education if the state is to enhance its economic viability

294 views • 11 slides
Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split in 2 parts: Lectures: ESE VO (182.721) ECTS: 3.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/esevo Staff: Prof. Radu Grosu,

859 views • 7 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
When Embedded Systems Attack Embedded systems can fail for a variety of reasons

When Embedded Systems Attack Embedded systems can fail for a variety of reasons

22.1 22.2 When Embedded Systems Attack Embedded systems can fail for a variety of reasons Electrical problems Unit 22 Mechanical problems Errors in the programming Incorrectly specified Errors caused by users Embedded

201 views • 5 slides
1 How are embedded systems different Timing and Concurrency than traditional software? Fire

1 How are embedded systems different Timing and Concurrency than traditional software? Fire

What is an Embedded System? Definition of an embedded computer system: Embedded Systems is a digital system. Introduction uses a microprocessor (usually). runs software for some or all of its functions. frequently used as a

158 views • 3 slides
Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE 6780/5780 Al Davis Al Davis Todays topics: logistics - minor synopsis of last lecture software desig finite state machine based

466 views • 19 slides
REINTEGRATION OF RETURNEE MIGRANTS INTO THE NATIONAL LABOUR MARKET IN NEPAL CONTEXT Close to

REINTEGRATION OF RETURNEE MIGRANTS INTO THE NATIONAL LABOUR MARKET IN NEPAL CONTEXT Close to

REINTEGRATION OF RETURNEE MIGRANTS INTO THE NATIONAL LABOUR MARKET IN NEPAL CONTEXT Close to half a million labour permits issued in last fiscal year Majority of migrant workers between the age of 15 to 29 years of age While 36.5%

150 views • 10 slides
Client Care Model Board Meeting April 25, 2012 Outstanding care every person, every day The

Client Care Model Board Meeting April 25, 2012 Outstanding care every person, every day The

Client Care Model Board Meeting April 25, 2012 Outstanding care every person, every day The Client Care Model The Client Care Model is a framework that standardizes how we define, work with, and are accountable for five client

391 views • 21 slides
Impact of hydraulic fracturing on soil microbial functions &amp; community A Spill Scenario Study

Impact of hydraulic fracturing on soil microbial functions &amp; community A Spill Scenario Study

Impact of hydraulic fracturing on soil microbial functions &amp; community A Spill Scenario Study Rai Kookana | Senior Principal Research Scientist | 2 December 2019 Spills of fluids can occur during CSG operations No. of spills Patter

414 views • 27 slides
Mandip Rai, Chief Executive Presentation Background Strengthening LEPs Review July 2018

Mandip Rai, Chief Executive Presentation Background Strengthening LEPs Review July 2018

Leicestershire County Council Scrutiny Commission 12 June 2019 Andy Reed, Deputy Chair Mandip Rai, Chief Executive Presentation Background Strengthening LEPs Review July 2018 LEP Review Implementation Review of 2018/19

433 views • 22 slides
The Regioprop R-80 New Genera3on Turboprop PT Regio

The Regioprop R-80 New Genera3on Turboprop PT Regio

REGIONAL TURBOPROP The Regioprop R-80 New Genera3on Turboprop PT Regio Aviasi Industri, Indonesia November 2015 Background PT REGIO AVIASI INDUSTRI

904 views • 24 slides
Vos Logistics in LNG: a sustainable solution in road transport Copenhagen Annemarie Timmermans

Vos Logistics in LNG: a sustainable solution in road transport Copenhagen Annemarie Timmermans

Vos Logistics in LNG: a sustainable solution in road transport Copenhagen Annemarie Timmermans 26 October 2016 LNG Project Manager Warehousing Regional distribution International Transport Activities, facts &amp; figures Quality Efficiency

710 views • 16 slides
Shahab Sheibani Atomic Energy Organization of Iran, I.R. of Iran Preface: what happened during

Shahab Sheibani Atomic Energy Organization of Iran, I.R. of Iran Preface: what happened during

Production and quality control of radiopharmaceuticals in Iran Shahab Sheibani Atomic Energy Organization of Iran, I.R. of Iran Preface: what happened during past decade Enhancement of National capacity and development of infrastructures for

267 views • 12 slides
Seung-Kon Lee Division of Radioisotope Research Department of HANARO Utilization Research

Seung-Kon Lee Division of Radioisotope Research Department of HANARO Utilization Research

10-13 Sept. 2017 Mo-99 Topical Meeting, Montreal, Canada Seung-Kon Lee Division of Radioisotope Research Department of HANARO Utilization Research Institute of Radiation Science KAERI Contents 1. KJRR Introduction 2. KJRR Updates 3. Fission

513 views • 22 slides

More recommend