Securing Real-Time Microcontroller Systems through Customized Memory - - PowerPoint PPT Presentation

SLIDE 1

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Slide-deck for Graduate Computer Security (CS563) Fall 2018 University of Illinois

  • Prof. Adam Bates
SLIDE 2

What are Real-time Microcontrollers?

  • Application-specific compute unit.
  • Lack of resources (especially RAM)
  • Low Power
  • Lower footprint, e.g., kilobytes vs. megabytes.
  • Runs light-weight OS'es
  • E.g., Automotive, Consumer Electronics, Sensor Networks

SLIDE 3

Features

  • High resolution clocks and timers
  • RT application development requires support of timer services with resolution ~ µs

  • Static Priority Levels
  • RMA & EDF assume static priorities
  • Dynamic Priorities are used for better response to tasks blocked on I/O
  • Fast task Preemption
  • High priority task on arrival should instantly get CPU from low priority task
  • Predictable and Fast Interrupt Latency
  • Bottom Half
SLIDE 4

Features

  • Memory management requirements
  • Memory Isolation (MI): Process MI & Kernel MI
  • No Process MI
  • Lack of Virtual Memory support
  • Worst-case vs. Average (tmem)
  • No Kernel Memory Isolation
  • Lack of privilege separation
  • Context switching leads to performance issues.
  • Save memory bits
  • Light-weight system call

SECURITY?

SLIDE 5

Memory Protection Units (MPU)

  • Hardware-based memory isolation
  • Can be enabled in the firmware of the microcontroller
  • Access control rules for memory regions (usually 8 to 16)
  • If a memory region is accessed without the required permission, the processor raises a Protection Fault

SLIDE 6

Attacks are (way too) common!

SLIDE 7

Security Solution: MINION

  • Memory View
  • Minimum set of memory regions essential to correctly operate each process
  • Identified by static program analysis
  • View Switcher
  • Trusted Compute Base (TCB)
  • Component that loads memory-views
  • Isolated from RTOS and other unprivileged processes

SLIDE 8

Memory View Tailoring

  • Find the physical memory regions essential, per-process

  • Static firmware analysis
  • Code injection/reuse,
  • Data corruption,
  • Physical device abuse
SLIDE 9

Code Reachability Analysis

  • Find all reachable functions from the entry functions
  • Entry functions
  • Start function & interrupt handlers
  • Identified by analyzing a few RTOS functions
  • Indirect calls are handled by inter-procedural points-to analysis
  • Build a list of executable memory regions for each process

SLIDE 10

Data Reachability Analysis

  • Global data
  • Forward slicing based on inter-procedural value flow graph
  • Build a list of global data for each process
  • Stack and Heap data
  • Memory pool size profiling with annotated memory allocator
  • Per-process memory pool allocation

[Figure: value flow over the functions main, foo, bar, baz and irq_handler, following loads and stores (LDR r8, GlobA; STR r2, GlobA; LDR r0, GlobB; LDR r2, GlobC; STR r5, GlobB) to the per-process global data regions: GlobA 200010f0-200010f4 RW, GlobB 20014618-20014638 RW, GlobC 080b3428-080b3440 R]

SLIDE 11

Device Reachability Analysis

  • Find load and store instructions with an MMIO address
  • Backward slicing on inter-procedural value flow graph
  • Build a list of peripheral-mapped memory regions for each process

[Figure: backward slice from MMIO accesses in enable_irq, irqinfo, main, dev_reset and hw_initialize to the peripheral-mapped regions: DEVICE_X 50000804-50000808 W, NVIC_A e000e100-e000e104 RW, NVIC_B e000e104-e000e108 RW]

SLIDE 12

Run-time Memory View Enforcement

[Figure: processes P1 and P2 run unprivileged; the RTOS and the View Switcher run privileged. Each memory view is a table of MPU entries (#, Base, Size, rwx), one table per process. On a process switch the View Switcher re-configures the MPU with the incoming process's view.]
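The view-to-MPU step above, as an added example in C that is not code from the slides or from Minion itself: a memory view is a list of analysed regions, each is encoded as an ARMv7-M MPU region (the register layout and the 32-byte, power-of-two, naturally-aligned rule are assumed from the ARMv7-M architecture; `region_t`, `view_t`, `encode_region` and `view_permits` are this example's own names), and a simulated check shows where the Protection Fault of slide 5 would fire. The sample view is constructed from the tables on slides 10 and 11.

```c
#include <stdint.h>
#include <stdbool.h>
/* A physical memory region the static analysis marked essential for a process,
 * with the access it needs. Values below are constructed from the region tables
 * on slides 10 and 11; the struct and function names are this example's own. */
typedef struct { const char *name; uint32_t start, end; bool r, w, x; } region_t;
typedef struct { region_t regions[8]; int count; } view_t;   /* one process's memory view */
typedef struct { uint32_t base, rbar, rasr; uint64_t size; } mpu_region_t;

/* Encode one view entry as an ARMv7-M MPU region (RBAR = base|VALID|number,
 * RASR = XN|AP|SIZE|ENABLE). MPU regions must be power-of-two sized (>= 32 B)
 * and naturally aligned, so the analysed range is rounded out to the smallest
 * enclosing region: this over-approximation is the price of hardware enforcement. */
mpu_region_t encode_region(const region_t *r, int number) {
    mpu_region_t m;
    uint64_t size = 32; uint32_t size_field = 4;              /* 2^(SIZE+1) = 32 */
    while ((r->start & ~(uint32_t)(size - 1)) + size < r->end) { size <<= 1; size_field++; }
    m.base = r->start & ~(uint32_t)(size - 1);
    m.size = size;
    /* AP 0b011 = read/write for privileged and unprivileged, 0b110 = read-only for both.
     * The MPU has no write-only encoding, so a W-only device register becomes RW. */
    uint32_t ap = r->w ? 3u : 6u;
    m.rbar = (m.base & 0xFFFFFFE0u) | (1u << 4) | (uint32_t)number;
    m.rasr = ((r->x ? 0u : 1u) << 28) | (ap << 24) | (size_field << 1) | 1u;
    return m;
}

/* Simulate the check the loaded view imposes on an access ('r', 'w' or 'x').
 * A false result is where the MPU raises a Protection Fault (slide 5) and the
 * drone implementation (slide 13) falls back to fail-safe landing. */
bool view_permits(const view_t *v, uint32_t addr, char op) {
    for (int i = 0; i < v->count; i++) {
        mpu_region_t m = encode_region(&v->regions[i], i);
        if (addr < m.base || addr >= m.base + m.size) continue;
        bool xn = (m.rasr >> 28) & 1u;
        uint32_t ap = (m.rasr >> 24) & 7u;
        if (op == 'x') return !xn;
        if (op == 'w') return ap == 3u;
        return ap == 3u || ap == 6u;
    }
    return false;                  /* no region covers the address: denied */
}

/* Constructed view: globals from slide 10 plus one MMIO register from slide 11. */
const view_t example_view = { .regions = {
    { "GlobA",    0x200010f0, 0x200010f4, true,  true,  false },
    { "GlobB",    0x20014618, 0x20014638, true,  true,  false },
    { "GlobC",    0x080b3428, 0x080b3440, true,  false, false },
    { "DEVICE_X", 0x50000804, 0x50000808, false, true,  false } }, .count = 4 };
```

Note that GlobA's four bytes become a 32-byte MPU region, so the view also admits writes to the neighbouring addresses 0x200010e0-0x200010ff; the real view has to account for that slack when regions are packed.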

SLIDE 13

Implementation

  • Drone platform, 3DR-IRIS+ based on the Pixhawk µC
  • Fail-safe landing feature on illegal memory access
  • 787 LOC: View Switcher
  • 87 LOC: RTOS

3DR IRIS+

SLIDE 14

Evaluation: (1) Performance Impact

  • Real-time Benchmarks:
  • 31 real-time tasks with deadlines: 2% overhead (every context switch)
  • All deadline constraints satisfied
  • Micro-Benchmarks:
  • switch_view: 15 µs
  • read_scb: 4 µs
  • write_scb: 5 µs

[Figure: per-task execution time in µsec (log scale), Unprotected vs. Protected, plotted against each task's Deadline for the 31 real-time tasks (e.g. update_GPS, update_batt_compass, read_aux_switches, update_altitude, run_nav_updates, gcs_send_heartbeat, perf_update, rpm_update, frsky_telemetry_send, epm_update)]

SLIDE 15

Evaluation: (2) Security Experiments

Discovery: Memory Corruption Bugs

  • 4 new bugs
  • Side-effect of developing Minion
SLIDE 16

Evaluation: (2) Security Experiments

Attack Cases

  • Exploits buffer overflow bug in PX4 driver
SLIDE 17

Evaluation: (3) Memory Space Reduction

SLIDE 18

Conclusion

  • Memory protection in RT microcontrollers
  • Minion: New architecture to bring memory isolation to RT microcontroller systems
  • Significant memory space reduction with maintained RT responsiveness

  • Attack cases and vulnerability discovery
SLIDE 19

Analysis

Strengths

  • Uncovers new security holes in the firmware
  • Real-time guarantees still satisfied

Weaknesses

  • Attack windows still exist due to providing limited access control protection between views
  • Requires root access to the microcontroller and redeployment.

Opportunities/Future Work

  • Using trusted execution environments can provide increased isolation guarantees between RTOS and the View Switcher

  • Better static/dynamic analysis techniques

Threats

  • View switcher is a single point of failure
  • Calculation of deadlines not explained