uxom efficient execute only memory on cortex m
play

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , - PowerPoint PPT Presentation

Mar 12, 2024 •618 likes •875 views

uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1 , Byoungyoung Lee 1,2 , Yeongpil Cho 3 , Yunheung Paek 1 1 Seoul National University, 2 Purdue University, 3 Soongsil University, 4 Electronics and

  1. uXOM: Efficient eXecute-Only Memory on Cortex-M Donghyun Kwon 1,4 , Jangseop Shin 1 , Giyeol Kim 1 , Byoungyoung Lee 1,2 , Yeongpil Cho 3 , Yunheung Paek 1 1 Seoul National University, 2 Purdue University, 3 Soongsil University, 4 Electronics and Telecommunications Research Institute

  2. eXecute-Only Memory (XOM) ▪ A memory which has only a execute permission – No read and write permission ▪ Purpose – Protect intellectual properties (IPs) – Prohibit obtaining CRA(Code Reuse Attack) gadgets at runtime • [ Stephen et al. S&P’15] ▪ High-end CPU architectures support XOM • X86 – EPT, MPK • AArch64 - MMU uXOM: Efficient eXecute Only Memory on Cortex-M 2

  3. Motivation ▪ ARMv7-M architecture – Used in Cortex-M3/4/7 processors • prominent processor in embedded systems – No MMU – No execute-only permission in MPU (Memory Protection Unit) • Available permissions: NA, RO, RX, RW, RWX ▪ We propose uXOM – New software technique to implement XOM on Cortex-M processors. uXOM: Efficient eXecute Only Memory on Cortex-M 3

  4. Threat model & Assumption ▪ Consider software attacks at runtime – Assume that target firmware has memory vulnerabilities. – Attacker can perform arbitrary memory read and write – Attacker can subvert control-flow • Manipulate function pointer or return address ▪ Not consider offline attacks on firmware ▪ Not consider hardware attacks – Bus probing, memory tampering, etc. ▪ Any software components of the firmware are not trusted – include the exception handlers ▪ All software components are executed in privileged mode – [Abraham el al. S&P’17], [Chung Hwan et al. NDSS’18] uXOM: Efficient eXecute Only Memory on Cortex-M 4

  5. Basic Design … LDR R0, [R1] Code memory uXOM: Efficient eXecute Only Memory on Cortex-M 5

  6. Basic Design 1 Execute the code in Privileged mode … 3 LDRT R0, [R1] Code memory P: RX, U: NA 2 uXOM: Efficient eXecute Only Memory on Cortex-M 6

  7. Basic Design 1 Execute the code in Privileged mode … 3 LDRT R0, [R1] Code memory 4 STRT R2, [R3] P: RX, U: NA 2 Private Peripheral … Bus (PPB) uXOM: Efficient eXecute Only Memory on Cortex-M 7

  8. Challenges ▪ C1. Unconvertible memory instructions – Exclusive memory instructions (LDREX, STREX) – PPB access memory instructions uXOM: Efficient eXecute Only Memory on Cortex-M 8

  9. Challenges ▪ C1. Unconvertible memory instructions – Exclusive memory instructions (LDREX, STREX) – PPB access memory instructions ▪ C2. Malicious indirect branches – Jump to unconverted memory instructions • By manipulating target address register ▪ C3. Malicious exception returns – Return to unconverted memory instructions • By manipulating exception context (PC) in the stack uXOM: Efficient eXecute Only Memory on Cortex-M 9

  10. Challenges ▪ C1. Unconvertible memory instructions – Exclusive memory instructions (LDREX, STREX) – PPB access memory instructions ▪ C2. Malicious indirect branches – Jump to unconverted memory instructions • By manipulating target address register ▪ C3. Malicious exception returns – Return to unconverted memory instructions • By manipulating exception context (PC) in the stack ▪ C4. Malicious data manipulation uXOM: Efficient eXecute Only Memory on Cortex-M 10

  11. Challenges ▪ C1. Unconvertible memory instructions – Exclusive memory instructions (LDREX, STREX) – PPB access memory instructions ▪ C2. Malicious indirect branches – Jump to unconverted memory instructions • By manipulating target address register ▪ C3. Malicious exception returns – Return to unconverted memory instructions • By manipulating exception context (PC) in the stack ▪ C4. Malicious data manipulation ▪ C5. Unintended instructions – Unaligned execution – Execution of embedded data in the code memory uXOM: Efficient eXecute Only Memory on Cortex-M 11

  12. Solving Challenges ▪ Finding Unconvertible Memory Instructions ➔ C1 – Exclusive Memory Instructions • Identified by opcode in the instruction encoding – PPB access instructions • Check if the accessed memory address is belonging to PPB region • Intra-procedure analysis uXOM: Efficient eXecute Only Memory on Cortex-M 12

  13. Solving Challenges ▪ Atomic Verification Technique ➔ C4 – Add the verification routine before the unconverted instruction – Disable exception during the instruction sequence • Protection against an attacker generates an exception after the verification code 1: 1: update_register: update_register: 2: 2: cpsid i 3: 3: 4: 4: 5: 5: Atomic instruction 6: 6: [verification routine] 7: 7: str r1, [r0] str r1, [r0] Sequence 8: 8: 9: 9: 10: 10: 11: 11: cpsie i 12: 12: uXOM: Efficient eXecute Only Memory on Cortex-M 13

  14. Solving Challenges ▪ Atomic Verification Technique (cont’d) ➔ C2, C3 – 1) Use a dedicated register as memory address register of unconverted instructions – 2) Enforce following two invariant properties • IP1) When atomic instruction seq. is executed, the dedicated register holds sensitive address • IP2) When atomic instruction seq. is not executed, the dedicated register holds non-harmful value – ➔ instrumentation for IP2 requires tremendous overhead – ➔ The dedicated register cannot be used in the code except for the atomic verification sequences ▪ Drawback – Increase register spills ➔ Performance Drop uXOM: Efficient eXecute Only Memory on Cortex-M 14

  15. Solving Challenges ▪ Atomic Verification Technique (cont’d) ➔ C2, C3 – 1) Use a SP register as memory address register of unconverted instructions – 2) Enforce following two invariant properties • IP1) When atomic instruction seq. is executed, SP register holds sensitive address • IP2) When atomic instruction seq. is not executed, SP register points non-harmful value – ➔ instrumentation for IP2 could be implemented in a efficient way – ➔ SP register can be used in the code including the atomic verification sequences uXOM: Efficient eXecute Only Memory on Cortex-M 15

  16. Solving Challenges ▪ Atomic Verification Technique (cont’d) 1: 1: update_register: update_register: 2: 2: cpsid i // disable interrupt 3: 3: mov r10, sp // backup the value of sp 4: 4: 5: 5: mov sp, r0 // set sp to a target address (IP1) 6: 6: [verification routine] // verify the subsequent unconverted inst. 7: 7: str r1, [r0] str r1, [sp] // perform an unconverted inst. 8: 8: 9: 9: mov sp, r10 // restore the value of sp 10: 10: [check sp] // check the value of sp (IP2) 11: 11: cpsie i // enable interrupt 12: 12: uXOM: Efficient eXecute Only Memory on Cortex-M 16

  17. Solving Challenges ▪ Handling Unintended Instructions ➔ C5 – Replace the exploitable instruction with safe instruction sequence • Serves the same functionality – Use static binary analysis to find out all exploitable instructions. uXOM: Efficient eXecute Only Memory on Cortex-M 17

  18. Evaluation ▪ Implementation – Code Instrumentation: LLVM 5.0 – Binary analysis: Radare2 ▪ Experiment setup – Arduino-due • Cortex-M3 processor – RIOT-OS – BEEBS benchmark suite uXOM: Efficient eXecute Only Memory on Cortex-M 18

  19. Evaluation uXOM: Efficient eXecute Only Memory on Cortex-M 19

  20. Evaluation uXOM: Efficient eXecute Only Memory on Cortex-M 20

  21. Evaluation uXOM: Efficient eXecute Only Memory on Cortex-M 21

  22. Evaluation uXOM: Efficient eXecute Only Memory on Cortex-M 22

  23. Conclusion ▪ Software technique to implement execute-only memory on Cortex-M processors – MPU, unprivileged memory instructions ▪ Strong threat model – Assuming attacker is able to read/modify the memory and subvert control-flow – Do not assume any software TCB in the system ▪ Evaluation – Better than SFI-based XOM in terms of performance and security – uXOM is compatible with existing XOM-based solutions (Key protection, CRA defense) uXOM: Efficient eXecute Only Memory on Cortex-M 23

  24. Thank you for listening Q & A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ARM Cortex-M4 Programming Model Memory Addressing Instructions References: Textbook Chapter 4,

ARM Cortex-M4 Programming Model Memory Addressing Instructions References: Textbook Chapter 4,

ARM Cortex-M4 Programming Model Memory Addressing Instructions References: Textbook Chapter 4, Sections 4.1-4.5 Chapter 5, Sections 5.1-5.4 ARM Cortex-M Users Manual, Chapter 3 CPU instruction types Data movement operations

898 views • 33 slides
Memory Management and Paging Eric McCreath Address Binding For a program to execute it must be

Memory Management and Paging Eric McCreath Address Binding For a program to execute it must be

Memory Management and Paging Eric McCreath Address Binding For a program to execute it must be copied into main memory at a particular location. Many instructions use 'fixed' addresses which must be bound to 'fixed' locations in the memory.

530 views • 15 slides
CPUs Chapter 3.5 Caches. Memory management. Caches and CPUs address data cache

CPUs Chapter 3.5 Caches. Memory management. Caches and CPUs address data cache

CPUs Chapter 3.5 Caches. Memory management. Caches and CPUs address data cache controller cache main CPU memory address data data ARM Cortex-A9 Configurations ARM Cortex A9 Microarchitecture Main System Memory ARM Cortex-A9

839 views • 34 slides
Neural correlates of auditory short term memory in sensory cortex of the macaque Corrie R.

Neural correlates of auditory short term memory in sensory cortex of the macaque Corrie R.

Neural correlates of auditory short term memory in sensory cortex of the macaque Corrie R. Camalier Laboratory of Neuropsychology National Institute of Mental Health, NIH corrie.camalier@gmail.com CRESCENT Auditory Working Memory Workshop -

416 views • 5 slides
Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term)

Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term)

Efficient and Precise Dynamic Impact Analysis Using Execute-After Sequences Taweesup (Term) Apiwattanapong Alessandro Orso Mary Jean Harrold College of Computing Georgia Institute of Technology National Science Foundation awards CCR-0306372,

419 views • 20 slides
Address Binding For a program to execute it must be copied into main memory at a particular

Address Binding For a program to execute it must be copied into main memory at a particular

Address Binding For a program to execute it must be copied into main memory at a particular location. Many instructions use 'fixed' addresses which must be bound to 'fixed' locations in the memory. This binding of instructions and data to

461 views • 4 slides
Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical

Last class: Virtual Memory Today: Virtual Memory Uses Efficient Use of Physical Memory Through virtual memory N 2 32 -sized address spaces All isolated by default Uses for memory Make a new process Address

516 views • 22 slides
ARM Cortex-M4 Programming Model Arithmetic Instructions References: Textbook Chapter 4, Chapter

ARM Cortex-M4 Programming Model Arithmetic Instructions References: Textbook Chapter 4, Chapter

ARM Cortex-M4 Programming Model Arithmetic Instructions References: Textbook Chapter 4, Chapter 9.1 9.2 ARM Cortex-M Users Manual, Chapter 3 1 CPU instruction types Data movement operations (Chapter 5) memory-to-register and

391 views • 13 slides
ARM Cortex-M4 Programming Model Flow Control Instructions Textbook: Chapter 4, Section 4.9 (CMP

ARM Cortex-M4 Programming Model Flow Control Instructions Textbook: Chapter 4, Section 4.9 (CMP

ARM Cortex-M4 Programming Model Flow Control Instructions Textbook: Chapter 4, Section 4.9 (CMP , TEQ,TST) Chapter 6 ARM Cortex-M Users Manual, Chapter 3 1 CPU instruction types Data movement operations memory-to-register and

905 views • 23 slides
Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1)

Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1)

Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1) Prestriate cortex, Extrastriate cortex (Visual association coretx ) Second level association areas in the temporal and parietal lobes

454 views • 24 slides
Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes

Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes

Habanero Operating Committee January 25 2017 Habanero Overview 1. Execute Nodes 2. Head Nodes 3. Storage 4. Network Execute Nodes Type Quantity Standard 176 High Memory 32 GPU* 14 Total 222 Execute Nodes Standard Node CPU (2 per

637 views • 35 slides
Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory

Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory

Von Neumann Execution Model Fetch: send PC to memory transfer instruction from memory to CPU increment PC Decode & read ALU input sources Execute an ALU operation memory operation branch target calculation

515 views • 22 slides
Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling

Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling

Cornell University Efficient Data Supply for Hardware Accelerators with Prefetching and Access/ Execute Decoupling Tao Chen and G. Edward Suh Computer Systems Laboratory Cornell University Accelerator-Rich Computing Systems Computing

357 views • 23 slides
PRAM Algorithms Parallel Random Access Machine (PRAM) PRAM instructions execute in 3-

PRAM Algorithms Parallel Random Access Machine (PRAM) PRAM instructions execute in 3-

PRAM Algorithms Parallel Random Access Machine (PRAM) PRAM instructions execute in 3- Collection of numbered processors phase cycles Access shared memory Read (if any) from a shared memory cell Each processor could have

518 views • 23 slides
Energy-Efficient In-Memory Data Stores on Hybrid Memory Hierarchies Eleventh International

Energy-Efficient In-Memory Data Stores on Hybrid Memory Hierarchies Eleventh International

Energy-Efficient In-Memory Data Stores on Hybrid Memory Hierarchies Eleventh International Workshop on Data Management on New Hardware June 2015 Ahmad Hassan (SAP), Hans Vandierendonck (QUB) and Dimitrios S. Nikolopoulos (QUB) May 2015

513 views • 30 slides
Decoupled Access/Execute Computer Architectures James E. Smith Presented by Dan Amelang How

Decoupled Access/Execute Computer Architectures James E. Smith Presented by Dan Amelang How

Decoupled Access/Execute Computer Architectures James E. Smith Presented by Dan Amelang How does the DIVA Checker keep up? Decoupled Access/Execute (DEA) Goals Increase ILP Increase issue bandwidth Hide memory latency DEA

308 views • 13 slides
Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural

Integer GEMM (under)performance Marat Dukhan Software Engineer on Ca ff e 2 GEMM in Neural Networks Fully-connected layers im2col+GEMM algorithm for convolution 1x1 convolutional layers Android CPU Landscape Overview of CPU

449 views • 17 slides
Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial

Instructions to reviewers Reference lines Atlanto-planar line (APL) Posterior axial line (PAL) Quantitative assessment Neural canal width (NCW) Basion-axial interval (BAI) Basion Defined for our purposes as the most

334 views • 11 slides
Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder ,

11 September 2018 Standard Lattice-Based Key Encapsulation on Embedded Devices James Howe , Tobias Oder , Markus Krausz , and Tim uneysu . G University of Bristol, UK; Ruhr-Universit at Bochum, Germany; and

890 views • 87 slides
Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical University of Denmark, Cybercrypt SPHINCS SPHINCS Hash-based signature scheme Stateless 128-bit post-quantum security Sizes: Public

692 views • 55 slides
Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image

Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image

Modeling Visual Cortex V4 in Naturalistic Conditions with Invariant and Sparse Image Representations Bin Yu Departments of Statistics and EECS University of California at Berkeley Rutgers University, May 2, 2014 Modeling Visual Cortex V4 in

861 views • 56 slides
Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami

Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami

Multitasking on Cortex-M(0) class MCU A deepdive into the Chromium-EC scheduler $whoami Embedded Software Engineer at National Instruments We just finished our first product using Chromium-EC and future ones to come Other stuff I

848 views • 42 slides
Modeling and interpretation of extracellular potentials Gaute T . Einevoll 1 , Szymon ski 2

Modeling and interpretation of extracellular potentials Gaute T . Einevoll 1 , Szymon ski 2

CNS2012 Tutorial, 21.03.2012 Modeling and interpretation of extracellular potentials Gaute T . Einevoll 1 , Szymon ski 2 , Espen Hagen 1 1 Computational Neuroscience Group (compneuro.umb.no) Norw. Univ of Life Sci. (UMB), s; Norwegian

540 views • 43 slides
Cortical responses evoked by continuous wrist manipulation Alfred C. Schouten , Martijn P. Vlaar,

Cortical responses evoked by continuous wrist manipulation Alfred C. Schouten , Martijn P. Vlaar,

Cortical responses evoked by continuous wrist manipulation Alfred C. Schouten , Martijn P. Vlaar, Teodoro Solis- Escalante, Yuan Yang, Frans C.T. van der Helm a.c.schouten@tudelft.nl 1 Benchmark data based on two articles 2 Brain as

757 views • 19 slides

More recommend