
    Memory protection in embedded systems

    With reference to an embedded system featuring no support for memory management, we present a model of a protection system based on passwords. At the hardware level, our model takes advantage of a memory protection unit (MPU) interposed between the processor and the complex of the main memory and the input-output devices. The MPU supports both concepts of a protection context and a protection domain. A protection context is a set of access rights for the memory pages; a protection domain is a set of one or more protection contexts. Passwords are associated with protection domains. A process that holds a given password can take advantage of this password to activate the corresponding domain. A small set of protection primitives makes it possible to modify the composition of the domains in a strictly controlled fashion. The proposed protection model is evaluated from a number of important viewpoints, which include password distribution, review and revocation, the memory requirements for storage of the information concerning protection, and the time necessary for password validation.

    Application Memory Isolation on Ultra-Low-Power MCUs

    The proliferation of applications that handle sensitive user data on wearable platforms generates a critical need for embedded systems that offer strong security without sacrificing flexibility and long battery life. To secure sensitive information, such as health data, ultra-low-power wearables must isolate applications from each other and protect the underlying system from errant or malicious application code. These platforms typically use microcontrollers that lack sophisticated Memory Management Units (MMUs). Some include a Memory Protection Unit (MPU), but current MPUs are inadequate to the task, leading platform developers to software-based memory-protection solutions. In this paper, we present our memory isolation technique, which leverages compiler-inserted code and MPU hardware support to achieve better runtime performance than software-only counterparts.

    Control-flow Integrity for Real-time Embedded Systems

    As embedded systems become more connected and more ubiquitous in mission- and safety-critical systems, embedded devices have become a high-value target for hackers and security researchers. Attacks on real-time embedded systems software can put lives in danger and put our critical infrastructure at risk. Despite this, security techniques for embedded systems have not been widely studied. Many existing software security techniques for general purpose computers rely on assumptions that do not hold in the embedded case. This thesis focuses on one such technique, control-flow integrity (CFI), that has been vetted as an effective countermeasure against control-flow hijacking attacks on general purpose computing systems. Without the process isolation and fine-grained memory protections provided by a general purpose computer with a rich operating system, CFI cannot provide any security guarantees. This thesis explores a way to use CFI on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection.

    Efficient and Reliable Simulation, Memory Protection, and Driver Generation in Embedded Network Systems

    Embedded systems are widely used, from consumer electronics, to industrial equipment, to spacecraft. With embedded systems becoming more complex, new challenges are presented to application developers. In this dissertation, we focus on three of the most important: (i) Network simulation tools are widely used for sensor network testing and evaluation. Simulation performance affects the efficiency of the application developers who use these tools. The performance of a single host system represents a performance bottleneck for large-scale network simulation. A distributed simulator offering higher performance is needed to support fast, large-scale network simulation. (ii) Single event upsets (SEUs), which occur when a high-energy ionizing particle passes through an integrated circuit, can change the value of a single bit, causing damage and potentially catastrophic system failures. Modern SEU detection and correction approaches typically introduce additional hardware, increasing execution overhead and cost. Given the nature of resource-lean embedded systems, a software-based protection approach must be lightweight. (iii) Writing device drivers for serial-based peripherals is a repetitive task, given that microprocessors operate most such devices in the same way, issuing commands and parsing corresponding responses. A serial device driver generation tool must be capable of accommodating various microprocessors and devices with varying characteristics (e.g., UART settings, device response times, etc.), while producing drivers that offer performance at least as good as functionally equivalent, handwritten drivers. In this dissertation, we focus on the design and implementation of approaches to distributed sensor network simulation, embedded memory protection, and automated serial device driver generation. The first challenge is to effectively emulate sensor network systems with high fidelity using a distributed simulation system. This is achieved by developing a distributed version of SnapSim, D-SnapSim, which runs on a cluster. D-SnapSim relies on multiple physical systems to achieve enhanced speed and scalability, while providing flexibility to execute on clusters of varying size and computational power. The performance of D-SnapSim is evaluated as a function of network size, bitrate, and cluster configuration relative to SnapSim. The second challenge is to protect embedded system memory from SEUs with a software-only approach. Traditional SEU prevention and correction strategies rely on hardware extensions to the target system. We present a software-only approach that detects and corrects SEUs in RAM. This is achieved by extending the AVR-GCC compiler to protect the system stack from SEUs through duplication, validation, and recovery. Four applications are used to verify our approach, and the time and space overhead characteristics are evaluated. The third challenge is to automatically generate serial device drivers, eliminating the repetitive, error-prone work involved in serial device driver development. We present DriverGen, a configuration-based tool developed to provide automated serial device driver generation. Three applications are used to evaluate the performance of the generated drivers, both in terms of space and execution time. A user study is conducted to evaluate the usability of our tool in comparison with driver development in C.

    Security enhancements for FPGA-based MPSoCs: a boot-to-runtime protection flow for an embedded Linux-based system

    Nowadays, embedded systems are becoming more and more complex: the hardware/software codesign approach is a method to create such systems in a single chip, which can be based on reconfigurable technologies such as FPGAs (Field-Programmable Gate Arrays). In such systems, data exchanges are a key point, as they convey critical and confidential information, and data are transmitted between several hardware modules and software layers. In the case of an FPGA development life cycle, OS (Operating System) and data updates, as well as runtime communications, can be done through an insecure link: attackers can use this medium to make the system misbehave (malicious injection) or retrieve bitstream-related information (eavesdropping). Recent works propose solutions to securely boot a bitstream and the associated OS, while runtime transactions are not protected. This work proposes a full boot-to-runtime protection flow for an embedded Linux kernel during boot and confidentiality/integrity protection of the external memory containing the kernel and the main application code/data. This work shows that such a solution with hardware components induces an area occupancy of 10% of a xc6vlx240t Virtex-6 FPGA while having an improved throughput for Linux booting and low-latency security for runtime protection.