Protecting Bare-Metal Embedded Systems with Privilege Overlays
This study discusses the vulnerabilities of bare-metal embedded systems, the challenges they face in terms of security defenses, and introduces EPOXY, an Embedded Privilege Overlay solution that enhances security by creating two privilege levels and protecting against code injection and data corruption. The threat model, requirements, and a comparison before and after implementing EPOXY are also presented.
Presentation Transcript
PROTECTING BARE-METAL EMBEDDED SYSTEMS WITH PRIVILEGE OVERLAYS (1 / 18)
Abraham A. Clements, Naif Saleh Almakhdhub, Khaled S. Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer
BARE-METAL SYSTEMS (2 / 18)
Systems without an OS.
Constraints:
- Small memory sizes (1 MB Flash, 128 KBs of RAM)
- Tight run-time constraints
- Low power requirements
- Single application
- No kernel/user space separation
- Security left out
Examples:
- Amazon's Dash button
- Smart door locks
- Engine controllers
- SD card controllers
- WiFi SoCs
DEFAULT: NO DEFENSES (3 / 18)
Bare-metal application layout: RAM holds Global Data and the Stack; Flash holds Code.
- Security Hardware: unused or trivially bypassed
- Sensitive IO: always accessible
- Vulnerable to: stack smashing, code injection, global data corruption
- No ROP defenses
- Single (root) execution domain
DEFENSE CHALLENGES (4 / 18)
- Single application: no separate privilege levels (e.g. kernel, user)
- Systems lack an MMU: defenses are limited to the physical memory space
- Small memory sizes
- Tight run-time constraints
EPOXY (5 / 18)
Embedded Privilege Overlay across X hardware for Y software.
Pipeline: Source Code -> EPOXY (LLVM-based compiler) -> Hardened Application.
Protects against:
- Code injection
- Control flow hijacking
- Data corruption
- Direct manipulation of Sensitive IO
Privilege Overlays:
- Create two privilege levels
- Foundation for other defenses
THREAT MODEL AND REQUIREMENTS (6 / 18)
Threat model:
- Arbitrary memory corruption
- Attacker goals: obtain execution; corrupt specific global data
- Attacker does not have physical access
Requirements:
- Hardware support for two execution privilege modes
- Memory Protection Unit (MPU): hardware that enforces access permissions on physical memory
- Memory usage determined a priori
BEFORE EPOXY (7 / 18)
Application layout: Security Hardware, Sensitive IO, IO, Global Data, Stack, and Code are all accessible, and the entire application runs in Privileged Execution.
PRIVILEGE OVERLAY (8 / 18)
- Creates multiple privilege levels
- Enables the developer to assume access to everything
- Restricts privileged operations at run-time
Static analysis identifies privileged operations:
- Specific instructions defined by the ISA that require privileges
- Sensitive memory-mapped registers (e.g., MPU configuration, sensitive IO)
Created by injecting code to:
- Configure the MPU: enforce DEP and restrict access to sensitive registers
- Reduce privileges of the entire application
- Request privileges for restricted operations
- Handle privilege requests
PRIVILEGE OVERLAY EXAMPLE (9 / 18)
Default (the whole program runs as Privileged Execution):

    #define UART_RX ((volatile char *)0xdeadbeef)
    char menu_option;
    ...
    menu_option = *(UART_RX);
    switch (menu_option) {
        case 1: handle_case_1(); break;
        ...
    }

Privilege Overlay (only the region between the injected request and drop runs as Privileged Execution; everything else is Unprivileged Execution):

    #define UART_RX ((volatile char *)0xdeadbeef)
    char menu_option;
    ...
    request_privileges();        /* Privileged Execution begins */
    menu_option = *(UART_RX);
    drop_privileges();           /* Unprivileged Execution resumes */
    switch (menu_option) {
        case 1: handle_case_1(); break;
        ...
    }
EPOXY AFTER PRIVILEGE OVERLAY (10 / 18)
Hardened Application:
- Security Hardware: enabled, enforcing DEP; access restricted
- Sensitive IO: access restricted
- IO
- Global Data and Stack (RAM): set to RW-NX, stopping code injection
- Code (Flash): set to RX, providing code integrity
The application runs in Unprivileged Execution; Privileged Execution only where privileges were requested.
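The following is an added simulation of slides 8 to 10, written for this transcript and not taken from EPOXY or its authors. It models an MPU region table with separate privileged and unprivileged permissions (code RX, RAM RW-NX, sensitive IO and MPU registers privileged-only) and runs the slide 9 menu application twice: once as the default build, where everything executes privileged, and once with the overlay's request/drop wrappers around the single sensitive read. All addresses, region bounds, register names and the counters are constructed for the example; on real hardware the request goes through a privilege handler rather than a direct mode switch.

```c
/* Constructed simulation of the privilege overlay on slides 8-10: an MPU region
 * table with per-mode permissions, and an application that runs unprivileged
 * except around one sensitive IO read. Not EPOXY's own code; every address,
 * region bound and register value here is made up for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 } access_t;
typedef enum { MODE_UNPRIV = 0, MODE_PRIV = 1 } cpu_mode_t;

typedef struct {
    const char *name;
    uint32_t start, end;      /* region covers [start, end) */
    uint8_t priv_perm;        /* permissions in privileged mode */
    uint8_t unpriv_perm;      /* permissions in unprivileged mode */
} region_t;

/* Memory map after the overlay (slide 10): code RX, RAM RW-NX in both modes,
 * sensitive IO and the MPU's own registers reachable only when privileged. */
static const region_t mpu_regions[] = {
    { "code (flash)",  0x08000000u, 0x08100000u, ACC_READ | ACC_EXEC,  ACC_READ | ACC_EXEC  },
    { "global data",   0x20000000u, 0x20010000u, ACC_READ | ACC_WRITE, ACC_READ | ACC_WRITE },
    { "stack",         0x20010000u, 0x20020000u, ACC_READ | ACC_WRITE, ACC_READ | ACC_WRITE },
    { "plain IO",      0x40000000u, 0x40001000u, ACC_READ | ACC_WRITE, ACC_READ | ACC_WRITE },
    { "sensitive IO",  0x40001000u, 0x40002000u, ACC_READ | ACC_WRITE, 0 },
    { "MPU config",    0xE000ED90u, 0xE000EDB0u, ACC_READ | ACC_WRITE, 0 },
};
#define NREGIONS (sizeof mpu_regions / sizeof mpu_regions[0])

static cpu_mode_t cpu_mode = MODE_PRIV;  /* reset state: privileged (slide 7) */
static unsigned mpu_faults = 0;          /* accesses the MPU denied */
static unsigned priv_instrs = 0;         /* accesses executed while privileged */

/* MPU check for one access in the current mode; addresses that fall in no
 * region are denied. */
bool mpu_allows(uint32_t addr, access_t acc) {
    for (size_t i = 0; i < NREGIONS; i++) {
        const region_t *r = &mpu_regions[i];
        if (addr >= r->start && addr < r->end) {
            uint8_t perm = (cpu_mode == MODE_PRIV) ? r->priv_perm : r->unpriv_perm;
            return (perm & acc) == acc;
        }
    }
    return false;
}

/* One simulated memory access: counts privileged work and MPU faults. */
static bool mem_access(uint32_t addr, access_t acc) {
    if (cpu_mode == MODE_PRIV) priv_instrs++;
    if (!mpu_allows(addr, acc)) { mpu_faults++; return false; }
    return true;
}

/* Stand-ins for the code the overlay injects: on real hardware the request
 * goes through a privilege handler; here it just switches the mode. */
static void request_privileges(void) { cpu_mode = MODE_PRIV; }
static void drop_privileges(void)    { cpu_mode = MODE_UNPRIV; }

#define UART_RX      0x40001004u  /* constructed sensitive IO register */
#define MENU_OPTION  0x20000010u  /* constructed address of the global */

/* Slide 9, default build: the whole program runs privileged.
 * Returns the number of privileged accesses, or -1 on an MPU fault. */
int app_default(void) {
    priv_instrs = 0; mpu_faults = 0;
    cpu_mode = MODE_PRIV;
    bool ok = mem_access(UART_RX, ACC_READ);            /* menu_option = *(UART_RX) */
    ok = ok && mem_access(MENU_OPTION, ACC_WRITE);       /* store the global */
    return ok ? (int)priv_instrs : -1;
}

/* Slide 9 with the privilege overlay: privileged only around the UART read. */
int app_overlay(void) {
    priv_instrs = 0; mpu_faults = 0;
    drop_privileges();                                   /* injected at startup */
    request_privileges();                                /* injected before the sensitive read */
    bool ok = mem_access(UART_RX, ACC_READ);
    drop_privileges();                                   /* injected after it */
    ok = ok && mem_access(MENU_OPTION, ACC_WRITE);       /* ordinary global: allowed unprivileged */
    return ok ? (int)priv_instrs : -1;
}

/* Checks on what the hardened memory map blocks (slide 10). */
bool dep_blocks_ram_exec(void)  { request_privileges(); return !mem_access(0x20000040u, ACC_EXEC); }
bool code_is_immutable(void)    { request_privileges(); return !mem_access(0x08000100u, ACC_WRITE); }
bool unpriv_io_is_blocked(void) { drop_privileges();    return !mem_access(UART_RX, ACC_READ); }

int main(void) {
    printf("default build: %d privileged accesses\n", app_default());
    printf("overlay build: %d privileged accesses\n", app_overlay());
    printf("DEP on RAM: %s, code write: %s, unprivileged sensitive IO: %s\n",
           dep_blocks_ram_exec() ? "blocked" : "ALLOWED",
           code_is_immutable() ? "blocked" : "ALLOWED",
           unpriv_io_is_blocked() ? "blocked" : "ALLOWED");
    return 0;
}
```

Two design points carry over to the real system: DEP and code integrity are enforced by the region permissions in both modes, so they hold even while the privilege handler runs, and the only thing that distinguishes the two builds is how many instructions execute privileged, which is the metric slide 17 reports.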
SAFESTACK (11 / 18)
- SafeStack from Code Pointer Integrity [*]
- Protects against stack smashing
- Unsafe variables moved to a separate stack
- We adapted it to bare-metal systems
RAM layout before: Stack, .data, .bss, heap. After: Stack, UnSafeStack (with a Guard Region), .data, .bss, heap.
* V. Kuznetsov et al., Code Pointer Integrity, OSDI 2014
DIVERSIFICATION (12 / 18)
Further protects against:
- ROP attacks
- Corruption of specific global data
One Source Code, compiled by EPOXY with Seed 1, 2, 3, 4, yields Binary 1, 2, 3, 4, each with a different layout.
DIVERSIFICATION (13 / 18)
Further protects against ROP attacks and corruption of specific global data.
RAM (Binary 1 vs. a diversified variant): the .data, .bss, Stack, heap, and UnSafeStack regions are reordered and Padding is inserted, so the globals (A, B, C, D, E; a, b, c, d; 1, 2, 3, 4) land at different addresses.
Flash: the functions (foo, handler, bar, baz, bar2, foo2) are reordered, so a jump that reaches the handler in Binary 1 lands on an invalid execution in another variant.
EPOXY ALL PROTECTIONS (14 / 18)
Hardened Application:
- Security Hardware: enabled, enforcing DEP; access restricted
- Sensitive IO: access restricted
- IO
- UnSafeStack: isolated unsafe locals; set to RW-NX, stopping code injection
- Global Data: protected global data
- Stack: stack smashing protection; ROP protections
- Code: set to RX, providing code integrity; ROP protections
Unprivileged Execution throughout; Privileged Execution only where privileges were requested.
PERFORMANCE (15 / 18)
SS = SafeStack only, PO = Privilege Overlay only, All = all protections.

BEEBs Runtime (Min / Ave / Max):
- SS:  -7.3% / -3.5% / 4.4%
- PO:  -1.3% / 0.1% / 2.1%
- All: -11.7% / 1.1% / 14.2%

BEEBs Power (Min / Ave / Max):
- SS:  -4.2% / 0.2% / 7.3%
- PO:  -10.3% / -0.2% / 2.8%
- All: -10.2% / 2.5% / 17.9%

[Bar charts: % increase in runtime and % increase in energy for the IoT apps FatFS-uSD, PinLock, and TCP-Echo, SS vs. PO; y-axis 0 to 15%]
ROP COMPILER (16 / 18)
Used the ROPgadget compiler [*] to identify gadgets across 1000 variants. A gadget survives if the same instructions (ending with a branch) are at the same address.

App         Total     Surviving across 2   Surviving across 5
PinLock     294K      14K                  8K
FatFS-uSD   1,009K    39K                  9K
TCP-Echo    676K      22K                  9K

Remaining columns (surviving across 25, 50, and Last), as extracted: 313, 39, 985, 0, 0, 48, 32, 700, 107.
* J. Salwan, ROPgadget, http://shell-storm.org/project/ROPgadget/
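The following is an added toy model, written for this transcript and not EPOXY's or ROPgadget's code, of the flash-side diversification on slides 12 and 13 and the survival measurement on slide 16. Each variant is generated from a seed by drawing random padding before every function and a random function order; a gadget is identified by the function and word offset it starts at (the sequence from there to the function's final branch), and it survives across n variants when the same function and offset sit at the same address in all of them. The function names, sizes, flash base address and PRNG are constructed; the RAM-side reordering of globals is not modelled.

```c
/* Constructed toy model of EPOXY's layout diversification (slides 12-13) and
 * the gadget-survival measurement (slide 16). Not EPOXY's or ROPgadget's code:
 * function names, sizes, the flash base and the PRNG are made up for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NFUNC 5
#define FLASH_BASE 0x08000000u

static const char *func_name[NFUNC]   = { "foo", "handler", "bar", "baz", "bar2" };
static const uint32_t func_size[NFUNC] = { 40, 24, 16, 32, 16 };  /* bytes; 4-byte instructions */

typedef struct { uint32_t base[NFUNC]; } layout_t;   /* base address of each function */

/* Seeded LCG (constructed); the seed is the only input to a variant's layout. */
static uint32_t prng_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Build one binary variant: random padding (0..60 bytes) before each slot,
 * then a random function order (Fisher-Yates), both drawn from the seed. */
void diversify(uint32_t seed, layout_t *out) {
    uint32_t st = seed, pad[NFUNC];
    int order[NFUNC];
    for (int i = 0; i < NFUNC; i++) pad[i] = (prng_next(&st) & 0xF) * 4;
    for (int i = 0; i < NFUNC; i++) order[i] = i;
    for (int i = NFUNC - 1; i > 0; i--) {
        int j = (int)(prng_next(&st) % (uint32_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    uint32_t addr = FLASH_BASE;
    for (int k = 0; k < NFUNC; k++) {
        addr += pad[k];
        out->base[order[k]] = addr;
        addr += func_size[order[k]];
    }
}

/* Map an address back to (function, offset); false if it lands in padding. */
static bool instr_at(const layout_t *l, uint32_t addr, int *f, uint32_t *off) {
    for (int i = 0; i < NFUNC; i++)
        if (addr >= l->base[i] && addr < l->base[i] + func_size[i]) {
            *f = i; *off = addr - l->base[i]; return true;
        }
    return false;
}

/* Every word offset in a function names the gadget that starts there and
 * ends at the function's final branch, so the gadget count is words of code. */
uint32_t total_gadgets(void) {
    uint32_t n = 0;
    for (int i = 0; i < NFUNC; i++) n += func_size[i] / 4;
    return n;
}

/* Slide 16's criterion: count gadgets of the variant built from first_seed that
 * sit at the same address with the same instructions in all n variants built
 * from first_seed .. first_seed + n - 1. */
uint32_t survivors_across(uint32_t first_seed, unsigned n) {
    layout_t ref;
    diversify(first_seed, &ref);
    uint32_t survivors = 0;
    for (int f = 0; f < NFUNC; f++)
        for (uint32_t off = 0; off < func_size[f]; off += 4) {
            uint32_t addr = ref.base[f] + off;
            bool alive = true;
            for (unsigned i = 1; i < n && alive; i++) {
                layout_t v;
                int g; uint32_t goff;
                diversify(first_seed + i, &v);
                alive = instr_at(&v, addr, &g, &goff) && g == f && goff == off;
            }
            survivors += alive;
        }
    return survivors;
}

int main(void) {
    layout_t a;
    diversify(1, &a);
    for (int i = 0; i < NFUNC; i++)
        printf("seed 1: %-8s at 0x%08x\n", func_name[i], a.base[i]);
    const unsigned counts[] = { 2, 5, 25, 50, 1000 };   /* slide 16's columns */
    printf("total gadgets: %u\n", total_gadgets());
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("surviving across %4u variants: %u\n", counts[i], survivors_across(1, counts[i]));
    return 0;
}
```

Survivors can only shrink as more variants are added, since a gadget must match in every one of them; the printed row for 2, 5, 25, 50 and 1000 variants is the toy counterpart of the table above.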
PRIVILEGED INSTRUCTIONS EXECUTED (17 / 18)

App         Tool           Exe      Priv     Priv %
PinLock     EPOXY          823K     1.4K     0.17%
PinLock     FreeRTOS-MPU   823K     813K     98.78%
FatFS-uSD   EPOXY          33.3M    3.9K     0.01%
FatFS-uSD   FreeRTOS-MPU   34.1M    33.0M    96.77%
TCP-Echo    EPOXY          310M     1.5K     <0.001%
TCP-Echo    FreeRTOS-MPU   322M     307.0M   95.34%
CONCLUSION (18 / 18)
- Fast forwards bare-metal security three decades
- Provides state-of-the-art protection for bare-metal systems
- Does not require rewriting the application
- Provides strong stack protections, via an adapted SafeStack
- Minimizes the number of privileged instructions executed
- Diversifies all memory
- Meets requirements for run-time, memory, and energy
- Open sourced: https://github.com/HexHive/EPOXY