On-Chip Control Flow Integrity Check for Real Time Embedded Systems
1
On-Chip Control Flow Integrity Check forReal Time Embedded Systems
Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha , Renato Mancuso, Sibin Mohan
2
Rethinking Embedded System Security
Traditional Embedded Systems
• Physically isolated environment
• Limited capability
• Use of specialized protocols
Modern Embedded Systems
• More networked
• Increased capability
• Open, standard platform
• Sensitive/privacy information
• More vulnerable to security attacks
Figure: Smart Embedded Systems (Smart Grid, Smart Car, Smart Appliances, Smart Phones)
3
Challenges in Embedded System Security
Limited Resources - Computational power, energy, cost
Timing Requirement - Safety, reliability, quality of service
System Upgrade - Verifiability
Limitations in Existing Approaches
Components
• They either require components that do not necessarily exist in a simple embedded system (such as a trusted operating system or memory management units).
Predictable Overhead
• The overheads they impose are not predictable enough to provide the guarantees that such systems require.
4
Our Solution
1. Extract the control flow graph from the executable
2. Store the control flow graph on dedicated hardware
3. Check the run-time control flow with a dedicated hardware unit
Figure: Block x, Block y, Block z executing along a time axis
5
Why It Works
At inspection time, the dedicated core validates the execution flow.
Figure: Block x, Block y, Block z and a Malicious Code Block along a time axis
If malicious code gets executed, the control flow graph mutates ...and detection is performed.
6
Attacks
Buffer Overflow
• Overwrite the return address
• Overwrite a control variable
Return-into-libc
• Direct execution towards a libc function
Return-oriented-programming
• Overwrite a function return address to chain the execution of small preexisting code fragments to produce arbitrary program behavior
Code injection
• Inject code into a process with high privileges from a low-privileged one.
7
Architecture
Figure: On-Chip Control Flow Monitoring Module (OCFMM) architecture. Components shown: Processor (Program Counter, Instruction Register), Monitoring Module, Isolated OCFMM Memory holding Block Info indexed by Block ID.
8
Control Flow Example
main:
    instr_1
    instr_2
lbl_2:
    instr_3
    JEQ lbl_1
    instr_4
    instr_5
    instr_6
    JMP lbl_2
lbl_1:
    instr_7
    instr_8
    CALL func_1
    instr_9
    JMP lbl_2
func_1:
    instr_f1
    instr_f2
    RET
Blocks in the CFG figure:
block A: n = 4, pc = instr_1; Yes-Block C, No-Block B
block B: n = 4, pc = instr_4; Yes/No
block C: n = 3, pc = instr_7; Yes/No
block D: n = 2, pc = instr_9; Yes/No
block E: n = 3, pc = instr_f1; Yes/No
For each block, we store:
1. Block ID
2. Address of first instruction
3. Number of instructions
4. Yes-Block
5. No-Block
9
Inspection
Suppose that the execution is in block A (n = 4, pc = instr_1). Its Yes-Block is C (n = 3, pc = instr_7) and its No-Block is B (n = 4, pc = instr_4).
1. Check that PC is between instr_1 and instr_1 + n
2. If not, fetch Yes/No Blocks C & B from OCFMM memory
3. If execution is not at instr_7 nor at instr_4, raise detection flag
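The block table and the three-step inspection described on slides 8 and 9, as a software simulation added here (this is not the authors' code or the OCFMM hardware). The instruction addresses 0..15, the PC traces, and the successors of blocks B, C, D and E are constructed assumptions: only A's Yes-Block C and No-Block B are on the slides. The slide keeps instr_3 (lbl_2) inside block A, so the back-edges from B and D are assumed to re-enter A at its first instruction, and E's RET is assumed to land in block D, the continuation of the only call site. The two malicious traces model the experiments on slide 11 (a replaced jump destination and an overwritten return address).

```python
# Added example: software model of the OCFMM block table and inspection step.
# Addresses, successor blocks of B/C/D/E and the traces are constructed
# assumptions, not taken from the slides.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The listing from slide 8 at consecutive addresses 0..15 (constructed layout).
PROGRAM: List[str] = [
    "instr_1", "instr_2",                           # main:   addr 0-1
    "instr_3", "JEQ lbl_1", "instr_4", "instr_5",   # lbl_2:  addr 2-5
    "instr_6", "JMP lbl_2",                         #         addr 6-7
    "instr_7", "instr_8", "CALL func_1",            # lbl_1:  addr 8-10
    "instr_9", "JMP lbl_2",                         #         addr 11-12
    "instr_f1", "instr_f2", "RET",                  # func_1: addr 13-15
]


@dataclass(frozen=True)
class BlockInfo:
    """One OCFMM memory entry: the five fields listed on slide 8."""
    block_id: str
    first: int       # address of the block's first instruction
    n: int           # number of instructions in the block
    yes_block: str   # block entered when the terminating branch is taken
    no_block: str    # block entered otherwise (same as yes_block for JMP/CALL/RET)


# Block table as tabulated on slide 8.  A's successors (C, B) are on the
# slides; the others are assumptions derived from the listing (see lead-in).
OCFMM_MEMORY: Dict[str, BlockInfo] = {
    "A": BlockInfo("A", first=0,  n=4, yes_block="C", no_block="B"),
    "B": BlockInfo("B", first=4,  n=4, yes_block="A", no_block="A"),
    "C": BlockInfo("C", first=8,  n=3, yes_block="E", no_block="E"),
    "D": BlockInfo("D", first=11, n=2, yes_block="A", no_block="A"),
    "E": BlockInfo("E", first=13, n=3, yes_block="D", no_block="D"),
}


def block_listing(block_id: str) -> List[str]:
    """Instructions covered by a block, to check the table against the listing."""
    blk = OCFMM_MEMORY[block_id]
    return PROGRAM[blk.first:blk.first + blk.n]


def inspect(current: str, pc: int) -> Tuple[Optional[str], bool]:
    """One inspection step (slide 9) for the block the monitor believes is executing.

    Returns (block the PC is now attributed to, detection flag).
    1. PC still inside [first, first + n) of the current block: nothing to do.
    2. Otherwise fetch the Yes-Block and No-Block from OCFMM memory.
    3. PC is the first instruction of neither successor: raise the detection flag.
    """
    blk = OCFMM_MEMORY[current]
    if blk.first <= pc < blk.first + blk.n:
        return current, False
    for succ_id in (blk.yes_block, blk.no_block):
        if pc == OCFMM_MEMORY[succ_id].first:
            return succ_id, False
    return None, True


def monitor(trace: List[int], start: str = "A") -> Tuple[bool, Optional[int]]:
    """Feed a sequence of PC values to the monitor.

    Returns (detected, address at which the flag was raised or None).
    """
    current = start
    for pc in trace:
        nxt, flag = inspect(current, pc)
        if flag or nxt is None:
            return True, pc
        current = nxt
    return False, None


# Constructed traces (addresses refer to PROGRAM above).
# Benign run: A -> B -> A -> C -> E (call) -> D (return) -> A.
BENIGN_TRACE = [0, 1, 2, 3, 4, 5, 6, 7, 0, 1, 2, 3, 8, 9, 10, 13, 14, 15, 11, 12, 0]
# Return address overwritten on the stack: the RET in E lands on instr_5
# (addr 5) instead of instr_9; addr 5 starts no successor of E.
RET_OVERWRITE_TRACE = [0, 1, 2, 3, 8, 9, 10, 13, 14, 15, 5]
# Code replacement: the JEQ in A now targets func_1 (addr 13), which is
# neither A's Yes-Block nor its No-Block.
CODE_REPLACEMENT_TRACE = [0, 1, 2, 3, 13]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE),
                        ("return-address overwrite", RET_OVERWRITE_TRACE),
                        ("code replacement", CODE_REPLACEMENT_TRACE)]:
        print(name, monitor(trace))
```

Each step of `inspect` compares the PC against at most three stored addresses (the current block's range and the first instruction of its two successors), which is the bounded per-block work behind the predictable-overhead argument on the next slide. The check is only as strong as the table: a diverted branch that lands exactly on the first instruction of a legitimate successor, as the slide's limitations note, is not visible to it.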
10
Predictable Overhead
• Overhead is paid in short blocks where the integrity check is longer than the block execution time.
• e_i is the minimum execution time of the ith instruction in the block
• m is the access time for OCFMM memory
• n_k is the number of instructions in the kth block
Overhead(block_k) =
11
Experiments
• Code replacement attack – one of the jump destinations is different from the expected address resulting
• Return address overwriting in stack – jump to a different return address
12
Limitations
• Unable to detect attacks that do not alter the CFG – Still, attacking the platform is significantly harder
• Need for ad-hoc platform – The proposed approach is hardware-based. Custom hardware is needed
Effective and Applicable to Embedded Real-Time Systems
• Finite and predictable overhead
• Software updates in embedded/RT systems are relatively rare
• Hardware isolation provides guaranteed protection
14
Future Plan
Implementation
• Replacing the on-chip SRAM unit of OCFMM with an external one
• CFG profile caching mechanism
Measurements
• Extensive measurements on logic overhead
• Measurements on performance overhead with and without the block information caching mechanism
Expansion
• Distinguish between multiple tasks and monitor the control flow of each
• Securing the whole system by detecting and securing some critical components
15
Questions?
Thank You