On-Chip Control Flow Integrity Check for Real Time Embedded Systems
Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha, Renato Mancuso, Sibin Mohan
Rethinking Embedded System Security

Traditional Embedded Systems
• Physically isolated environment
• Limited capability
• Use of specialized protocols

Modern Embedded Systems
• More networked
• Increased capability
• Open, standard platform
• Sensitive/privacy information
• More vulnerable to security attacks

Smart Embedded Systems
• Smart Grid
• Smart Car
• Smart Appliances
• Smart Phones
Challenges in Embedded System Security

Limited Resources - computational power, energy, cost
Timing Requirement - safety, reliability, quality of service
System Upgrade - verifiability

Limitations in Existing Approaches

Components - existing approaches require components that do not necessarily exist in a simple embedded system (such as a trusted operating system or a memory management unit)
Predictable Overhead - the overhead they impose is not predictable enough to provide the guarantees such systems require
Our Solution

1. Extract the control flow graph from the executable
2. Store the control flow graph on dedicated hardware
3. Check the run-time control flow with a dedicated hardware unit

[Figure: blocks x, y and z executing in sequence over time]
Why It Works

At inspection time, the dedicated core validates the execution flow.

[Figure: blocks x, y and z over time, with a malicious code block inserted into the sequence]

If malicious code gets executed, the run-time control flow no longer matches the stored control flow graph ...and detection is performed.
Attacks

Buffer Overflow
• Overwrite the return address
• Overwrite a control variable

Return-into-libc
• Direct execution towards a libc function

Return-oriented Programming
• Overwrite a function return address to chain the execution of small preexisting code fragments to produce arbitrary program behavior

Code Injection
• Inject code into a process with high privileges from a low-privileged one
Architecture

[Figure: the Processor exposes its Program Counter and Instruction Register to the On-Chip Control Flow Monitoring Module (OCFMM); the Monitoring Module looks up a Block ID in the Isolated OCFMM Memory and receives the corresponding Block Info]
Control Flow Example

    main:
            instr_1
            instr_2
    lbl_2:  instr_3
            JEQ lbl_1
            instr_4
            instr_5
            instr_6
            JMP lbl_2
    lbl_1:  instr_7
            instr_8
            CALL func_1
            instr_9
            JMP lbl_2
    func_1: instr_f1
            instr_f2
            RET

Blocks extracted from the listing (n = number of instructions, pc = address of the first instruction):

    Block   pc         n   Successors
    A       instr_1    4   Yes: C (instr_7)   No: B (instr_4)
    B       instr_4    4   Yes/No: lbl_2
    C       instr_7    3   Yes/No: E (instr_f1)
    D       instr_9    2   Yes/No: lbl_2
    E       instr_f1   3   Yes/No: D (instr_9)

For each block, we store:
1. Block ID
2. Address of first instruction
3. Number of instructions
4. Yes-Block
5. No-Block
Inspection

Suppose that the execution is in block A (n = 4, pc = instr_1).

1. Check that PC is between instr_1 and instr_1 + n
2. If not, fetch the Yes-block and No-block of A (C: n = 3, pc = instr_7; B: n = 4, pc = instr_4) from OCFMM memory
3. If execution is neither at instr_7 nor at instr_4, raise the detection flag
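As an added example (not code from the paper or its authors), the following C program models the block table of the Control Flow Example and the three inspection steps above, and runs them over constructed PC traces, including the two attack kinds the experiments slide names. It assumes the listing is split into basic blocks at every jump target (so lbl_2 at instr_3 heads its own block, unlike the slide's four-instruction block A), that the monitor is told the entry block, and that addresses are instruction positions (1..16) in the listing; the block names A0 and A1, the state structure and the trace arrays are the example's own.

```c
/* Software model of the OCFMM block table and inspection steps. This is an
 * added illustration, not the authors' hardware design or RTL. Addresses are
 * the positions (1..16) of the instructions in the "Control Flow Example"
 * listing. Assumption: the listing is split into basic blocks at every jump
 * target, so lbl_2 (instr_3) starts its own block and every legal transfer
 * lands on the first instruction of a Yes- or No-block. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NO_BLOCK 0xFFu   /* successor slot unused */

enum { A0, A1, B, C, D, E, NBLOCKS };

typedef struct {
    uint32_t first;  /* address of the block's first instruction */
    uint32_t n;      /* number of instructions in the block */
    uint8_t  yes;    /* block entered when the terminating JEQ/JMP/CALL/RET is taken */
    uint8_t  no;     /* block entered on fall-through (branch not taken) */
} cfg_block;

/* The profile that would be stored in the isolated OCFMM memory. */
static const cfg_block cfg[NBLOCKS] = {
    [A0] = { 1,  2, NO_BLOCK, A1 },  /* instr_1, instr_2            -> falls into lbl_2 */
    [A1] = { 3,  2, C,        B  },  /* instr_3, JEQ lbl_1          -> taken: C, else: B */
    [B]  = { 5,  4, A1, NO_BLOCK },  /* instr_4..instr_6, JMP lbl_2 */
    [C]  = { 9,  3, E,  NO_BLOCK },  /* instr_7, instr_8, CALL func_1 */
    [D]  = { 12, 2, A1, NO_BLOCK },  /* instr_9, JMP lbl_2 */
    [E]  = { 14, 3, D,  NO_BLOCK },  /* instr_f1, instr_f2, RET (single call site: returns to instr_9) */
};

typedef struct {
    uint8_t  cur;      /* block the monitor believes the processor is in */
    bool     flagged;  /* detection flag, latched until reset */
    uint32_t bad_pc;   /* first PC that violated the stored CFG */
} ocfmm_t;

static bool in_block(const cfg_block *b, uint32_t pc)
{
    return pc >= b->first && pc < b->first + b->n;
}

static bool enters(uint8_t id, uint32_t pc)
{
    return id != NO_BLOCK && pc == cfg[id].first;
}

void ocfmm_reset(ocfmm_t *m, uint8_t entry)
{
    m->cur = entry;
    m->flagged = false;
    m->bad_pc = 0;
}

/* One inspection of the program counter: the three steps from the
 * "Inspection" slide. Returns false once a violation has been flagged. */
bool ocfmm_inspect(ocfmm_t *m, uint32_t pc)
{
    if (m->flagged)
        return false;
    const cfg_block *b = &cfg[m->cur];
    if (in_block(b, pc))                 /* 1. PC still within [first, first + n) */
        return true;
    if (enters(b->yes, pc)) {            /* 2. fetch Yes/No blocks, compare first addresses */
        m->cur = b->yes;
        return true;
    }
    if (enters(b->no, pc)) {
        m->cur = b->no;
        return true;
    }
    m->flagged = true;                   /* 3. neither matched: raise the detection flag */
    m->bad_pc = pc;
    return false;
}

/* Feed a whole PC trace starting in block A0. Returns the index of the first
 * violating PC, or -1 if the trace is consistent with the stored CFG. */
long ocfmm_run(const uint32_t *trace, size_t len)
{
    ocfmm_t m;
    ocfmm_reset(&m, A0);
    for (size_t i = 0; i < len; i++)
        if (!ocfmm_inspect(&m, trace[i]))
            return (long)i;
    return -1;
}

/* Constructed PC traces for this example (not measurements from the paper). */
static const uint32_t trace_ok[]  = { 1,2,3,4,5,6,7,8,3,4,9,10,11,14,15,16,12,13,3 }; /* JEQ not taken, then taken */
static const uint32_t trace_ret[] = { 1,2,3,4,9,10,11,14,15,16,5 };  /* overwritten return address: RET lands on instr_4 */
static const uint32_t trace_jmp[] = { 1,2,3,4,5,6,7,8,9 };           /* code replacement: JMP lbl_2 retargeted to lbl_1 */
static const uint32_t trace_mid[] = { 1,2,3,4,6 };                   /* gadget-style jump into the middle of block B */

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("benign trace:             first violation at index %ld\n", ocfmm_run(trace_ok,  LEN(trace_ok)));
    printf("return address overwrite: first violation at index %ld\n", ocfmm_run(trace_ret, LEN(trace_ret)));
    printf("code replacement:         first violation at index %ld\n", ocfmm_run(trace_jmp, LEN(trace_jmp)));
    printf("mid-block entry:          first violation at index %ld\n", ocfmm_run(trace_mid, LEN(trace_mid)));
    return 0;
}
```

Two properties of this model are worth noting when reading the Limitations slide. Step 1 is only a range check, so a transfer that stays inside the current block (or any attack that leaves the PC sequence unchanged, such as corrupting non-control data) is invisible to it. And a RET has exactly one legal successor here only because func_1 has a single call site; a function called from several places has several legal return blocks, which a single Yes/No pair cannot express without a larger successor set or a shadow return stack.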
Predictable Overhead

• Overhead is paid only in short blocks, where the integrity check takes longer than the block's execution time.
• e_i is the minimum execution time of the i-th instruction in the block
• m is the access time for OCFMM memory
• n_k is the number of instructions in the k-th block

Overhead(block_k) =
Experiments

• Code replacement attack - one of the jump destinations is different from the expected address
• Return address overwriting in the stack - jump to a different return address
Limitations

• Unable to detect attacks that do not alter the CFG - still, attacking the platform is significantly harder
• Need for an ad-hoc platform - the proposed approach is hardware-based; custom hardware is needed

Effective and Applicable to Embedded Real-Time Systems

• Finite and predictable overhead
• Software updates in embedded/RT systems are relatively rare
• Hardware isolation provides guaranteed protection
Future Plan

Implementation
• Replacing the on-chip SRAM unit of the OCFMM with an external one
• CFG profile caching mechanism

Measurements
• Extensive measurements of logic overhead
• Measurements of performance overhead with and without the block information caching mechanism

Expansion
• Distinguish between multiple tasks and monitor the control flow of each
• Secure the whole system by detecting and securing some critical components