μRAI: Securing Embedded Systems with Return Address Integrity

1 2 3 4 5 6

Abraham A. Clements3,4,5

Saurabh Bagchi1,4 Mathias Payer2,5

Naif Saleh Almakhdhub1,4,5,6

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

Current State of Security

[1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/[2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/[3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical

[1] [2]

[3]Target:

Embedded and IoT devicesRunning Microcontroller

Systems (MCUS)

Attack:Control-flow Hijacking

MCUS Challenges

Desktop MCUS

0x08055555

0x08022222

0x08011111

0x08000000

0x08999555

0x08777222

0x08555111

0x08111000

0x08000000

0x02000000

0x02050000

Large virtual memory(GBs)

Basic defenses(e.g., ASLR)

Small physical memory

(MBs Flash, KBs RAM)

Basic defenses(e.g., ASLR)

Smaller code

DEP(Disabled Fixable)

Larger code

MCUS Defenses for Return Addresses (Conceptual)

Security

Usage Location Integrity

Return Address Integrity + Low runtime overhead + No special hardware

Limited Security Guarantees

Shadow Stack

Randomized Safe Stack

Safe Stack +

Software Fault

Isolation

Shadow Stack

Special hardware required

Without extra hardware

MCUS Defenses for Return Addresses (Related Work)

Security

Usage Location Integrity

Return Address Integrity + Low runtime overhead + No special hardware

Limited Security Guarantees

EPOXY(SafeStack)

[S&P17]

CFI CaRE(Shadow stack)

[RAID17]

ACES[SEC18]

Minion[NDSS18]

SCFP[EuroS&P18]

C-FLAT[CCS16] LiteHAX

[ICCAD18]

uXOM[SEC19]

RECFISH[ECRTS 2019]

μArmor[EuroS&P19]

Special hardware required

Without extra hardware

Symbiote[RAID11]

Return Address Integrity (RAI)

• Every attack requires corrupting a return addresses by overwriting it

• Main limitation of defenses return addresses are in writable memory• Example: Information hiding

• Key solution is to prevent an attacker from corrupting return addresses.

RAI Property:

• Ensure the return address is never writable except by an authorized instruction.• Return addresses are never pushed to the stack or any writable memory by an adversary.

Threat Model & μRAI Protection

Normal application

MPU, VTOR

Corrupt return address or corrupt sensitive Memory Mapped IO (MMIO)

Corrupt return address

Func5 MPU, VTOR

: Normal function : Callable within exception handler : MMIO : State register encoding : Software-Fault Isolation (SFI)

• Reads from memory• Writes to memory• Knows the code layout• Targets backward-edges

μRAI: Overview

State Register

Jump Table

Jump return_location1

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

μRAI: Overview

State Register

Jump Table

μRAI and the State Register

• State Register (SR):• Can be any general-purpose register exclusively used by μRAI• Never spilled cannot be overwritten through a memory corruption• Does not contain a return address encoded values to resolve the return location

• Example call graph:• Each edge call

• How encode SR?

• An XOR chain

Func2Func1main

Func2 reads theSR to resolve the correct return location

μRAI: Terminology

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

Address <Func2>:… …… …… …… …… …… …… …… …

• Function Keys (FKs): Hard-coded keys used to encode the SR

SR[Recursive] SR[Encoded]

μRAI: Terminology

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

C key1⊕ Jump Func1_1

ELSE Jump ERROR

• Function IDs (FIDs): Possible values of the SR for the function

μRAI: Terminology

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

• Function Lookup Table (FLT): List of FIDs for the function.

μRAI: Transformation

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

• Encode the SR and call Func2

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

0 C key1

• Func2 reads the SR and executes the corresponding direct jump

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

0 C key1

• Func2 returns correctly and the SR is decoded

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

• The previous SR value is restored

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

ELSE Jump ERROR

• The same happens for other calls. Func1 can then return correctly

μRAI: Overview

State Register

Jump Table

μRAI: Enforce RAI for exception handlers

• Exception handlers execute with privileges• Can disable the MPU enable code injection• Can corrupt exception stack frame break RAI property

• Solution:• Apply SFI only to functions callable by exception handlers• Limit SFI overhead compared to full-SFI

Func1 Func2

Func5Func4

main Exception Handler

MPUVTOR

Safe regionP

rivile

Software-Fault Isolation

μRAI: Overview

State Register

Jump Table

Target Lookup Routine (TLR)

• How can we find the correct direct jump in the FLT efficiently?• Use a relative jump before the FLT• Resolve the correct return location efficiently regardless of FLT size

Address<Func1>:… …… …… …… Jump PC+SR

FID Return Target

1 Jump location1

2 Jump location2

3 Jump ERROR

4 Jump location4

5 Jump location5

Use SR as an indexof a jump table

Align the FLT make SR = 4

Assume the correct return location is

location4

Comparing all FID can be slow!

μRAI: Overview

State Register

Jump Table

Evaluation

• Five MCUS applications on Cortex-M4:• PinLock• FatFs_uSD• FatFs_RAM• LCD_uSD• Animation

• CoreMark benchmark[1]• Standard MCUS performance benchmark

[1] EEMBC, “Coremark - industry-standard benchmarks for embedded systems,” http://www.eembc.org/coremark

Security Evaluation Using PinLock: Unlock The Lock

buffer

Jump Table

Buffer overflow Arbitrary write Stack pivot

buffer

No return address to write to…

Sensitive MMIOand

Safe region

State Register

μRAI prevents all control-flow hijacking attack scenarios targeting return addresses

No return address to pop from the stack

No return address to overflow…

Performance results

• Requiring full-SFI results in high overhead average of 130.5%• μRAI results in low overhead average of 0.1%

μRAI: Conclusion

• Control-flow hijacking on MCUS is a threat

• μRAI secures MCUS against control-flow hijacking• Enforces the RAI property for MCUS protects backward edges• Complemented with type-based CFI end-to-end code pointer protection

• Presents a portable encoding scheme• Does not require special hardware features (only a register and an MPU)

• Applicable to other systems

• Low runtime overhead

https://github.com/embedded-sec/uRAI

Backup Slides

Challenge: Path Explosion

SR[Rec] SR[Enc]

• Func3 has 2 call sites• FLT is size is 4!

Path Explosion Solution: Segmentation

• State register segmentation

• Functions only use the bits in their assigned segment.

Recursion counter(Higher N bits)

Encoded value(Lower 32-N bits)

Segment 1 … Segment K Segment M … Segment 2 Segment 1

Path Explosion Solution: Segmentation

SR[Rec] SR[Enc2] SR[Enc1]

Not used

SR[Rec] SR[Enc2] SR[Enc1]

0 Not used

• Segmentation reducesFLT from 4 to 2

μRAI: Scalability

• What if no more values can be found for the SR?

• Solution:• Partition the call graph if no solution is found

• Entering a new partitionSave and reset the SR to a privileged safe region

• Returning to a previous partition Restore the SR

Func1 Func2

Func5Func4

main Exception Handler

Safe Region

Memory results

• Moderate overhead for large applications

Average15.2%

Average

FLT + Instrmnt.34.6%

EH-SFI9.5%

Type-CFI10%

μRAI vs. backward edge Type-based CFI

• [1] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, “Controlflow bending: On the effectiveness of control-flow integrity,” in USENIX SEC15

• 161–17634

AppType-based CFI Target Set

Max. Ave.

PinLock 8 3

FatFs_uSD 94 21

FatFs_RAM 94 27

LCD_uSD 49 11

Animation 49 11

CoreMark 52 12

Overall Average 58 14

μRAI eliminates the remaining attack surface for control-flow bending attacks[1]

Store Instructions Protected with EH-SFI

App# of Store instruction

Static Total (Static/Total)% Dynamic

PinLock 56 516 10.9 7

FatFs_uSD 99 1,802 5.5 906K

FatFs_RAM 7 1,116 0.6 7

LCD_uSD 99 2,814 3.5 48K

Animation 99 2,760 3.6 66K

CoreMark 56 1,024 5.5 7

SR Layout

• The SR has two parts:• ENC: Encoded value• REC: Recursion counter

SR[Rec] SR[Enc]

Func3main

• Cannot use XOR with recursion• Collision occurs with existing values Func1

before the call after returnIf recursion

ELSE Jump ERROR

Address <Func2>:… SR[Rec]++… Call Func2Func2_1 SR[Rec]--… …… IF SR[Rec] > 0… Jump Func2_1… ELSE… …

ELSE Jump ERROR

• If recursive use a counter (recursion is discouraged in MCUS)

SR[Rec] SR[Enc]

SR Encoding Illustration

• Consider the following call graph with the SR initialized to a value = C

• Each edge call

• XOR before the call and after returning with hardcoded keys• An edge is walked XOR the SR

SR SRSR C SR SR

Func2main Func3

XORing again after returning restores the previous SR

μRAI’s Overview

Source code

Call Graph AnalyzerGenerates caller/callees

for each function

EncoderGenerates function keys

and encodes SR

Instrumentation

μRAI binary

LLVM IR

μRAI: Workflow

• Generates caller/callee list.

• Sets the minimum possible FLT.• Example: Func5 is called from

4 locations → Min. FLT >= 4

Func1 Func2

Func5Func4

Function Min. FLT DFS FLT Segmented FLT

Func1 -

Func2 -

Func3 4

Func4 3

Func5 4

Call Graph Analyzer

Encoder

Instrumentation

μRAI: Workflow

• Performs Depth First Search (DFS) on the call graph to generate initial FLT

Call Graph Analyzer

Encoder

Instrumentation

Func1 - - -

Func2 - - -

Func3 4 4

Func4 3 12

Func5 4 16

Func1 Func2

Func5Func4

μRAI: Workflow

• Performs Depth First Search (DFS) on the call graph to generate initial FLT

• Configures the SR segment size to reduce memory overhead

• Generates FKs/FIDs

Call Graph Analyzer

Encoder

Instrumentation

Func1 - - -

Func2 - - -

Func3 4 4 4

Func4 3 12 3

Func5 4 16 4

Func1 Func2

Func5Func4

Use first SR segment

Use secondSR segment

μRAI: Workflow

• Instruments call sites withencoding/decoding instructions

• Remove any return instruction or uses of the SR

• Example: POP{PC}, PUSH{SR}

• Instruments Target Lookup Routine (TLR) and FLT

Call Graph Analyzer

Encoder

Instrumentation

Address <Func1>:… SR = SR function_key… Call Func2… SR = SR function_key… TLR: Execute the instruction where the FID = SR

FID Return Target

1 Jump location1

2 Jump location2

… …

Microcontroller Systems (MCUS)

• Embedded systems and IoT run on Microcontroller systems (MCUS)

• MCUS:• Run a single static binary application directly on hardware• Can be with/without an lightweight OS (bare-metal)• Direct access to peripherals and processor• Can be standalone device or part of larger system• Advanced hardware features are not commonly available

• Example: Trusted Execution Environment (TEE)

• Examples:• WiFi System on Chip• Cyber-physical systems• UAVs

Security Evaluation Using PinLock

• Attacker tries to unlock the lock using a vulnerability in rx_from_uart

• Attacker can read, write to anywhere in memory

• Attacker knows the entire code layout• Even the current instance of the firmware

Attack Prevented

Buffer overflow Arbitrary write Stack pivot

μRAI prevents all control-flow hijacking attack scenarios targeting return addresses

MCUS Challenges

Desktop MCUS

0x08055555

0x08022222

0x08011111

0x08000000

0x08999555

0x08777222

0x08555111

0x08111000

0x08000000

0x02000000

0x02050000

Virtual memory(MMU)

Large Memory(GB)

Stack cookies

Special HW features(e.g., TEE)

Physical Memory(MPU)

Small Memory(MBs Flash, KBs RAM)

ASLR Stack cookies(Inapplicable, or

have limited security)

DEP(Disabled Fixable)

Smaller Code

Special HW features(Not commonly available)

Control-Flow Hijacking

• Attacker gains arbitrary execution

• Originates from memory corruption vulnerability

• Code pointers:• Forward edges• Backward edges

Normal application

Data (RW)

Code Pointer

Code (RX)

• Forward edges:• Function pointers• Virtual calls (C++)

• Control-Flow Integrity (CFI):• Calculates target set statically• Reduces target set significantly

• Backward edges:• Return addresses

• Current mechanisms:• Limited security guarantees

• Example: Large target set for CFI

• High runtime overhead• Require special hardware

f_ptr() Func1Calls toFunc1

• Effective for MCUS

• Forward edges:• Function pointers• Virtual calls (C++)

• Control-Flow Integrity (CFI):• Calculates target set statically• Reduces target set significantly

• Backward edges:• Return addresses

• Current techniques:• Limited security guarantees

• Example: Large target set for CFI

• High runtime overhead• Require special hardware

f_ptr() Func1Calls toFunc1

• Control-flow hijacking attacks on backward-edges remain a threat.

• Example: Return Oriented Programming (ROP)

• Effective for MCUS

Control-flow hijacking defenses

• Great effort has been done by research community to protect the IoT.• TyTan[DAC15], TrustLite[EurSys14], C-FLAT [CCS16], nesCheck[AsiaCCS17],

SCFP[EuroS&P18], LiteHAX[ICCAD18], CFI CaRE [RAID17], ACES[SEC18],MINION [NDSS18], EPOXY [S&P17]

• Unfortunately, current defenses suffer from one of the following:

Limitation Example of a Defense Mechanism

Information disclosure Randomization

Only limit the attack surface CFI (large target set)

Require extra hardware Shadow stack

High overhead Memory safety

Normal Application

…Sta

Return address

*ptr_at_foo

systemCo

system

Sample call graph

Usage Defenses: Control-Flow Integrity (CFI)

…Sta

Return address

*ptr_at_foo

systemCo

system

Sample call graph

Defense:

Location Defense: Randomization

…Sta

Return address

*ptr_at_foo

systemCo

system

Sample call graph

Defense:

Return address

Disclose the layout

system

Integrity Defenses: Shadow Stack

…Sta

Return address

*ptr_at_foo

systemCo

system

Sample call graph

Defense:

CFIRandomization

Return address

Shadow Stack(Hardware Isolation)

• System keeps 2 copies of return address

• Attacker cannot corrupt shadow stack

• Different return addresses Attack detected

Integrity Defenses: Shadow Stack

…Sta

Return address

*ptr_at_foo

systemCo

system

Sample call graph

Defense:

CFIRandomizationShadow stack

Return address

Shadow Stack(Hardware Isolation)

• TEE not available• High overhead

State Register Layout

• SR layout:

Recursion counter(Higher N bits)

μRAI Protection

• Attacker:• Has arbitrary write and read vulnerability• Knows the code layout, even the current instance of the firmware• Targets backward edges.

• μRAI is complemented with DEP and type-based CFI for forward edge.

Normal application μRAI

Return address

SR = C (some value)

TLR with Segmentation

Address Func1:… …… Genral_Register = SR[Segment2]… Jump PC+General_Register

FID Return Target

1 Jump location1

2 Jump location2

3 Jump ERROR

4 Jump location4

5 Jump location5

Func1 uses segment 1

Let SR = 0x00005FFF

Recursion counter

(Higher 8 bits)

Segment 2(12 bits)

Segment 1(12 bits)

Shift by segmentation

SR Encoding

Xor again after returning

Xor is the inverse of itself

μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

Transcript of μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

Documents

Transcript of μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

Σ(r) MVP E(r) Standard deviation of return C A B Expected return % 15% 10%

TPX2-LIKE PROTEIN 3 is the primary activator of α Aurora ... · 103 chromosome segregation in plants (Demidov et al., 2014; Kurihara et al., 2006) and in securing 104 efficient cell

Risk, Return, and the Optimal Exploitation of Stock ...lamfin.arizona.edu/rsrch/RROEslides.pdf · the Optimal Exploitation of Stock Characteristics Introduction Characteristics and

SYNERGY-Clinical-Data-Infographic-21Jan2016 · SYNERGY Stent vs. Resolute Integrity ™ Stent Primary Endpoints Endothelial Coverage and Neo-Atherosclerosis Compared to RI 3M % struts

CAM POSITIVE RETURN FOLLOWERS BLOCKS - MISUMI · Cam positive return followers CKF R S45C ... Cam positive return Cam positive return blocks CKB（Copper alloy・Special solid lubricant（embedded）type

Chi Square Tests - Kognitiv Tudományi Tanszékktkuser/KURZUSOK/BMETE47MC38/2015_2016_… · Chi-Square Test χ2) ... likely to return survey questionnaires if the questionnaire ...

Acid Affect Membrane Integrity - Semantic Scholar€¦ · α-Synuclein Oligomers Induced by Docosahexaenoic Acid Affect Membrane Integrity Chiara Fecchio 1, Giorgia De Franceschi,

The Relational Data Model 1.Relational Model Concepts 2.Characteristics of Relations 3.Relational Integrity Constraints 3.1Key Constraints 3.2Entity Integrity.

Absence of endothelial α5β1 integrin triggers early onset of ......initiation and maintenance of this pathology [13, 18]. Early in the disease process, the normal high integrity

02696 SKYSCAN 1272 MON32.qxp 210x279 · High-Resolution X-ray Microtomograph SKYSCAN 1272 Innovation with Integrity Microtomography 02696_SKYSCAN_1272_MON32.qxp_210x279 27.02.17 11:25

IN FOCUS THE BANK PRODUCT NEWS AT A GLANCE · PDF fileThe Alpha e-Banking service has changed ... administration continue to represent major hindrances to the undertaking of ... Securing

EUROSYSTEM Special Conference Paper - bankofgreece.gr · In this stage, the return on equity breaks down into two elements, i.e. the return on assets (ROA) and financial leverage

Implied Volatility Surfacefaculty.baruch.cuny.edu/lwu/9797/EMSFLec6ImpliedVol.pdf · Implied volatility smiles and skews indicate that the underlying security return distribution

Evaluation of the Chemical Integrity of Beta-Lactam ...file.scirp.org/pdf/JBM_2015112310515370.pdf · A. Salois et al. 92 Keywords Amoxicillin, Iodine, Chemical Integrity 1. Introduction

CAM POSITIVE RETURN FOLLOWERS BLOCKS · a b Catalog No. W L 15 30 CKF 60 171 191 20 40 80 171 191 Cam positive return followers CKF R S45C 55HRC～ （Induction hardened） 16 32－0.05

D. funcGE return xE1 · 2 days ago · return Nti return ytl return Etl's 5 5 A 7x y Ya Xy y a \x -> e =a> \y -> e[x := y] where not (y in FV(e)) We rename a formal parameter x to

2007 Aircraft Structural Integrity Program ConferenceProgram · PDF file · 2010-06-172007 Aircraft Structural Integrity Program ConferenceProgram Conference ... bending σ bypass

Portfolio Theory. Indifference Curve Expected Return E(r) Standard Deviation σ(r) Increasing Utility Indifference Curve -Represents individual’s willingness.

Βαικός Μηχανιμός Διωήρα Σ 2οφάλουcourseware.mech.ntua.gr/ml23034/lecture_pdfs/LECTURE_05_MHXANI… · Crank and slotted lever quick return mechanism .

Cam Units CHR Schieber CHR Unità a Camme CHR - omcr.it Units CHR-2018-01.pdf · 15 Elastomer Cap Elastomer 92SH 2 16G Gas Spring - Return Type G - 1 16S Spring - Return Type S -

CAM POSITIVE RETURN FOLLOWERS BLOCKS · a b Catalog No. W L 15 30 CKF 60 171 191 20 40 80 171 191 Cam positive return followers CKF R S45C 55HRC～（Induction hardened） 16 32－0.05