μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

59
μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements 3,4,5 Saurabh Bagchi 1,4 Mathias Payer 2,5 Naif Saleh Almakhdhub 1,4,5,6 Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

Transcript of μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems...

Page 1: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Securing Embedded Systems with Return Address Integrity

1

1 2 3 4 5 6

Abraham A. Clements3,4,5

Saurabh Bagchi1,4 Mathias Payer2,5

Naif Saleh Almakhdhub1,4,5,6

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525. SAND-XXXX

Page 2: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Current State of Security

[1] https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/[2] https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/[3] https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical

2

[1] [2]

[3]Target:

Embedded and IoT devicesRunning Microcontroller

Systems (MCUS)

Attack:Control-flow Hijacking

Page 3: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

MCUS Challenges

3

Desktop MCUS

Code

Fla

sh(c

ode)

Stack

Heap

Data

RA

M(D

ata)

Stack

Heap

Data

Code

Mem

ory

0x08055555

0x08022222

0x08011111

0x08000000

0x08999555

0x08777222

0x08555111

0x08111000

0x08000000

0x02000000

0x02050000

Large virtual memory(GBs)

Basic defenses(e.g., ASLR)

DEP

Small physical memory

(MBs Flash, KBs RAM)

Basic defenses(e.g., ASLR)

Smaller code

DEP(Disabled Fixable)

Larger code

Page 4: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

MCUS Defenses for Return Addresses (Conceptual)

4

Security

Ru

nti

me

Ove

rhea

d

10%

Usage Location Integrity

μRAI

Return Address Integrity + Low runtime overhead + No special hardware

Limited Security Guarantees

Hig

h

Overh

e ad

Shadow Stack

+TEE

Randomized Safe Stack

Safe Stack +

Software Fault

Isolation

Shadow Stack

+MPU

CFI

Special hardware required

Without extra hardware

Page 5: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

MCUS Defenses for Return Addresses (Related Work)

5

Security

Ru

nti

me

Ove

rhea

d

10%

Usage Location Integrity

μRAI

Return Address Integrity + Low runtime overhead + No special hardware

Limited Security Guarantees

Hig

h

Overh

e ad

EPOXY(SafeStack)

[S&P17]

CFI CaRE(Shadow stack)

[RAID17]

ACES[SEC18]

Minion[NDSS18]

SCFP[EuroS&P18]

C-FLAT[CCS16] LiteHAX

[ICCAD18]

uXOM[SEC19]

RECFISH[ECRTS 2019]

μArmor[EuroS&P19]

Special hardware required

Without extra hardware

Symbiote[RAID11]

Page 6: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Return Address Integrity (RAI)

• Every attack requires corrupting a return addresses by overwriting it

• Main limitation of defenses return addresses are in writable memory• Example: Information hiding

• Key solution is to prevent an attacker from corrupting return addresses.

6

RAI Property:

• Ensure the return address is never writable except by an authorized instruction.• Return addresses are never pushed to the stack or any writable memory by an adversary.

Page 7: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Threat Model & μRAI Protection

7

Normal application

Func2

main

Func3

Func1

Func6

Func4

Func7

Func5

Un

pri

vile

ged

Pri

vile

ged

MPU, VTOR

Corrupt return address or corrupt sensitive Memory Mapped IO (MMIO)

Corrupt return address

μRAI

Func2

main

Func3

Func1

Func6

Func4

Func7

Func5 MPU, VTOR

: Normal function : Callable within exception handler : MMIO : State register encoding : Software-Fault Isolation (SFI)

• Reads from memory• Writes to memory• Knows the code layout• Targets backward-edges

Page 8: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

8

μRAI: Overview

State Register

Rea

d +

eX

ecu

te

Jump Table

Jump return_location1

Jump return_location2

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

Page 9: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

9

μRAI: Overview

State Register

Rea

d +

eX

ecu

te

Jump Table

Jump return_location1

Jump return_location2

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

Page 10: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI and the State Register

• State Register (SR):• Can be any general-purpose register exclusively used by μRAI• Never spilled cannot be overwritten through a memory corruption• Does not contain a return address encoded values to resolve the return location

• Example call graph:• Each edge call

• How encode SR?

• An XOR chain

10

Func2Func1main

SRSR

SRSR

Func2 reads theSR to resolve the correct return location

Page 11: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Terminology

11

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

  Address <Func2>:… …… …… …… …… …… …… …… …

• Function Keys (FKs): Hard-coded keys used to encode the SR

SR[Recursive] SR[Encoded]

0 C

Page 12: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Terminology

12

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C

• Function IDs (FIDs): Possible values of the SR for the function

Page 13: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Terminology

13

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C

• Function Lookup Table (FLT): List of FIDs for the function.

Page 14: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

14

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C

• Encode the SR and call Func2

Page 15: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

15

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C key1

SR[Recursive] SR[Encoded]

0

• Func2 reads the SR and executes the corresponding direct jump

Page 16: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

16

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C key1

SR[Recursive] SR[Encoded]

0

• Func2 returns correctly and the SR is decoded

Page 17: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

17

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C

• The previous SR value is restored

Page 18: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

18

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… …… …… …… …… …… …… …… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

SR[Recursive] SR[Encoded]

0 C

• The same happens for other calls. Func1 can then return correctly

Page 19: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

19

μRAI: Overview

State Register

Rea

d +

eX

ecu

te

Jump Table

Jump return_location1

Jump return_location2

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

Page 20: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Enforce RAI for exception handlers

• Exception handlers execute with privileges• Can disable the MPU enable code injection• Can corrupt exception stack frame break RAI property

• Solution:• Apply SFI only to functions callable by exception handlers• Limit SFI overhead compared to full-SFI

20

Func1 Func2

Func3

Func5Func4

main Exception Handler

Func6

MPUVTOR

Safe regionP

rivile

ge

d

Software-Fault Isolation

Page 21: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

21

μRAI: Overview

State Register

Rea

d +

eX

ecu

te

Jump Table

Jump return_location1

Jump return_location2

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

Page 22: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Target Lookup Routine (TLR)

• How can we find the correct direct jump in the FLT efficiently?• Use a relative jump before the FLT• Resolve the correct return location efficiently regardless of FLT size

22

Address<Func1>:… …… …… …… Jump PC+SR

FID Return Target

1 Jump location1

2 Jump location2

3 Jump ERROR

4 Jump location4

5 Jump location5

Use SR as an indexof a jump table

Align the FLT make SR = 4

Assume the correct return location is

location4

Comparing all FID can be slow!

Page 23: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

23

μRAI: Overview

State Register

Rea

d +

eX

ecu

te

Jump Table

Jump return_location1

Jump return_location2

1 Enforces the RAI property

3 Low runtime overhead

2 Protects exception handlers and privileged execution

Exception handler software-fault isolation

Relative jump target lookup routine

Page 24: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Evaluation

• Five MCUS applications on Cortex-M4:• PinLock• FatFs_uSD• FatFs_RAM• LCD_uSD• Animation

• CoreMark benchmark[1]• Standard MCUS performance benchmark

[1] EEMBC, “Coremark - industry-standard benchmarks for embedded systems,” http://www.eembc.org/coremark

24

Page 25: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

RX

Mem

ory

Security Evaluation Using PinLock: Unlock The Lock

25

…RW

Mem

ory

buffer

RW

Mem

ory

ptr

RW

Mem

ory

buff

Jump Table

Jump return_location1

Buffer overflow Arbitrary write Stack pivot

buffer

No return address to write to…

SP

SP

Sensitive MMIOand

Safe region

Pri

vile

ged

State Register

μRAI prevents all control-flow hijacking attack scenarios targeting return addresses

No return address to pop from the stack

No return address to overflow…

Page 26: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Performance results

• Requiring full-SFI results in high overhead average of 130.5%• μRAI results in low overhead average of 0.1%

26

Page 27: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Conclusion

• Control-flow hijacking on MCUS is a threat

• μRAI secures MCUS against control-flow hijacking• Enforces the RAI property for MCUS protects backward edges• Complemented with type-based CFI end-to-end code pointer protection

• Presents a portable encoding scheme• Does not require special hardware features (only a register and an MPU)

• Applicable to other systems

• Low runtime overhead

https://github.com/embedded-sec/uRAI

27

Page 28: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Backup Slides

28

Page 29: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Challenge: Path Explosion

29

Func3

Func1

Func2

main

 

SR[Rec] SR[Enc]

0

[

]

SR[Rec] SR[Enc]

0

 

 

 

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

[

]

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

[

]

SR[Rec] SR[Enc]

0

• Func3 has 2 call sites• FLT is size is 4!  

 

Page 30: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Path Explosion Solution: Segmentation

• State register segmentation

• Functions only use the bits in their assigned segment.

30

Recursion counter(Higher N bits)

Encoded value(Lower 32-N bits)

Segment 1 … Segment K Segment M … Segment 2 Segment 1

Page 31: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Path Explosion Solution: Segmentation

31

Func3

Func1

Func2

main

 

SR[Rec] SR[Enc2] SR[Enc1]

0

[

SR[Rec] SR[Enc2] SR[Enc1]

0

 

 

 

SR[Rec] SR[Enc2] SR[Enc1]

0

SR[Rec] SR[Enc2] SR[Enc1]

0

SR[Rec] SR[Enc2] SR[Enc1]

0

[

]

SR[Rec] SR[Enc2] SR[Enc1]

0

SR[Rec] SR[Enc2] SR[Enc1]

0

[

]

Not used

SR[Rec] SR[Enc2] SR[Enc1]

0 Not used

• Segmentation reducesFLT from 4 to 2  

 

Page 32: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Scalability

• What if no more values can be found for the SR?

• Solution:• Partition the call graph if no solution is found

• Entering a new partitionSave and reset the SR to a privileged safe region

• Returning to a previous partition Restore the SR

32

Func1 Func2

Func3

Func5Func4

main Exception Handler

Func6

Safe Region

Priv

ileg

ed

Page 33: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Memory results

• Moderate overhead for large applications

33

Average15.2%

Average

FLT + Instrmnt.34.6%

EH-SFI9.5%

Type-CFI10%

Page 34: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI vs. backward edge Type-based CFI

• [1] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, “Controlflow bending: On the effectiveness of control-flow integrity,” in USENIX SEC15

• 161–17634

AppType-based CFI Target Set

Max. Ave.

PinLock 8 3

FatFs_uSD 94 21

FatFs_RAM 94 27

LCD_uSD 49 11

Animation 49 11

CoreMark 52 12

Overall Average 58 14

μRAI eliminates the remaining attack surface for control-flow bending attacks[1]

Page 35: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Store Instructions Protected with EH-SFI

35

App# of Store instruction

Static Total (Static/Total)% Dynamic

PinLock 56 516 10.9 7

FatFs_uSD 99 1,802 5.5 906K

FatFs_RAM 7 1,116 0.6 7

LCD_uSD 99 2,814 3.5 48K

Animation 99 2,760 3.6 66K

CoreMark 56 1,024 5.5 7

Page 36: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

SR Layout

• The SR has two parts:• ENC: Encoded value• REC: Recursion counter

36

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

SR[Rec] SR[Enc]

0

Func3main  

• Cannot use XOR with recursion• Collision occurs with existing values Func1  

before the call after returnIf recursion

 

Page 37: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Transformation

37

Address <Func1>:… SR[Enc] = SR[Enc] key1… Call Func2Func1_1 SR[Enc] = SR[Enc] key1… …… SR[Enc] = SR[Enc] key2… Call Func2Func1_2 SR[Enc] = SR[Enc] key2… …

 

Function ID (FID) Return Target

C Jump return_location1

ELSE Jump ERROR

Address <Func2>:… SR[Rec]++… Call Func2Func2_1 SR[Rec]--… …… IF SR[Rec] > 0… Jump Func2_1… ELSE… …

Function ID (FID) Return Target

C key1⊕ Jump Func1_1

C key2⊕ Jump Func1_2

ELSE Jump ERROR

• If recursive use a counter (recursion is discouraged in MCUS)

SR[Rec] SR[Enc]

0 C

Page 38: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

SR Encoding Illustration

• Consider the following call graph with the SR initialized to a value = C

• Each edge call

• XOR before the call and after returning with hardcoded keys• An edge is walked XOR the SR

38

 

SR SRSR C SR SR

SR SR

Func2main Func3

 

 

XORing again after returning restores the previous SR

Page 39: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI’s Overview

39

LLVM

Source code

μRAI

Call Graph AnalyzerGenerates caller/callees

for each function

EncoderGenerates function keys

and encodes SR

Instrumentation

μRAI binary

LLVM IR

Page 40: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Workflow

• Generates caller/callee list.

• Sets the minimum possible FLT.• Example: Func5 is called from

4 locations → Min. FLT >= 4

40

Func1 Func2

Func3

Func5Func4

2 2

43

Function Min. FLT DFS FLT Segmented FLT

Func1 -

Func2 -

Func3 4

Func4 3

Func5 4

Call Graph Analyzer

Encoder

Instrumentation

Page 41: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Workflow

• Performs Depth First Search (DFS) on the call graph to generate initial FLT

41

Call Graph Analyzer

Encoder

Instrumentation

Function Min. FLT DFS FLT Segmented FLT

Func1 - - -

Func2 - - -

Func3 4 4

Func4 3 12

Func5 4 16

Func1 Func2

Func3

Func5Func4

2 2

43

Page 42: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Workflow

• Performs Depth First Search (DFS) on the call graph to generate initial FLT

• Configures the SR segment size to reduce memory overhead

• Generates FKs/FIDs

42

Call Graph Analyzer

Encoder

Instrumentation

Function Min. FLT DFS FLT Segmented FLT

Func1 - - -

Func2 - - -

Func3 4 4 4

Func4 3 12 3

Func5 4 16 4

Func1 Func2

Func3

Func5Func4

2 2

43

Use first SR segment

Use secondSR segment

Page 43: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI: Workflow

• Instruments call sites withencoding/decoding instructions

• Remove any return instruction or uses of the SR

• Example: POP{PC}, PUSH{SR}

• Instruments Target Lookup Routine (TLR) and FLT

43

Call Graph Analyzer

Encoder

Instrumentation

Address <Func1>:… SR = SR function_key… Call Func2… SR = SR function_key… TLR: Execute the instruction where the FID = SR

 

FID Return Target

1 Jump location1

2 Jump location2

… …

Page 44: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Microcontroller Systems (MCUS)

• Embedded systems and IoT run on Microcontroller systems (MCUS)

• MCUS:• Run a single static binary application directly on hardware• Can be with/without an lightweight OS (bare-metal)• Direct access to peripherals and processor• Can be standalone device or part of larger system• Advanced hardware features are not commonly available

• Example: Trusted Execution Environment (TEE)

• Examples:• WiFi System on Chip• Cyber-physical systems• UAVs

44

Page 45: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Security Evaluation Using PinLock

• Attacker tries to unlock the lock using a vulnerability in rx_from_uart

• Attacker can read, write to anywhere in memory

• Attacker knows the entire code layout• Even the current instance of the firmware

45

Attack Prevented

Buffer overflow Arbitrary write Stack pivot

μRAI prevents all control-flow hijacking attack scenarios targeting return addresses

Page 46: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

MCUS Challenges

46

Desktop MCUS

Fla

sh(c

ode)

RA

M(D

ata)

Stack

Heap

Data

Code

Mem

ory

Stack

Heap

Code

Data

0x08055555

0x08022222

0x08011111

0x08000000

0x08999555

0x08777222

0x08555111

0x08111000

0x08000000

0x02000000

0x02050000

Virtual memory(MMU)

Large Memory(GB)

ASLR

Stack cookies

DEP

Special HW features(e.g., TEE)

Physical Memory(MPU)

Small Memory(MBs Flash, KBs RAM)

ASLR Stack cookies(Inapplicable, or

have limited security)

DEP(Disabled Fixable)

Smaller Code

Special HW features(Not commonly available)

Page 47: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Control-Flow Hijacking

• Attacker gains arbitrary execution

• Originates from memory corruption vulnerability

• Code pointers:• Forward edges• Backward edges

47

Normal application

Data (RW)

Code Pointer

ptr

Func1

Func2

Func3

Func4

Func5

Code (RX)

Page 48: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

• Forward edges:• Function pointers• Virtual calls (C++)

• Control-Flow Integrity (CFI):• Calculates target set statically• Reduces target set significantly

• Backward edges:• Return addresses

• Current mechanisms:• Limited security guarantees

• Example: Large target set for CFI

• High runtime overhead• Require special hardware

48

Control-Flow Hijacking

f_ptr() Func1Calls toFunc1

• Effective for MCUS

Page 49: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

• Forward edges:• Function pointers• Virtual calls (C++)

• Control-Flow Integrity (CFI):• Calculates target set statically• Reduces target set significantly

• Backward edges:• Return addresses

• Current techniques:• Limited security guarantees

• Example: Large target set for CFI

• High runtime overhead• Require special hardware

49

Control-Flow Hijacking

f_ptr() Func1Calls toFunc1

• Control-flow hijacking attacks on backward-edges remain a threat.

• Example: Return Oriented Programming (ROP)

• Effective for MCUS

Page 50: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Control-flow hijacking defenses

• Great effort has been done by research community to protect the IoT.• TyTan[DAC15], TrustLite[EurSys14], C-FLAT [CCS16], nesCheck[AsiaCCS17],

SCFP[EuroS&P18], LiteHAX[ICCAD18], CFI CaRE [RAID17], ACES[SEC18],MINION [NDSS18], EPOXY [S&P17]

• Unfortunately, current defenses suffer from one of the following:

50

Limitation Example of a Defense Mechanism

Information disclosure Randomization

Only limit the attack surface CFI (large target set)

Require extra hardware Shadow stack

High overhead Memory safety

Page 51: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Normal Application

51

foo

Func1

Func2

Func4

Func3

Func5

main

buff

…Sta

ck (

RW

Mem

ory

)

Return address

*ptr_at_foo

Func1

Func2

Func3

Func4

Func5

systemCo

de

(RX

Mem

ory

)

system

Sample call graph

Func6

Page 52: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Usage Defenses: Control-Flow Integrity (CFI)

52

foo

Func1

Func2

Func4

Func3

Func5

main

buff

…Sta

ck (

RW

Mem

ory

)

Return address

*ptr_at_foo

Func1

Func2

Func3

Func4

Func5

systemCo

de

(RX

Mem

ory

)

system

Sample call graph

Func6

Defense:

 

Page 53: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Location Defense: Randomization

53

foo

Func1

Func2

Func4

Func3

Func5

main

buff

…Sta

ck (

RW

Mem

ory

)

Return address

*ptr_at_foo

Func1

Func2

Func3

Func4

Func5

Func6

systemCo

de

(RX

Mem

ory

)

system

Sample call graph

Func6

Defense:

CFI 

Return address

Return address

???

Disclose the layout

Func5

Func2

Func4

system

Func3

Func1

Func6

Page 54: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Integrity Defenses: Shadow Stack

54

foo

Func1

Func2

Func4

Func3

Func5

main

buff

…Sta

ck (

RW

Mem

ory

)

Return address

*ptr_at_foo

Func1

Func2

Func3

Func4

Func5

systemCo

de

(RX

Mem

ory

)

system

Sample call graph

Func6

Defense:

CFIRandomization

 

Return address

Shadow Stack(Hardware Isolation)

• System keeps 2 copies of return address

• Attacker cannot corrupt shadow stack

• Different return addresses Attack detected

Page 55: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

Integrity Defenses: Shadow Stack

55

foo

Func1

Func2

Func4

Func3

Func5

main

buff

…Sta

ck (

RW

Mem

ory

)

Return address

*ptr_at_foo

Func1

Func2

Func3

Func4

Func5

systemCo

de

(RX

Mem

ory

)

system

Sample call graph

Func6

Defense:

CFIRandomizationShadow stack

Return address

Shadow Stack(Hardware Isolation)

• TEE not available• High overhead

Page 56: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

State Register Layout

• SR layout:

56

Recursion counter(Higher N bits)

Encoded value(Lower 32-N bits)

Page 57: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

μRAI Protection

• Attacker:• Has arbitrary write and read vulnerability• Knows the code layout, even the current instance of the firmware• Targets backward edges.

• μRAI is complemented with DEP and type-based CFI for forward edge.

57

Normal application μRAI

Sta

ck

Return address

ptr

Sta

ck

ptr

SR = C (some value)

????

Page 58: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

TLR with Segmentation

58

Address Func1:… …… Genral_Register = SR[Segment2]… Jump PC+General_Register

FID Return Target

1 Jump location1

2 Jump location2

3 Jump ERROR

4 Jump location4

5 Jump location5

Func1 uses segment 1

Let SR = 0x00005FFF

Recursion counter

(Higher 8 bits)

Encoded value(Lower 32-N bits)

Segment 2(12 bits)

Segment 1(12 bits)

Shift by segmentation

Page 59: μRAI: Securing Embedded Systems with Return Address Integrity · μRAI: Securing Embedded Systems with Return Address Integrity 1 1 2 3 4 5 6 Abraham A. Clements3,4,5 Saurabh Bagchi1,4

SR Encoding

59

Func3

Func1

Func2

main

 

SR SR

SR SR

SR C

 

 

 

SR SR

SR SR

Xor again after returning

Xor is the inverse of itself