1 / 1

Harbor: Software based Memory Protection for Sensor Nodes

9.5%. 5.8%. 5.1%. Binary Re-Writer. 3.4%. Sandbox Binary. Register exported function. Memory Safe Binary. Memory Map. Control Flow Mgr. Introduction: Memory protection required to build robust sensor software. 0x0200. Run-time Stack. Globals and Heap (Apps., drivers, OS)

cain
Download Presentation

Harbor: Software based Memory Protection for Sensor Nodes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 9.5% 5.8% 5.1% Binary Re-Writer 3.4% Sandbox Binary Register exported function Memory Safe Binary Memory Map Control Flow Mgr. Introduction: Memory protection required to build robust sensor software 0x0200 Run-time Stack Globals and Heap (Apps., drivers, OS) No Protection 0x0000 Sensor Node Address Space Proposed Solution: Software based Fault Isolation Solution Analysis:Memory Protection Primitives Center for Embedded Networked Sensing Harbor: Software based Memory Protection for Sensor Nodes Ram Kumar, Akhilesh Singhania, Eddie Kohler and Mani Srivastava Memory Corruption in Motes MMU is not the solution • MMU hardware requires lot of RAM • Increases area and power consumption • Poor performance - High context switch overhead • Cost is key factor in microcontroller designs • Single address space CPU • Shared by apps., drivers and OS • Many bugs in deployed systems come from memory corruption • Corrupted nodes trigger network-wide failures Challenges System Overview Protection Domains • No static address space partitions • Limited address space - No MMU • Very little physical memory • Harbor’s Approach • Maintain fine-grained map of layout • Validate accesses using map at run-time • Sandbox on desktop • Verify on sensor node Data RAM - Non contiguous partitions Raw Binary Program FLASH - Contiguous partitions Desktop • Domains • Logical partitioning of address space • One or more applications per domain • Protect domains from corrupting one another Binary Verifier Sensor Node Cross Domain Call Memory Map Cross Domain Call Stub 0x0200 Domain A call fooJT foo_ret: Fine-grained layout and ownership information • Verify call into jump table • Compute callee domain ID • Determine return address Partition address space into blocks Domain B foo: … ret Allocate memory in segments (Set of contiguous blocks) fooJT:jmp foo Jump Table User xxx Domain Program Memory Kernel Domain 0x0000 Stack Bounds Safe Stack HEAP and GLOBALS SAFE STACK RUN-TIME STACK Stack Bounds • More protection domains  More bits per block  Larger memory map • Larger protected address range  Larger memory map • Larger block size  Smaller memory map • Larger block size  Greater internal fragmentation Data Memory Stack Grows Down • Stores cross domain call frames • Stores return addresses Resource Utilization Performance Tests Data Collector Application • Experiment Setup • 3-hop linear network simulated in Avrora • Tree Routing and Surge modules • Data pkts. transmitted every 4 seconds • Control packets transmitted every 20 seconds • 1.7% increase in relative CPU utilization • Absolute increase in CPU - 8.41% to 8.56% • 164 run-time checks introduced • Checks executed ~20000 times • Detected and prevented corruption during deployment CPU intensive applications Sandbox has lesser overhead than VM UCLA – UCR – Caltech – USC – CSU – JPL – UC Merced

More Related