
On-Chip Control Flow Integrity Check for Real Time Embedded Systems

On-Chip Control Flow Integrity Check for Real Time Embedded Systems. Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha, Renato Mancuso, Sibin Mohan. Rethinking Embedded System Security. Traditional Embedded Systems


Presentation Transcript


  1. On-Chip Control Flow Integrity Check for Real Time Embedded Systems
     Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha, Renato Mancuso, Sibin Mohan

  2. Rethinking Embedded System Security
     Traditional Embedded Systems
     • Physically isolated environment
     • Limited capability
     • Use of specialized protocols
     Modern Embedded Systems
     • More networked
     • Increased capability
     • Open, standard platform
     • Sensitive/privacy information
     • More vulnerable to security attacks
     • Smarter, but less secure
     Figure labels: Smart Grid, Smart Car, Smart Phones, Smart Appliances

  3. Challenges in Embedded System Security
     Limitations in Existing Approaches

  4. Our Solution
     • Check the run-time control flow with a dedicated hardware unit
     • Store the control flow graph on dedicated hardware
     • Extract the control flow graph from executable
     Figure axis: Time

  5. Why It Works
     • If malicious code gets executed, the control flow graph mutates
     • ...and detection is performed
     • At inspection time, the dedicated core validates the execution flow.
     Figure labels: Malicious Code Block; axis: Time

  6. Attacks

  7. Architecture
     Figure labels: Processor; On-Chip Control Flow Monitoring Module (OCFMM); Monitoring Module; Isolated OCFMM Memory; Block ID; Program Counter; Instruction Register; Block Info

  8. Control Flow Example
     main:
         instr_1
         instr_2
     lbl_2:
         instr_3
         JEQ lbl_1
         instr_4
         instr_5
         instr_6
         JMP lbl_2
     lbl_1:
         instr_7
         instr_8
         CALL func_1
         instr_9
         JMP lbl_2
     func_1:
         instr_f1
         instr_f2
         RET
     Blocks:
     • A: n = 4, pc = instr_1
     • B: n = 4, pc = instr_4
     • C: n = 3, pc = instr_7
     • D: n = 2, pc = instr_9
     • E: n = 3, pc = instr_f1
     For each block, we store:
     • Block ID
     • Address of first instruction
     • Number of instructions
     • Yes-Block
     • No-Block
     Figure: control flow graph with Yes/No edges between blocks A, B, C, D and E

  9. Inspection
     Suppose that the execution is in block A (n = 4, pc = instr_1). Its Yes-Block is C (n = 3, pc = instr_7) and its No-Block is B (n = 4, pc = instr_4).
     1. Check that PC is between instr_1 and instr_1 + n
     2. If not, fetch Yes/No Blocks C & B from OCFMM memory
     3. If execution is not at instr_7 nor at instr_4, raise detection flag

  10. Predictable Overhead
      Overhead(block_k) =
      • e_i is the minimum execution time of the i-th instruction in the block
      • m is the access time for OCFMM memory
      • n_k is the number of instructions in the k-th block
      Overhead is paid in short blocks where integrity check is longer than block execution time.

  11. Experiments
      • Code replacement attack
        • one of the jump destinations is different from the expected address resulting
      • Return address overwriting in stack
        • jump to a different return address

  12. Limitations
      • Need for ad-hoc platform
        • The proposed approach is hardware-based. Custom hardware needed
      • Unable to detect attacks that do not alter the CFG
        • Still attacking the platform is significantly harder

  13. Effective and Applicable to Embedded Real-Time Systems

  14. Future Plan

  15. Question? Thank You
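
The block table from slide 8 and the three-step inspection from slide 9, replayed over a PC trace in C as an added example (not code from the presentation or its authors). The integer addresses, the function names, and the C to E and E to D edges are assumptions made for this example; only block A's Yes/No successors are stated on the slides.

```c
#include <stdio.h>

/* Constructed addresses: instruction k of the slide 8 listing is at address k
 * (instr_1 = 1, JEQ = 4, instr_4 = 5, instr_7 = 9, instr_9 = 12, instr_f1 = 14). */
enum { NONE = -1, BLK_A, BLK_B, BLK_C, BLK_D, BLK_E };

struct block { int first, n, yes, no; };   /* fields listed on slide 8 */

/* A's successors come from slide 9; C -> E (CALL) and E -> D (RET) are read off
 * the listing (assumption). B and D end in JMP lbl_2, which lands inside A; the
 * slides do not show how that edge is stored, so it is omitted here. */
static const struct block ocfmm_mem[] = {
    [BLK_A] = {  1, 4, BLK_C, BLK_B },
    [BLK_B] = {  5, 4, NONE,  NONE  },
    [BLK_C] = {  9, 3, BLK_E, NONE  },
    [BLK_D] = { 12, 2, NONE,  NONE  },
    [BLK_E] = { 14, 3, BLK_D, NONE  },
};

static int starts(int id, int pc) { return id != NONE && ocfmm_mem[id].first == pc; }

/* One inspection (slide 9). Returns the block now executing, or NONE to flag. */
int inspect(int cur, int pc)
{
    const struct block *b = &ocfmm_mem[cur];
    if (pc >= b->first && pc < b->first + b->n) return cur;   /* step 1 */
    if (starts(b->yes, pc)) return b->yes;                    /* steps 2-3 */
    if (starts(b->no, pc))  return b->no;
    return NONE;                                              /* detection flag */
}

/* Replays a PC trace starting in block A; returns index of first violation, or -1. */
int first_violation(const int *trace, int len)
{
    int cur = BLK_A;
    for (int i = 0; i < len; i++)
        if ((cur = inspect(cur, trace[i])) == NONE) return i;
    return -1;
}

int main(void)
{
    const int ok[]  = { 1, 2, 3, 4, 9, 10, 11, 14, 15, 16, 12 };  /* A, C, E, D */
    const int bad[] = { 1, 2, 3, 4, 9, 10, 11, 14, 15, 16, 5 };   /* RET lands on instr_4 */
    printf("clean: %d, overwritten return address: %d\n",
           first_violation(ok, 11), first_violation(bad, 11));
    return 0;
}
```

The second trace corresponds to the return address overwriting experiment on slide 11: the RET in func_1 lands on instr_4 instead of instr_9, so the flag is raised at the first PC sample after the return.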
