Protecting Bare-metal Embedded Systems With Privilege Overlays

Abraham A Clements (Purdue and Sandia National Labs), Naif Saleh Almakhdhub (Purdue), Khaled Saab (Georgia Institute of Technology), Prashast Srivastava (Purdue), Jinkyu Koo (Purdue), Saurabh Bagchi (Purdue), Mathias Payer (Purdue)

Embedded systems are ubiquitous in every aspect of modern life. As the Internet of Things expands, our dependence on these systems increases. Many of these interconnected systems are and will be low-cost bare-metal systems, executing without an operating system. Bare-metal systems rarely employ any security protection mechanisms, and their development assumptions (unrestricted access to all memory and instructions) and constraints (runtime, energy, and memory) make applying protections challenging. We present an LLVM-based embedded compiler that enables code integrity, prevents control-flow hijacking, and prevents unauthorized manipulation of IO, within the constraints and assumptions of bare-metal application development. We do this using a technique called privilege overlaying. This technique enables enforcement of privilege separation, e.g., for memory-mapped registers, interrupt vectors, and protected regions. We also adapt control-flow hijacking defenses based on stack integrity to bare-metal applications. We design fine-grained randomization schemes for code and global data to provide protection against control-flow and data corruption attacks. We evaluate the performance of our combined defense mechanisms for a suite of 38 benchmarks and 3 real-world IoT applications. Our results for the application case studies show that EDiVirt has on average a 1.5% increase in execution time, a 0.2% increase in energy usage, a 5.3% increase in code size, and a 3.4% increase in RAM utilization. We also show that it effectively prevents ROP attacks from scaling across large sets of devices.