Hardware Support for Secure Processing in Embedded Systems

1
Hardware Support for Secure Processing in
Embedded Systems

• Shufu Mao, Tilman Wolf
• Dept. of Electrical Computer
• Engineering,
• University of Massachusetts
• Amherst, USA

2
Embedded System Security

• Unique vulnerabilities in embedded systems
• Require specialized solutions
• Representative embedded system
• System-on-a-chip uniprocessor
• Simple processor core without complex operating
  system
• Potential attack goals
• Extraction of secret information
• Modification of stored and sensed data
• Denial of service attacks
• Hijacking of hardware platform
• Damaging or destruction of device
• In many cases attack can be observed
• Deviation from programmed system behavior

3
Outline

• Embedded System Security Overview
• Related Work
• Monitors Architecture
• Monitor Graph
• Monitor Ambiguity and Overhead
• Evaluation with Real Attacks
• Static Attacks
• Dynamic Attacks
• Summary and Conclusions

4
Monitor Architecture

• Offline binary analysis
• Monitoring graph extraction
• Online validation of processing
• Information stream from processor
• Comparison to monitoring graph
• Requires call stack for returns
• Interrupt/recovery on deviation
• Choices on what to monitor
• Address
• Vulnerable to code replacement
• Opcode
• Vulnerable to changes in registers
• Control flow
• Vulnerable to code replacement within basic block

5
Monitoring Graph Example

• Example
• MiBench on SimpleScalar simulatior
• Monitoring graph
• Chained basic blocks
• Different information within basic blocks

6
Monitoring Ambiguity

• Ambiguity in monitoring
• Conditional branch
• 1000 instructions from patricia application
• Address monitor
• Only two possible statesafter conditional branch
• Opcode monitor
• Large ambiguity for similar instructions
• Control flow monitor
• Large ambiguity on recursive function calls

7
Monitoring Ambiguity and Overhead

• Cdf of ambiguity duration
• Other MiBench applications
• Cdf shape varies widely with application
• Average ambiguity duration less than 2
  instructions
• Monitoring overhead
• Other MiBench applications
• Roughly 10 of binary

8
Evaluation with Real Attacks

• System Attacks
• Static Attacks change the binary file
• Dynamic Attacks change the run-time program
  behavior

9
Performance of Monitor Static Attack

• Static Attacks - Bit Flip Attack
• Choose one application (gsm) from Mibench
• Random picks one instruction and change one bit
• Results based on 100 simulations

10
Performance of Monitor Dynamic Attack

• Dynamic Attacks
• One program with buffer overflow attack

int count, address, ptr void funct(void)
count0 //to avoid an empty function void
fill_buffer() int buffer10 ptr
buffer for (count 0 countlt20 count)
ptraddress ptr int main
(void) address (int) funct
fill_buffer()
11
Performance of Monitor Dynamic Attack
12
Related Work

• Embedded system attacks
• Proximity attacks (tampering, side-channel,
  FPGAs)
• Remote attacks (mobile phones, sensor nets)
• Processing monitor
• Zhang et al. invariants on kernel data
  structures
• Arora et al. similar monitor, but basic block
  hash
• Suh et al. tracking of information flow in
  system
• Abadi et al. control flow integrity with
  modified binaries
• Other monitors
• Zhuang et al. bus monitor to avoid data leakage
• Chi et al. thermal sensor for performance
  improvement
• Velusamy et al. thermal sensors on FPGA

13
Summary and Conclusions

• Monitoring can be used to detect deviation from
  normal system behavior
• Different patterns are evaluated
• Address pattern
• Opcode pattern
• Load/Store pattern
• Control flow pattern
• Hashed pattern
• Future work
• Different monitor types
• Suitable recovery actions
• Attack benchmark