Title: Harbor: Software based Memory Protection for Sensor Nodes
1Harbor Software based Memory Protection for
Sensor Nodes
Center for Embedded Networked Sensing
Ram Kumar, Akhilesh Singhania, Eddie Kohler and
Mani Srivastava
Memory Corruption in Motes
MMU is not the solution
- MMU hardware requires lot of RAM
- Increases area and power consumption
- Poor performance - High context switch overhead
- Cost is key factor in microcontroller designs
- Single address space CPU
- Shared by apps., drivers and OS
- Many bugs in deployed systems come from memory
corruption - Corrupted nodes trigger network-wide failures
System Overview
Challenges
Protection Domains
- No static address space partitions
- Limited address space - No MMU
- Very little physical memory
- Harbors Approach
- Maintain fine-grained map of layout
- Validate accesses using map at run-time
- Sandbox on desktop
- Verify on sensor node
Data RAM - Non contiguous partitions
Raw Binary
Program FLASH - Contiguous partitions
Desktop
- Domains
- Logical partitioning of address space
- One or more applications per domain
- Protect domains from corrupting one another
Binary Verifier
Sensor Node
Cross Domain Call
Memory Map
Cross Domain Call Stub
0x0200
Domain A call fooJT foo_ret
Fine-grained layout and ownership information
- Verify call into jump table
- Compute callee domain ID
- Determine return address
Partition address space into blocks
Domain B foo ret
Allocate memory in segments (Set of contiguous
blocks)
fooJTjmp foo
Jump Table
User xxx Domain
Program Memory
Kernel Domain
0x0000
Stack Bounds
Safe Stack
RUN-TIME STACK
SAFE STACK
HEAP and GLOBALS
Stack Bounds
- More protection domains ? More bits per block ?
Larger memory map - Larger protected address range ? Larger memory
map - Larger block size ? Smaller memory map
- Larger block size ? Greater internal fragmentation
Data Memory
Stack Grows Down
- Stores cross domain call frames
- Stores return addresses
Resource Utilization
Performance Tests
Data Collector Application
- Experiment Setup
- 3-hop linear network simulated in Avrora
- Tree Routing and Surge modules
- Data pkts. transmitted every 4 seconds
- Control packets transmitted every 20 seconds
- 1.7 increase in relative CPU utilization
- Absolute increase in CPU - 8.41 to 8.56
- 164 run-time checks introduced
- Checks executed 20000 times
- Detected and prevented corruption during
deployment
CPU intensive applications
Sandbox has lesser overhead than VM
UCLA UCR Caltech USC CSU JPL UC
Merced