Skip to main content
SpringerLink
Log in

\(\mu \)IPS: Software-Based Intrusion Prevention for Bare-Metal Embedded Systems

  • Conference paper
  • First Online:
Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14347))

Included in the following conference series:

  • 271 Accesses

Abstract

Many embedded systems are low-cost bare-metal systems where the firmware executes directly on hardware without an OS. Bare-metal systems typically lack many security primitives, including the well-known Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), and their integrity can be compromised using a single vulnerability. Proposed defenses have not yet been deployed due to their requirements for firmware source code availability or hardware modifications. We present \(\mu \)IPS, the first Intrusion Prevention System (IPS) for bare-metal systems that requires no modification to the hardware and can be applied to stripped binaries without access to the source code. \(\mu \)IPS enforces fine-grained control-flow protection targeting both forward and backward edges. To achieve that, \(\mu \)IPS introduces a novel Trusted Execution Environment (TEE) to provide memory isolation at runtime while handling the hardware limitations of bare-metal systems. \(\mu \)IPS also provides Remote Integrity Check (RIC) mechanism to validate the integrity of control-flow protection policies and the TEE code, and secure Over-The-Air (OTA) update mechanism to deploy the updated policies. We evaluate \(\mu \)IPS against ten real-world representative firmware. \(\mu \)IPS imposes a \(31\%\) execution overhead on average on binary instrumented firmware. \(\mu \)IPS reduces exposure to Return-Oriented Programming (ROP) attacks by \(99\%\).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), pp. 340–353. ACM (2005). https://doi.org/10.1145/1102120.1102165

  2. Abbasi, A., Wetzels, J., Holz, T., Etalle, S.: Challenges in designing exploit mitigations for deeply embedded systems. In: Proceedings of the 2019 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 31–46. IEEE (2019)

    Google Scholar 

  3. Abera, T., et al.: C-flat: control-flow attestation for embedded systems software. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 743–754 (2016)

    Google Scholar 

  4. IoT for all: The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History. https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities. Accessed May 2023

  5. Almakhdhub, N.S., Clements, A.A., Bagchi, S., Payer, M.: \(\mu \)rai: Securing embedded systems with return address integrity. In: Proceedings of the Network and Distributed Systems Security Symposium (NDSS) (2020)

    Google Scholar 

  6. ARM: Trustzone for cortex-m (2022). https://www.arm.com/technologies/trustzone-for-cortex-m. Accessed May 2023

  7. Brasser, F., El Mahjoub, B., Sadeghi, A.R., Wachsmann, C., Koeberl, P.: Tytan: tiny trust anchor for tiny devices. In: Proceedings of the 52nd Annual Design Automation Conference (DAC), pp. 1–6 (2015)

    Google Scholar 

  8. Clements, A.A., et al.: Protecting bare-metal embedded systems with privilege overlays. In: Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), pp. 289–303. IEEE (2017)

    Google Scholar 

  9. de Clercq, R., et al.: Sofia: software and control flow integrity architecture. In: Proceedings of the 2016 Design, Automation & Test in Europe Conference & Exhibition (DATE) (2016)

    Google Scholar 

  10. Costan, V., Devadas, S.: Intel sgx explained. Cryptology ePrint Archive (2016)

    Google Scholar 

  11. Criswell, J., Dautenhahn, N., Adve, V.: Kcofi: complete control-flow integrity for commodity operating system kernels. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP), pp. 292–307 (2014). https://doi.org/10.1109/SP.2014.26

  12. De, A., Basu, A., Ghosh, S., Jaeger, T.: Hardware assisted buffer protection mechanisms for embedded RISC-V. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 39(12), 4453–4465 (2020)

    Article  Google Scholar 

  13. Dessouky, G., Abera, T., Ibrahim, A., Sadeghi, A.R.: Litehax: lightweight hardware-assisted attestation of program execution. In: Proceedings of the 2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD) (2018)

    Google Scholar 

  14. Du, Y., Shen, Z., Dharsee, K., Zhou, J., Walls, R.J., Criswell, J.: Holistic Control-Flow protection on Real-Time embedded systems with kage. In: Proceedings of the USENIX Security Symposium (USENIX Security) (2022)

    Google Scholar 

  15. Insights, I.: Mcclean report 2022 (2022). https://www.icinsights.com/services/mcclean-report/. Accessed May 2023

  16. Koeberl, P., Schulz, S., Sadeghi, A.R., Varadharajan, V.: Trustlite: a security architecture for tiny embedded devices. In: Proceedings of the Ninth European Conference on Computer Systems, pp. 1–14 (2014)

    Google Scholar 

  17. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-Pointer integrity. In: Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pp. 147–163. USENIX Association (2014). https://www.usenix.org/conference/osdi14/technical-sessions/presentation/kuznetsov

  18. Li, J., Tong, X., Zhang, F., Ma, J.: Fine-CFI: fine-grained control-flow integrity for operating system kernels. IEEE Trans. Inf. Forensics Secur. 13(6), 1535–1550 (2018). https://doi.org/10.1109/TIFS.2018.2797932

    Article  Google Scholar 

  19. Li, J., Wang, Z., Bletsch, T., Srinivasan, D., Grace, M., Jiang, X.: Comprehensive and efficient protection of kernel control data. IEEE Trans. Inf. Forensics Secur. 6(4), 1404–1417 (2011). https://doi.org/10.1109/TIFS.2011.2159712

    Article  Google Scholar 

  20. McAfee: Emerging ‘Stack Pivoting’ Exploits Bypass Common Security. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emerging-stack-pivoting-exploits-bypass-common-security. Accessed May 2023

  21. Noorman, J., et al.: Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: Proceedings of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 479–498 (2013)

    Google Scholar 

  22. Nunes, I.D.O., Eldefrawy, K., Rattanavipanon, N., Steiner, M., Tsudik, G.: VRASED: a verified hardware/software co-design for remote attestation. In: Proceedings of the 28th USENIX Security Symposium (USENIX Security 19) (2019)

    Google Scholar 

  23. Nyman, T., Ekberg, J.-E., Davi, L., Asokan, N.: CFI CaRE: hardware-supported call and return enforcement for commercial microcontrollers. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 259–284. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_12

    Chapter  Google Scholar 

  24. Oleksenko, O., Kuvaiskii, D., Bhatotia, P., Felber, P., Fetzer, C.: Intel mpx explained: a cross-layer analysis of the intel mpx system stack. In: Proceedings of the ACM on Measurement and Analysis of Computing Systems 2(2) (2018)

    Google Scholar 

  25. One, A.: Smashing the stack for fun and profit. Phrack magazine 7(49), 14–16 (1996)

    Google Scholar 

  26. Pancake: radare. https://www.radare.org/r/. Accessed May 2023

  27. Post, T.: IoT Attacks Skyrocket, Doubling in 6 Months. https://threatpost.com/iot-attacks-doubling/169224/. Accessed May 2023

  28. Salehi, M., Degani, L., Roveri, M., Hughes, D., Crispo, B.: Discovery and identification of memory corruption vulnerabilities on bare-metal embedded devices. IEEE Trans. Dependable Secure Comput. 20, 1124–1138 (2022)

    Article  Google Scholar 

  29. Salehi, M., Hughes, D., Crispo, B.: Microguard: securing bare-metal microcontrollers against code-reuse attacks. In: Proceedings of the 2019 IEEE Conference on Dependable and Secure Computing (DSC), pp. 1–8. IEEE (2019)

    Google Scholar 

  30. Salehi, M., Hughes, D., Crispo, B.: \(\mu \)SBS: static binary sanitization of bare-metal embedded devices for fault observability. In: Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID) (2020)

    Google Scholar 

  31. Schirra, S.: Ropper. https://github.com/sashs/Ropper. Accessed May 2023

  32. Shacham, H.: The geometry of innocent flesh on the bone: return-into-LIBC without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, New York, NY, USA (2007)

    Google Scholar 

  33. Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th USENIX Security Symposium (USENIX Security 01) (2001)

    Google Scholar 

  34. Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., Vigna, G.: Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware. In: Proceedings of the Network and Distributed Systems Security Symposium (NDSS) (2015)

    Google Scholar 

  35. Shoshitaishvili, Y., et al.: Sok:(state of) the art of war: offensive techniques in binary analysis. In: Proceedings of the IEEE Symposium on Security and Privacy (SP). IEEE (2016)

    Google Scholar 

  36. Sun, Z., Feng, B., Lu, L., Jha, S.: Oat: Attesting operation integrity of embedded devices. In: Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), pp. 1433–1449. IEEE (2020)

    Google Scholar 

  37. Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP). IEEE (2013)

    Google Scholar 

  38. Today, I.W.: IoT Cyberattacks Escalate in 2021, According to Kaspersky. https://www.iotworldtoday.com/2021/09/17/iot-cyberattacks-escalate-in-2021-according-to-kaspersky. Accessed May 2023

  39. Zhang, C., et al.: Practical control flow integrity and randomization for binary executables. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP), pp. 559–573 (2013). https://doi.org/10.1109/SP.2013.44

  40. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: Proceedings of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 337–352. USENIX Association (2013). https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/Zhang

  41. Zhou, J., Du, Y., Shen, Z., Ma, L., Criswell, J., Walls, R.J.: Silhouette: efficient protected shadow stacks for embedded systems. In: Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), pp. 1219–1236 (2020)

    Google Scholar 

Download references

Acknowledgement

This work is partially funded by the EU under Horizon Europe Programme - GA 101070537 - CrossCon and GA 101086308 - DUCA. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or CINEA). Neither the EU nor the granting authority can be held responsible for them.

Author information

Authors and Affiliations

  1. University of Trento, Trento, Italy

    Luca Degani & Bruno Crispo

  2. imec-DistriNet, KU Leuven, Belgium

    Majid Salehi

  3. Nokia Bell Labs, Antwerp, Belgium

    Majid Salehi

  4. Istituto di Informatica e Telematica - Consiglio Nazionale delle Ricerche, Pisa, Italy

    Luca Degani & Fabio Martinelli

Authors
  1. Luca Degani
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Majid Salehi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabio Martinelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Bruno Crispo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Luca Degani .

Editor information

Editors and Affiliations

  1. University of California, Irvine, CA, USA

    Gene Tsudik

  2. University of Padua, Padua, Italy

    Mauro Conti

  3. Delft University of Technology, Delft, The Netherlands

    Kaitai Liang

  4. Delft University of Technology, Delft, The Netherlands

    Georgios Smaragdakis

Appendices

A Firmware Information

We present in Table 7 the detailed information about the real firmware used in our evaluation (Sect. 6).

Table 7. The representative set of firmware used for the evaluation of \(\mu \)IPS.
Full size table

B Security Analysis

To demonstrate the ability of \(\mu \)IPS to prevent any control-flow hijacking attack, we modified the HTTP Server firmware introducing three types of memory corruption vulnerabilities: a buffer overflow [25], a format string enabling arbitrary write [33] and a stack pivot [20]. We analyze each of the three and describe how \(\mu \)IPS prevents the exploitation.

Buffer Overflow. A buffer overflow allows an attacker to overwrite values on the stack. The ARMv7-M architecture can store a return address either in a special register called Link Register (LR) or on the stack. Consequently, since the LR register is not memory mapped, the attacker can tamper with the execution flow by overwriting the return address only when stored on the stack. However, if the attacker succeeds, once the vulnerable function returns, the \(\mu \)IPS instrumentation invokes the TEE to check if the return address equals the one on top of the shadow stack. Since it has been manipulated, this check will fail, and the attack prevented. Furthermore, \(\mu \)IPS blocks shellcode-based buffer overflow attacks as the stack is non-executable due to the W\(\oplus \)X policy enforced by the MPU.

Arbitrary Write. With an arbitrary write, an attacker can precisely overwrite data on arbitrary memory locations, including the stack, flash memory, and even peripheral registers. Like buffer overflow, the attacker can overwrite the saved return address on the stack, but the attack would be detected with the \(\mu \)IPS shadow stack. It is also possible to overwrite the flash memory including the code regions; however, the MPU denies this operation by enforcing the W\(\oplus \)X policy. Additionally, the attacker may attempt to write to the memory-mapped MPU configuration registers to disable or relax the MPU policy. Still, this operation requires privileges that are never granted to potentially vulnerable firmware. An attacker may also attempt to leverage a gadget that pops an address from the stack to the LR, but such a gadget never exists because the LR is written only by branch-with-link instructions. Finally, an attacker may corrupt the exception handler data structure where registers, including the Program Counter (PC), are saved to restore the execution once an interrupt has finished. However, such an operation requires privileges that are never granted to the firmware. As a result, \(\mu \)IPS prevents the attack in all the presented cases.

Stack Pivot. If an attacker controls the position of the stack, e.g., through the Stack Pointer (SP) register, it can relocate it to point to a buffer it controls so that, once the function returns, it pops the return address from the stack. This attack assumes that the return address is stored on the stack, not in the LR. However, the \(\mu \)IPS instrumentation invokes the TEE to validate the return address with the one on top of the shadow stack. Since the two values differ, \(\mu \)IPS prevents the attack.

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Degani, L., Salehi, M., Martinelli, F., Crispo, B. (2024). \(\mu \)IPS: Software-Based Intrusion Prevention for Bare-Metal Embedded Systems. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14347. Springer, Cham. https://doi.org/10.1007/978-3-031-51482-1_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-51482-1_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51481-4

  • Online ISBN: 978-3-031-51482-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation