D-Box: DMA-enabled Compartmentalization for Embedded Applications

01/13/2022
by   Alejandro Mera, et al.
Northeastern University
0

Embedded and Internet-of-Things (IoT) devices have seen an increase in adoption in many domains. The security of these devices is of great importance as they are often used to control critical infrastructure, medical devices, and vehicles. Existing solutions to isolate microcontroller (MCU) resources in order to increase their security face significant challenges such as specific hardware unavailability, Memory Protection Unit (MPU) limitations and a significant lack of Direct Memory Access (DMA) support. Nevertheless, DMA is fundamental for the power and performance requirements of embedded applications. In this paper, we present D-Box, a systematic approach to enable secure DMA operations for compartmentalization solutions of embedded applications using real-time operating systems (RTOS). D-Box defines a reference architecture and a workflow to protect DMA operations holistically. It provides practical methods to harden the kernel and define capability-based security policies for easy definition of DMA operations with strong security properties. We implemented a D-Box prototype for the Cortex-M3/M4 on top of the popular FreeRTOS-MPU (F-MPU). The D-Box procedures and a stricter security model enabled DMA operations, yet it exposed 41 times less ROP (return-orienting-programming) gadgets when compared with the standard F-MPU. D-Box adds only a 2 peripheral operation benchmarks by 18.2 performance of D-Box were tested and confirmed on a real-world case study of a Programmable Logic Controller (PLC) application.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

08/09/2019

Good Motive but Bad Design: Why ARM MPU Has Become an Outcast in Embedded Systems

As more and more embedded devices are connected to the Internet, leading...
05/13/2020

Grand Challenges for Embedded Security Research in a Connected World

Protecting embedded security is becoming an increasingly challenging res...
10/29/2018

Exploring Security Economics in IoT Standardization Efforts

The Internet of Things (IoT) propagates the paradigm of interconnecting ...
07/09/2021

A Survey on RISC-V Security: Hardware and Architecture

The Internet of Things (IoT) is an ongoing technological revolution. Emb...
03/14/2022

Building Embedded Systems Like It's 1996

Embedded devices are ubiquitous. However, preliminary evidence shows tha...
05/12/2021

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference

The proliferation of Internet of Things (IoT) devices has made people's ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Embedded and IoT devices are increasingly becoming popular [55]. Compared to general-purpose computers, these devices are lightweight, and have the advantage of real-time responsiveness and low power consumption. Such devices have also been adopted in critical areas such as intelligent factories, health care, smart homes, and automotive industry.

Due to the importance of embedded and IoT devices and their often infrastructure-critical nature, they have, unfortunately, become the major targets of various attacks [15, 41, 28, 24, 25, 34, 19]. In fact, attackers can often perform code reuse attacks against these systems by leveraging existing vulnerabilities in the code, and launch control flow hijacking attacks when the least privilege principle is not enforced [58, 15, 14]. These attacks can leak private and critical information, and allow attackers to control the whole MCU, or even the devices connected to it.

To protect embedded and IoT devices, existing work has considered a number of techniques, including firmware analysis [43], fuzzing [26], attestation [9], and compartmentalization [21, 36, 20]. Compared to other techniques, compartmentalization avoids time and resource-consuming analysis, and can provide customized configurations for both verification and protection in real-time.

Despite the benefits of compartmentalization, existing work has faced many challenges in isolating the MCU resources for the rather monolithic firmware structure. For example, the Cortex-M architecture does not provide an address translation mechanism such as the Memory Management Unit (MMU). Instead, it provides the MPU with limited functionality to divide and protect the address space. To offer stronger isolation, ARM has promoted TrustZone-based hardware solutions [13]. Unfortunately, though, TrustZone has yet very limited availability on existing MCU devices as described in our survey in appendix -A.

A more concerning issue is those existing solutions—despite DMA’s ubiquitous support and heavy usage in modern MCUs—have totally ignored DMA compartmentalization ([36, 21, 20]), provide partial solutions ([3, 12]), or propose hardware modifications ([59]) not available beyond the academic boundaries. Extending current MPU-based compartmentalization solutions to support DMA is not a trivial task. That is, DMA transfer compartmentalization is challenging because the intrinsic dynamic characteristic of DMA aggravates the imprecision of static analysis to define boundaries, permissions and the security policy. Also, the currently available MPU is not meant to work in a multi-master environment. Thus, supporting DMA on existing compartmentalization schemes requires a holistic re-design.

In this paper, we present D-Box, a systematic approach to enable secure DMA operations for compartmentalization solutions targeting MCU-based devices that do not implement TrustZone, MMU, and PCIe interfaces. D-Box adopts the concept of capabilities to validate DMA operations, and enforces the least privilege principle for RTOS holistically.

We used the FreeRTOS-MPU (F-MPU) as a basis to build a D-Box prototype due to its wide adoption and growing popularity in the industry. We improved its security with a more secure MPU region configuration, kernel extensions, and a user-friendly security policy definition with explicit support for DMA operations.

We evaluated D-Box’s security and performance with both qualitative and quantitative analysis. The results show that compared with F-MPU, D-Box leverages DMA while reducing the attack surface of embedded applications when looking at six security metrics. Furthermore, D-Box incurred a low overhead to kernel and peripheral operations. Enabling DMA operations by D-Box methods reduced power consumption compared to solutions that do not support it. At the same time, our solution maintained similar RAM and flash requirements as F-MPU. A case study on a real-world PLC application further demonstrates D-Box’s capability in enabling high-performance DMA operations without compromising security.

In summary, this work makes the following contributions:

  • We study and advocate the importance of supporting and protecting DMA-capable peripherals for compartmentalization solutions due to the partial or total lack of DMA support on existing solutions.

  • We present D-Box, a systematic approach to enable secure DMA operations for embedded compartmentalization solutions that support high-performance and a power efficient operation.

  • We implemented a D-Box prototype for the official Cortex-M3/M4 port of FreeRTOS enabling DMA operations while improving its security metrics.

  • We demonstrate that supporting DMA operations allows power and CPU usage reduction, which is highly desirable for battery-powered embedded applications.

  • We present a case study of D-Box on a real-world PLC application; we further discuss D-Box methods generalization, its integration into other compartmentalization solutions, and its limitations.

Ii Threat model and assumptions

We consider an embedded device that has an MPU and one or more DMA-capable peripherals. The device runs a monolithic firmware with the following defects: a confused-deputy vulnerability 111“A confused deputy is a deputy (a program) that has been manipulated into wielding its authority inappropriately” [49] in the managing code of the DMA controller, a malicious third-party software module with rogue usage of DMA (i.e., result of a software supply chain attack), and a vulnerable read/write primitive with access to the DMA controller configuration. Furthermore, the firmware is compiled from multiple first and third-party sources. We assume that first-party code can be buggy, but not malicious, whereas third-party code can be malicious and buggy. The code includes functionality for scheduling, DMA operations, peripheral drivers, third-party libraries and user-space applications. In terms of security, the firmware implements a compartmentalization scheme for memory and privilege separation, but does not consider DMA operations.

If an attacker has access to any of the aforementioned defects, an attack would be devastating. For example, a confused deputy vulnerability can be used to leak sensitive data by abusing the DMA controller authority to read sensitive information (e.g., a password) from kernel space; a malicious task with rogue DMA usage can change the configuration and state of other peripherals such as the GPIO 222Particular acronyms used in this paper are summarized in appendix §-D. controlling the smartlock of a door without triggering any fault; finally having arbitrary read/write access to the DMA controller configuration can compromise the whole system because an attacker can read or write any memory area or peripheral regardless of existing MPU protections.

The assumptions of our threat model are reasonable because several proposed MPU-based compartmentalization schemes have ignored DMA security issues, or treat them as an orthogonal security problem. However, we claim that not considering DMA in an holistic way is insecure. This is because: first, firmware is a monolithic binary that includes all the software routines—DMA operations are not the exception; second, most of the modern MCUs populate and use a DMA controller or other DMA-capable peripheral; and third, DMA-capable peripherals can override MPU-based protections.

Iii Motivation

Embedded and IoT devices execute firmware and use an MCU as their central processing unit. MCUs are low-power, resource-constrained computing units that integrate a core processor, RAM, flash, and multiple peripherals in a single SoC (System on a Chip).

Besides particular MCU hardware and firmware characteristics, embedded devices require compartmentalization methods that cope with specific real-time and low power requirements. In this context, the DMA is a predominant communication method that supports high-performance and reduced power consumption for real-world IoT and embedded applications.

Fig. 1: Architecture of an MCU-based smart watch. 1⃝ Slow MMIO-based data flows, 2⃝ Real-time and high-throughput DMA-based data flows.

Consider the smartwatch of Figure 1. DMA is utilized in high-throughput data flow such as the gyroscope, accelerometer, screen LCD, and Bluetooth (2⃝ in Figure 1). Without DMA, these data flows cannot assure the user experience or functionality (e.g., smooth screen transitions or timing data acquisition for the smartwatch pedometer). Also, the DMA controller can efficiently move data between RAM and peripherals while the core processor is in power-saving mode.

Notice that the MPU arbiters every data flow between the core processor and the MCU resources (1⃝ in Figure 1). This interposition assures that the core processor accesses only the MCU resources granted by the MPU through MMIO (Memory-Mapped I/O) operations. On the other hand, the DMA controller directly accesses peripherals and buffers in RAM (2⃝ in Figure 1).

In this scenario, the DMA controller can write and read any memory location of the MCU without restriction. This capacity has profound security implications. For example, a bug in the code that manages the DMA controller can wrongly command it to write beyond the limits of the designated buffers, thus corrupting heart-beat, distance or other critical information that the smart watch user may rely on.

Iv Background

In this section, we introduce essential concepts to make it easier to comprehend the software and hardware characteristics of compartmentalization solutions for MCUs and the challenges related to DMA. We selected the ARM ARMv7-M [42] as our reference architecture because of its wide adoption and popularity in IoT and embedded applications. Besides this particularity, the concepts are generally applicable to other embedded architectures.

Iv-a The system address map of the Cortex-M

The ARMv7-M supports a single 32-bit address space. This address space is divided into eight 0.5 GB primary partitions: code (flash), SRAM (on-chip RAM), peripherals, two RAM regions, two device regions, and System [42].

The ARMv7-M architecture assigns physical addresses for event entry points (vectors), system control and configuration. The firmware uses these physical addresses to access the entire memory space through Memory-mapped I/O (MMIO) or DMA methods. Vendors (i.e., licensees) of ARMv7-M based devices define SRAM, code and peripheral partitions according to specific characteristics of the MCU.

Iv-B The Memory Protection Unit

The MPU is an optional component of the ARMv7-M architecture that implements a scheme to protect and divide the MCU system address space into different regions. The MPU does not perform address translation to support virtual memory schemes such as the MMU of full-fledged computers. The MPU protection scheme enables the ARMv7-M Protected Memory System Architecture (PMSAv7) that defines a model of privileged and unprivileged software execution [42].

MPU regions are restricted in terms of number, size, and alignment. Usually, the MPU is configured with eight regions, with very few exceptions on high-end MCUs that support 16 regions [47]. The size of a region must be a power of 2, with a minimum size of 32 bytes. Each region must be aligned naturally according to its size (e.g., a 64 bytes long region must start at an address that is a multiple of 64). If regions overlap, the MPU uses the privileges of the region with the higher number to enforce the access permissions (i.e., higher region numbers have higher priority). Additionally, there is a background region (number -1) that, when activated, provides access to the primary partitions of the memory map, but from privileged software only.

Iv-C The DMA controller operation

The DMA controller is an on-chip peripheral with master capabilities optimized to move data from a source to a destination. As a master, the DMA controller can communicate with slaves (peripherals, RAM and flash) without intervention of the core processor, and without interposition of the MPU.

Fig. 2: The 3-step DMA life-cycle including operations that are visible to the core processor and DMA controller domains. Security critical operations occur in Steps 1 and 3—Adapted from [43].

The DMA controller generally operates following a 3-step dynamic life-cycle as depicted in Figure 2. First, the firmware configures a transfer descriptor that defines the source, destination, and transfer size. The core processor stores the transfer descriptors in registers mapped into the DMA controller or RAM. Second, a trigger issued by software or hardware signals the DMA controller to start the data transfer from the source to the destination according to the transfer descriptor. Third, after the transfer finishes, the DMA controller signals the core processor through an interrupt, and invalidates or reloads the transfer descriptor.

The DMA controller requires addressing routines to work with on-chip peripherals implementing communication buses (e.g., SPI and I2C). The communication bus peripherals allow the core processor to communicate with multiple off-chip peripherals (e.g., giroscope, accelerometer, LCD, and Bluetooth connected through SPI in Figure 1). In a communication bus, the DMA controller is not aware of the specific off-chip peripheral that is part of a particular DMA transfer. Therefore, the firmware must select the specific off-chip peripheral as part of the configuration (i.e., Step 1) of the DMA life-cycle. A similar issue is observed in peripherals working as a multiplexer or proxy. For example, the ADC multiplexes various analog input channels and requires selecting a particular channel, or define a sequence of scanned channels before operating with DMA transfers.

Iv-D Open challenges

Besides the compartmentalization efforts to improve the security of embedded applications, there are still challenges that have not been addressed, specifically those related to DMA, and we summarize them below:

Iv-D1 Uncertainty on protections

Current compartmentalization solutions either overexpose regions merging physically adjacent resources, or potentially break functionality due to static analysis imprecision. Both issues are more concerning for DMA operations because they are intrinsically dynamic and executed out of the core processor context. These characteristics preclude the usage of static analysis because there is a semantic gap—due to hardware diversity—between what is dynamically configured in a transfer descriptor and what the DMA controller performs by itself upon that configuration.

Iv-D2 Lack of holistic security solutions

Most of the MPU-based security solutions ignore DMA operations or consider them an orthogonal issue [60]. However, a practical solution must protect and leverage DMA operations to maintain a balance among security, performance and power consumption.

Iv-D3 Hardware availability and diversity

Many compartmentalization efforts rely on specific hardware that is not broadly available. For example, the Platform Secure Architecture (PSA) [13], promoted by ARM, relies on the ARMv8-M TrustZone and a new MPU programming model. Unfortunately, the ARMv8-M architecture is scarce in commercial MCUs. Also, DMA controllers are diverse and implement different programming models precluding generalizations and automation.

Iv-D4 Impractical security policy definition

Current compartmentalization solutions require complex security policy definitions that are not practical, and add a burden to developers. For example, defining the security policy for [20] requires developers to define and optimize security properties in a graph traversal algorithm. Therefore, extending this type of solutions to support DMA is not trivial, and will make the policy definition even more complex.

Iv-D5 Backward compatibility and refactoring

Current solutions require heavy refactoring or compiler-based procedures that can break compatibility with legacy applications. Also, compiler-based solutions can modify the memory layout of the generated firmware binary, which makes validating and defining the boundaries of DMA operations challenging.

V System Design

Fig. 3: D-Box components including a reference architecture and a workflow to enable DMA operations protecting the steps one (Configuration) and three (Signals) of the DMA life-cycle.

D-Box is a systematic approach to enable DMA operations on compartmentalization solutions of embedded applications. Our approach includes a reference architecture built on top of F-MPU, and a workflow (Figure 3) to enable secure DMA operations. It addresses the challenges mentioned earlier with the following goals:

  • Explicit protections: D-Box should define explicit resources to maintain application functionality and avoid uncertainty.

  • Holistic DMA support: D-Box should support DMA operations as an intrinsic characteristic of the compartmentalization schema.

  • Power and performance: D-Box should respect the power, performance and timing constraints required by embedded and real-time applications.

  • Compatibility: D-Box should rely exclusively on commonly-available hardware of MCUs, and it should consider its limitations and diversity.

  • Applicability: D-Box should be pragmatic in terms of security policy definition and usage.

  • Backward support: D-Box should be amenable with legacy applications requiring little or no engineering effort to support them.

V-a D-Box reference architecture

D-Box defines a task as the unit of compartmentalization. A task is a natural partitioning scheme that the developer explicitly defines with the required resources and capabilities (1⃝ and 1⃝’ in Figure 4 ) to implement specific functionality. D-Box uses the security policy (2⃝ in Figure 4 ) to securely override the MPU protections through a trusted DMA task (3⃝ in Figure 4) that configures the DMA controller upon a request. D-Box enforces a role separation, assuring that no single task has enough privileges to configure the DMA controller and control the data of a DMA transfer simultaneously. This means that the DMA task can control from where the DMA controller reads or writes, while the user tasks (Task 1 and Task 2 in Figure 4) control what to read or write within their compartmentalized resources.

Our proposed architecture separates the kernel and the DMA task (i.e., they run on different threads) because of two design considerations: first, it maintains the microkernel architecture of F-MPU with its intrinsic compartmentalization; and second, it makes the solution more generic and extensible by developers. The second reason is essential because the DMA task must implement the drivers for a particular DMA controller, which is not generic. Also, implementing the DMA task functionality directly in the kernel will require low-level development knowledge and precludes the mitigation of the security risk associated with a larger trusted computing base (TCB). We will extend our discussion of the TCB in §VIII.

The downside of this separation is a small overhead due to the extra SVC (SuperVisor Call) to communicate the DMA task and the kernel. Regardless of privilege level, the SVC is mandatory to keep a thread-safe intercommunication through FreeRTOS primitives. Nevertheless, we demonstrate in §VII that the overall performance of our solution is adequate for embedded applications.

Fig. 4: D-Box reference architecture including a software and hardware perspective. “M” and “S” denote master and slave interfaces of the Cortex-M respectively. (*) denotes user-defined regions mapped to MCU resources.

V-B D-Box MPU region definition

D-Box uses the F-MPU explicit definition of MPU regions to avoid the inaccuracy and incompleteness of static and dynamic analysis used by other solutions. The explicit definitions provide certainty about the resources and permissions that tasks access during execution time. This characteristic maintains task’s functionality, assures that the DMA controller configuration is not inadvertently exposed, and provides the means to define a deterministic security policy.

The standard F-MPU MPU region definitions are too permissive. D-Box redefines these regions, as depicted in Figure 5, to implement a stricter compartmentalization scheme that is compatible with DMA operations. The new MPU region definitions and its security properties are as follow:

V-B1 Background region (-1)

This region assures that unprivileged code has no access to any MCU region by default. Specifically, this region protects any DMA-capable peripheral that might be exposed by the former region number 3.

V-B2 Syscalls region (0)

This region grants unprivileged code access to valid syscalls entry points (i.e., SVC in Figure 4). The kernel uses it to avoid task code from asking elevation of privileges from arbitrary code locations—a common symptom of a control flow hijacking attack. This region is similar to the former region number 0 but does not include the task code.

V-B3 Task code region (1)

This region isolates the task code and reduces gadgets for code-reuse attacks. It avoids an attacker controlling a task to reuse artifacts that could diverge DMA operations identified on other task codes. Using this region might require considerable refactoring. Developers will need to allocate all code and constants accessed during execution under a single MPU region. However, this is optional, and developers can define region 1 as the former region 0 to maintain backward compatibility and reduce engineering effort, as per our design goals.

V-B4 Task stack region (2)

This region is not executable to avoid code injection attacks. It also isolates the stack of a task from other memory areas. It detects and prevents out-of-bounds read or write operations. This protection restricts attacks or crashes within the boundaries of a single task. The functionality and properties are similar to the former region 4. Also, this region delineates a valid source or destination for DMA operations.

V-B5 User-defined regions (3), (4), (5)

These regions allow developers to grant or deny task access to peripheral, RAM, and flash similar to the former regions 5, 6, and 7. D-Box’s new region numbering schema prevents user-defined regions from overriding kernel code and memory regions because of higher region number precedence. Simultaneously, the user-defined regions can override the task code, stack, and syscalls regions to deny access to specific sub-regions. For example, a task can initialize variables in the stack or access syscalls only during initialization, and later, use the user-defined regions to grant read-only permission to initialized variables and block access to syscalls—this is a characteristic already supported by F-MPU. Similar to the stack region, user-defined regions delineate valid source and destination locations for DMA operations.

V-B6 Kernel Code, and stack and heap regions (6, and 7)

These regions protect kernel code and memory from unprivileged access. The kernel’s higher region numbers avoid lower-numbered regions to override critical sections—an evident defect in the former schema. The higher region numbers allow keeping immutable task identification data in kernel space to support a capability validation schema of DMA operations that we discuss in §V-E.

Fig. 5: MPU region definitions for F-MPU and D-Box. Execution levels: (P)rivileged, and (U)nprivileged. Permissions: (R)ead, (W)rite, and Execute Never(XN). The highest region number takes priority when regions overlap.

V-C DMA controller reconnaissance

D-Box includes as part of its design a manual reconnaissance phase of the DMA controller to determine its programming model, number of DMA channels, and critical areas where the main core stores the DMA controller configuration. The location is specific to each MCU and might include RAM and peripheral MMIO areas.

The reason to include this phase is the diversity of MCU hardware—an issue largely described by the re-hosting research community [26, 43]. This diversity precludes the use of compiler-based compartmentalization solutions, or secure programming languages that simply fall short without a manual analysis of the MCU hardware. Moreover, the DMA controller is not the only DMA capable peripheral. Modern MCUs populate other peripherals that support DMA by themselves, for example, 2D graphic accelerators [46], USB, and CAN bus controllers. All of these peripherals require reconnaissance to keep the properties of the compartmentalization solution.

V-D Kernel hardening to support DMA operations

D-Box defines DMA protection rules (extensions) that the kernel must enforce during the creation of tasks, and the allocation of memory for the transfer descriptors of the DMA controller. These rules cannot be implemented in the MPU because the kernel re-configures the MPU on each context switch replacing the configuration used by the last task with the configuration of the currently scheduled task. The general protection rules are as follows:

  • User-defined regions cannot be mapped to the DMA controller slave interface because it is used for configuration.

  • Transfer descriptors must be protected either by the previous rule or by keeping these data structures in kernel space.

  • The configuration of the DMA controller is only performed by the trusted DMA task upon a request and a policy verification.

  • The DMA task cannot access the stack of other tasks or user-defined regions.

  • The user-defined regions cannot be mapped to other task stacks.

The last two rules complement the D-Box MPU region definitions to avoid user-defined regions from exposing the stack of other tasks.

V-E DMA policy definition

D-Box defines a capability-based security model [31] for DMA operations. A capability is an immutable reference to an object (RAM, peripherals, or flash) associated with access rights (i.e., read, and write). The possession of a capability grants the owner (i.e., a task) the defined right to interact with the object.

We selected the capability-based model because it can mitigate confused deputy vulnerabilities by design [49]—a known limitation of ACL-based security models. This type of vulnerabilities are difficult to mitigate for current compartmentalization solutions [20] because of the uncertainty of resources exposed to each compartment. However, D-Box uses explicit definition of resources which supports a capability-based policy for DMA operations on peripherals.

D-Box defines DMA capabilities as a combination of an on-chip peripheral (i.e., the object) and Extensible Access Rights (EAR). The EAR includes the standard read and write permissions, and optional parameters to support the addressing schema to select off-chip peripherals, as we described in §IV-C.

D-Box enforces the DMA policy by verifying the source and destination for read or write operations. For a write operation, D-Box verifies that the source (always a buffer) is contained in the task stack or in any user-defined region, and that the destination (always a peripheral) is defined in the capability with the corresponding permission (i.e., write). Similarly, for a read operation, D-Box verifies that the destination (always a buffer) is contained in the task stack or any user-defined region, and that the source (always a peripheral) is defined in the capability with the corresponding permission (i.e., read). For FullDuplex operations, D-Box combines the verification of read and write operations simultaneously.

Notice that a capability does not explicitly define memory ranges because D-Box uses the—already explicit—task MPU configurations of the stack and user-defined regions for this purpose. This characteristic assures that the task has read or write access to peripherals through DMA, and that the memory buffers associated with the DMA operations are also accessible to the task with proper permissions granted by the MPU. Additionally, the DMA capabilities do not require MPU region re-definition to access the associated peripheral because the DMA controller can override the MPU protections. This property allows the definition of an extensive security policy with more flexibility that is aware of, but not limited by the number of available MPU regions.

V-F Signal and exception handling

D-Box handles the signals when a DMA transfer finishes, and the events when a security violations is detected.

V-F1 Signal registration and notification

D-Box defines an automatic method to register a task for signals or notifications derived from the DMA controller interrupts (i.e., step 3 of the DMA life-cycle). The registration occurs after the verification of the security policy for a DMA request. Since the capability-based policy provides certainty about the requester (i.e., a task), D-Box registers the task exclusively to receive a notification when a particular DMA transfer finishes. The notification mechanism manages the Interrupt Service Routine (ISR) of the DMA controller with a minimum code base running in privileged mode. After managing the interrupt, D-Box mechanism notifies the task using the SVC API and drops its privileges. The number of concurrently-registered tasks to receive notifications depends on the number of DMA channels supported by the DMA controller. Technically speaking, each DMA channel serves a single request associated with a unique task. D-Box assures proper resource management according to the characteristics of the DMA controller that were obtained by the reconnaissance phase.

Since FreeRTOS-MPU does not provide any specific interrupt management system, developers can implement notification mechanisms similar to D-Box for other system interrupts. The primary consideration is that the core processor always executes the ISR in privileged level. Therefore, the ISR has to be trusted and its execution deprived of privileges before returning control to the tasks.

V-F2 Exception handling

D-Box exception handling contains faulty operations in the boundaries of a task without affecting other task operations. D-Box considers three types of exceptions: faulty DMA requests, overlapped user-defined regions on stack or DMA controller, and MPU region violations. Only the MPU region violation will trigger a hardware exception—the other two are managed entirely in software.

The first type of exception occurs during the validation of the DMA request parameters. If the request violates the security policy, D-Box rejects the request and notifies the requester. The requester task should implement a method to handle the rejection notification, and continue its execution. The second type of exception can occur during initialization/creation of a task, or during its execution when a task requests to redefine the MPU regions. If the task is already running, D-Box ignores the request to redefine the MPU regions, returns an error message, and lets the task continue its execution. If the task is not running, D-Box voids the initialization/creation of the task and clears it from the scheduler. The third type of exception occurs because of mismatches or permission violations of the MPU regions. D-Box considers this type of exception severe. Hence, it will stop the offending task, and remove it from the scheduler, keeping the rest of task running.

Vi Implementation

We implemented a D-Box prototype for the official Cortex-M3/M4 port of FreeRTOS version 10.4.1. Our implementation is divided into kernel hardening and extensions, and a privileged task that manages the DMA transfers to override the MPU protections according to the security policy of D-Box.

In this section, we refer to the core FreeRTOS kernel and the port layer for the Cortex-M as the “kernel” code. Also, we refer to the MCU vendor-specific code as the “drivers”. Our prototype targets the popular STM32 MCU family of ST Microelectronics for the vendor-specific sections. However, the kernel changes, API, and functions are vendor-agnostic, and compatible with any Cortex-M3/M4 MCU.

Our complete prototype includes three lines of assembly language (for the highly-optimized context switch routine), 1200 lines of C code for the DMA task, drivers and ISR, and 220 lines of C code for the kernel modifications.

Vi-a Kernel hardening and extensions

We modified the F-MPU kernel to support an extra predefined MPU region per task according to region number 1 in Figure 5. With this modification, each execution of the context switch routine configures the MPU to grant access to the task stack, task code, and the three user-defined regions. The regions for the kernel data, kernel code and syscalls are configured once, and maintained during the entire firmware execution.

We extended the structure of the Cortex-M Thread Control Block (TCB) to store a pointer to an array of capabilities for the security policy. This array is a structure passed as a parameter during the initialization of the tasks. Every capability entry in the array contains a peripheral ID (i.e., the physical address of peripheral), a bit field for granted rights flags (e.g., Read, Write, FullDuplex), and an option field for the off-chip addressing schema, which is peripheral-specific.

1static const PeripheralPermission_t xPermission[portTOTAL_NUM_PERMISSIONS] =
2{
3  {(uint32_t *)SPI1,  (eRead | eWrite | eFullDuplex), SS_FRAM_ },
4  {(uint32_t *)I2C2,  (eRead | eWrite | eFullDuplex), 0x08     },
5  {(uint32_t *)ADC1,  (eRead),(ADC_CHANNEL_0 | ADC_CHANNEL_4)  }
6};
Listing 1: Capabilities defined in C code structures

We used simple C language structures to define the capabilities because F-MPU uses similar structures for the user-defined MPU regions. Hence, developers are familiar with them. Also, this scheme saves memory resources without requiring a parsing routine for more sophisticated formats (e.g., json) that would increase the footprint of the solution.

We defined all the kernel changes and extensions with pre-processor C directives to allow the activation or deactivation of D-Box in the original FreeRTOS configuration file. Our changes are also backward compatible with applications developed for the standard F-MPU. For example, developers can choose to use exclusively the user-defined regions to access peripherals and the required memory areas according to the restrictions implemented in the kernel.

Fig. 6: D-Box implementation including the data flows, the independent channel created by the DMA controller, and the notification mechanism.

Vi-B The DMA task and data flow

The DMA task (2⃝ in Figure 6) is a trusted privileged task that manages DMA requests from other tasks (1⃝ in Figure 6). The main functions of the DMA task include the validation of the DMA request, the configuration of peripherals including the DMA controller, and the registration of the requesting task for the notifications. The ISR handles the interrupts from the DMA controller and other peripherals (3⃝ and 4⃝ in Figure 6) and delivers the notification to the requesting task.

The DMA task and the ISR use exclusively standard FreeRTOS primitives (i.e., queues, and notifications for Inter-Process Communication (IPC) through the FreeRTOS SVC interface). This implementation decision assures two properties: First, the IPC is thread-safe. Second, developers can extend D-Box with more peripheral drivers and functionalities without the knowledge of low-level kernel development.

Vii Evaluation

We evaluated D-Box to answer the following questions:

  1. What is the attack surface of an application that supports DMA through D-Box procedures? How does our solution compare to F-MPU and other similar solutions?

  2. What is the impact of D-Box in terms of performance, memory usage, and power consumption for embedded applications?

  3. What are the security and operational benefits of D-Box for real-world embedded applications?

To answer Question 1), we performed a qualitative and quantitative security analysis of D-Box in §VII-A. For Question 2), we conducted performance, memory, and power analyses in §VII-B, §VII-D, and §VII-C , respectively. Finally, we answer Question 3) and present in §VII-E an end-to-end case study that reveals a DMA-enabled compartmentalization solution with negligible overhead and reduced power requirements for real-world applications.

Besides the specificities of each subsection, the common characteristics of our setup environment are as follows:

  • Development board: ST NUCLEO-L152RE.

  • MCU: STM32L152RE Cortex-M3@32Mhz, 512kB flash, 80kB RAM, 154kB peripheral MMIO, 2 DMA controllers.

  • OS: FreeRTOS 10.4.1

  • MPU: 8 regions, 32 bytes minimum region size.

  • Peripheral operations: read and write operations on I2C, USART, SPI and ADC peripherals.

Vii-a Security analysis

Vii-A1 Security metrics

Based on the least-privilege design goal, well-known defense mechanisms, and the security framework BenchIoT [10], we defined the following quantitative and qualitative metrics to assess the security properties of D-Box:

  • Memory region ratio: is a metric that measures the effectiveness of the compartmentalization of MCU resources by computing the ratio of the size of memory areas exposed during a task’s execution slot to the total size of each memory area of the MCU (i.e., RAM), flash and peripherals. A lower ratio represents a better compartmentalization.

  • Number of ROP gadgets: this metric computes the number of code snippets exposed in flash for ROP (i.e., return oriented-programming) attacks during a task’s execution slot. A lower number of ROP gadgets reduces the attacker’s capability to hijack task execution, and perform arbitrary actions on the MCU.

  • Data execution prevention: is a security mechanism that enforces the WX principle. This mechanism precludes the execution of data (payloads) controlled by an attacker.

  • Code execution level segregation: is a security mechanism that differentiates and limits the access to system-critical resources.

  • Stack protection: is a security mechanism that detects and prevents operations outside the boundaries of the task stack. This mechanism prevents a faulty or compromised task from writing or reading beyond the limits of the task’s stack, but it does not detect stack corruption within the valid boundaries.

  • Extensible Access Rights (EAR): is a security mechanism that allows defining security policies for off-chip peripherals for DMA operations.

Vii-A2 Quantitative security analysis

In this section, we analyzed quantitatively the memory region ratio and the number of ROP gadgets for an unprivileged task (i.e., user task) running on F-MPU and D-Box. We considered the regions and subregions of flash, RAM and peripherals, and measured the standard and the worst-case scenarios for each tool. The standard scenario corresponds to a configuration that does not use any of the MPU user-defined regions, whereas the worst-case uses the MPU user-defined regions to expose all possible memory regions to the user task (i.e., maximum exposure).

For the analysis of the number of ROP gadgets, we further divided the flash region into syscalls, kernel, drivers, libc, DMA routines and the user task. To identify the ROP gadgets, we used Ropper [57]. To map the location of ROP gadgets with the code subregions, we used the reverse engineering tool Ghidra [50].

The result of our analysis (Table I) demonstrates that the standard configuration of D-Box can reduce the region ratio to 0% and 1% for standard peripherals and user space flash respectively, compared to F-MPU. Also, D-Box assures (either by MPU region number precedence, API filtering, or security policy) that the kernel, the DMA controller, and the DMA task’s stack are always protected as security critical regions. Conversely, the analysis result exposes a faulty design of the original F-MPU that allows exposing 100% of the kernel to unprivileged tasks through user-defined regions. It is worth noting that accessing system peripherals always requires privileged level of execution, even when the MPU is disabled or unavailable [42]. This is reflected in our results showing both solutions blocking the access to system peripherals regardless of the MPU user-defined regions.

F-MPU D-Box
Region Subregion Std. [%] W-C [%] Std. [%] W-C [%]
Flash Kernel 0 100 0 0
Syscalls 100 100 100 100
User space 100 100 1 100
RAM Kernel 0 100 0 0
User space 6.5 100 6.5 87
Peripherals Sys. periph. 0 0 0 0
Std. periph. 100 100 0 98.7
DMA controller yes yes no no
TABLE I: Memory region ratio for Standard (Std.) and worst-case (W-C) configurations of an unprivileged task running on F-MPU and D-Box. Lower values represent a better protection according to the least-privilege principle.

D-Box exposes only 2.4% (13) of the total number (541) of ROP gadgets for its standard configuration – i.e., 41 times less than F-MPU (Table II). The reason for this drastic difference is the absence of drivers in user space because D-Box accesses peripherals through the kernel primitives (syscalls) and the DMA task that has access to the drivers. Also, D-Box provides the MPU region number 1 to grant access only to the task’s code – which does not include libc – the highest contributor of ROP gadgets according to our analysis. However, we consider that libc is an standard resource used by tasks on real embedded applications. Adding libc to the standard D-Box configuration will expose 71,7% of ROP gadgets, which is still 24.4% less than F-MPU.

F-MPU D-Box
Location Avl. [#] Std. [#] W-C [#] Avl. [#] Std. [#] W-C [#]
Syscalls 7 7 7 7 7 7
Kernel 11 0 11 11 0 0
Drivers 142 142 142 142 0 142
Libc 365 365 365 365 0 365
DMA task n/a n/a n/a 10 0 10
User task 6 6 6 6 6 6
Total 531 520 (98%) 531 (100%) 541 13 (2.4%) 530 (98%)
TABLE II: Number of ROP gadgets available (Avl.) and exposed on specific sections of the flash for standard (Std.) and worst-case (W-C) scenarios. A lower number of gadgets represents a better protection and fewer chances of code-reuse attacks.

Vii-A3 Qualitative Security Analysis

D-Box inherits many security properties from F-MPU, and it adds distinctive protections to support DMA. As described in Table III, the DMA protection is also partially supported by TockOS and uVisor, whereas the capabilities with EAR for off-chip peripherals is only supported by D-Box.

Security feature uVisor TockOS EPOXY MINION ACES F-MPU D-Box
Code isolation o x o x x o xo
Data isolation x x o x x x x
Periph. isolation x xo o x x x x
DMA protection xo xo o o o o x
DEP xo x x x x x x
Exec. level seg. x x x x x x x
Stack protection x x x x x x x
Capability EAR o o o o o o x
x = Yes, o = NO, xo = partial/optional
TABLE III: Comparison of security features supported by D-Box and related tools.

D-Box keeps each task stack in an independent MPU region during its execution. This configuration detects and prevents buffer overflows that may affect surrounding memory areas, but it cannot prevent stack corruptions within the MPU region. The same consideration is maintained for the DMA operations. In this case, a wrong or malicious DMA transfer request can corrupt the stack of the requesting task or the user-defined regions, but D-Box’s immutable capability-based policy assures that the DMA transfer will only affect the requesting task resources. This characteristic, accompanied by the explicit declaration of resources, mitigates the firmware defects described in our threat model, even when the attacker controls the code of a task.

Finally, D-Box supports the protection of DMA with EAR for I2C, SPI and ADC peripherals. This characteristic extends the granularity of the security policy beyond the boundaries of on-chip peripherals, which is not supported by other solutions at all. D-Box does not overload the DMA operation. Rather, it simply enforces the security policy on mandatory configuration parameters that, otherwise, are written on the DMA controller, or managed by critical routines without a systematic verification.

Vii-B Performance analysis

In this section, we present micro and macro benchmarking used to measure D-Box’s overhead on kernel and common peripheral operations, respectively.

Vii-B1 Micro-benchmarking

This analysis shows the overhead of D-Box on specific kernel operations, including the context switch routine, task creation syscall, and DMA validation.

Setup: we measured the overhead introduced by D-Box using the Cortex-M’s cycle count register of the Data Watch Point and Trace Unit (DWT) [11]. We manually added instrumentation to obtain the number of cycles used in each operation. We took 10 samples and averaged the number of cycles for each operation.

Results: D-Box adds a reasonably low overhead to the context switch routine (i.e., 1.74% as described in Table IV) due to the extra MPU region (Task code in Figure 5) modified on each context switch. Also, the creation of tasks shows a linear overhead O(n) because of the validation of each task’s stack and user-defined regions against previously-created tasks, and the DMA controller regions. This validation occurs once during task creation, and does not affect the task at execution time. D-Box uses on average 657 cycles for the DMA transfer validation. This validation overhead differs between peripherals and operations because of the EAR support for off-chip peripherals. We observed the higher overhead on the I2C operations that need the addressing schema of EAR, and the lower overhead on USART operations that do not use this schema.

F-MPU D-Box Overhead
Parameter [# cycles] [# cycles] [%]
Context switch 287 292 1.74
Task creation 0 12730 13047 2.49
Task creation 1 12730 13332 4.73
Task creation 2 12730 13617 6.97
Task creation 3 12730 13902 9.21
DMA validation Min. n/a 569 n/a
DMA validation Avg. n/a 657 n/a
DMA validation Max. n/a 792 n/a
TABLE IV: D-Box micro-benchmarking for context switch, task creation and DMA transfer validation.

Vii-B2 Macro-benchmark of peripheral operations

Fig. 7: Performance overhead [%] of D-Box versus Interrupt (IT), Pooling (Pool) and Insecure DMA (DMA) methods for TX and RX operations ranging from 1 to 100 bytes length, or 1 to 100 samples for ADC. Figure shows a relatively high overhead for small transfer size and low or negative overhead for larger transfers.

To understand the overall effects of D-Box on peripheral operations, we measured and compared the overhead and the core processor usage when a task read (RX) or write (TX) data streams on peripherals using pooling, interrupts, and insecure DMA methods (i.e., we looked at the three possible methods used by firmware to communicate with peripherals).

Setup: for pooling, interrupt and insecure DMA methods, we configured F-MPU with user-defined regions granting access to the tested peripheral and the DMA controller. For D-Box, we configured it with a capability granting read or write privileges on the tested peripheral. We simulated diverse conditions by reading or writing data streams ranging from 1 to 100 bytes on USART, I2C, and SPI peripherals. In the case of ADC, we performed conversions ranging from 1 to 100 samples on different channels. For each data length/sample size, we collected the overhead 10 times and averaged the result. For I2C and SPI, we used an extra development board connected as a dummy slave to our tested device. For USART, we used our workstation connected to the development board through the ST-Link USART bridge.

We measured the overhead by counting the number of cycles using similar instrumentation as described in §VII-B1. To measure the core processor usage, we used more sophisticated instrumentation provided by Percepio Tracealyzer [56]. We also added a secondary communication channel between the MCU and our workstation through a USART and a USB-to-USART bridge. We used this channel for synchronization and collection of our experiments’ results.

Results: the performance overhead of D-Box is inversely proportional to the data length. In Figure 7, we observe that the overhead can be as high as 134% when transmitting a single byte through SPI (SPI TX), and, in the same operation, the overhead is below 10% and trending towards zero when transmitting 50 or more bytes. The reason for this behavior is the costly initialization of a DMA transfer. This initialization includes the policy verification and the DMA controller configuration per transfer (i.e., that the overhead is constant and added per transaction, and not per byte). In the case of ADC, D-Box presents a small positive overhead (4.71% on average) only when compared to the insecure DMA method. The reason for this behavior is the highly-DMA-optimized ADC peripheral populated on our tested MCU. Without DMA, the ADC operations suffer a considerable overhead for IT and Pool methods. The USART RX operation is also a particular case because our workstation’s jitter disguises the overhead of D-Box. The workstation’s timing is not comparable to a real-time device such as the used MCU. We include complete details of the maximum, average and minimum performance results in appendix §-C.

D-Box maintains the scheduler timing constraints adding only 2% of core processor usage compared to insecure DMA on average. Also, it reduces core processor usage by 35.9% and 33.7% compared to pooling and interrupt methods, respectively (Table V). The considerable reduction of core usage for both DMA methods is due to the DMA controller taking care of the data movements between peripheral and RAM on behalf of the core processor.

Operation D-BOX Pool IT DMA
[%] [%] [%] [%]
USART TX 13.5 68.5 -55.0 32.6 -19.1 12.4 1.1
USART RX 13.3 80.6 -67.3 13.5 -0.2 10.9 2.4
SPI TX 18.6 45.6 -27.0 49.8 -31.2 14.0 4.6
SPI RX 18.1 45.5 -27.4 65.2 -47.0 14.0 4.2
I2C TX 17.5 40.5 -22.9 52.8 -35.3 15.8 1.7
I2C RX 17.8 40.1 -22.3 54.7 -37.0 21.6 -3.8
ADC 20.3 49.9 -29.6 86.1 -65.8 16.6 3.7
Average 17.0 52.9 -35.9 50.7 -33.7 15.0 2.0
TABLE V: Core processor usage [%] for peripheral operations relative to the total core capacity. Lower values mean better management of tasks and guarantee of timing constraints. is the processor usage difference compared with D-Box.

Vii-C Power analysis

Setup: For this analysis, we used the same software setup of VII-B2, but without the instrumentation. We only kept the secondary USART channel for synchronization purposes. For each test, we modified the firmware to configure and provide power exclusively to the tested peripheral and the secondary USART channel, keeping the rest of the tested peripherals unpowered. We executed the Read/Write operations for USART, I2C, SPI, and ADC, ranging from 1 to 100 bytes/samples in a continuous loop while taking samples of current and voltage every 100 ms, totaling 1000 samples. To measure the current and voltage, we used the highly accurate power monitor INA226 [35] connected to our workstation through the USB-to-I2C bridge MCP2221A [44]. We configured the electrical connections of the INA226 and the development board to measure exclusively the current and voltage applied to the STM32L152RE MCU.

Operation D-BOX Pool IT DMA
[mW] [mW] [%] [mW] [%] [mW] [%]
USART TX 31.0 37.9 -18.3 38.1 -18.8 38.7 -19.9
USART RX 30.4 37.2 -18.3 37.6 -19.1 38.8 -21.6
SPI TX 31.1 35.8 -13.2 37.1 -16.3 37.5 -17.1
SPI RX 31.0 36.9 -15.9 37.1 -16.6 36.3 -14.8
I2C TX 31.5 37.9 -16.8 38.1 -17.3 38.1 -17.3
I2C RX 31.6 37.7 -16.2 38.1 -17.0 38.3 -17.4
ADC 31.8 36.2 -12.0 38.6 -17.4 39.4 -19.2
Average 31.2 37.1 -15.8 37.8 -17.5 38.1 -18.2
TABLE VI: Average power [mW] required for peripheral operations. [%] is the relative power usage difference compared with D-Box.

Results: D-Box reduces the power requirements on average 15.8%, 17.5%, and 18.2% compared to pooling, interrupt, and insecure DMA methods, respectively (Table VI). The result of insecure DMA seems counter-intuitive at first glance since it is expected to reduce power consumption compared to IT and Pool methods. However, we determined that the vendor’s DMA HAL (Hardware Abstraction Layer) used for insecure DMA is not power efficient. On the other hand, D-Box implementation uses the DMA driver directly and replaces the HAL with the DMA task of our design. Our lean implementation demonstrates that DMA can be secure, and significantly reduce power consumption—a highly desirable characteristic for embedded and IoT applications. We include a graphic representation of our results in appendix §-B.

Vii-D Memory overhead analysis

Setup: To analyze the D-Box memory overhead, we compared the firmware images of F-MPU and D-Box used in VII-C. We also break down the specific requirements of our prototype implementation. We compiled all images with no optimization (-O0) using the GNU Tools (release 7-2018-q2) included in the CubeIDE version 1.5.0.

Result: D-Box, on average, reduces the usage of flash and RAM by -0.12% and -0.07%, respectively (Table VII). This reduction is due to differences in vendors’ driver libraries. F-MPU uses a feature rich HAL library, whereas D-Box uses “low-level” drivers. Note that the RAM requirements are constant for both systems. This is because FreeRTOS reserves and manages its heap statically (i.e., D-Box’s RAM requirements are part of the already reserved heap observable by the compiler). Besides this FreeRTOS characteristic, Table VIII details mandatory and driver-independent memory requirements of our D-Box prototype implementation. Notice that D-Box RAM and flash requirements depend on the number of channels supported by the DMA controller and the number of policy’s capabilities, respectively. In our prototype, the security policy supports 3 capabilities that require 36 bytes in total (12 bytes per capability). In terms of RAM, the DMA request queue needs 320 bytes (32 byte per DMA channel).

RAM [kB] Flash [kB]
Peripheral F-MPU D-Box [%] F-MPU D-Box [%]
USART 40.61 40.58 -0.07 129.68 129.7 0.02
I2C 40.61 40.58 -0.07 128.66 128.98 0.25
SPI 40.61 40.58 -0.07 128.34 128.32 -0.02
ADC 40.61 40.58 -0.07 129.45 128.05 -1.08
Average 40.61 40.58 -0.07 129.03 128.88 -0.12
TABLE VII: D-Box RAM and flash overhead compared to F-MPU.
RAM [Bytes] Flash [Bytes]
Privileged Data 230
DMA request queue 320
System calls 916
DMA task 1024 1648
TCB capabilities 36
Total 1574 2600
TABLE VIII: D-Box RAM and flash requirements

Vii-E Case study: Securing a Programmable Logic Controller

In this section, we present a representative case study that demonstrates how D-Box can improve the security, performance and power consumption in a real-world scenario.

Vii-E1 Programmable Logic Controllers

PLCs are embedded, ruggedized computers used in industrial environments to control critical processes. These devices operate continuously, assuring availability, reliability and performance. Due to PLC’s relationship with critical infrastructure, these devices have been the targets of numerous cybersecurity attacks; usually, resulting in devastating damages [24, 25, 34, 19].

The PLC analyzed in this case study is the Wecom LX3VM 2424M [6]. This PLC has been used in water supply facilities [7], poultry processing plants [5], refrigeration applications [4], and small machines as we describe next.

Vii-E2 Firmware characteristics

The firmware used in this section contains open source libraries and a subset of proprietary code that we acquired from an industrial connection. We adapted the code to run on our development board instead of the original PLC to facilitate metrics evaluation. Nevertheless, the PLC and our development board integrate similar MCUs from ST Microelectronics.

The PLC firmware uses FreeRTOS to implement a motor control system for an automatic molding injection machine—this is an in-house development that replaced the original firmware provided by the PLC vendor. This firmware scans inputs from a rotary encoder (speed feedback), thermocouple conditioner (temperature), and push buttons (local activation). It then executes a PID (Proportional-Integral-Derivative) control loop, and updates the output using PWM (Pulse-Width Modulation) to activate the motor drive (2⃝ in Figure 8). The firmware also integrates the Modbus RTU protocol for remote communication with an SCADA (Supervisory Control And Data Acquisition) system (1⃝ in Figure 8). The PLC has a 10 ms scan cycle (i.e., scanning inputs, executing control logic, and updating outputs must occur every 10 ms).

Vii-E3 Threat analysis

The original firmware is insecure because it does not enforce the least privilege principle. The tasks have access to all data, code and peripherals. There is no distinction between kernel and user space. A bug or a backdoor in the Modbus protocol, for example, can be exploited remotely by an attacker (3⃝ in Figure 8) to hijack the PLC operation and perform malicious actions, causing destruction of facilities, economic loss, or even personal injury.

Vii-E4 Solution

We compartmentalized the PLC firmware by porting it to D-Box using two unprivileged tasks, and with minimal engineering effort. First, we modified the Modbus protocol to run in an unprivileged task using two user-defined regions and a single DMA capability granting read and write rights on USART. The user-defined regions contain the Modbus protocol handlers, and a shared region between the PLC task and the Modbus task. Second, we modified the PLC scan cycle to run in an unprivileged task using three user-defined regions, a DMA capability and an ISR. The first user-defined region is the shared region with the Modbus task. In this region, the PLC task safely exposes data to the Modbus protocol. The second and the third user-defined regions grant access to the Timer 1 and GPIO peripherals, respectively. The DMA capability with EAR grants read access to the off-chip thermocouple conditioner connected through SPI using DMA.

Vii-E5 Evaluation and analysis

We tested the PLC firmware in our development board connected to our workstation, simulating the SCADA system with a Modbus client. The SCADA system sets the PID control loop parameters and the motor speed on the PLC (development board). Then, the SCADA system continuously monitors the speed and temperature of the motor through the Modbus protocol. We collected security, performance, and energy metrics using similar procedures as described in §VII-B and §VII-C.

D-Box improves the PLC security properties, maintains the real-time constraint, and reduces the power and CPU usage as detailed in Table IX. Remote attacks exploiting vulnerabilities in Modbus are contained and will only affect the Modbus task. The compartmentalization will keep the critical PLC task working even when an attacker takes control of the Modbus task and misuses its DMA capability. This case study demonstrates that by securely using the DMA controller, is possible to protect MCU resources while maintaining or improving the performance and power requirements of a practical embedded application.

FreeRTOS D-Box
Flash ratio [%] 100 52 -48.00
RAM ratio [%] 100 25.20 -74.80
Peripheral ratio [%] 100 0.32 -99.68
ROP gadgets [#] 0 0 0
Avg. Scan cycle [mS] 9.99 10 0.01
Avg. power [mW] 41.38 34.94 -15.56
CPU usage [%] 16.79 12.96 -3.83
TABLE IX: Evaluation of PLC firmware implementing D-Box compartmentalization. Lower ratio and ROP represents a better protection. calculated as absolute difference for percentages, and as relative difference for other units.
Fig. 8: Compartmentalization of a PLC-Based motor control system. 1⃝ Modbus protocol for SCADA monitoring, 2⃝ Push buttons, thermocouple, motor drive and encoder connected to on-chip peripherals, 3⃝ Attacker abusing the Modbus protocol.

Viii Discussion

Viii-a The capability-based security model properties and its limitations

The capability-based security model assures two properties: 1) the deputy (DMA task) has no rights to the resources that are affected by a DMA transfer, and 2) it guarantees that a task cannot request DMA operations on a resource without proper rights.

Since the resource and its rights are inseparable, immutable and owned by an identifiable task, it is possible to avoid confused deputy problems that can affect DMA operations by design. However, it is still possible to write insecure applications canceling any of the properties of the capability-based model. For example, if two mutually independent functionalities with different security profiles are structured as a single task, there is no way for the DMA task to discriminate the “correct” rights on resources. Clearly, this example is an obvious design error. At the same time, it is common to find these insecure implementation patterns affecting more than just the DMA operations.

Viii-B D-Box trusted computing base

D-Box TCB includes the kernel, the DMA task (drivers and addressing routines) running at the privileged level. This characteristic requires special care because of the associated risk with a relatively large code base.

D-Box’s separation of the DMA task and kernel supports running the DMA task in unprivileged mode by design, thus mitigating its associated risk. However, running the drivers in unprivileged mode, with only three MPU user-defined regions, requires considerable engineering effort and would make the solution vendor-specific. Regardless of the engineering effort, developers should consider running the DMA task in unprivileged level when the risk profile of the embedded application requires the highest protection.

Viii-C The ARMv8-M security extensions

The ARMv8-M includes hardware support to mitigate many of the issues related to multimaster environments, including DMA. Notably, this architecture provides a bus-level security feature that can verify and propagate the permissions for each bus operation. In this case, the properties of memory regions are enforced system-wide and not exclusively on a specific master interface [8]. In addition, ARMv8-M provides the newly added ”Test Target” (TT) instruction. This instruction accelerates the verification of security access permissions of memory ranges, which is essential to validate DMA operations.

The new system-level security accompanied by TrustZone and a more flexible MPU of the ARMv8-M bring tremendous security improvements as well as performance for low-end devices. Especially when compared to software-based solutions like D-Box. Nevertheless, the design considerations of D-Box are still helpful to implement secure firmware architectures that take advantage of the new hardware security features.

Viii-D Compatibility of D-Box with other solutions

D-Box procedures can be applied to other compartmentalization solutions that define the same compartmentalization unit (granularity) and implement RTOS designs. For example, MINION [36] defines its memory view at a thread level, and it is built on top of NuttX RTOS. On the other hand, solutions such as ACES [20] are not directly compatible (i.e., ACES defines compartments at a function level for firmware implementing baremetal designs). This last design makes it very challenging to validate sources and destinations for DMA operations because the compartment views are the result of an algorithm that does not capture the semantics of operations occurring on a different master (i.e., the DMA controller).

Ix Related Work

Our work intersects DMA protection and resource compartmentalization in embedded devices.

Ix-a DMA protection

Existing works ignore or are limited in supporting secure DMA transfers in embedded devices. EPOXY [21] does not consider DMA as a security-sensitive operation, and its method automatically elevates privileges when accessing a peripheral like the DMA controller. TockOS [40] and uVisor [12] acknowledge the security-critical behavior of the DMA controller, but provide only partial support for secure DMA transfers. TockOS uses the MPU to enforce memory access, and leverages Rust safe types to protect the DMA controller. However, TockOS does not consider the DMA descriptors stored in RAM, which conversely, D-Box protects as security critical structures. uVisor [12] recommends enforced access to the DMA controller through SVC-based APIs, but this reference design is deprecated. Trusted Firmware-M [63] works in a similar fashion and targets exclusively TrustZone-enabled devices (ArmV8-M) or dual-core enabled devices. D-Box targets ArmV7-M devices and considers multimaster environments.

To protect DMA as a general master I/O device, Haglund et. al presented a mechanism [29] based on a runtime monitor to isolate I/O devices from accessing sensitive memory regions. Haglund’s work is limited to NIC operations over DMA. In the context of general purpose computers, several works [64, 68, 67, 65] presented security policies and protection strategies on secure access of master I/O devices. Compared to D-Box, these works do not consider the hardware availability and constraints of embedded devices. Prior work has also considered DMA implications in the security of remote attestation [51], the integrity of software execution [52], and undetectable firmware modifications through DMA abuse [53]. These works require small hardware modifications, but, similarly to D-Box, they expose the need to systematically protect DMA to guarantee the operation and security of deeply embedded devices.

Ix-B Compartmentalization

Ix-B1 Software-based memory compartmentalization

Existing works [21, 20, 30] leverage embedded compilers to create two or more isolated execution environments. EPOXY [21] overlays the MPU to enforce different permissions and execution levels. It creates two distinct domains based on the execution levels. However, EPOXY requires manual annotations and the execution levels cannot be statically identified. ACES [20] creates an instrumented binary to enforce runtime compartmentalization. Similar to D-Box, ACES also takes a developer-specified policy. However, ACES requires a complex graph traversal algorithm for policy definition. In contrast, Hardin et al. [30] leveraged compiler-inserted code to achieve runtime bound-checking. This technique is based on AmuletOS [32], and it can reduce runtime overhead in dynamic checking. However, it still depends on language features and clear OS rules. NesCheck [48] provides compartmentalization by extending the existing TinyOS compiler toolchain [23] with LLVM-based passes, and focuses on runtime checks on nesC programs. Compared with D-Box, compiler-based compartmentalization may involve imprecise analysis to form compartments and cumbersome policy definitions. D-Box makes it easy to define static policies by developers.

Without leveraging compilers, TockOS [40] divides the kernel into a trusted core for critical tasks, and a non-trusted capsule for peripheral drivers and non-system-critical tasks. MINION [36]

constructs a per-process memory view by an offline clustering analysis on the system firmware. MINION is similar to D-Box in using a thread/task as the unit of compartmentalization. However, MINION is inaccurate in approximating the resources required for each thread. MINION’s inaccuracy can lead to unexpected crashes in production environments, whereas D-Box explicit resource definitions assure application functionality and security.

In addition to MPU-assisted compartmentalization, the uXOM [38] uses unprivileged memory instructions to enable efficient execute-only-memory protections on ARM Cortex-M devices. Mate [39] isolates applications through virtualizing the single memory space. SANCTUARY [16] leverages ARM TrustZone Address-Space Controller to enforce hardware-level isolation. These solutions rely on specific hardware, or provide orthogonal protections that can be integrated in a compartmentalization solution where D-Box is implemented. In the context of general purpose computers, existing works [18, 33] provide programming primitives to divide and control accesses to the memory. Shreds [18] isolates fine-grained program segments from others in the same process. It uses the compiler toolchain and the OS module to enable the segment execution. SMV [33] aims at per-thread access control, and divides the virtual memory into multiple domains, and enforces the least privilege principle. Compared to D-Box, these solutions will need to resolve the performance and hardware constraints before they can be applied to embedded devices.

Ix-B2 Hardware-assisted memory isolation

Existing works extend hardware to improve memory isolation. Strackx et. al [62] presented self-protecting modules (SPM) to isolate trusted subsystems sharing the same processor and memory space. They created three hardware instructions to manage the SPM, and provided a memory access control model for subsystems using the program counter. However, SPM must exclude protected memory locations that are accessed by DMA. Toubkal [59] enhances the MPU by adding a new hardware layer to create different access environments for different hardware components. Trustlite [37] presents an execution-aware MPU (EA-MPU) to execute trusted modules. It extends the MPU by providing a means to link code regions to data regions, and validate the address of the executing instruction. Trustlite can isolate data of each module from the other parts of the program. TyTan [17] also protects the memory with an EA-MPU. It isolates tasks with a secure IPC proxy task. Hardware-assisted implementations allow more flexible MPU configuration and better interrupt handling. However, these solutions usually target the generic memory compartmentalization problem, without considering developer-supplied policies nor the least privilege principle. The changes to the hardware are also not available on commercial devices. In contrast, D-Box only uses standard and broadly available hardware.

In the context of x86 CPUs, existing works [66] leveraged various mechanisms for memory compartmentalization and protection, including MMU, MPK, Intel management engine, and Intel SGX. For example, IMIX [27] provides a lightweight in-process memory compartmentalization. It extends the x86 ISA with a security-sensitive memory-access permission. Unlike D-Box, these solutions are not available on low-end hardware of embedded devices.

X Conclusion

In this paper, we presented D-Box, a systematic approach to enable secure DMA operations for compartmentalization solutions of embedded applications—a problem that has been largely ignored that we analyze and expose. D-Box defines a reference architecture and a workflow to holistically protect the DMA life-cycle. D-Box uses a capatibility-based security model to provide strong protections, and pragmatic methods to define a DMA policy compatible with MCU software and hardware constraints.

To evaluate a prototype of D-Box implemented on top of F-MPU, we performed qualitative and quantitative analyses of different benchmark programs. Our results show that D-Box provides secure DMA access while reducing the attack surface of F-MPU for all the 6 security metrics that we used. D-Box incurred a low overhead for kernel and peripheral operations while reducing the overall power requirements. By testing on a real-world PLC application, we further confirmed D-Box’s security improvement, low overhead, and reduced power consumption thanks to its support for secure DMA transfers, and a lean implementation. Lastly, we discuss D-Box’s limitations and its compatibility with existing security solutions.

Acknowledgment

The authors would like to thank the anonymous reviewers and our shepherd Ivan De Oliveira Nunes for their insightful comments. This project was supported by the National Science Foundation (Grants#: CNS-1748334, and CNS-2031390), and the Office of Naval Research (Grant#: N00014-18-1-2043). Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding agencies.

References

  • [1] Nuvoton M261/M262/M263 Series. https://www.nuvoton.com/products/microcontrollers/arm-cortex-m23-mcus/m261-m262-m263-series/.
  • [2] ST-MCU-FINDER - STM32 and STM8 product finder for mobile devices and desktops - STMicroelectronics. https://www.st.com/en/development-tools/st-mcu-finder.html.
  • [3] TockOS, Design. https://www.tockos.org/.
  • [4] Wecon Automatic Control Scheme of alarm system in Food Refrigeration Room. https://www.we-con.com.cn/en/solutions_t/201.html.
  • [5] Wecon Automatic Solution of the Slaughter Line Data Collection Management System. https://www.we-con.com.cn/en/solutions_t/221.html.
  • [6] Wecon LX3VM 2424M/3624M PLC. https://we-con.com.cn/en/product_page/186.html.
  • [7] Wecon Smart Water Supply. https://www.we-con.com.cn/en/solutions_t/41.html.
  • [8] High-End Security Features for Low-End Microcontrollers. Zenodo, March 2017.
  • [9] Tigist Abera, Raad Bahmani, Ferdinand Brasser, Ahmad Ibrahim, Ahmad-Reza Sadeghi, and Matthias Schunter. DIAT: Data Integrity Attestation for Resilient Collaboration of Autonomous Systems. In NDSS, 2019.
  • [10] N. Almakhdhub, A. A. Clements, M. Payer, and S. Bagchi. BenchIoT: A Security Benchmark for the Internet of Things. In 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 234–246, Los Alamitos, CA, USA, June 2019. IEEE Computer Society.
  • [11] ARM. Cortex-M4 Technical Reference Manual. https://developer.arm.com/documentation/ddi0439/b/Data-Watchpoint-and-Trace-Unit/DWT-Programmers-Model?lang=en.
  • [12] ARM. ARM MBED Uvisor. https://github.com/ARMmbed/uvisor, March 2021.
  • [13] ARM Limited. PSA Security Model 1.0. https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0079_PSA_SM_ALPHA-03_RC01.pdf, February 2020.
  • [14] Nitay Artenstein. BROADPWN: Remotely Compromising Android and IOS via a Bug in the Broadcom Wi-Fi Chipset. In Black Hat, page 31, July 2017.
  • [15] Gal Beniamini. Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices. https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html.
  • [16] Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. SANCTUARY: ARMing TrustZone with user-space enclaves. In NDSS, 2019.
  • [17] Franz Ferdinand Brasser, Brahim El Mahjoub, Ahmad-Reza Sadeghi, Christian Wachsmann, and Patrick Koeberl. TyTAN: Tiny trust anchor for tiny devices. In Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, June 7-11, 2015, pages 34:1–34:6. ACM, 2015.
  • [18] Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, and Long Lu. Shreds: Fine-Grained Execution Units with Private Memory. In 2016 IEEE Symposium on Security and Privacy (SP), pages 56–71, May 2016.
  • [19] CISA. Havex ICS Alert (ICS-ALERT-14-176-02A). https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A, June 2014.
  • [20] Abraham A. Clements, Naif Saleh Almakhdhub, Saurabh Bagchi, and Mathias Payer. ACES: Automatic Compartments for Embedded Systems. In 27th USENIX Security Symposium (USENIX Security 18), pages 65–82, Baltimore, MD, August 2018. USENIX Association.
  • [21] Abraham A. Clements, Naif Saleh Almakhdhub, Khaled S. Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer. Protecting Bare-Metal Embedded Systems with Privilege Overlays. In 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017, pages 289–303. IEEE Computer Society, 2017.
  • [22] Cypress. Microcontroller portfolio Infineon + Cypress. https://www.cypress.com/products/microcontrollers-mcus.
  • [23] Eric Decker. TinyOS. https://github.com/tinyos/tinyos-main.
  • [24] Alessandro Di Pinto, Younes Dragoni, and Andrea Carcano. TRITON: The first ICS cyber attack on safety instrument systems. In Proc. Black Hat USA, pages 1–26, 2018.
  • [25] Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet Dossier. https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf, November 2010.
  • [26] Bo Feng, Alejandro Mera, and Long Lu. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In 29th USENIX Security Symposium (USENIX Security 20), pages 1237–1254. USENIX Association, August 2020.
  • [27] Tommaso Frassetto, Patrick Jauernig, Christopher Liebchen, and Ahmad-Reza Sadeghi. IMIX: In-process memory isolation EXtension. In 27th USENIX Security Symposium (USENIX Security 18), pages 83–97, Baltimore, MD, August 2018. USENIX Association.
  • [28] Andy Greenberg. The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse. https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/.
  • [29] Jonas Haglund and Roberto Guanciale. Trustworthy Isolation of DMA Enabled Devices. In Deepak Garg, N. V. Narendra Kumar, and Rudrapatna K. Shyamasundar, editors, Information Systems Security, pages 35–55, Cham, 2019. Springer International Publishing.
  • [30] Taylor Hardin, Ryan Scott, Patrick Proctor, Josiah Hester, Jacob Sorber, and David Kotz. Application memory isolation on ultra-low-power MCUs. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 127–132, Boston, MA, July 2018. USENIX Association.
  • [31] Norm Hardy. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev., 22(4):36–38, October 1988.
  • [32] Josiah Hester, Travis Peters, Tianlong Yun, Ronald Peterson, Joseph Skinner, Bhargav Golla, Kevin Storer, Steven Hearndon, Kevin Freeman, Sarah Lord, Ryan Halter, David Kotz, and Jacob Sorber. Amulet: An Energy-Efficient, Multi-Application Wearable Platform. In Proceedings of the 14th ACM Conference on Embedded Network Sensor Systems CD-ROM, pages 216–229, Stanford CA USA, November 2016. ACM.
  • [33] Terry Ching-Hsiang Hsu, Kevin Hoffman, Patrick Eugster, and Mathias Payer. Enforcing Least Privilege Memory Views for Multithreaded Applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 393–405, Vienna Austria, October 2016. ACM.
  • [34] SANS Institute. Confirmation of a Coordinated Attack on the Ukrainian Power Grid. https://www.sans.org/blog/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid/, January 2016.
  • [35] Texas Instruments. INA226 High-Side or Low-Side Measurement, Bi-Directional Current and Power Monitor with I2C Compatible Interface. https://www.ti.com/lit/ds/symlink/ina226.pdf?ts=1641228884770&ref_url=https%253A%252F%252Fwww.ti.com%252Fproduct%252FINA226.
  • [36] Chung Hwan Kim, Taegyu Kim, Hongjun Choi, Zhongshu Gu, Byoungyoung Lee, Xiangyu Zhang, and Dongyan Xu. Securing Real-Time Microcontroller Systems through Customized Memory View Switching. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018. The Internet Society, 2018.
  • [37] Patrick Koeberl, Steffen Schulz, Ahmad-Reza Sadeghi, and Vijay Varadharajan. TrustLite: A Security Architecture for Tiny Embedded Devices. In Proceedings of the Ninth European Conference on Computer Systems, EuroSys ’14, New York, NY, USA, 2014. Association for Computing Machinery.
  • [38] Donghyun Kwon, Jangseop Shin, Giyeol Kim, Byoungyoung Lee, Yeongpil Cho, and Yunheung Paek. uXOM: Efficient eXecute-Only memory on ARM cortex-m. In 28th USENIX Security Symposium (USENIX Security 19), pages 231–247, Santa Clara, CA, August 2019. USENIX Association.
  • [39] Philip Levis and David Culler. Maté: A tiny virtual machine for sensor networks. ACM SIGPLAN Notices, 37(10):85–95, October 2002.
  • [40] Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, and Philip Levis. Multiprogramming a 64kB computer safely and efficiently. In Proceedings of the 26th Symposium on Operating Systems Principles, SOSP’17, pages 234–251, New York, NY, USA, October 2017. ACM.
  • [41] Loıc Duflot, Yves-Alexis Perez, and Benjamin Morin. What if you can’t trust your network card? In RAID 2011, 2011.
  • [42] Arm Ltd. ARM v7-M Architecture Reference Manual. https://developer.arm.com/documentation/ddi0403/latest/.
  • [43] Alejandro Mera, Bo Feng, Lu Lu, and Engin Kirda. DICE: Automatic emulation of DMA input channels for dynamic firmware analysis. In 2021 2021 IEEE Symposium on Security and Privacy (SP), pages 302–318, Los Alamitos, CA, USA, May 2021. IEEE Computer Society.
  • [44] Microchip. MCP2221A USB -USART/I2C Bridge. https://www.microchip.com/wwwproducts/en/MCP2221A.
  • [45] Microchip. New/Popular 32-bit Microcontrollers Products - Microchip Technology Inc. https://www.microchip.com/ParamChartSearch/Chart.aspx?branchID=211.
  • [46] ST Microelectronics. Chrom-ART accelerator. https://www.st.com/content/ccc/resource/training/technical/product_training/group0/06/38/cb/60/21/70/4e/d8/STM32F7_System_DMA2D/files/STM32F7_System_DMA2D.pdf/jcr:content/translations/en.STM32F7_System_DMA2D.pdf.
  • [47] ST Microelectronics. Managing memory protection unit in STM32 MCUs. https://www.st.com/resource/en/application_note/dm00272912-managing-memory-protection-unit-in-stm32-mcus-stmicroelectronics.pdf, February 2020.
  • [48] Daniele Midi, Mathias Payer, and Elisa Bertino. Memory Safety for Embedded Devices with NesCheck. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’17, pages 127–139, New York, NY, USA, 2017. Association for Computing Machinery.
  • [49] Mark S Miller, Ka-Ping Yee, and Jonathan Shapiro. Capability Myths Demolished. page 15.
  • [50] NSA. Ghidra. https://ghidra-sre.org/.
  • [51] Ivan De Oliveira Nunes, Karim Eldefrawy, Norrathep Rattanavipanon, Michael Steiner, and Gene Tsudik. VRASED: A Verified Hardware/Software Co-Design for Remote Attestation. In 28th USENIX Security Symposium (USENIX Security 19), pages 1429–1446, 2019.
  • [52] Ivan De Oliveira Nunes, Karim Eldefrawy, Norrathep Rattanavipanon, and Gene Tsudik. APEX: A Verified Architecture for Proofs of Execution on Remote Devices under Full Software Compromise. In 29th USENIX Security Symposium (USENIX Security 20), pages 771–788, 2020.
  • [53] Ivan De Oliveira Nunes, Sashidhar Jakkamsetti, Norrathep Rattanavipanon, and Gene Tsudik. On the TOCTOU problem in remote attestation. In ACM CCS 2021, 2020.
  • [54] NXP. Product Selector — NXP. https://www.nxp.com/products/product-selector:PRODUCT-SELECTOR#/category/c731_c1770.
  • [55] Michele Pelino. Predictions 2021: Technology Diversity Drives IoT Growth. https://go.forrester.com/blogs/predictions-2021-technology-diversity-drives-iot-growth/, October 2020.
  • [56] Percepio. Percepio Tracealyzer - Stop Guessing with Visual Trace Diagnostics. https://percepio.com/tracealyzer/.
  • [57] Schirra Sascha. Ropper - ROP gadget finder and binary information tool. https://scoding.de/ropper/, August 2014.
  • [58] Denis Selianin. Researching Marvell Avastar Wi-Fi: From Zero Knowledge to Over-The-Air Zero-Touch RCE. page 61.
  • [59] A. Sensaoui, D. Hely, and O. Aktouf. Toubkal: A flexible and efficient hardware isolation module for secure lightweight devices. In 2019 15th European Dependable Computing Conference (EDCC), pages 31–38, 2019.
  • [60] Abderrahmane Sensaoui, Oum-El-Kheir Aktouf, David Hely, and Stephane Di Vito. An In-depth Study of MPU-Based Isolation Techniques. Journal of Hardware and Systems Security, 3(4):365–381, December 2019.
  • [61] STMicroelectronics. ST-MCU-FINDER-PC - STM32 and STM8 product finder. https://www.st.com/en/development-tools/st-mcu-finder-pc.html.
  • [62] Raoul Strackx, Frank Piessens, and Bart Preneel. Efficient Isolation of Trusted Subsystems in Embedded Systems. In Sushil Jajodia and Jianying Zhou, editors, Security and Privacy in Communication Networks, pages 344–361, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
  • [63] TrustedFirmware.org. Trusted Firmware M. https://ci-builds.trustedfirmware.org/static-files/ka6nlDn9dd263kV64sVM-gECWQbVueoH9h5h8dROLD8xNjE2NTEzNjU4NTE5Ojk6YW5vbnltb3VzOmpvYi90Zi1tLWJ1aWxkLWRvY3MtbmlnaHRseS9sYXN0U3RhYmxlQnVpbGQvYXJ0aWZhY3Q=/trusted-firmware-m/build/docs/user_guide/html/docs/introduction/readme.html.
  • [64] Paul Willmann, Scott Rixner, and Alan L. Cox. Protection Strategies for Direct Access to Virtualized I/O Devices. In USENIX 2008 Annual Technical Conference, ATC’08, pages 15–28, USA, 2008. USENIX Association.
  • [65] Miao Yu. An I/O Separation Model and Its Applications to On-demand I/O on Commodity Platforms. PhD thesis, 2019.
  • [66] Fengwei Zhang and Hongwei Zhang. SoK: A Study of Using Hardware-Assisted Isolated Execution Environments for Security. In Proceedings of the Hardware and Architectural Support for Security and Privacy 2016, HASP 2016, New York, NY, USA, 2016. Association for Computing Machinery.
  • [67] Zongwei Zhou. On-Demand Isolated I/O for Security-sensitive Applications on Commodity Platforms. PhD thesis, 2014.
  • [68] Zongwei Zhou, Virgil D. Gligor, James Newsome, and Jonathan M. McCune. Building Verifiable Trusted Path on Commodity X86 Computers. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pages 616–630, USA, 2012. IEEE Computer Society.