Strict Memory Protection for Microcontrollers
Total Page:16
File Type:pdf, Size:1020Kb
Master Thesis Spring 2019 Strict Memory Protection for Microcontrollers Erlend Sveen Supervisor: Jingyue Li Co-supervisor: Magnus Själander Sunday 17th February, 2019 Abstract Modern desktop systems protect processes from each other with memory protection. Microcontroller systems, which lack support for memory virtualization, typically only uses memory protection for areas that the programmer deems necessary and does not separate processes completely. As a result the application still appears monolithic and only a handful of errors may be detected. This thesis presents a set of solutions for complete separation of processes, unleash- ing the full potential of the memory protection unit embedded in modern ARM-based microcontrollers. The operating system loads multiple programs from disk into indepen- dently protected portions of memory. These programs may then be started, stopped, modified, crashed etc. without affecting other running programs. When loading pro- grams, a new allocation algorithm is used that automatically aligns the memories for use with the protection hardware. A pager is written to satisfy additional run-time demands of applications, and communication primitives for inter-process communication is made available. Since every running process is unable to get access to other running processes, not only reliability but also security is improved. An application may be split so that unsafe or error-prone code is separated from mission-critical code, allowing it to be independently restarted when an error occurs. With executable and writeable memory access rights being mutually exclusive, code injection is made harder to perform. The solution is all transparent to the programmer. All that is required is to split an application into sub-programs that operates largely independently. An added benefit of this modularity is that code may also be developed and tested as independent programs. The standard POSIX API is used as the programming interface, allowing programmers to use existing knowledge and code when designing applications. For programs that do not depend on specific hardware, development may be done and tested on a regular desktop system entirely before running it on a microcontroller. ii Acknowledgements Thanks to supervisors Jingyue Li and Magnus Själander for helping with all the formal- ities surrounding the thesis, and giving valuable feedback on the thesis work. The work presented in this thesis would not have been possible without supervision. Also thanks to the students at the Orbit satellite program, which have helped by providing an environment for the thesis in the first place. The satellite program was in need of someone to work on the software, which resulted in both the pre-thesis project and the thesis itself. Students working on the satellite software has provided valuable feedback when using the operating system, helping to improve it. iii Contents List of Figures viii List of Tables ix 1. Introduction1 1.1. Research Drivers...............................1 1.2. Solutions...................................2 1.3. Testing and Evaluation...........................3 1.4. Summary...................................3 1.5. Thesis Structure...............................3 2. Background5 2.1. Memory Protection in Desktop Processors.................5 2.1.1. Overview................................5 2.1.2. History.................................6 2.1.3. Memory Architecture As Seen By Software.............7 2.1.4. Challenges...............................8 2.2. Memory Protection in Microcontrollers.................. 10 2.2.1. History................................. 10 2.2.2. Microcontroller Memory Protection................. 10 2.2.3. Table Size and Table Entry Restrictions............... 11 2.2.4. Allocation Example.......................... 11 3. Related Work 13 3.1. State of the Art............................... 13 3.2. Shared vs Non-Shared Memory Architecture............... 15 3.2.1. Microcontroller Shared Memory Problem Example......... 17 3.2.2. MPU Setup............................... 17 3.2.3. Shortcomings.............................. 18 3.2.4. Privilege Escalation.......................... 18 3.2.5. Summary................................ 19 3.3. Research Motivation............................. 20 3.3.1. Previos Project Work......................... 21 4. Project Scope 23 4.1. Problem Summary.............................. 23 4.1.1. Memory Protection Schemes..................... 23 4.1.2. Key Difficulties............................. 23 iv Contents 4.1.3. Benefits................................. 24 4.1.4. Hardware Popularity and Generalization............... 24 4.2. Research Questions.............................. 25 4.2.1. Question 1: How may memory contents be protected during vari- ous failure modes?........................... 25 4.2.2. Question 2: How may the improvements be made without harming performance?.............................. 25 4.2.3. Summary................................ 26 4.3. Solution Roadmap.............................. 26 4.4. Architecture Overview............................ 27 5. Memory Allocation 29 5.1. Allocation Rules............................... 29 5.1.1. Allocation Rule Summary....................... 30 5.2. Metadata Structures and Multibanking.................. 31 5.3. Allocation Algorithm............................ 33 5.3.1. Algorithm Without MPU Support.................. 33 5.3.2. Algorithm With MPU Support.................... 36 6. Program Loading 41 6.1. Program Structure.............................. 41 6.2. The ELF file format............................. 42 6.3. Relocation.................................. 44 6.4. Load API Selection............................. 45 6.5. Load Procedure................................ 46 6.6. Context Switching.............................. 48 7. Adding Paging 50 7.1. Paging without Virtualization........................ 50 7.2. Adding Paging................................ 50 7.2.1. Architectural Considerations..................... 51 7.2.2. Control Structures........................... 52 7.2.3. System Calls.............................. 53 7.2.4. Page Fault Handler........................... 57 7.2.5. Table Walking Algorithm....................... 58 7.2.6. Replacement Policy.......................... 60 7.2.7. Miscellaneous Page Table Functions................. 60 8. Testing and Verification 62 8.1. Memory Allocation.............................. 62 8.1.1. Performance Considerations...................... 62 8.1.2. Functionality Testing.......................... 63 8.1.3. Test Subjects.............................. 64 8.1.4. Methodology.............................. 64 v Contents 8.1.5. Expected Results............................ 65 8.1.6. Test Execution............................. 66 8.1.7. Discussion................................ 66 8.1.8. Conclusion............................... 68 8.2. Program Loading............................... 68 8.2.1. Performance Considerations...................... 68 8.2.2. Test Subjects.............................. 69 8.2.3. Methodology.............................. 69 8.2.4. Expected Results............................ 71 8.2.5. Test Execution............................. 71 8.2.6. Discussion................................ 72 8.2.7. Conclusion............................... 72 8.3. Paging and Memory Protection....................... 73 8.3.1. Performance Considerations...................... 73 8.3.2. Test Subjects.............................. 74 8.3.3. Methodology.............................. 74 8.3.4. Expected Results and Test Execution................ 76 8.3.5. Discussion................................ 78 8.3.6. Conclusion............................... 79 8.4. Small System Use Case Example...................... 79 8.4.1. Methodology.............................. 79 8.4.2. Test Execution............................. 80 8.4.3. Results................................. 81 8.4.4. Discussion and Conclusion....................... 84 8.5. Memory Copy Speed Test.......................... 85 8.5.1. Methodology.............................. 85 8.5.2. Expected Results............................ 85 8.5.3. Test Execution............................. 86 8.5.4. Discussion and Conclusion....................... 86 8.6. Added Context Switching Overhead.................... 86 8.7. System Call Interface Overhead....................... 87 8.7.1. System Calls.............................. 87 8.7.2. Benefits and Limitations........................ 88 8.7.3. Performance Study........................... 88 8.7.4. Summary................................ 92 9. Discussion 94 9.1. Solution Discussion.............................. 94 9.1.1. Memory Allocation........................... 94 9.1.2. Program Loading............................ 94 9.1.3. Paging Mechanism........................... 95 9.2. Research Question Discussion........................ 95 9.2.1. Research Question 1.......................... 95 9.2.2. Research Question 2.......................... 96 vi Contents 10.Conclusion 98 11.Future Work 99 11.1. Memory Allocation Improvements..................... 99 11.2. Paging Improvements............................ 99 11.3. Memory Sharing Schemes.......................... 99 11.4. Improved Standards Compliance...................... 100 11.5. Hardware Error Handling.......................... 100 11.6. Syscall Data Access Checking........................ 100 11.7. Moving Data Back Into Flash........................ 100 11.8. Test Procedures............................... 101 11.9. Build Automation.............................