What the Stack? on Memory Exploitation and Protection in Resource Constrained Automotive Systems

What the Stack? On Memory Exploitation and Protection in Resource Constrained Automotive Systems

Aljoscha Lautenbach Magnus Almgren Tomas Olovsson

Dept. of Computer Science and Engineering Chalmers University of Technology Gothenburg, Sweden

CRITIS 2017 The International Conference on Critical Information Infrastructures Security

Lucca, Italy

11 October, 2017

A. Lautenbach (CHALMERS) What the Stack? CRITIS 1 / 20 Security perspective Automotive security mostly focuses on communications

Why automotive security?

Connected vehicles Communication systems: Bluetooth, Wireless LAN, IEEE 802.11p, Radio Data System (RDS), telecommunication (3G/4G/soon 5G), ... Intelligent transport systems (ITS) Self-driving cars

A. Lautenbach (CHALMERS) What the Stack? CRITIS 2 / 20 Why automotive security?

Connected vehicles Communication systems: Bluetooth, Wireless LAN, IEEE 802.11p, Radio Data System (RDS), telecommunication (3G/4G/soon 5G), ... Intelligent transport systems (ITS) Self-driving cars

Security perspective Automotive security mostly focuses on communications

A. Lautenbach (CHALMERS) What the Stack? CRITIS 2 / 20 The in-vehicle network

Picture source: Nowdehi N., Lautenbach A., Olovsson T. “In-vehicle CAN message authentication: An evaluation based on industrial criteria”. Vehicular Technology Conference Fall 2017.

A. Lautenbach (CHALMERS) What the Stack? CRITIS 3 / 20 The in-vehicle network

Picture source: Nowdehi N., Lautenbach A., Olovsson T. “In-vehicle CAN message authentication: An evaluation based on industrial criteria”. Vehicular Technology Conference Fall 2017.

A. Lautenbach (CHALMERS) What the Stack? CRITIS 3 / 20 Checkoway et al. (2011) “We also encourage the use of simple anti-exploitation mitigations such as stack cookies and ASLR that can be easily implemented even for simple processors [...]”

Electronic control unit (ECU) security

What is the problem? Exploitation of memory corruption bugs!

A. Lautenbach (CHALMERS) What the Stack? CRITIS 4 / 20 Electronic control unit (ECU) security

What is the problem? Exploitation of memory corruption bugs!

Checkoway et al. (2011) “We also encourage the use of simple anti-exploitation mitigations such as stack cookies and ASLR that can be easily implemented even for simple processors [...]”

A. Lautenbach (CHALMERS) What the Stack? CRITIS 4 / 20 Typical ECU hardware

Typical ranges for resource constrained microcontrollers Hardware Speciﬁcation Most Common RAM 4 KB - 500 KB 40 KB Flash Memory 256 KB - 6 MB 1 MB Processor Speed 16 - 150 MHz 80 MHz

A. Lautenbach (CHALMERS) What the Stack? CRITIS 5 / 20 ECU memory (1)

Types of memory Flash memory: boot loader, OS, tasks RAM Data ﬂash Memory mapped Input/Output

A. Lautenbach (CHALMERS) What the Stack? CRITIS 6 / 20 ECU memory (2)

Memory properties No memory management unit (MMU), i.e., no virtual memory Statically assigned memory Memory protection unit (use optional)

A. Lautenbach (CHALMERS) What the Stack? CRITIS 7 / 20 Linear address space

A. Lautenbach (CHALMERS) What the Stack? CRITIS 8 / 20 Static task memory mapping into RAM

A. Lautenbach (CHALMERS) What the Stack? CRITIS 9 / 20 Memory exploitation and protection

Attacks and defenses 1. Buffer overflows and stack canaries (aka stack cookies or stack-guards) 2. Buffer overflows and non-executable RAM 3. Return oriented programming (ROP) and compile-time randomization

A. Lautenbach (CHALMERS) What the Stack? CRITIS 10 / 20 Exploiting buﬀer overﬂows

A. Lautenbach (CHALMERS) What the Stack? CRITIS 11 / 20 Buﬀer overﬂows and stack canaries

A. Lautenbach (CHALMERS) What the Stack? CRITIS 12 / 20 Stack canaries - pros and cons

Pros Protects against simple buﬀer overﬂow attacks Simple to implement Proven technique (desktops and servers)

Cons Performance degradation

A. Lautenbach (CHALMERS) What the Stack? CRITIS 13 / 20 Buﬀer overﬂows and non-executable RAM

A. Lautenbach (CHALMERS) What the Stack? CRITIS 14 / 20 Non-executable RAM - pros and cons

Pros Protects against all standard buﬀer overﬂow attacks Already supported by MPUs

Cons Sometimes RAM must be executable, e.g., during ﬁrmware upgrades.

A. Lautenbach (CHALMERS) What the Stack? CRITIS 15 / 20 Return oriented programming (ROP)

A. Lautenbach (CHALMERS) What the Stack? CRITIS 16 / 20 Compile-time layout randomization

Standard layout

Randomized layout

A. Lautenbach (CHALMERS) What the Stack? CRITIS 17 / 20 Compile-time layout randomization - pros and cons

Pros Raises the bar for successful ROP attacks

Cons Low entropy Requires production changes (costly) Only of interest once non-executable RAM has been implemented

A. Lautenbach (CHALMERS) What the Stack? CRITIS 18 / 20 Conclusions Stack canaries should be used Non-executable RAM should be used Layout randomization is hard to implement in practice → further research is needed

A. Lautenbach (CHALMERS) What the Stack? CRITIS 19 / 20 Thank you!

A. Lautenbach (CHALMERS) What the Stack? CRITIS 20 / 20