Approaches, Strategies, and Implementations of Memory Safety Defenses in Critical and Constrained Embedded Systems Cyril Bresch

To cite this version: Cyril Bresch. Approaches, Strategies, and Implementations of Memory Safety Defenses in Critical and Constrained Embedded Systems. Micro and nanotechnologies/Microelectronics. Université Grenoble Alpes [2020-..], 2020. English. NNT: 2020GRALT043. tel-03118575

HAL Id: tel-03118575, https://tel.archives-ouvertes.fr/tel-03118575. Submitted on 22 Jan 2021.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

THESIS to obtain the degree of DOCTOR OF THE UNIVERSITÉ GRENOBLE ALPES. Speciality: Nanoelectronics and Nanotechnologies. Ministerial decree: 25 May 2016. Presented by Cyril BRESCH. Thesis directed by Ioannis Parissis, Université Grenoble Alpes, and co-directed by David Hély, Maître de Conférences, Université Grenoble Alpes, and Stéphanie Chollet, Maître de Conférences, Université Grenoble Alpes. Prepared at the Laboratoire de Conception et d'Intégration des Systèmes (LCIS) within the École Doctorale Electronique, Electrotechnique, Automatique, Traitement du Signal (EEATS).

Approches, Stratégies, et Implémentations de Protections Mémoire dans les Systèmes Embarqués Critiques et Contraints. Approaches, Strategies, and Implementations of Memory Safety Defenses in Critical and Constrained Embedded Systems.
Thesis defended publicly on 16 October 2020, before the jury composed of: Mr. Aurélien Francillon, Professor, EURECOM, Sophia-Antipolis, Reviewer; Mr. Sébastien Pillement, Professor, Université de Nantes, Reviewer; Mrs. Marie-Laure Potet, Professor, Grenoble-INP, Examiner; Mr. Giorgio Di Natale, Research Director, CNRS Délégation Alpes, President; Mr. Roman Lysecky, Professor, University of Arizona, Guest.

"To my family, and all my friends around the world, for all the love and support."

Acknowledgements

The existence of this work would probably require the writing of a second manuscript to thank all the people who supported it. It is thanks to them, over a time span of three amazing years, that I could complete this work. First of all, I would like to thank my thesis' jury: Mr. Giorgio Di Natale, Mrs. Marie-Laure Potet, Mr. Aurélien Francillon, and Mr. Sébastien Pillement for being willing to serve on my thesis committee. They carefully attended my defense, listened to my vision regarding my research, evaluated it, recognized it, and finally, awarded me with the degree of doctor. Their insightful comments, suggestions, and challenging questions have helped me make significant improvements to this thesis and beyond. We had memorable discussions and interesting debates during the defense that will contribute to continuing my education as a young researcher. This thesis would not have been possible without the dedication of my thesis directors, David Hély and Ioannis Parissis, as well as my co-supervisor Stéphanie Chollet. I am delighted to have worked with them; they encouraged me to pursue my interests and provided me the freedom and guidance to explore my topic. Besides their scientific support, they have always been there for support and helpful advice. I particularly appreciated Stéphanie's rigor and her approach regarding my research.
She taught me the skills of a professional researcher such as exposing a scientific problem and approaching it from different perspectives. I obviously can't forget David's openness, good mood, and support in all my ideas. He approved my desire to go to the United States and collaborate with other researchers. Besides, I will never forget our sparkling meetings, full of ideas and ambitions during these moments. Working with him has been inspiring. I would also like to thank Roman Lysecky, professor at the University of Arizona in Tucson. He hosted me in his research team during my international exchange in the United States. He treated me as one of his Ph.D. students, and I am immensely grateful for his guidance and assistance during my stay in the United States, and after, while collaborating on various research papers. We've accomplished a lot and I'm very happy about that. I also want to take this opportunity to thank the SERENE-IoT project, the Laboratoire de Conception et d'Intégration des Systèmes (LCIS) Laboratory, the Grenoble EEATS doctoral school, Grenoble Alpes Cybersecurity Institute, and IDEX for financially supporting this work, the conferences, and all travel. Last but not least, I would like to thank all my friends, my colleagues, and my labmates. I would like to give a special thanks to both Baptiste Pestourie and Luc Perard, my two friends who spent a lot of time with me in Valence. Thank you Soraya Zahouily and Louise Constant for supporting me, even in the most difficult moments. Finally, I would not forget my family for their continuous love and support throughout all these years.

Contents

Acknowledgements i
Table of contents iii
Introduction 1
1 Background 7
1.1 The Memory Safety Issue in Life-Critical Systems 8
1.1.1 C, a prominent programming language in critical systems 8
1.1.2 The C programming language weaknesses 9
1.1.3 Critical systems programming rules 15
1.2 Exploitation Techniques 17
1.2.1 Control-flow attacks 17
1.2.2 Data-oriented attacks 23
1.2.3 Real-world exploits 24
1.3 Existing Defenses 26
1.3.1 Control-flow integrity 27
1.3.2 Heuristic defenses 40
1.3.3 Software diversity 43
1.3.4 Data-flow integrity 46
1.4 State of the Art Synthesis 55
1.4.1 Control-flow integrity discussion 55
1.4.2 Heuristic defenses discussion 56
1.4.3 Software diversity discussion 57
1.4.4 Data-flow integrity discussion 58
1.4.5 State-of-the-art discussion 59
2 Approach 62
2.1 Problem statement 63
2.1.1 Why are critical medical devices insecure? 63
2.1.2 Why are current defenses not implemented in medical devices? 64
2.2 Important memory safety criteria for medical devices 68
2.3 Approaches 70
3 SecPump 74
3.1 Motivation 75
3.2 Open Source Medical Devices 77
3.3 SecPump 81
3.3.1 A wireless pump model 81
3.3.2 SecPump software model 82
3.3.3 SecPump variants 88
3.4 Security Assessments 90
3.4.1 Software Threats 90
3.4.2 Hardware Threats 91
3.5 Comparison with other works 93
3.6 Conclusion 95
4 TrustFlow 98
4.1 Motivation 99
4.2 Approach 102
4.2.1 A trusted environment 104
4.2.2 A secure toolchain 105
4.3 Implementation 108
4.3.1 Environment Implementation 108
4.3.2 Toolchain implementation 111
4.4 Evaluation 116
4.4.1 Security evaluation 116
4.4.2 Environment evaluation 117
4.5 Discussion 122
4.6 Comparison with related work 124
4.7 Conclusion 126
5 BackGuard 129
5.1 Motivation 130
5.2 Approach 133
5.2.1 Protection concept 134
5.2.2 Security challenges 136
5.2.3 Implementation challenges 139
5.3 Implementation 141
5.3.1 Compiler implementation strategy 141
5.3.2 Additional passes 143
5.3.3 Boot sequence 144
5.4 Evaluation 146
5.4.1 Security evaluation 146
5.4.2 Costs 148
5.5 Discussion 152
5.6 Comparison with related work 154
5.7 Conclusion 156
Conclusion 159
Perspectives 162
Bibliography I
List of Figures XV
List of Tables XVIII
A Annex 1: TrustFlow pipeline XX
A.1 Trusted memory integration XX
A.2 Trusted memory controller XXIII
A.3 Data restoration XXV
B Annex 2: RISC-V prologue and epilogue insertion XXVII
C Annex 3: LLVM ARM backend bitmap pass XXX

Introduction

With the emerging technologies in several domains such as artificial intelligence, communication, sensors, and processing power, manufacturers are increasingly developing new ubiquitous connected devices identified as the "Internet of Things" (IoT). According to Forbes [1], the IoT is a fast-growing market that may even double before 2021. As a result, manufacturers see in IoT a genuine business opportunity that encourages them to increasingly release new smart devices over the coming years. The prime purpose of IoT devices is to operate in an environment by collecting, processing, and sharing data over the network with other computers without any human-to-human or human-to-computer interaction. From the consumers' perspective, smart devices are technological innovations that aim at improving their daily life. One of the most common application examples of the "Internet of Things" is the smart home. In a smart home, a user can monitor some equipment such as the lights, the temperature, and the appliances by only using a smartphone. However, the "Internet of Things" is not limited to smart homes. Several sectors [2] such as agriculture, transport, healthcare, and the military are heavily invested in the development of innovative IoT infrastructures to improve their quality of life and quality of service. This thesis unfolds within the European project SERENE-IoT (Secured & EneRgy EfficieNt hEalth-care solutions for IoT market). The SERENE-IoT project is labeled within the framework of PENTA, the EUREKA Cluster for Application and Technology Research in Europe on NanoElectronics.
The project contributes to developing high-quality connected care services and diagnostic tools based on advanced smart healthcare IoT devices. SERENE-IoT leverages the emergence of the "Internet of Medical Things" (IoMT) to prototype new devices, fully manufactured in Europe, that increase the healthcare quality of service for patients remotely followed by caregivers at a much lower cost than traditional care.