0628731-Wetzels Msc Thesis Final

0628731-Wetzels Msc Thesis Final

Eindhoven University of Technology MASTER Kintsugi identifying & addressing challenges in embedded binary security Wetzels, A.L.G.M. Award date: 2017 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain KINTSUGI Identifying & addressing challenges in embedded binary security jos wetzels Supervisors: Prof. dr. Sandro Etalle Ali Abbasi, MSc. Department of Mathematics and Computer Science Eindhoven University of Technology (TU/e) June 2017 Jos Wetzels: Kintsugi, Identifying & addressing challenges in embed- ded binary security, © June 2017 To my family Kintsugi ("golden joinery"), is the Japanese art of repairing broken pottery with lacquer dusted or mixed with powdered gold, silver, or platinum. As a philosophy, it treats breakage and repair as part of the history of an object, rather than something to disguise. —[254] ABSTRACT Embedded systems are found everywhere from consumer electron- ics to critical infrastructure. And with the growth of the Internet of Things (IoT), these systems are increasingly interconnected. As a re- sult, embedded security is an area of growing concern. Yet a stream of offensive security research, as well as real-world incidents, contin- ues to demonstrate how vulnerable embedded systems actually are. This thesis focuses on binary security, the exploitation and miti- gation of memory corruption vulnerabilities. We look at the state of embedded binary security by means of quantitative and qualitative analysis and identify several gap areas and show embedded binary security to lag behind the general purpose world significantly. We then describe the challenges and limitations faced by embedded exploit mitigations and identify a clear open problem area that war- rants attention: deeply embedded systems. Next, we outline the cri- teria for a deeply embedded exploit mitigation baseline. Finally, as a first step to addressing this problem area, we designed, implemented and evaluated µArmor : an exploit mitigation baseline for deeply em- bedded systems. v When you want to know how things really work, study them when they’re coming apart. — William Gibson ACKNOWLEDGEMENTS First of all, I would like to thank my supervisors, Prof. dr. Sandro Etalle and Ali Abbasi, MSc., for their assistance and support through- out the process of researching and writing this thesis. Sandro’s guid- ance helped me structure the rather voluminous body of research produced by this thesis while Ali’s continuous feedback and brain- storming helped this work achieve its current depth. Secondly, I am grateful to my family, without whom none of this would have been possible, for their unconditional love and support. Finally, I am thankful to my friends for their moral support and to the many people from the information security field and the outer reaches of the internet who, over the years, have continued to inspire me. Jos Wetzels Eindhoven University of Technology (TU/e) June 2017 vii CONTENTS i embedded binary security1 1 introduction3 1.1 Problem Statement . 3 1.2 Research Goal & Questions . 4 1.3 Contributions . 4 1.4 Outline . 5 2 background7 2.1 Basic Embedded Concepts . 7 2.2 Embedded Security Threat Landscape . 11 2.3 Embedded Patching Issues . 14 2.4 Memory Corruption Vulnerabilities . 17 2.4.1 Language Safety . 18 2.4.2 ’Weird Machines’ & Exploitation . 19 2.5 Exploit Mitigations . 20 3 embedded exploit mitigation baseline 25 3.1 Establishing a Minimum Baseline . 25 3.2 Baseline Mitigations In-Depth . 26 3.2.1 Executable Space Protection (ESP) . 26 3.2.2 Address Space Layout Randomization (ASLR) . 30 3.2.3 Stack Canaries . 34 3.3 Exploit Mitigation Dependencies . 36 3.3.1 ESP Dependencies . 36 3.3.2 ASLR Dependencies . 38 3.3.3 Stack Canary Dependencies . 39 ii analysis of embedded exploit mitigations 41 4 quantitative analysis 43 4.1 Embedded OS mitigation & dependency support . 43 4.2 Embedded hardware feature support . 44 4.3 Conclusions . 48 5 qualitative analysis 53 5.1 QNX ............................. 53 5.1.1 Security History . 55 5.1.2 QNX ESP . 55 5.1.3 QNX ASLR . 56 5.1.4 QNX Stack Canaries . 64 5.1.5 QNX OS CSPRNG . 67 5.2 RedactedOS . 73 5.2.1 RedactedOS OS CSPRNG . 74 5.3 Zephyr . 75 5.3.1 Zephyr Stack Canaries . 77 5.4 Conclusions . 80 ix x contents 6 embedded challenges 83 6.1 Development Practices & Cost Sensitivity . 83 6.2 Resource Constraints . 84 6.3 Safety, Reliability & Real-Time Requirements . 85 6.4 Hardware & OS Limitations . 87 6.4.1 MPUs, MMUs & Hardware ESP . 87 6.4.2 Virtual Memory . 88 6.4.3 Advanced Processor Features . 88 6.4.4 OS CSPRNGs . 89 6.5 Open Problems . 91 6.5.1 Deeply Embedded Exploit Mitigation Criteria . 92 6.5.2 OS CSPRNG Design for Deeply Embedded Sys- tems . 93 iii µarmor design, implementation & evaluation 95 7 µarmor design 97 7.1 Representative Platform . 97 7.2 Attacker Model . 98 7.3 High-Level Design . 98 7.4 µESP Design . 99 7.5 µScramble Design . 101 7.6 µSSP Design . 105 7.7 µRNG Design . 107 8 µarmor implementation 113 8.1 µESP Implementation . 113 8.2 µScramble Implementation . 116 8.3 µSSP Implementation . 118 8.4 µRNG Implementation . 119 9 µarmor evaluation & limitations 121 9.1 Real-Time Compatibility & Safety Issues . 121 9.2 Overhead Evaluation . 121 9.3 Security Evaluation . 129 9.3.1 µESP Security . 129 9.3.2 µScramble Security . 129 9.3.3 µSSP Security . 133 9.3.4 µRNG Security . 134 9.4 Limitations . 136 iv conclusion 137 10 related work 139 10.1 Embedded Mitigation Support & Quality . 139 10.2 Embedded Mitigation Design . 139 11 discussion, conclusions & future work 145 11.1 Discussion . 145 11.2 Conclusions . 147 11.3 Future Work . 148 contents xi v appendix 151 a supplementary data 153 bibliography 165 LISTOFFIGURES Figure 1 Library-Based Operating System Example . 11 Figure 2 Memory corruption exploitation flowchart demon- strating mitigations at different stages based on [390]...................... 23 Figure 3 x86 Page Table Entry (PTE) with NX bit . 29 Figure 4 Address Space Layout Randomization (ASLR) [22] 31 Figure 5 Stack Canary Example . 34 Figure 6 ESP Dependencies . 37 Figure 7 ASLR Dependencies . 38 Figure 8 Stack Canary Dependencies . 39 Figure 9 Embedded OS Exploit Mitigation Support . 44 Figure 10 Embedded OS exploit mitigation dependency support . 47 Figure 11 Core Family dependency support . 48 Figure 12 QNX Architecture [233]............. 54 Figure 13 QNX Private Virtual Memory [220]....... 54 Figure 14 QNX Memory Layout (x86)........... 57 Figure 15 QNX ASLR Memory Object Graph . 60 Figure 16 Simplified QNX Yarrow 6.6 Design . 67 Figure 17 QNX Yarrow Boottime Entropy Collection . 70 Figure 18 QNX Yarrow Restart Boottime Entropy Visual- ization [43]..................... 71 Figure 19 QNX Yarrow Runtime Entropy Collection . 73 Figure 20 RedactedOS PRNG Known Seed Attack . 76 Figure 21 Zephyr Architecture [186]............ 77 Figure 22 µArmor High-Level Design as a subgraph of Figure 2 ....................... 99 Figure 23 µESP Design . 100 Figure 24 µArmor Firmware Distribution Process . 101 Figure 25 µScramble Firmware Diversification . 102 Figure 26 µSSP Design . 105 Figure 27 µRNG Design . 108 Figure 28 µRNG Reseed Control . 108 Figure 29 µScramble LLVM Implementation . 117 xii LISTOFTABLES Table 1 Embedded OS exploit mitigation adoption . 45 Table 2 Embedded OS exploit mitigation dependency support . 46 Table 3 Core Family dependency support . 49 Table 4 Core Family dependency support . 50 Table 5 Core Family dependency support . 51 Table 6 QNX Hardware ESP Support . 56 Table 7 QNX Address Boundaries . 57 Table 8 QNX Default Libc Load Addresses . 58 Table 9 QNX ASLR Memory Object Randomization Sup- port . 59 Table 10 QNX ClockCycles Implementations . 61 Table 11 QNX ASLR Userspace Memory Object Min En- tropy . 62 Table 12 QNX Stack Canary Min Entropy . 66 Table 13 Qualitative Exploit Mitigation Analysis Overview 82 Table 14 µESP Memory Permission Policies . 114 Table 15 TI LM3S6965 MPU µESP Settings, execute-from- flash ......................... 115 Table 16 TI LM3S6965 MPU µESP Settings, execute-from- RAM ........................ 115 Table 17 µESP Overhead Evaluation . 123 Table 18 µSSP Overhead Evaluation . 124 Table 19 µRNG Overhead Evaluation . 124 Table 20 µScramble Overhead wrt. Application . 125 Table 21 µScramble Overhead wrt. Application . 126 Table 22 µScramble Overhead wrt. Resources . 127 Table 23 µScramble Overhead wrt. Resources . 128 Table 24 µRNG Resource Consumption Comparison . 129 Table 25 µScramble Coverage Analysis . 131 Table 26 µScramble Coverage Analysis . 132 Table 27 TRNG support among Zephyr 1.8 supported boards . 154 Table 28 Popular Embedded Development Board Resources155 Table 29 Benchmarks & Applications selected from TACLeBench Suite [357]..................... 156 Table 30 Benchmarks & Applications selected from TACLeBench Suite [357]..................... 157 xiii LISTINGS Listing 1 µESP MPU Setup Pseudo-Code . 114 Listing 2 QNX vmm_mmap Routine . 158 Listing 3 QNX map_create Routine . 158 Listing 4 QNX map_find_va Routine . 159 Listing 5 QNX stack_randomize Routine . 160 Listing 6 QNX Stack Canary Failure Handler (User-Space)160 Listing 7 QNX Stack Canary Generation Handler .

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    215 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us