Abstract
This article addresses the challenges of memory safety in life-critical medical devices. Over the last decade, healthcare manufacturers have embraced the Internet of Things, pushing technological innovations to increase market share. Medical devices, including the most critical ones, are increasingly connected to the Internet. Unfortunately, since critical devices often rely on memory-unsafe programming languages such as C, they are no exception to memory safety issues. Given a memory vulnerability, a skillful attacker can take over a system and achieve remote code execution. Because medical devices directly affect the safety of their users, such a security vulnerability can lead to disastrous scenarios. To address this issue, this article presents TrustFlow-X, a novel hardware/software co-designed framework that provides efficient, fine-grained control-flow integrity protection against memory-based attacks. The TrustFlow-X framework is composed of an LLVM-based compiler toolchain that generates secured code. This code is then executed on an extended RISC-V processor that keeps track of sensitive data using a trusted memory. The results obtained show that the contribution is practical and provides a high level of trust in life-critical embedded systems.
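As an added illustration (not code from the paper or the TrustFlow-X project), the following C program models the general idea the abstract describes: the compiler routes stores and loads of sensitive control-flow data through a trusted memory, so a control word corrupted by an ordinary buffer overflow fails its check before it is used. Everything here is a hypothetical software model (`trusted_store`, `trusted_load`, `frame_t`, the sample return address); the actual design is a hardware RISC-V extension whose details this page does not give.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical software model of a "trusted memory" that mirrors sensitive
 * control-flow words; the real design is a hardware RISC-V extension. */
#define TRUSTED_SLOTS 16
typedef struct { const uintptr_t *addr; uintptr_t value; int used; } trusted_entry;
static trusted_entry trusted_mem[TRUSTED_SLOTS];

/* Compiler-emitted trusted store: write the word to ordinary memory and
 * keep a copy in trusted memory keyed by its address. */
static int trusted_store(uintptr_t *dst, uintptr_t value) {
    *dst = value;
    for (int i = 0; i < TRUSTED_SLOTS; i++) {
        if (!trusted_mem[i].used || trusted_mem[i].addr == dst) {
            trusted_mem[i] = (trusted_entry){ dst, value, 1 };
            return 1;
        }
    }
    return 0; /* trusted memory exhausted */
}

/* Compiler-emitted trusted load: hand the word back only if ordinary memory
 * still matches the trusted copy; 0 means tampered or never registered. */
static int trusted_load(const uintptr_t *src, uintptr_t *out) {
    for (int i = 0; i < TRUSTED_SLOTS; i++) {
        if (trusted_mem[i].used && trusted_mem[i].addr == src) {
            if (trusted_mem[i].value != *src) return 0; /* corrupted */
            *out = *src;
            return 1;
        }
    }
    return 0;
}

/* Stack-like frame: fixed buffer directly followed by the control word. */
typedef struct { char buf[8]; uintptr_t ret_addr; } frame_t;
/* Returns 1 if an unchecked copy of input_len bytes into the frame is caught
 * at the trusted load, 0 if the control word survived intact. */
int detect_overflow(size_t input_len) {
    frame_t f;
    uintptr_t loaded = 0;
    unsigned char input[sizeof f];
    memset(input, 'A', sizeof input);          /* constructed oversized input */
    if (input_len > sizeof f) input_len = sizeof f;
    trusted_store(&f.ret_addr, 0x8000100u);    /* constructed legitimate address */
    memcpy(&f, input, input_len);              /* the bug: copy runs past buf */
    return trusted_load(&f.ret_addr, &loaded) ? 0 : 1;
}
```

A copy that stays within `buf` passes the load unchanged, while one that spills into `ret_addr` is refused because ordinary memory no longer agrees with the trusted copy.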
TrustFlow-X: A Practical Framework for Fine-grained Control-flow Integrity in Critical Systems