Description
The increasing prevalence of Microcontroller Units (MCUs) in industry and everyday life
has made their security an important concern. Nevertheless, MCUs still lack many of the
security features commonly found in general-purpose systems. One such feature is Address
Space Layout Randomization (ASLR), a technique that prevents the prediction of memory
addresses and thus increases the difficulty of Code-Reuse Attacks (CRAs). Due to the absence
of a Memory Management Unit (MMU), existing ASLR implementations cannot be applied
to most MCUs, necessitating alternative solutions.

Firmware Layout Randomization (FWLR), suggested by Bogad et al., is an approach that
randomizes the firmware memory layout of ESP32 microcontrollers. During every firmware
update, the algorithm permutes the order of position-independent program parts, so-called
Linker Units, on the MCU. In this thesis, we demonstrate portability of FWLR from Xtensa to
the Arm M-profile architecture. We present FWLR for Arm, an algorithm that randomizes
Linker Units in Armv7-M firmware binaries. We evaluate the binaries generated by our
implementation on the Nucleo-L476RG (Cortex-M4 processor core), the Nucleo-H7S3L8
(Cortex-M7 processor core), and the TM4C123GXL (Cortex-M4F processor core). Our results
indicate that FWLR for Arm causes no significant runtime overhead or increase in firmware
binary size. For firmware binaries larger than 128 KiB, we estimate the security benefits of
FWLR for Arm to be comparable to the benefits of FWLR for ESP. In its current form, the
FWLR design provides limited benefits for small firmware binaries. The frequent occurrence
of such binaries on Arm MCUs suggests the need for further research to improve FWLR for
Arm on small binaries.