TrustFlow-X

This article addresses the challenges of memory safety in life-critical medical devices. Over the past decade, healthcare manufacturers have embraced the Internet of Things, pushing technological innovation to increase market share. Medical devices, including the most critical ones, are increasingly connected to the Internet. Unfortunately, because critical devices often rely on memory-unsafe programming languages such as C, they are no exception to memory safety issues. Given a memory vulnerability, a skilled attacker can take over a system and achieve remote code execution. Because medical devices directly affect the safety of their users, such a vulnerability can lead to disastrous scenarios. To address this issue, this article presents TrustFlow-X, a novel hardware/software co-designed framework that provides efficient fine-grained control-flow integrity protection against memory-based attacks. The TrustFlow-X framework is composed of an LLVM-based compiler toolchain that generates secured code. This code is then executed on an extended RISC-V processor that keeps track of sensitive data using a trusted memory. The obtained results show that the contribution is practical, providing a high level of trust in life-critical embedded systems.
