Harbor: Software-based Memory Protection For Sensor Nodes

Many sensor nodes contain resource-constrained microcontrollers where user-level applications, operating system components, and device drivers share a single address space with no form of hardware memory protection. A programming error in one application can easily corrupt the state of the operating system or of other applications. In this paper, we propose Harbor, a memory protection system that prevents many forms of memory corruption. We use software-based fault isolation ("sandboxing") to restrict application memory accesses and control flow to protection domains within the shared address space. A flexible and efficient memory map data structure records ownership and layout information for memory regions; every write is validated against the memory map. Control flow integrity is preserved by maintaining a safe stack that stores return addresses in a protected memory region, and run-time checks validate computed control flow instructions. Cross-domain calls perform low-overhead control transfers between domains. The checks are introduced by rewriting an application's compiled binary, and the sandboxed result is verified on the sensor node before it is admitted for execution, so Harbor's fault isolation properties depend only on the correctness of this verifier and of the Harbor runtime. We have implemented and tested Harbor on the SOS operating system. Harbor detected and prevented memory corruption caused by programming errors in application modules that had been in use for several months. Harbor's overhead, though high, is lower than that of application-specific virtual machines and is reasonable for typical sensor workloads.
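The three mechanisms the abstract names (a memory map consulted before every store, a safe stack for return addresses, and a validity check on computed control transfers) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Harbor's code, and the 4 KiB RAM size, 8-byte ownership granule, 4-bit domain ids packed two per byte, the safe-stack location, and the per-domain code ranges and entry points are all assumptions chosen for the example. Code addresses are treated as a separate (Harvard-style) space from the modelled data memory.

```c
/* Added illustrative model of SFI-style write and control-flow checks.
 * NOT Harbor's implementation: sizes, packing and the domain layout are
 * assumptions for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define RAM_SIZE    4096u                  /* assumed: 4 KiB data memory */
#define BLOCK_SIZE  8u                     /* assumed: 8-byte ownership granule */
#define NUM_BLOCKS  (RAM_SIZE / BLOCK_SIZE)
#define MAX_DOMAINS 8u                     /* ids 0..7 fit in the 4-bit entries */
#define DOM_KERNEL  0u                     /* domain 0 is the trusted runtime */

static uint8_t ram[RAM_SIZE];              /* modelled data memory */
static uint8_t memmap[NUM_BLOCKS / 2];     /* one 4-bit owner id per block, two per byte */

/* The safe stack lives inside a kernel-owned region of RAM, so a sandboxed
 * store can never reach it (the memory map check below rejects it). */
#define SAFE_STACK_BASE   0x0F00u
#define SAFE_STACK_DEPTH  16u
static uint8_t safe_sp;

/* Per-domain code range plus the entry points other domains may call. */
struct domain { uint16_t code_lo, code_hi; uint16_t entry[4]; uint8_t n_entry; };
static struct domain domains[MAX_DOMAINS];

static uint8_t owner_of(uint16_t addr) {
    uint16_t blk = addr / BLOCK_SIZE;
    uint8_t packed = memmap[blk >> 1];
    return (blk & 1) ? (uint8_t)(packed >> 4) : (uint8_t)(packed & 0x0Fu);
}

/* Record that [start, start+len) belongs to domain dom. */
void memmap_assign(uint16_t start, uint16_t len, uint8_t dom) {
    for (uint32_t a = start; a < (uint32_t)start + len; a += BLOCK_SIZE) {
        uint16_t blk = (uint16_t)(a / BLOCK_SIZE);
        uint8_t *p = &memmap[blk >> 1];
        if (blk & 1) *p = (uint8_t)((*p & 0x0Fu) | ((dom & 0x0Fu) << 4));
        else         *p = (uint8_t)((*p & 0xF0u) | (dom & 0x0Fu));
    }
}

/* Check inserted before every store in a sandboxed module: the write lands
 * only if the target block is owned by the writing domain. */
bool checked_store(uint8_t cur_dom, uint16_t addr, uint8_t val) {
    if (addr >= RAM_SIZE || owner_of(addr) != cur_dom) return false;
    ram[addr] = val;
    return true;
}

/* Call sequence: save the return address on the kernel-owned safe stack. */
bool safe_push_ret(uint16_t ret) {
    if (safe_sp >= SAFE_STACK_DEPTH) return false;
    uint16_t slot = (uint16_t)(SAFE_STACK_BASE + 2u * safe_sp++);
    ram[slot]     = (uint8_t)(ret & 0xFFu);
    ram[slot + 1] = (uint8_t)(ret >> 8);
    return true;
}

/* Return sequence: the target comes from the safe stack, never from the
 * unprotected data stack, so a stack smash in module data cannot redirect it. */
bool safe_pop_ret(uint16_t *ret) {
    if (safe_sp == 0) return false;
    uint16_t slot = (uint16_t)(SAFE_STACK_BASE + 2u * --safe_sp);
    *ret = (uint16_t)(ram[slot] | (ram[slot + 1] << 8));
    return true;
}

/* Check for computed jumps and calls: stay inside the caller's own code, or
 * enter another domain only through one of its exported entry points. */
bool check_computed_target(uint8_t cur_dom, uint16_t target, uint8_t *dest_dom) {
    const struct domain *d = &domains[cur_dom];
    if (target >= d->code_lo && target < d->code_hi) { *dest_dom = cur_dom; return true; }
    for (uint8_t i = 0; i < MAX_DOMAINS; i++) {
        if (i == cur_dom) continue;
        for (uint8_t k = 0; k < domains[i].n_entry; k++)
            if (domains[i].entry[k] == target) { *dest_dom = i; return true; }
    }
    return false;
}

/* Constructed layout: runtime owns all RAM by default (including the safe
 * stack), module 1 owns 0x0100-0x02FF, module 2 owns 0x0300-0x04FF. */
void setup_example(void) {
    memset(ram, 0, sizeof ram); memset(memmap, 0, sizeof memmap); safe_sp = 0;
    memmap_assign(0x0000, RAM_SIZE, DOM_KERNEL);
    memmap_assign(0x0100, 0x0200, 1);
    memmap_assign(0x0300, 0x0200, 2);
    domains[1] = (struct domain){ .code_lo = 0x1000, .code_hi = 0x1800,
                                  .entry = { 0x1000, 0x1040 }, .n_entry = 2 };
    domains[2] = (struct domain){ .code_lo = 0x2000, .code_hi = 0x2400,
                                  .entry = { 0x2000 }, .n_entry = 1 };
}

int main(void) {
    setup_example();
    printf("module 1 -> own data   : %d\n", checked_store(1, 0x0150, 0xAA));
    printf("module 1 -> module 2   : %d\n", checked_store(1, 0x0350, 0xAA));
    printf("module 1 -> safe stack : %d\n", checked_store(1, 0x0F04, 0xAA));
    return 0;
}
```

Every write a module makes costs one memory map lookup (a shift, a load, a mask), which is the kind of per-store overhead the abstract refers to; the verifier's job on the node is then to confirm that the rewritten binary contains no store or computed jump that bypasses these sequences.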
