# uXOM: Efficient eXecute-Only Memory on Cortex-M

**Donghyun Kwon<sup>1,4</sup>**, Jangseop Shin<sup>1</sup>, Giyeol Kim<sup>1</sup>, Byoungyoung Lee<sup>1,2</sup>, Yeongpil Cho<sup>3</sup>, Yunheung Paek<sup>1</sup>

<sup>1</sup>Seoul National University, <sup>2</sup>Purdue University, <sup>3</sup>Soongsil University, <sup>4</sup>Electronics and Telecommunications Research Institute





### eXecute-Only Memory (XOM)

- A memory which has only a execute permission
  - No read and write permission
- Purpose
  - Protect intellectual properties (IPs)
  - Prohibit obtaining CRA(Code Reuse Attack) gadgets at runtime
    - [Stephen et al. S&P'15]
- High-end CPU architectures support XOM
  - X86 EPT, MPK
  - AArch64 MMU

#### **Motivation**

- ARMv7-M architecture
  - Used in Cortex-M3/4/7 processors
    - prominent processor in embedded systems
  - No MMU
  - No execute-only permission in MPU (Memory Protection Unit)
    - Available permissions: NA, RO, RX, RW, RWX
- We propose uXOM
  - New software technique to implement XOM on Cortex-M processors.

### **Threat model & Assumption**

- Consider software attacks at runtime
  - Assume that target firmware has memory vulnerabilities.
  - Attacker can perform arbitrary memory read and write
  - Attacker can subvert control-flow
    - Manipulate function pointer or return address
- Not consider offline attacks on firmware
- Not consider hardware attacks
  - Bus probing, memory tampering, etc.
- Any software components of the firmware are not trusted
  - include the exception handlers
- All software components are executed in privileged mode
  - [Abraham el al. S&P'17], [Chung Hwan et al. NDSS'18]

#### **Basic Design**



#### **Basic Design**



#### **Basic Design**



- C1. Unconvertible memory instructions
  - Exclusive memory instructions (LDREX, STREX)
  - PPB access memory instructions

| 0x0       | Code (P:RX, U:NA)                                |            |  |  |
|-----------|--------------------------------------------------|------------|--|--|
|           | <pre>/* unconverted memory instructions */</pre> |            |  |  |
|           | LDR r0, [r1]<br>STR r2, [r3]                     | <b>C</b> 1 |  |  |
|           |                                                  |            |  |  |
|           | Data (P:RW, U:RW)<br>PPB (P:RW, U:RW)            |            |  |  |
| 0xFFFFFFF |                                                  |            |  |  |

- C1. Unconvertible memory instructions
  - Exclusive memory instructions (LDREX, STREX)
  - PPB access memory instructions
- C2. Malicious indirect branches
  - Jump to unconverted memory instructions
    - By manipulating target address register
- C3. Malicious exception returns
  - Return to unconverted memory instructions
    - By manipulating exception context (PC) in the stack



- C1. Unconvertible memory instructions
  - Exclusive memory instructions (LDREX, STREX)
  - PPB access memory instructions
- C2. Malicious indirect branches
  - Jump to unconverted memory instructions
    - By manipulating target address register
- C3. Malicious exception returns
  - Return to unconverted memory instructions
    - By manipulating exception context (PC) in the stack
- C4. Malicious data manipulation



- C1. Unconvertible memory instructions
  - Exclusive memory instructions (LDREX, STREX)
  - PPB access memory instructions
- C2. Malicious indirect branches
  - Jump to unconverted memory instructions
    - By manipulating target address register
- C3. Malicious exception returns
  - Return to unconverted memory instructions
    - By manipulating exception context (PC) in the stack
- C4. Malicious data manipulation
- C5. Unintended instructions
  - Unaligned execution
  - Execution of embedded data in the code memory



- Finding Unconvertible Memory Instructions → C1
  - Exclusive Memory Instructions
    - Identified by opcode in the instruction encoding
  - PPB access instructions
    - Check if the accessed memory address is belonging to PPB region
    - Intra-procedure analysis

- Atomic Verification Technique → C4
  - Add the verification routine before the unconverted instruction
  - Disable exception during the instruction sequence
    - Protection against an attacker generates an exception after the verification code



- Atomic Verification Technique (cont'd) → C2, C3
  - 1) Use a dedicated register as memory address register of unconverted instructions
  - 2) Enforce following two invariant properties
    - IP1) When atomic instruction seq. is executed, the dedicated register holds sensitive address
    - IP2) When atomic instruction seq. is not executed, the dedicated register holds non-harmful value
  - − → instrumentation for IP2 requires tremendous overhead
  - →The dedicated register cannot be used in the code except for the atomic verification sequences
- Drawback
  - − Increase register spills → Performance Drop

- Atomic Verification Technique (cont'd) → C2, C3
  - 1) Use a **SP** register as memory address register of unconverted instructions
  - 2) Enforce following two invariant properties
    - IP1) When atomic instruction seq. is executed, **SP** register holds sensitive address
    - IP2) When atomic instruction seq. is not executed, **SP** register points non-harmful value
  - − → instrumentation for IP2 could be implemented in a efficient way
  - $\rightarrow$  SP register can be used in the code including the atomic verification sequences

Atomic Verification Technique (cont'd)

| 1:  | update_register: | 1:  | update_register:            |                                                       |
|-----|------------------|-----|-----------------------------|-------------------------------------------------------|
| 2:  |                  | 2:  | cpsid i                     | // disable interrupt                                  |
| 3:  |                  | 3:  | mov r10, sp                 | // backup the value of sp                             |
| 4:  |                  | 4:  |                             |                                                       |
| 5:  |                  | 5:  | mov sp, r0                  | <pre>// set sp to a target address (IP1)</pre>        |
| 6:  |                  | 6:  | [verification routine]      | <pre>// verify the subsequent unconverted inst.</pre> |
| 7:  | str r1, [r0]     | 7:  | str r1, [ <mark>sp</mark> ] | <pre>// perform an unconverted inst.</pre>            |
| 8:  |                  | 8:  |                             |                                                       |
| 9:  |                  | 9:  | mov sp, r10                 | <pre>// restore the value of sp</pre>                 |
| 10: |                  | 10: | [check sp]                  | <pre>// check the value of sp (IP2)</pre>             |
| 11: |                  | 11: | cpsie i                     | <pre>// enable interrupt</pre>                        |
| 12: |                  | 12: |                             |                                                       |

- Handling Unintended Instructions → C5
  - Replace the exploitable instruction with safe instruction sequence
    - Serves the same functionality
  - Use static binary analysis to find out all exploitable instructions.



- Implementation
  - Code Instrumentation: LLVM 5.0
  - Binary analysis: Radare2
- Experiment setup
  - Arduino-due
    - Cortex-M3 processor
  - RIOT-OS
  - BEEBS benchmark suite









#### Conclusion

- Software technique to implement execute-only memory on Cortex-M processors
  - MPU, unprivileged memory instructions
- Strong threat model
  - Assuming attacker is able to read/modify the memory and subvert control-flow
  - Do not assume any software TCB in the system
- Evaluation
  - Better than SFI-based XOM in terms of performance and security
  - uXOM is compatible with existing XOM-based solutions (Key protection, CRA defense)

Thank you for listening

**Q & A**