Add optional support for executable space protections #13387
Conversation
Oops, didn't intend to request a review from so many people, sorry.
Not your fault, the CODEOWNERS file is responsible for that.
Looks good. Note to myself: need to document the use of MPU regions somewhere. Can you provide a test script that catches the panic (and a possible "I HAVE NOT CRASHED" which would be reached if the MPU did not work as intended)?
This is technically possible, though the latter will be difficult to do sanely since the code in the buffer on the stack would then need to return control gracefully back to the C code, jump to a specific C function or something like that. Also the former would require installing a custom memory management interrupt handler. Maybe that's an improvement which can later be made in a separate PR. Possibly with also updating the
Thing is, we don't merge test applications anymore which don't come with a test script.
Alright, converted the
Let's just get rid of the memset; it's cleaner without it anyhow.
Hm? Why was the label removed? The cppcheck warning has been fixed successfully. |
Until #13456 is merged all builds will fail now. |
The Makefiles have been copied from the mpu_stack_guard test.
From the ARMv7-M ARM section B3.5.3: Where there is an overlap between two regions, the register with the highest region number takes priority. We want to make sure the mpu_noexec_ram region has the lowest priority to allow the mpu_stack_guard region to overwrite the first N bytes of it. This change fixes using mpu_noexec_ram and mpu_stack_guard together.
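Added example (not code from this PR or from RIOT): a small C model of the ARMv7-M overlap rule quoted in the commit message above, resolving which region decides access to a given address and showing why mpu_noexec_ram must carry the lowest region number for mpu_stack_guard to stay effective. The struct, function names, region numbers, guard size and SRAM layout are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One ARMv7-M MPU region (assumed model for illustration, not RIOT's mpu.h). */
typedef struct {
    unsigned number;  /* MPU_RNR: on overlap the highest number wins (ARMv7-M ARM B3.5.3) */
    uintptr_t base;
    size_t size;      /* bytes; a power of two >= 32 on real hardware */
    bool xn;          /* eXecute-Never: instruction fetches from here fault */
    bool no_access;   /* AP = no access, as a stack guard region uses */
} mpu_region_t;
/* Index of the region deciding access to addr, or -1 if none covers it. */
int mpu_winning_region(const mpu_region_t *r, size_t n, uintptr_t addr)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (addr >= r[i].base && addr < r[i].base + r[i].size &&
            (best < 0 || r[i].number > r[best].number)) {
            best = (int)i;
        }
    }
    return best;
}

/* Instruction fetch permitted? Uncovered addresses fall back to the default map. */
bool mpu_exec_allowed(const mpu_region_t *r, size_t n, uintptr_t addr)
{
    int w = mpu_winning_region(r, n, addr);
    return w < 0 ? true : !(r[w].xn || r[w].no_access);
}

bool mpu_write_allowed(const mpu_region_t *r, size_t n, uintptr_t addr)
{
    int w = mpu_winning_region(r, n, addr);
    return w < 0 ? true : !r[w].no_access;
}
/* Constructed layout: 96 KiB SRAM at 0x20000000, a thread stack starting at
 * 0x20001000, guard of N = 32 bytes. Numbers are assumptions, not RIOT's. */
static const mpu_region_t layout_ok[] = {
    { 0, 0x20000000u, 96 * 1024, true,  false }, /* mpu_noexec_ram: all SRAM XN, RW */
    { 1, 0x20001000u, 32,        false, true  }, /* mpu_stack_guard: 32 B, no access */
};
/* Pre-fix ordering: noexec_ram numbered above the guard silently disables it. */
static const mpu_region_t layout_bad[] = {
    { 1, 0x20000000u, 96 * 1024, true,  false },
    { 0, 0x20001000u, 32,        false, true  },
};
#define LAYOUT_LEN(a) (sizeof(a) / sizeof((a)[0]))
```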
Rebased this against #13391. All tests pass on the CI now. Merge?
Since this adds a new test to CI, we should let CI run the test first 😉
Did you test this with / without the
run_test/examples/suit_update/nrf52dk:gnu keeps failing, but that's unrelated to this PR.
Nice addition, Murdock is happy too.
Yes, I did. See 59676a1
Contribution description
Executable space protections are a protection mechanism for operating system security which mitigate exploitation of buffer overflows. The exploit payload, used for exploiting buffer overflows, is often placed in the buffer itself. As an example, consider the exploit for sock_dns from #10739. Considering a stack-based buffer overflow, the attacker can simply overwrite the function return address with the address of the buffer, thereby causing the code contained in it to be executed. I've worked on techniques for preventing the overwrite of the function return address (#13119, #13175), but these can be circumvented. As such, conventional operating systems also mark the text and data segment non-executable to prevent attackers from placing exploit payloads there (executable space protections). Enforcing this efficiently requires a memory protection or memory management unit.
I noticed recently that RIOT already supports the Cortex-M4 MPU. Using this MPU on the nucleo-f401re I came up with an implementation of executable space protections for RIOT. The implementation is entirely optional and must be activated explicitly by using the mpu_noexec_ram pseudomodule. When activated, the entire SRAM section is marked as non-executable; reads and writes are still allowed.
Kudos to @pyropeter for helping out with this.
Testing procedure
The changes proposed here also include a test for this pseudomodule. The test is further described in tests/mpu_noexec_ram/README.md. The test successfully passed with BOARD=nucleo-f401re.
Issues/PRs references
Executable space protections can be circumvented through code-reuse attacks (e.g. return-to-libc or ROP in the general case). These attacks can be mitigated through address randomization techniques such as ASLR. While ASLR is not deemed employable on constrained devices, a different address randomization technique, often referred to as link time reordering, is. This technique has been implemented by myself for RIOT in #13176. I would highly recommend that this is merged as well, though this PR does not technically depend on it.