Embedded bare computer system safety isolation system based on operation
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an embedded bare metal system security isolation system based on operation.
Background
In recent years, the number of embedded devices has increased, and attacks against them have also emerged. The embedded bare metal system, as a subclass of embedded devices, lacks some hardware security features, such as MMU, and has limited hardware resources, so that it is difficult to deploy security protection mechanisms, such as privilege isolation, address randomization, etc., widely used in desktop systems. And the program running on the embedded bare metal system has system function and application logic at the same time, and is not subjected to security isolation. An attacker can control the whole system by utilizing one vulnerability.
The existing security isolation method of the embedded bare metal system has the problem of over-authority. The super-authority problem is divided into super-authority when the isolation domain is divided and super-authority when the program runs. Because global variables are shared among the isolation domains and the number of MPU (micro processing Unit) areas is limited, the current safety isolation method can combine the shared variables accessed by each isolation domain, so that a certain isolation domain can access the global variables of other isolation domains, and the problem of over-authority during isolation domain division is caused; because the current isolation domain segmentation is modular division with code as a center, the execution flow of a program is not considered, for example, a function in a file is formed into an isolation domain, so that a system can span a plurality of isolation domains when executing a task, but all resources in the isolation domain are not used by the task, and the run-time over-permission is caused.
The super-authority problem reduces the effectiveness of the existing embedded bare computer system security isolation method, and an attacker is easy to bypass isolation.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an operation-based embedded bare metal system security isolation system, which solves the problem of over-authority during isolation domain cutting and alleviates the problem of over-authority during program operation. The specific technical scheme is as follows:
an operation-based embedded bare metal system security isolation system, the system comprising a compiler module and a reference monitor module;
the compiler module is used for generating an application program function call graph, sequentially performing function resource dependence analysis, constructing a resource list to be accessed by each operation, generating a configuration file of an MPU (micro processing unit) according to the resource list, inserting an environment initialization code before a program main function, and inserting an operation switching code before and after an operation entry function call point; skipping to the reference monitor module by operating the switching code;
the reference monitor module is used for initializing a program, switching operation and realizing system calling in the running process of the program; the initialization comprises the steps of initializing shared variables of each operation, activating an exception handling function used by a reference monitor, setting resources required by default operation, jumping to an application program in a non-privileged mode and executing, and switching a microprocessor to the non-privileged mode; the operation switching is specifically to store a stack pointer of a previous operation and a shared global variable written back to the previous operation, read the shared global variable of the current operation, calculate a new stack pointer, copy operation entry function parameters, switch MPU configuration, and finally execute an operation entry function; the system call allows non-privileged application code to access registers on the privileged private peripheral bus.
Further, the compiler module uses a static program analysis technology to construct a program function call graph and analyzes to obtain a resource list to be accessed by each function, wherein the resource includes a global variable, an address of an external device and a register on a private peripheral bus.
Further, the compiler module obtains a function included in each operation according to an operation entry function list input by a user, and constructs a resource list to be accessed by each operation for the function.
Further, the compiler module generates a dedicated data area for each operation, which includes the exclusive global variable and a copy of the shared global variable of the operation.
Further, the reference monitor module operates in a privileged mode and the application operates in a non-privileged mode.
Further, the reference monitor module allows each operation to read and write 4 peripheral addresses.
Further, when the shared global variable of the current operation is written back, the reference monitor module performs validity check on the value of the variable.
Further, the reference monitor module implements a system call based on a bus error handling function; when the non-privileged application program code accesses the register on the privileged private bus, a bus error is triggered, a bus error processing function is automatically executed, and the function acquires the address of the register on the private peripheral bus accessed by the application program and checks whether the address is allowed or not; when legal, reading or writing the address of the register; otherwise, reporting an error.
Further, when switching operation, the reference monitor module sets the stack of the previous operation as read-only, and copies the content of the entry function parameter of the current operation to the top of the stack of the current operation.
An embedded bare metal system security isolation method based on operation, when cutting operation, executes the following steps:
(1) generating a function call graph according to the program source code;
(2) analyzing the resources which can be accessed by each function, including global variables and peripherals, and registers on a private peripheral bus;
(3) finding out a function which can be executed by each operation according to the operation entry function list, merging the resources accessed by the functions to obtain the resource which needs to be accessed by each operation, and generating a resource list; generating an MPU configuration file of each operation according to the resource list;
(4) writing the MPU configuration file of each operation into a read-only area of the reinforced program image, performing instrumentation on the program, inserting an initialization code before a main function, inserting an operation switching code before and after the execution of an entry function of each operation, and compiling the codes together with the codes of the reference monitor module to generate the reinforced program image;
when the program runs, the following steps are executed:
(1) environment initialization is performed first:
(1.1) initializing a shared variable of each operation;
(1.2) activating an exception handling function used by the reference monitor;
(1.3) setting resources required for default operation;
(1.4) reducing the authority level of the microcontroller, and jumping to the application program execution of the non-privileged mode;
(2) and operation switching is carried out in the program running process:
(2.1) firstly saving a stack pointer of the previous operation, and writing back the value of the global variable copy shared by the previous operation;
(2.2) writing the value of the shared global variable of the current operation into its copy;
(2.3) calculating a new stack pointer;
(2.4) switching the MPU configuration and executing the operation entry function;
(3) accessing a register on a private peripheral bus;
(3.1) acquiring the address of the register on the accessed private peripheral bus;
(3.2) checking whether the address is legal, and reading or writing the register when the address is legal; otherwise, reporting an error.
The invention has the following beneficial effects:
the present invention uses MPU hardware features already present on the ARMv7-M architecture to limit the resources that can be accessed per operation. Based on the existing hardware, the method realizes high-efficiency privilege isolation and fine-grained resource isolation, can be applied to an embedded bare metal system, improves the safety, and has small influence on the system performance.
Drawings
FIG. 1 is a schematic diagram of an operation-based embedded bare metal system security isolation system of the present invention;
FIG. 2 is a diagram of the shared global variable synchronization of the operation-based embedded bare metal system security isolation system of the present invention;
figure 3 is a schematic diagram of a security-hardened program image generated by the operation-based embedded bare metal system security isolation system of the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings and preferred embodiments, and the objects and effects of the present invention will become more apparent, it being understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit the present invention.
As shown in FIG. 1, the operation-based embedded bare metal system security isolation system of the invention comprises a compiler module and a reference monitor module.
And the compiler module is used for generating an application program function call graph by using a static program analysis technology, sequentially performing function resource dependence analysis, constructing a resource list to be accessed by each operation, generating a configuration file of the MPU and performing program instrumentation. The resources include global variables, addresses of external devices, and registers on the private peripheral bus.
The method comprises the following specific steps:
(1) and generating a function call graph according to the program source code.
(2) The resources that each function can access, including global variables and peripherals, and registers on the private peripheral bus are analyzed.
(3) Finding out a function which can be executed by each operation according to an operation entry function list input by a user, merging resources accessed by the functions to obtain resources to be accessed by each operation, and generating a resource list; and generating an MPU configuration file and an operation exclusive data area of each operation according to the resource list, wherein the MPU configuration file and the operation exclusive data area comprise an exclusive global variable and a copy of a shared global variable of the operation. And a special data area is allocated to each operation, so that the super-authority in isolation domain cutting can be avoided.
(4) Writing the MPU configuration file of each operation into a read-only area of the reinforced program image, generating an exclusive data area of each operation, performing instrumentation on the program, inserting an initialization code before a main function, inserting operation switching codes before and after an entry function calling point of each operation, compiling the codes together with the codes of the reference monitor module, and generating the reinforced program image. Jump to the reference monitor module by operating the switching code.
And the reference monitor module is used for initializing the program, switching the operation in the running process of the program and realizing system call. The reference monitor module operates in a privileged mode and the application operates in a non-privileged mode.
The reference monitor module specifically includes the following functions:
(1) and environment initialization, including initializing shared variables of each operation, activating an exception handling function used by the reference monitor, setting resources required by default operation, jumping to the application program execution of the non-privileged mode, and switching the microprocessor to the non-privileged mode.
(2) And (5) switching the operation. When the operation is switched, firstly saving a stack pointer of the previous operation and writing back a shared global variable of the previous operation; reading the value of the shared global variable of the current operation into the exclusive data area of the current operation; then calculating a new stack pointer, and copying an operation entry function parameter; and switching the MPU configuration, and finally executing the operation entry function. When the reference monitor module switches operation, the stack of the previous operation is set to be read only, and the content of the current operation entry function parameter is copied to the stack top of the current operation.
The write back and read of global variables are shown in figure 2. The protection of the application stack is shown in figure 3.
(3) And (5) calling a system. The reference monitor module rewrites the bus error handling function to implement the system call. When the non-privileged application code accesses a register on the privileged private bus, a bus error is triggered, a bus error handling function is executed that obtains the address of the register on the private peripheral bus accessed by the application and checks whether it is allowed. When the address is legal, the address of the register is read or written, otherwise, an error is reported.
The reference monitor module allows up to 4 peripheral addresses to be read and written per operation. The safety isolation system takes ARM Cortex-M3/4 as a development basis, and the MPU of the safety isolation system can set the read, write and execution authorities of at most 8 memory areas; while approximately 75% of the operations access the peripheral less than or equal to 4, as measured. Thus, in order to save configurable memory area for the MPU, setting the reference monitor module allows up to 4 peripheral addresses to be read and written per operation.
When the shared global variable of the current operation is written back, the reference monitor module can check the validity of the value of the variable, so that the difficulty of an attacker in starting data stream attack can be improved.
The operation-based embedded bare computer system security isolation method of the invention executes the following steps when the operation is cut:
(1) generating a function call graph according to the program source code;
(2) analyzing the resources which can be accessed by each function, including global variables and peripherals, and registers on a private peripheral bus;
(3) finding out a function which can be executed by each operation according to the operation entry function list, merging the resources accessed by the functions to obtain the resource which needs to be accessed by each operation, and generating a resource list; generating an MPU configuration file of each operation according to the resource list;
(4) writing the MPU configuration file of each operation into a read-only area of the reinforced program image, performing instrumentation on the program, inserting an initialization code before a main function, inserting an operation switching code before and after the execution of an entry function of each operation, and compiling the codes together with the codes of the reference monitor module to generate the reinforced program image;
when the program runs, the following steps are executed:
(1) environment initialization is performed first:
(1.1) initializing a shared variable of each operation;
(1.2) activating an exception handling function used by the reference monitor;
(1.3) setting resources required for default operation;
(1.4) reducing the authority level of the microcontroller, and jumping to the application program execution of the non-privileged mode;
(2) and operation switching is carried out in the program running process:
(2.1) firstly saving a stack pointer of the previous operation, and writing back the value of the global variable copy shared by the previous operation;
(2.2) writing the value of the shared global variable of the current operation into its copy;
(2.3) calculating a new stack pointer;
(2.4) switching the MPU configuration and executing the operation entry function;
(3) accessing a register on a private peripheral bus;
(3.1) acquiring the address of the register on the accessed private peripheral bus;
(3.2) checking whether the address is legal, and reading or writing the register when the address is legal; otherwise, reporting an error.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and although the invention has been described in detail with reference to the foregoing examples, it will be apparent to those skilled in the art that various changes in the form and details of the embodiments may be made and equivalents may be substituted for elements thereof. All modifications, equivalents and the like which come within the spirit and principle of the invention are intended to be included within the scope of the invention.