μIPS: Software-Based Intrusion Prevention for Bare-Metal Embedded Systems
2024; Springer Science+Business Media; Language: English
10.1007/978-3-031-51482-1_16
ISSN 1611-3349
Authors: Luca Degani, Majid Salehi, Fabio Martinelli, Bruno Crispo
Topic(s): Cloud Data Security Solutions
Abstract: Many embedded systems are low-cost bare-metal systems where the firmware executes directly on hardware without an OS. Bare-metal systems typically lack many security primitives, including the well-known Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), and their integrity can be compromised using a single vulnerability. Proposed defenses have not yet been deployed due to their requirements for firmware source code availability or hardware modifications. We present μIPS, the first Intrusion Prevention System (IPS) for bare-metal systems that requires no modification to the hardware and can be applied to stripped binaries without access to the source code. μIPS enforces fine-grained control-flow protection targeting both forward and backward edges. To achieve that, μIPS introduces a novel Trusted Execution Environment (TEE) to provide memory isolation at runtime while handling the hardware limitations of bare-metal systems. μIPS also provides a Remote Integrity Check (RIC) mechanism to validate the integrity of control-flow protection policies and the TEE code, and a secure Over-The-Air (OTA) update mechanism to deploy the updated policies. We evaluate μIPS against ten real-world representative firmware. μIPS imposes a 31% execution overhead on average on binary-instrumented firmware. μIPS reduces exposure to Return-Oriented Programming (ROP) attacks by 99%.