Fast Execute-Only Memory for Embedded Systems

  title={Fast Execute-Only Memory for Embedded Systems},
  author={Zhuojia Shen and John Criswell},
  journal={2020 IEEE Secure Development (SecDev)},
Remote code disclosure attacks threaten embedded systems as they allow attackers to steal intellectual property or to find reusable code for use in control-flow hijacking attacks. Execute-only memory (XOM) prevents remote code disclosures, but existing XOM solutions either require a memory management unit that is not available on ARM embedded systems or incur significant overhead.We present PicoXOM: a fast and novel XOM system for ARMv7-M and ARMv8-M devices which leverages ARM’s Data… 

Figures and Tables from this paper

Aerogel: Lightweight Access Control Framework for WebAssembly-Based Bare-Metal IoT Devices
Aerogel is presented, an access control framework that addresses security gaps between the bare-metal IoT devices and the Wasm execution environment concerning access control for sensors, actuators, processor energy usage, and memory usage and treats the runtime as a multi-tenant environment, where each Wasm-based application is a tenant.


ExOShim: preventing memory disclosure using execute-only kernel code
ExOShim is described: a 325-line, lightweight “shim” layer, using Intel’s commodity virtualization features, that prevents memory disclosures by rendering all kernel code execute-only, and provides complete execute- only protection for kernel code at a runtime-performance overhead of only 0.86%.
µRAI: Securing Embedded Systems with Return Address Integrity
μRAI is presented, a compiler-based mitigation to prevent control-flow hijacking attacks targeting backward edges by enforcing the Return Address Integrity (RAI) property on MCUS, and evaluation shows that μRAI enforces its protection with negligible overhead.
Silhouette: Efficient Protected Shadow Stacks for Embedded Systems
Silhouette provides an incorruptible shadow stack for return addresses using special store instructions found on ARM processors, a compiler-based defense that efficiently guarantees the integrity of return addresses--significantly reducing the attack surface for control-flow hijacking.
NORAX: Enabling Execute-Only Memory for COTS Binaries on AArch64
The design and implementation of NORAX is presented, a practical system that retrofits XOM into stripped COTS binaries on AArch64 platforms and is designed to co-exist with other COTS binary hardening techniques, such as in-place randomization (IPR).
uXOM: Efficient eXecute-Only Memory on ARM Cortex-M
This paper proposes a novel technique, named uXOM, that realizes XOM in a way that is secure and highly optimized to work on Cortex-M, which is a prominent processor series used in low-end embedded devices.
Protecting Bare-Metal Embedded Systems with Privilege Overlays
This work applies a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode, which provides the foundation on which code-integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied.
Memory Safety for Embedded Devices with nesCheck
NesCheck is designed, an approach that combines static analysis and dynamic checking to automatically enforce memory safety on nesC programs without requiring source modifications, and extends the existing TinyOS compiler toolchain with LLVM-based passes.
IskiOS: Lightweight Defense Against Kernel-Level Code-Reuse Attacks
IskiOS is presented, a system that helps to thwart code reuse attacks by providing both execute-only memory and an efficient shadow stack for operating system kernels on the x86 processor and places no restrictions on virtual address space layout.
Control-Flow Integrity for Real-Time Embedded Systems
This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems, and provides techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection.
Architectural support for copy and tamper resistant software
The hardware implementation of a form of execute-only memory (XOM) that allows instructions stored in memory to be executed but not otherwise manipulated is studied, indicating that it is possible to create a normal multi-tasking machine where nearly all applications can be run in XOM mode.