ARM Linux Embedded memory protection techniques
Download as PPT, PDF5 likes5,650 views
The document discusses memory protection features in ARM and Linux, detailing hardware and software security mechanisms. It emphasizes the importance of toolchain integration and proper application building to enable features like execute never (XN) and read-only (RO) protections, while also addressing the Linux handling of page tables and status of security implementations. Additionally, it highlights the role of external security frameworks and mentions the status of memory protection in Android from version 2.3 onwards.
ARM Linux Embedded memory protection techniques
- 1. Prabindh Sundareson Memory Protection Features in ARM and Linux
- 2. Contents • Security features in ARM HW – Memory Protection • Memory Protection Status in Software – Linux – Android • External security frameworks
- 3. Memory Protection Features in ARM • Derived from Page Table entries, applicable to different types of pages – pages, sections … • Consists of Read-Only (RO), and Execute Never (XN) • This is available in ARMv6 and above systems, only with MMU enabled • Memory protection is a combination of HW, Kernel usage of HW features, and information embedded in userland applications by toolchain for region protection
- 4. Execute Never (XN) • Part of First and Second Level Page Table Entries • A15 adds an extra entity - PXN (Privileged XN)
- 5. Read Only (RO) • Part of AP and APX Data Access Permissions in Page Table entry
- 6. ARM First Level Descriptor
- 7. ARM Second Level Descriptor
- 8. Linux handling of Page Tables • Linux standardises Page Table across architectures, independent of specific HW – x86, ARM or other – Linux bit encodings are different from that of ARM Page Table entries, but mapping is straightforward to an extent
- 9. Native Linux – Memory Protection Status Note – 1. All object files in an application have to be built with noexecstack, including assembly. Even if one file is not built with this, the entire application is built without XN for the stack 2. Xorg, some media players in Linux are reported to have issues with XN in stack 3. This status is as of Sep 2012 Desired Mapping x86 Linux Kernel ARM Linux Kernel User Applications TI Confirmed Kernel Code (.text) RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Read Only Data RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Stack XN Yes (CONFIG_DEBUG_RODATA) No NA - User Stack XN NA NA Applications to be rebuilt with noexecstack (all .obj files, including assembly) gcc4.1x, glibc 2.5. noexecstack is default in gcc4.x toolchains - IO Region (Device) XN (MT_DEVICE) Yes Yes NA No relro (Read-Only relocations for shared libraries) RO NA NA Needs to be explicitly enabled in application build. Linker makes text read-only after correct relocation - gcc4.1x, glibc 2.5 No Stack Layout Randomisation randomisation Yes Yes - No String Vulnerability String checks NA NA format-security to be added to application builds explicitly No
- 10. Other Security Techniques • Commonly used are - grsecurity, PaX • These are not in mainline Linux kernel including for ARM, and need to be applied separately • grsecurity provides kernel hardening features (ex devmem, ports) • PaX provides memory protection features (including XN emulation) • These also include patches for toolchains to ensure protection mapping
- 11. Android Status • Starting from Android 2.3 onwards, Android adds – Address space layout (ASLR) randomisations – Support for XN – Other features described in (http://source.android.com/tech/security/)
- 12. References • MT_DEVICE ioremap – http://lkml.indiana.edu/hypermail/linux/kernel/1108.2/02745.html • GCC patch for GNU-STACK – https://android.googlesource.com/toolchain/gcc/+/f68bf0c483879d30c4d97b9eaf8f9eb558ea1c45%5E1..f68bf0c483879d30c4d97b9eaf8f9e • Russell King on .text RO – http://www.spinics.net/lists/arm-kernel/msg120951.html • Bypassing XN/ ASLR – http://www.phrack.org/issues.html?issue=58&id=4#article • Grsecurity Patchset for 3.x – http://mirrors.muarf.org/grsecurity/stable/grsecurity-2.9-3.2.18-201206011935.patch.gz • Gentoo Hardened – http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml • Ubuntu Security – https://wiki.ubuntu.com/Security • ROM filesystems and booting – http://elinux.org/images/b/b1/Filesystems-for-embedded-linux.pdf – http://lugatgt.org/content/booting.inittools/downloads/presentation.pdf – http://processors.wiki.ti.com/index.php/Creating_a_Root_File_System_for_Linux_on_OMAP35x#Configure_the_Linux_Kernel_f or_RAMDISK_support • Loadable Kernel Modules - introduction – http://www.ibm.com/developerworks/linux/library/l-lkm
- 13. Linux Kernel References • ELF loading – arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c, fs/binfmt_elf.c • Contains elf loading and protection settings based on elf information • Page Table operations • archarmincludeasmpgtable-2level-types.h • archarmincludeasmpgtable-2level-hwdef.h • archarmincludeasmpgtable.h • archarmmmmmu.c