Upload File

armv7-m mpu (memory protection unit) xn example

12
12/19/16 1 ARMv7-M Memory Protection Unit (MPU) eXecution Never (XN) demo Louie Lu <[email protected]>

Upload: louie-lu

Post on 16-Apr-2017

144 views

Category:

Technology


1 download

Report

TRANSCRIPT

Page 1: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 1

ARMv7-MMemory Protection Unit

(MPU)eXecution Never (XN) demo

Louie Lu<[email protected]>

Page 2: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 2

BitSec Demo

Memory protection using MPUEach MPU can set 8 region onCortex-M4To achieve program isolationAnd, can set the region toeXecution Never (XN)

Page 3: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 3

BitSec Demo

Page 4: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 4

BitSec Demo

PC 0x08008000

Page 5: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 5

BitSec Demo

PC 0x08008000

If attacker put malicious code at0x20004000, and set PC to

0x20004000

Page 6: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 6

BitSec Demo

Then, CPU will try to fetch0x20004000 value as next instruction

PC 0x20004000

Page 7: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 7

BitSec Demo

Attack done.

PC 0x20004000

Page 8: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 8

BitSec Demo

But If we setting MPU region and set region not to execute

Page 9: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 9

BitSec Demo

But If we setting MPU region and set region not to execute

Base: 0x20004000, Size: 2 ** 12, Attr: 1000Range: 0x20004000 ~ 0x20005000

MPU protect, XN is true

0x20004000

0x20005000

Page 10: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 10

BitSec Demo

When PC value been changed to 0x20004008CPU try to fetch 0x20004008

as next instruction

MPU protect, XN is truePC 0x200040080x20004000

0x20005000

Page 11: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 11

BitSec Demo

This invalid memory access will trigger MPUthen generate a

memory manage fault exception

MPU protect, XN is truePC 0x200040080x20004000

0x20005000

Page 12: ARMv7-M MPU (Memory Protection Unit) XN example

12/19/16 12

BitSec Demo

It will handle bymem_manage_fault_handler

to avoid attack

MPU protect, XN is true

PC 0x0800605Emem manage fault handler

0x20004000

0x20005000


Material MPU

MPU-6000 and MPU-6050 Register Map and Descriptions … · MPU-6000/MPU-6050 Register Map and Descriptions Document Number: RM-MPU-6000A-00 Revision: 4.2 Release Date: 08/19/2013

ACOMPANHAMENTO MPU

ARMv7-M Architecture Reference Manualweb.eecs.umich.edu/.../eecs373-f11/readings/ARMv7-M_ARM.pdfA3.7 Memory access order ..... A3-111 A3.8 Caches and memory hierarchy ..... A3-120

resultado mpu

MPU-6000 and MPU-6050 Register Map and Descriptions Revision 4 - Lestat… · 2019-05-06 · MPU-6000/MPU-6050 Register Map and Descriptions Document Number: RM-MPU-6000A-00 Revision:

CodeWarrior for ARMv7 Targeting Manual · 2020. 10. 15. · CodeWarrior for ARMv7 Targeting Manual Freescale Semiconductor, Inc. Document Number: CW_ARMv7_Targeting_Manual Reference

MPU-6000 and MPU-6050 Product Specification Revision 3jkelec.co.kr/img/sensors/manual/mpu6050_gy521/mpu6050_ds.pdf · 2016. 8. 8. · MPU-6000/MPU-6050 Product Specification Document

Mpu presentation

Strengthening system security on the ARMv7 processor

MPU-6000 and MPU-6050 Register Map and Descriptions Revision 4 · MPU-6000/MPU-6050 Register Map and Descriptions Document Number: RM-MPU-6000A-00 Revision: 4.2 Release Date: 08/19/2013

Der Weg zur bestandenen MPU - mpu-konkret.dempu-konkret.de/.../uploads/mpu-konkret-de_MPU-Grundlagen_eBook.pdf · 3 Herzlich Willkommen! MPU KONKRET bietet Ihnen ein umfassendes Beratungsprogramm,

Logistica MPU

Design of CPU Simulation Software for ARMv7 Instruction

Extensions to the ARMv7-A Architecture

ARMv7-M Architecture Reference Manual · 2018-09-05 · ARM DDI 0403C_errata_v3. Non-Confidential, Unrestricted Access. ... ARMv7-M Architecture Reference Manual. ... Table A3-6 Effect

ARMv7-M Architecture Refrence Manual

uVisor Debugging Facility Improvements for ARM mbed · MPU in ARMv7-M • Set Memory regions – Min: 32 bytes / Max: 4GB • Set as XN –XN=Execute Never –cause MemManage Fault

Mpu Técnico

Mpu assignment

CodeWarrior for ARMv7 Targeting Manual - NXP · PDF file1.5.2 C/C++ Compiler ... Discusses how to use a target initialization file, ... CodeWarrior for ARMv7 Targeting Manual, Rev

Apostila MPU

MPU Legislação

redação MPU

NotedirilascioperDebian8(jessie),ARMv7(EABI hard-floatABI) · NotedirilascioperDebian8(jessie),ARMv7(EABI hard-floatABI) DebianDocumentationProject( 14giugno2020

Snapdragon SoC and ARMv7 Architecture

MPU - Informática

ARMv7-M Architecture Reference Manual

ARMv7-M Architecture Reference Manualweb.eecs.umich.edu/~prabal/teaching/eecs373-f10/readings/ARMv7-M... · This ARM Architecture Reference Manual is protected by copyright and the

MPU-6000 and MPU-6050 Product Specification …...MPU-6000/MPU-6050 Product Specification Document Number: PS-MPU-6000A-00 Revision: 3.1 Release Date: 10/24/2011 5 of 57 1 Revision

ARMv7-M Architecture Reference Manual - PJRC · PDF filecaused and regardless of the theory of liability, ... A7.1 Format of instruction descriptions ... ARMv7-M Architecture Reference

CodeWarrior for ARMv7 Tracing and Analysis User Guide€¦ · CodeWarrior for ARMv7 Tracing and Analysis User Guide, Rev. 10.0.8, 01/2016 Freescale Semiconductor, Inc. 3. ... •

Aumento MPU

The Microcomputer Catalyst - core.ac.uk · wheel"printers,offerletter-qualityoutput.But ... Itwould,however,be presumptuousandalmost MPU MPU IBM IBM. MPU MPU. GTE. THEMICROCOMPUTERCATALYST

A Trustworthy Monadic Formalization of the ARMv7