ARM Linux Embedded memory protection techniques


ARM Linux embedded memory protection techniques. Also refer to

Published in: Technology

  1. Memory Protection Features in ARM and Linux (Prabindh Sundareson)
  2. Contents
     • Security features in ARM HW
       – Memory Protection
     • Memory Protection Status in Software
       – Linux
       – Android
     • External security frameworks
  3. Memory Protection Features in ARM
     • Derived from Page Table entries, applicable to different types of pages
       – pages, sections …
     • Consists of Read-Only (RO), and Execute Never (XN)
     • This is available in ARMv6 and above systems, only with MMU enabled
     • Memory protection is a combination of HW, Kernel usage of HW features, and information embedded in userland applications by toolchain for region protection
  4. Execute Never (XN)
     • Part of First and Second Level Page Table Entries
     • A15 adds an extra entity - PXN (Privileged XN)
  5. Read Only (RO)
     • Part of AP and APX Data Access Permissions in Page Table entry
  6. ARM First Level Descriptor
  7. ARM Second Level Descriptor
  8. Linux handling of Page Tables
     • Linux standardises Page Table across architectures, independent of specific HW – x86, ARM or other
       – Linux bit encodings are different from that of ARM Page Table entries, but mapping is straightforward to an extent
  9. Native Linux – Memory Protection Status

     Note –
     1. All object files in an application have to be built with noexecstack, including assembly. Even if one file is not built with this, the entire application is built without XN for the stack
     2. Xorg, some media players in Linux are reported to have issues with XN in stack
     3. This status is as of Sep 2012

     | Region | Desired Mapping | x86 Linux Kernel | ARM Linux Kernel | User Applications | TI Confirmed |
     |---|---|---|---|---|---|
     | Kernel Code (.text) | RO | Yes (CONFIG_DEBUG_RODATA) | No | NA | - |
     | Kernel Read Only Data | RO | Yes (CONFIG_DEBUG_RODATA) | No | NA | - |
     | Kernel Stack | XN | Yes (CONFIG_DEBUG_RODATA) | No | NA | - |
     | User Stack | XN | NA | NA | Applications to be rebuilt with noexecstack (all .obj files, including assembly). gcc4.1x, glibc 2.5. noexecstack is default in gcc4.x toolchains | - |
     | IO Region (Device) | XN (MT_DEVICE) | Yes | Yes | NA | No |
     | relro (Read-Only relocations for shared libraries) | RO | NA | NA | Needs to be explicitly enabled in application build. Linker makes text read-only after correct relocation - gcc4.1x, glibc 2.5 | No |
     | Stack Layout Randomisation | randomisation | Yes | Yes | - | No |
     | String Vulnerability | String checks | NA | NA | format-security to be added to application builds explicitly | No |
  10. Other Security Techniques
     • Commonly used are - grsecurity, PaX
     • These are not in mainline Linux kernel including for ARM, and need to be applied separately
     • grsecurity provides kernel hardening features (e.g. devmem, ports)
     • PaX provides memory protection features (including XN emulation)
     • These also include patches for toolchains to ensure protection mapping
  11. Android Status
     • Starting from Android 2.3 onwards, Android adds
       – Address space layout (ASLR) randomisations
       – Support for XN
       – Other features described in (
  12. References
     • MT_DEVICE ioremap
     • GCC patch for GNU-STACK
     • Russell King on .text RO
     • Bypassing XN/ ASLR
     • Grsecurity Patchset for 3.x
     • Gentoo Hardened
     • Ubuntu Security
     • ROM filesystems and booting
     • Loadable Kernel Modules - introduction
  13. Linux Kernel References
     • ELF loading
       – arch/arm/kernel/elf.c, fs/binfmt_elf.c
     • Contains elf loading and protection settings based on elf information
     • Page Table operations
     • arch/arm/include/asm/pgtable-2level-types.h
     • arch/arm/include/asm/pgtable-2level-hwdef.h
     • arch/arm/include/asm/pgtable.h
     • arch/arm/mm/mmu.c
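
The noexecstack and relro build settings listed in the status table end up in the built ELF as PT_GNU_STACK and PT_GNU_RELRO program headers, which is the "elf information" the loader acts on. The following Python checker is an added example, not part of the original slides: it reads those headers from an ELF32 or ELF64 image, the sample images are constructed inline, and reporting a missing PT_GNU_STACK as an executable stack is an assumption made here as the conservative reading.

```python
import struct

PT_GNU_STACK = 0x6474E551  # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552  # region remapped read-only after relocation
PF_X = 0x1                 # execute bit in p_flags

def elf_protections(data: bytes) -> dict:
    """Report stack executability and RELRO from an ELF image's program headers."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    # Assumption: no PT_GNU_STACK header is reported as an executable stack.
    result = {"gnu_stack": False, "exec_stack": True, "relro": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # p_flags is at offset 4 in an ELF64 header, offset 24 in an ELF32 header
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            result["gnu_stack"] = True
            result["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result

def sample_elf32(phdrs):
    """Constructed input: minimal little-endian ELF32 ARM header + (type, flags) phdrs."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0, 52, 32,
                               len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)

# Constructed samples: PT_LOAD (type 1) is R+X; stack flags are RW (6) or RWX (7).
HARDENED = sample_elf32([(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
EXECSTACK = sample_elf32([(1, 5), (PT_GNU_STACK, 7)])
UNMARKED = sample_elf32([(1, 5)])

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("execstack", EXECSTACK), ("unmarked", UNMARKED)):
        print(name, elf_protections(img))
```

To check a real binary, pass the file's bytes to `elf_protections`; an `exec_stack` of `True` on an application means at least one object file needs rebuilding with noexecstack.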