In ARMv7-M, it support PMSAv7 (Protected Memory System Architecture), MPU support in ARMv7-M is optional, and for example, Cortex-M4 MPU can only set 8 region to protect, this increase the difficulty to used in program. This slide will explain how ARM Cortex-M MPU XN (eXecute Never) can do, and provide a memory attack demo to demo how can XN function in Cortex-M4.

1. 12/19/16 1
ARMv7-M
Memory Protection Unit
(MPU)
eXecution Never (XN) demo
Louie Lu
<me@louie.lu>

2. 12/19/16 2
BitSec Demo
Memory protection using MPU
Each MPU can set 8 region on
Cortex-M4
To achieve program isolation
And, can set the region to
eXecution Never (XN)

3. 12/19/16 3
BitSec Demo

4. 12/19/16 4
BitSec Demo
PC 0x08008000

5. 12/19/16 5
BitSec Demo
PC 0x08008000
If attacker put malicious code at
0x20004000, and set PC to
0x20004000

6. 12/19/16 6
BitSec Demo
Then, CPU will try to fetch
0x20004000 value as next instruction
PC 0x20004000

7. 12/19/16 7
BitSec Demo
Attack done.
PC 0x20004000

8. 12/19/16 8
BitSec Demo
But If we setting MPU region
and set region not to execute

9. 12/19/16 9
BitSec Demo
But If we setting MPU region
and set region not to execute
Base: 0x20004000, Size: 2 ** 12, Attr: 1000
Range: 0x20004000 ~ 0x20005000
MPU protect, XN is true
0x20004000
0x20005000

10. 12/19/16 10
BitSec Demo
When PC value been changed to 0x20004008
CPU try to fetch 0x20004008
as next instruction
MPU protect, XN is true
PC 0x20004008
0x20004000
0x20005000

11. 12/19/16 11
BitSec Demo
This invalid memory access will trigger MPU
then generate a
memory manage fault exception
MPU protect, XN is true
PC 0x20004008
0x20004000
0x20005000

12. 12/19/16 12
BitSec Demo
It will handle by
mem_manage_fault_handler
to avoid attack
MPU protect, XN is true
PC 0x0800605E
mem manage fault handler
0x20004000
0x20005000