RAM No Execute

From DDCIDeos

Description

This project is to enable Deos to boot and run without executing any code from RAM, i.e., to let a platform remove execute permission from RAM entirely and run every instruction from non-volatile memory.

The motivation for this is enhanced security, especially on smaller automotive processors, where it is possible to configure the RAM devices to inhibit "execute" access.

At this point in the project lifecycle, we're soliciting topics that must be addressed, and ideas for resolving them. Work on resolving the issues is not authorized.

Issues

Boot

On some platforms Boot copies code to RAM so that it sits in the "1-to-1" (identity-mapped) area. With RAM marked no-execute that copy can no longer run.

  • Architectures affected: TBD
  • Possible Mitigation:
    1. On PPC the TLB entries can be set up to map the boot image where it already resides, so this may not be a (serious?) issue there.

ftpserver

The FTP server's applet support downloads code into RAM and executes it there.

  • Architectures affected: all
  • Possible mitigation:
    1. Don't use the applet feature.

Kernel

Booting

The kernel copies a small portion of code into RAM to enable address translation (or to switch from the boot address translation regime to the SVAS).

  • Architectures affected: arm, ppc, x86
  • Possible Mitigation: TBD

Exception Vectors

The exception handlers are copied to RAM to be executed.

  • Architectures affected: arm, ppc
  • Possible Mitigation: TBD

PLT

Dynamically linked libraries call functions in other libraries through a Procedure Linkage Table (PLT). Some ISAs have no PC-relative load, and the industry's chosen solution there is to generate the PLT entries at run time: the loader writes a short instruction sequence into the PLT whose immediate fields hold the called function's address. Those entries are therefore code living in writable RAM, and they cannot execute once RAM is no-execute.

  • Architectures affected: ppc
  • Possible Mitigation:
    1. Use GCC's -fno-plt, which makes external calls load the target address from the GOT (data) instead of jumping through a PLT stub.
      • When this switch became available/functional for PPC is unclear. The patch for -fno-plt first appeared in Apr 2015. GCC 5.3 does not support the switch; GCC 7.2 does.
      • Requires recompilation of affected libraries.
      • Related: on 32-bit PowerPC the GNU toolchain's secure-PLT ABI (-msecure-plt) keeps the PLT as data words read by fixed stubs in .text, so no instructions are generated into RAM. Whether the Deos loader can consume that ABI is an open question.
    2. Link at fixed addresses.
      • Not sure this would resolve the issue.
    3. Change the kernel to support no-execute on a page by page basis.
    4. Perhaps add a section that could be mapped to a memory pool, and put the PLT in that section/pool.
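A check that applies to this whole project, and to the PLT case in particular, is to audit the linked image before it is loaded: every executable PT_LOAD segment must fall inside the non-volatile address window, and no segment may be both writable and executable (a run-time generated PLT shows up as exactly that). The script below is an added example written for this page, not Deos or DDC-I code. It parses only the ELF and program headers, so it handles ELF32/ELF64 in either byte order (PPC32 big-endian included); the RAM range and the segment layout of the sample image are assumed for illustration and are not a real Deos target.

```python
"""Audit an ELF image for code that would have to execute from RAM."""
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

# Hypothetical platform memory map for the example (not a real Deos target):
# a 64 MiB RAM window at address 0; everything above it is treated as flash.
RAM_RANGES = [(0x00000000, 0x04000000)]


def load_segments(data):
    """Yield (p_type, p_flags, p_vaddr, p_memsz) for every program header.
    Uses only the fixed ELF header layouts, so no section headers are needed."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf64 = data[4] == 2                # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA:  1 = little, 2 = big endian
    if elf64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if elf64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, _o, vaddr, _pa, _fsz, memsz, _al = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:       # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _o, vaddr, _pa, _fsz, memsz, p_flags, _al = struct.unpack_from(end + "IIIIIIII", data, off)
        yield p_type, p_flags, vaddr, memsz


def audit(data, ram_ranges=RAM_RANGES):
    """Return (vaddr, memsz, reason) findings for executable PT_LOAD segments
    that are writable (W^X violation) or that overlap a RAM range."""
    findings = []
    for p_type, flags, vaddr, memsz in load_segments(data):
        if p_type != PT_LOAD or memsz == 0 or not flags & PF_X:
            continue
        if flags & PF_W:
            findings.append((vaddr, memsz, "writable and executable (W^X violation)"))
        for lo, hi in ram_ranges:
            if vaddr < hi and vaddr + memsz > lo:
                findings.append((vaddr, memsz, "executable segment overlaps RAM 0x%08x-0x%08x" % (lo, hi)))
    return findings


def build_elf(segments, elf64=False, big_endian=True):
    """Constructed test image: ELF header plus PT_LOAD program headers only.
    segments is a list of (vaddr, memsz, flags); no section data is emitted."""
    end = ">" if big_endian else "<"
    ehsize, phentsize = (64, 56) if elf64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    if elf64:   # e_machine 21 = EM_PPC64
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", 2, 21, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(segments), 64, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIQQQQQQ", PT_LOAD, f, 0, va, va, 0, sz, 0x1000)
                         for va, sz, f in segments)
    else:       # e_machine 20 = EM_PPC
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, 20, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(segments), 40, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIIIIIII", PT_LOAD, 0, va, va, 0, sz, f, 0x1000)
                         for va, sz, f in segments)
    return hdr + phdrs


# Constructed sample image (assumed layout): kernel text in flash, data in RAM,
# and a run-time generated PLT that is read/write/execute in RAM.
EXAMPLE_IMAGE = build_elf([
    (0xFFF00000, 0x20000, PF_R | PF_X),        # .text in non-volatile memory: fine
    (0x00010000, 0x1000, PF_R | PF_W),         # .data/.bss in RAM: fine
    (0x00020000, 0x100, PF_R | PF_W | PF_X),   # generated PLT stubs: two findings
])

if __name__ == "__main__":
    for vaddr, memsz, reason in audit(EXAMPLE_IMAGE):
        print("0x%08x +0x%x: %s" % (vaddr, memsz, reason))
```

On a real build you would replace EXAMPLE_IMAGE with the bytes of the linked kernel or library and RAM_RANGES with the target's actual RAM map; an empty findings list is the condition this project needs for every image that goes on the device. Code that the kernel copies into RAM at run time (exception vectors, intrinsics, the boot trampoline) will not show up here, because the copy is not a segment of the image; those cases still need the per-item review above.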

Intrinsic Functions

Kernel copies intrinsic functions to RAM.

  • Architectures affected: ppc (so far but plan was to propagate to other architectures)
  • Possible Mitigation: TBD

Execute from RAM

The kernel has an "execute from RAM" feature, which would not be supported.

Debugging

When setting a software breakpoint, the kernel copies the code page to RAM so that it can patch the breakpoint instruction into it. That patched copy would then have to execute from RAM.

  • Architectures affected: arm, ppc, x86
  • Possible Mitigation:
    1. Enable execute from RAM during development only.
    2. Use hardware breakpoints, perhaps via a Lauterbach debugger, which do not modify the code.