Through the Window: Exploitation and Countermeasures of the ESP32 Register Window Overflow-Reference-Cited by-同舟云学术

Through the Window: Exploitation and Countermeasures of the ESP32 Register Window Overflow

Published:2023-06-19 Issue:6 Volume:15 Page:217
ISSN:1999-5903
Container-title:Future Internet
language:en
Short-container-title:Future Internet

Author:

Lehniger Kai¹^ORCID,Langendörfer Peter¹²^ORCID

Affiliation:

1. IHP—Leibniz-Institut für Innovative Mikroelektronik, 15236 Frankfurt (Oder), Germany

2. BTU Cottbus-Senftenberg, 03046 Cottbus, Germany

Abstract

With the increasing popularity of IoT (Internet-of-Things) devices, their security becomes an increasingly important issue. Buffer overflow vulnerabilities have been known for decades, but are still relevant, especially for embedded devices where certain security measures cannot be implemented due to hardware restrictions or simply due to their impact on performance. Therefore, many buffer overflow detection mechanisms check for overflows only before critical data are used. All data that an attacker could use for his own purposes can be considered critical. It is, therefore, essential that all critical data are checked between writing a buffer and its usage. This paper presents a vulnerability of the ESP32 microcontroller, used in millions of IoT devices, that is based on a pointer that is not protected by classic buffer overflow detection mechanisms such as Stack Canaries or Shadow Stacks. This paper discusses the implications of vulnerability and presents mitigation techniques, including a patch, that fixes the vulnerability. The overhead of the patch is evaluated using simulation as well as an ESP32-WROVER-E development board. We showed that, in the simulation with 32 general-purpose registers, the overhead for the CoreMark benchmark ranges between 0.1% and 0.4%. On the ESP32, which uses an Xtensa LX6 core with 64 general-purpose registers, the overhead went down to below 0.01%. A worst-case scenario, modeled by a synthetic benchmark, showed overheads up to 9.68%.

Funder

Federal Ministry of Education and Research

Publisher

MDPI AG

Subject

Computer Networks and Communications

Link

https://www.mdpi.com/1999-5903/15/6/217/pdf

Reference33 articles.

1. Cadence Design Systems, Inc. (2019). Xtensa Instruction Set Architecture (ISA) Reference Manual, Cadence Design Systems, Inc.

2. Cadence Design Systems, Inc. (2018). Xtensa Microprocessor Programmer’s Guide, Cadence Design Systems, Inc.

3. Trost, A., Žemva, A., and Skavhaug, A. (2020, January 26–28). Challenges of Return-Oriented-Programming on the Xtensa Hardware Architecture. Proceedings of the Euromicro Conference on Digital System Design, Kranj, Slovenia.

4. Amatov, B., Lehniger, K., and Langendörfer, P. (2022, January 21–25). Return-Oriented Programming Gadget Catalog for the Xtensa Architecture. Proceedings of the 2022 IEEE International Conference on Pervasive Computing and Communications Workshops and Other Affiliated Events (PerCom Workshops), Pisa, Italy.

5. Shacham, H. (October, January 2). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA.