Abstract
Deeply embedded devices powered by microcontrollers are widely deployed. To protect them from exploitation, many lightweight defense mechanisms, such as control flow integrity, have been proposed. However, these defenses cannot provide data integrity—a security property of particular interest in mission-critical tasks. Conversely, existing defenses that provide data integrity are too expensive to deploy in the resource-constrained context of deeply embedded devices. In this paper, we propose InvisiGuard, a hardware-assisted, low-overhead approach for data integrity. InvisiGuard leverages data watchpoints—a commonly available debug feature on microcontrollers—to automatically intercept write operations to critical variables. InvisiGuard then checks the legitimacy of the write instruction against an allowlist stored in a trusted execution environment (e.g., ARM TrustZone-M). By relying on the hardware to automatically intercept potentially dangerous instructions, InvisiGuard avoids heavy code instrumentation, as required by traditional solutions, making it suitable for resource-constrained microcontroller devices.
We have implemented InvisiGuard on an ARM Cortex-M based development board and evaluated it with seven real-world firmware samples. Our experiments show that InvisiGuard reduces the runtime overhead by 56.99% and memory overhead by 77.37% compared with the state of the art.
Original language | English |
---|---|
Pages (from-to) | 343-358 |
Number of pages | 16 |
Journal | IEEE Transactions on Dependable and Secure Computing |
Volume | 22 |
Issue number | 1 |
Early online date | 9 May 2024 |
DOIs | |
Publication status | E-pub ahead of print - 9 May 2024 |