Post on 11-Feb-2022
M2MON: Building an MMIO-based Security Reference Monitor for Unmanned Vehicles
Arslan Khan†, Hyungsub Kim†, Byoungyoung Lee∗, Dongyan Xu†, Antonio Bianchi†, Dave (Jing) Tian†
†Purdue University ∗ Seoul National University
2
Gyro
MMIO
RTOS
ECU
TaskTask
Timer
Task
WiFi
CAN
SPI/I2C
Real-time operations exhibit deterministic patternsAll
communications go through MMIO
Task
Gyro
ECU
Timer
WiFi
CPS malicious activities may cause anomalies at MMIO level
Motivation
Physical Attacks
Cyber Attacks
3
Example of attack showing I/O anomaly
GPS Spoofing
Higher count of ephemeris message in case of spoofing.
4
More examples of attacks showing I/O anomalies
We are motivated to build an I/O Reference Monitor for CPS.
5
M2MON
M2MON is an MMIO-based
Security Reference Monitor
An untamperable, non-bypassable, always-invoked and evaluable module that controls all accesses to data objects or devices.
6
Middleware/RTOS
Drivers + ISR
Tasks
Libraries
Middleware
Drivers
App 0
App 1
Libraries
Middleware
Drivers
App 0
App 1
Libraries
Middleware
Drivers
App 0
App 1
Libraries
Unused
Privilege Mode
UnprivilegeMode
# Driver Device Interface:No well defined isolation
Design Challenges
Many real-time, low-power CPS have:• No privilege separation
(i.e., user space/kernel space)
• No MMU and Fewer Execution Modes
7
Dev 0
M2MON Microkernel SFI Sandbox(DFI + CFI)
M2MON Design
Tasks
Middleware/RTOS
Drivers + ISR
Libraries
Dev 1 Dev 2
UnprivilegeMode
Privilege Mode
Drivers
Unused
High Overhead
8
Interrupt
M2MON Design
Tasks
M2MON Microkernel
Middleware/RTOS
Drivers + ISR
Libraries
Dev 0 Dev 1 Dev 2
UnprivilegeMode
Privilege Mode
Drivers
ISR
# No Device-Driver Interface:MPU
SFI Sandbox(DFI + CFI)
❶ Non-Bypassable
❷ Tamper Proof
③ Evaluable
9
M2MON Applications
Instantiation of M2MON Microkernel
• To detect multiple types of attacks against drone• Kalman Filter• Access Pattern Filter
• Access Frequency • Access Chain• Access List
Task 1
EKF
Filter
Raw
Values
EKF
Fused Value
acl_reg 0xFE10002C
❶
⓶⓵
⓷❷
❸
Task 2 Task nTask 2
Scheduler Driver Lib
Devices/MMIO
10
• Platform• 3DR IRIS+ UAV platform• Ardupilot
• Evaluation• Performance Evaluation• Security Evaluation
Evaluation
11
Performance Evaluation
1
10
100
1000
rc_loop
throttle_loop
update_GPS
update_optical_flow
update_batt_com
pass
read_aux_switches
arm_motors_check
auto_trim
update_altitude
run_nav_updates
update_thr_average
three_hz_loop
compass_accumulate
barometer_accumulate
update_notify
one_hz_loop
ekf_check
landinggear_update
lost_vehicle_check
gcs_check_input
gcs_send_heartbeat
gcs_send_deferred
gcs_data_stream_send
update_mount
ten_hz_logging_loop
fifty_hz_logging_loop
full_rate_logging_loop
perf_update
read_receiver_rssi
rpm_update
frsky_telemetry_send
epm_update
CleanM2MONDeadline
Average overhead of 8.85%
12
Security Evaluation
Checked by M2MON microkernel
13
Configuration Register
Reload Register
Enable Timer Register
…
…tboot
I/OAccess
M2MON
sh> BLOC_registerRELOAD_REG
Case study (Timer Reload)
14
Limitations
• Complex Rules
0
200
400
600
800
0 64 65 69 74 79 84 89 94
0
50
100
150
200
0 64 65 69 74 79 84 89 940
20
40
60
80
0 64 65 69 74 79 84 89 94
update_batt_compass
rc_loopauto_trim
• Zero-day attacks
15
Conclusion
• CPS attacks against drones usually exhibit MMIO-level anomalies
• M2Mon: a reference monitor for MMIO anomaly detection• MMIO Microkernel• Multiple Applications of MMIO Microkernel• Reasonable overhead on real drone controller• Detect a wide range of attacks
Thank you! Questions?
khan253@purdue.edu
*This work was supported in part by ONR under GrantsN00014-20-1-2128 and N00014-17-1-204. This material is also based on research sponsored by DARPA under contract number N6600120C4031.