m2mon: building an mmio-based security reference monitor

M2MON: Building an MMIO-based Security Reference Monitor for Unmanned Vehicles

Arslan Khan†, Hyungsub Kim†, Byoungyoung Lee∗, Dongyan Xu†, Antonio Bianchi†, Dave (Jing) Tian†

†Purdue University ∗ Seoul National University

2

Gyro

MMIO

RTOS

ECU

TaskTask

Timer

Task

WiFi

CAN

SPI/I2C

Real-time operations exhibit deterministic patternsAll

communications go through MMIO

Task

Gyro

ECU

Timer

WiFi

CPS malicious activities may cause anomalies at MMIO level

Motivation

Physical Attacks

Cyber Attacks

3

Example of attack showing I/O anomaly

GPS Spoofing

Higher count of ephemeris message in case of spoofing.

4

More examples of attacks showing I/O anomalies

We are motivated to build an I/O Reference Monitor for CPS.

5

M2MON

M2MON is an MMIO-based

Security Reference Monitor

An untamperable, non-bypassable, always-invoked and evaluable module that controls all accesses to data objects or devices.

6

Middleware/RTOS

Drivers + ISR

Tasks

Libraries

Middleware

Drivers

App 0

App 1

Libraries

Middleware

Drivers

App 0

App 1

Libraries

Middleware

Drivers

App 0

App 1

Libraries

Unused

Privilege Mode

UnprivilegeMode

# Driver Device Interface:No well defined isolation

Design Challenges

Many real-time, low-power CPS have:• No privilege separation

(i.e., user space/kernel space)

• No MMU and Fewer Execution Modes

7

Dev 0

M2MON Microkernel SFI Sandbox(DFI + CFI)

M2MON Design

Tasks

Middleware/RTOS

Drivers + ISR

Libraries

Dev 1 Dev 2

UnprivilegeMode

Privilege Mode

Drivers

Unused

High Overhead

8

Interrupt

M2MON Design

Tasks

M2MON Microkernel

Middleware/RTOS

Drivers + ISR

Libraries

Dev 0 Dev 1 Dev 2

UnprivilegeMode

Privilege Mode

Drivers

ISR

# No Device-Driver Interface:MPU

SFI Sandbox(DFI + CFI)

❶ Non-Bypassable

❷ Tamper Proof

③ Evaluable

9

M2MON Applications

Instantiation of M2MON Microkernel

• To detect multiple types of attacks against drone• Kalman Filter• Access Pattern Filter

• Access Frequency • Access Chain• Access List

Task 1

EKF

Filter

Raw

Values

EKF

Fused Value

acl_reg 0xFE10002C

❶

⓶⓵

⓷❷

❸

Task 2 Task nTask 2

Scheduler Driver Lib

Devices/MMIO

10

• Platform• 3DR IRIS+ UAV platform• Ardupilot

• Evaluation• Performance Evaluation• Security Evaluation

Evaluation

11

Performance Evaluation

1

10

100

1000

rc_loop

throttle_loop

update_GPS

update_optical_flow

update_batt_com

pass

read_aux_switches

arm_motors_check

auto_trim

update_altitude

run_nav_updates

update_thr_average

three_hz_loop

compass_accumulate

barometer_accumulate

update_notify

one_hz_loop

ekf_check

landinggear_update

lost_vehicle_check

gcs_check_input

gcs_send_heartbeat

gcs_send_deferred

gcs_data_stream_send

update_mount

ten_hz_logging_loop

fifty_hz_logging_loop

full_rate_logging_loop

perf_update

read_receiver_rssi

rpm_update

frsky_telemetry_send

epm_update

CleanM2MONDeadline

Average overhead of 8.85%

12

Security Evaluation

Checked by M2MON microkernel

13

Configuration Register

Reload Register

Enable Timer Register

…

…tboot

I/OAccess

M2MON

sh> BLOC_registerRELOAD_REG

Case study (Timer Reload)

14

Limitations

• Complex Rules

0

200

400

600

800

0 64 65 69 74 79 84 89 94

0

50

100

150

200

0 64 65 69 74 79 84 89 940

20

40

60

80

0 64 65 69 74 79 84 89 94

update_batt_compass

rc_loopauto_trim

• Zero-day attacks

15

Conclusion

• CPS attacks against drones usually exhibit MMIO-level anomalies

• M2Mon: a reference monitor for MMIO anomaly detection• MMIO Microkernel• Multiple Applications of MMIO Microkernel• Reasonable overhead on real drone controller• Detect a wide range of attacks

Thank you! Questions?

khan253@purdue.edu

*This work was supported in part by ONR under GrantsN00014-20-1-2128 and N00014-17-1-204. This material is also based on research sponsored by DARPA under contract number N6600120C4031.