This article presents a hardware-based memory isolation solution for constrained devices. Existing solutions either target high-end embedded systems (typically ARM Cortex-A with a Memory Management Unit, MMU), such as seL4 or Pip (formally verified kernels), or target low-end devices, such as ACES, MINION, TrustLite and EwoK, but with limited flexibility because they offer only a single level of isolation. Our approach consists of adapting Pip to inherit its flexibility (multiple levels of isolation) while using the Memory Protection Unit (MPU) instead of the MMU, since the MPU is commonly available on constrained embedded systems (typically ARMv7 Cortex-M4 or ARMv8 Cortex-M33 and similar devices). This paper describes our design of Pip-MPU (Pip's variant based on the MPU) and the rationale behind our choices. We validate our proposal with an implementation on an nRF52840 development kit and perform various evaluations covering memory footprint, CPU cycles and energy consumption. We demonstrate that although our prototyped Pip-MPU causes a 16% overhead on both performance and energy consumption, it can reduce the attack surface of the accessible application memory from 100% down to 2% and the privileged operations by 99%. Pip-MPU takes less than 10 kB of Flash (6 kB for its core components) and 550 B of RAM.