#### Application Memory Isolation on Ultra-Low-Power MCUs

#### Taylor Hardin, Ryan Scott, Patrick Proctor, Josiah Hester, Jacob Sorber, David Kotz







#### **Motivation**

Many wearables and IoT devices utilize ultra-low-power MCUs to achieve long battery life



#### Motivation

| # | Hardware Memory Isolation Technique | MPU Supported | Description |
|---|-------------------------------------|---------------|-------------|
| 1 | Virtualization | X | MPUs do not support virtual to physical address mapping like their MMU counterparts |
| 2 | Privilege Levels | (varies) | Some MPUs support setting privilege levels for memory segments, but this varies across chips and vendors |
| 3 | Read/Write/Execute Permissions | $\checkmark$ | All MPUs have the ability to set r/w/x permissions for memory segments, but the number of memory segments supported by the MPU varies across chips and vendors |

#### **Our Proposal**

# Utilize MPU to **relax** language restrictions and achieve **better** runtime performance

# System Design: Platform

- Amulet Platform
  - Open-source software & hardware
  - Multi-application
  - Low-power MSP430 MCU
  - Memory isolation via language restrictions and runtime bounds checks



# System Design: MPU Capabilities

- No privilege levels
- **3** variable size memory segments
- Only protects memory addresses **above** 0x4400



#### System Design: Memory Layout



# System Design: Memory Violations

- Memory Accesses
  - Application data
  - Indirect function calls
- Context Switches
  - Passing a pointer to the OS
  - Changing return address

#### System Design: Memory Layout

| Start address | Region                      | MPU segment / permissions           |
|---------------|-----------------------------|-------------------------------------|
| 0x23FFF (top) | App N Stack & Data          | MPU Segment: 3<br>Permissions: NONE |
|               | App N Code                  |                                     |
|               | ...                         |                                     |
|               | App 1 Stack & Data          | MPU Segment: 2<br>Permissions: RW   |
| 0x10000       | App 1 Code                  |                                     |
| 0x0FF80       | Interrupt Vectors           | MPU Segment: 1<br>Permissions: X    |
|               | OS Data                     |                                     |
| 0x04400       | OS Code                     |                                     |
| 0x01000       | OS Stack (SRAM)             | (below MPU-protected range)         |
| 0x00000       | MCU Configuration Registers | (below MPU-protected range)         |

# System Design: MPU Model

- MPU prevents memory accesses and indirect calls above the current app's memory space
- Runtime software checks handle accesses and indirect calls **below** the current app's memory space
- Each application has its **own** stack
- Runtime software checks verify return addresses
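The runtime software checks described in the MPU model and the violation classes listed under "Memory Violations" (data accesses, indirect calls, pointer arguments passed to the OS, and tampered return addresses), written out as an added C example that is not the Amulet project's own code. The per-application region bounds, the single contiguous app range, and the OS entry-point allow-list are assumptions of this example; the MPU is assumed to fault on anything above the current app's segment, so the software only has to reject the rest.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Boundaries taken from the memory layout on the poster. */
#define OS_PROTECTED_START 0x04400u  /* MPU only protects addresses above this */
#define APP_REGION_START   0x10000u  /* first application's code starts here */

/* Current application's memory space [start, end]; assumed here to hold its
 * code, stack and data as one contiguous range (illustrative assumption). */
typedef struct { uint32_t start; uint32_t end; } app_region_t;

/* Data-access check done in software. The MPU faults on anything above the
 * current app's segment, so this only has to reject addresses below it (OS
 * code/data, lower apps, SRAM, configuration registers), zero-length or
 * overflowing lengths, and accesses that straddle the app's upper bound.
 * Pointer arguments an app hands to the OS go through the same check. */
bool check_data_access(const app_region_t *app, uint32_t addr, uint32_t len)
{
    if (len == 0 || addr > UINT32_MAX - (len - 1))
        return false;                           /* length overflow */
    uint32_t last = addr + (len - 1);
    return addr >= app->start && last <= app->end;
}

/* Indirect-call check: the target must be inside the current app's own space
 * or be one of the OS entry points the app may call (the allow-list is an
 * assumption of this example, not something the poster specifies). */
bool check_call_target(const app_region_t *app, uint32_t target,
                       const uint32_t *os_entries, size_t n_entries)
{
    if (target >= app->start && target <= app->end)
        return true;
    for (size_t i = 0; i < n_entries; i++)
        if (os_entries[i] == target)
            return true;
    return false;                               /* e.g. a jump into OS data */
}

/* Return-address check at a context switch back into the app: the saved
 * return address must point into the app's own space, otherwise an app could
 * redirect execution into OS memory or into another application. */
bool check_return_address(const app_region_t *app, uint32_t ret_addr)
{
    return ret_addr >= app->start && ret_addr <= app->end;
}
```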

# System Design: AFT

- Amulet Firmware Toolchain (AFT)
  - Analyze
  - Transform
  - Merge
  - Compile



#### **Eval: Isolation Models**



### **Eval: Simulation**

- Simulated 9 applications from the Amulet suite using the Amulet Resource Profiler (ARP)
- Each application was simulated using
  - Amulet isolation
  - MPU isolation
  - Software-only isolation

#### **Eval: Simulation Results**



### **Eval: Amulet Deployment Results**



### Summary

- The MPU can provide performance benefits for applications with a high frequency of memory accesses
- While our approach was not effective for apps with frequent context switches, our MPU approach had, for all applications, less than 0.5% battery impact

### Application Memory Isolation on Ultra-Low-Power MCUs

Contact: Taylor.A.Hardin.GR@dartmouth.edu

Amulet Platform: amulet-project.org



This research results from a research program at the Institute for Security, Technology, and Society, supported by the NSF under award numbers CNS-1314281, CNS-1314342, CNS-1619970, and CNS-1619950. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the sponsors.





