Secure Task Management in FreeRTOS
A RISC-V Core Approach with Physical Memory Protection
Abstract
The demand for embedded devices, such as intelligent sensors, smartwatches, medical implants, and computing chips in cars, has been rising steadily in the past and is expected to continue for the coming decade. Their high and increasing degree of connectivity expands the attack surface for attackers, which is exacerbated by their physical accessibility. This makes them particularly vulnerable to invasive attacks. Compounding these risks is the growing reliance on third-party software. An example of such risks can be seen in the recent incident where a software solution from the company CrowdStrike, integrated into the Windows Operating System (OS), caused a major global outage that left many airports, hospitals, banks, and government departments worldwide unable to operate. The Guardian reports that this incident affected 8.5 million Windows machines and resulted in an estimated financial loss of 5.4 billion USD for companies in the US alone. Similar risks exist for OSs for embedded devices. These devices do not run general-purpose OSs like Windows; however, they are similar in nature. They provide a runtime abstraction for user processes and manage resources for which the OS requires higher privileges. FreeRTOS is a popular embedded OS for resource-constrained devices, also offering real-time capabilities, making it a Real-Time Operating System (RTOS). Meanwhile, RISC-V, a relatively new Instruction Set Architecture (ISA), is gaining popularity due to its open-source philosophy. However, despite the increasing popularity of RISC-V and the widespread use of FreeRTOS, there is a lack of comprehensive security support for FreeRTOS on RISC-V platforms.
This thesis addresses the lack of protection against malicious third-party applications and presents a novel FreeRTOS implementation method on a RISC-V embedded system platform. The security of FreeRTOS is enhanced by leveraging the Physical Memory Protection (PMP) feature of RISC-V. The primary contribution is having the FreeRTOS kernel dynamically manage access rights using PMP, preventing malicious tasks from causing harm. This dramatically improves security, because the flat memory structure inherent to FreeRTOS is prone to being readily exploited and compromised by attackers. Further, an overview of known attacks on embedded systems and countermeasures is presented, a subset of which are explored in more detail. A secure platform is proposed that aims to demonstrate a holistic approach to integrating FreeRTOS with PMP support into a System-on-Chip (SoC). Then, the FreeRTOS platform is augmented by a secure boot procedure and a memory encryption unit that ensures the integrity and confidentiality of the external memory. This encryption unit uses the Prince encryption scheme and is elegantly combined with RISC-V's PMP functionality. Unused bits in the PMP configuration registers are used to control the encryption selectively for single PMP memory regions. Moreover, an address-based encryption mode for this unit is proposed that addresses the weakness that identical plaintext data is always encrypted to the same ciphertext. This is problematic because an attacker could analyze the structure of the ciphertext and copy the ciphertext of memory cells with known plaintext. The effectiveness of the PMP task isolation is demonstrated by simulating malicious tasks that try to access specific data addresses in the memory of other tasks and the kernel. This setup imitates real-life attack scenarios, assuming the addresses have been exposed to the malicious task through reverse-engineering of the application code.
The secure boot is validated by implementing the design on an FPGA and manually tampering with the memory, resulting in a failed boot-up. Additionally, the impact of the PMP integration on the real-time capabilities of FreeRTOS is investigated more thoroughly by evaluating real-time metrics: task switch time, access time for shared resources using a mutex (a software construct to avoid access collisions), and dynamic memory allocation. The system design incorporates a RISC-V core named CV32E40S, an open-source core from OpenHW Group. All the security enhancements were run on hardware with a varying number of active PMP regions. In the worst-case scenario, using 64 PMP regions results in a 2.1x increase in task switch time, a 2.4x increase in the time to access shared resources using a mutex, and a 1.7x increase in memory allocation time. The area of the CV32E40S, measured in Look-Up-Tables (LUTs), increases with the number of regions: a 2.2x increase for 16 regions, 3.4x for 32 regions, and 5.4x for 64 regions, compared to the core configuration without PMP. Despite these increases, it remains within an acceptable range relative to the total area of the SoC including cache memory and peripherals.
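To make the PMP task isolation described in the abstract concrete, the following added example (not code from the thesis or the FreeRTOS project) models how a kernel would encode per-task NAPOT regions into pmpcfg/pmpaddr values on RV32 and how the core's U-mode match and permission check then rejects a task's access to another task's stack or to kernel data. The memory layout and task names are constructed; the lock bit and the TOR/NA4 address modes are left out.

```c
/* Model of RISC-V RV32 PMP NAPOT entries as a FreeRTOS kernel would program them
 * for the running task, plus the U-mode match/permission check the core performs.
 * Added illustration, not thesis code; the memory layout below is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define PMP_R        0x01u
#define PMP_W        0x02u
#define PMP_X        0x04u
#define PMP_A_NAPOT  0x18u   /* A field = 3: naturally aligned power-of-two region */
typedef struct { uint8_t cfg; uint32_t addr; } pmp_entry_t;  /* pmpXcfg byte, pmpaddrX */

/* Encode [base, base+size) as NAPOT: size a power of two >= 8, base size-aligned.
 * pmpaddr holds base >> 2 with the size encoded as a run of trailing one bits. */
static bool pmp_napot_encode(uint32_t base, uint32_t size, uint8_t perms, pmp_entry_t *e)
{
    if (size < 8u || (size & (size - 1u)) || (base & (size - 1u))) return false;
    e->addr = (base >> 2) | ((size >> 3) - 1u);
    e->cfg  = (uint8_t)(PMP_A_NAPOT | (perms & (PMP_R | PMP_W | PMP_X)));
    return true;
}

/* U-mode check: the lowest-numbered matching entry decides; no match => access fault.
 * perm is PMP_R, PMP_W or PMP_X. Lock bit and TOR/NA4 modes are not modelled. */
static bool pmp_allows(const pmp_entry_t *tbl, size_t n, uint32_t addr, uint8_t perm)
{
    for (size_t i = 0; i < n; i++) {
        if ((tbl[i].cfg & 0x18u) != PMP_A_NAPOT) continue;
        /* NAPOT match as hardware does it: trailing ones (+ terminating zero) are don't-care. */
        uint32_t m = tbl[i].addr ^ (tbl[i].addr + 1u);
        if (((addr >> 2) | m) == (tbl[i].addr | m)) return (tbl[i].cfg & perm) != 0;
    }
    return false;
}

/* Constructed layout: on a switch to task A the kernel grants A's own 4 KiB stack RW and
 * the shared 64 KiB code RX. Task B's stack and the kernel data get no entry at all. */
#define TASK_A_STACK 0x80001000u
#define TASK_B_STACK 0x80002000u
#define APP_CODE     0x80010000u
#define KERNEL_DATA  0x80000000u
static size_t build_task_a_table(pmp_entry_t *tbl)
{
    size_t n = 0;
    if (pmp_napot_encode(TASK_A_STACK, 0x1000u, PMP_R | PMP_W, &tbl[n])) n++;
    if (pmp_napot_encode(APP_CODE, 0x10000u, PMP_R | PMP_X, &tbl[n])) n++;
    return n;
}
```

With this table installed, a task that has learned task B's stack address or a kernel data address through reverse engineering still takes an access fault, while reads and writes inside its own stack and instruction fetches from the shared code succeed.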
Files
File under embargo until 01-02-2025