SlideShare una empresa de Scribd logo

ARM Linux Embedded memory protection techniques

Descargar como PPT, PDF
Prabindh Sundareson
Prabindh Sundareson

ARM Linux embedded memory protection techniques. Also refer to http://www.slideshare.net/prabindh/enabling-two-level-translation-tables-in-armv7-mmu

Tecnología
1 de 13
Prabindh Sundareson Memory Protection Features in ARM and Linux
Contents • Security features in ARM HW – Memory Protection • Memory Protection Status in Software – Linux – Android • External security frameworks
Memory Protection Features in ARM • Derived from Page Table entries, applicable to different types of pages – pages, sections … • Consists of Read-Only (RO), and Execute Never (XN) • This is available in ARMv6 and above systems, only with MMU enabled • Memory protection is a combination of HW, Kernel usage of HW features, and information embedded in userland applications by toolchain for region protection
Execute Never (XN) • Part of First and Second Level Page Table Entries • A15 adds an extra entity - PXN (Privileged XN)
Read Only (RO) • Part of AP and APX Data Access Permissions in Page Table entry
ARM First Level Descriptor
ARM Second Level Descriptor
Linux handling of Page Tables • Linux standardises Page Table across architectures, independent of specific HW – x86, ARM or other – Linux bit encodings are different from that of ARM Page Table entries, but mapping is straightforward to an extent
Native Linux – Memory Protection Status Note – 1. All object files in an application have to be built with noexecstack, including assembly. Even if one file is not built with this, the entire application is built without XN for the stack 2. Xorg, some media players in Linux are reported to have issues with XN in stack 3. This status is as of Sep 2012 Desired Mapping x86 Linux Kernel ARM Linux Kernel User Applications TI Confirmed Kernel Code (.text) RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Read Only Data RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Stack XN Yes (CONFIG_DEBUG_RODATA) No NA - User Stack XN NA NA Applications to be rebuilt with noexecstack (all .obj files, including assembly) gcc4.1x, glibc 2.5. noexecstack is default in gcc4.x toolchains - IO Region (Device) XN (MT_DEVICE) Yes Yes NA No relro (Read-Only relocations for shared libraries) RO NA NA Needs to be explicitly enabled in application build. Linker makes text read-only after correct relocation - gcc4.1x, glibc 2.5 No Stack Layout Randomisation randomisation Yes Yes - No String Vulnerability String checks NA NA format-security to be added to application builds explicitly No
Other Security Techniques • Commonly used are - grsecurity, PaX • These are not in mainline Linux kernel including for ARM, and need to be applied separately • grsecurity provides kernel hardening features (ex devmem, ports) • PaX provides memory protection features (including XN emulation) • These also include patches for toolchains to ensure protection mapping
Android Status • Starting from Android 2.3 onwards, Android adds – Address space layout (ASLR) randomisations – Support for XN – Other features described in (http://source.android.com/tech/security/)
References • MT_DEVICE ioremap – http://lkml.indiana.edu/hypermail/linux/kernel/1108.2/02745.html • GCC patch for GNU-STACK – https://android.googlesource.com/toolchain/gcc/+/f68bf0c483879d30c4d97b9eaf8f9eb558ea1c45%5E1..f68bf0c483879d30c4d97b9eaf8f9e • Russell King on .text RO – http://www.spinics.net/lists/arm-kernel/msg120951.html • Bypassing XN/ ASLR – http://www.phrack.org/issues.html?issue=58&id=4#article • Grsecurity Patchset for 3.x – http://mirrors.muarf.org/grsecurity/stable/grsecurity-2.9-3.2.18-201206011935.patch.gz • Gentoo Hardened – http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml • Ubuntu Security – https://wiki.ubuntu.com/Security • ROM filesystems and booting – http://elinux.org/images/b/b1/Filesystems-for-embedded-linux.pdf – http://lugatgt.org/content/booting.inittools/downloads/presentation.pdf – http://processors.wiki.ti.com/index.php/Creating_a_Root_File_System_for_Linux_on_OMAP35x#Configure_the_Linux_Kernel_f or_RAMDISK_support • Loadable Kernel Modules - introduction – http://www.ibm.com/developerworks/linux/library/l-lkm
Linux Kernel References • ELF loading – arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c, fs/binfmt_elf.c • Contains elf loading and protection settings based on elf information • Page Table operations • archarmincludeasmpgtable-2level-types.h • archarmincludeasmpgtable-2level-hwdef.h • archarmincludeasmpgtable.h • archarmmmmmu.c

Recomendados

Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersKernel TLV
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux InterruptsKernel TLV
 
asap2013-khoa-presentation
asap2013-khoa-presentationasap2013-khoa-presentation
asap2013-khoa-presentationAbhishek Jain
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Kynetics
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandNicola La Gloria
 

Recomendados

Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersKernel TLV
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux InterruptsKernel TLV
 
asap2013-khoa-presentation
asap2013-khoa-presentationasap2013-khoa-presentation
asap2013-khoa-presentationAbhishek Jain
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Kynetics
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandNicola La Gloria
 
Type of Embedded core
Type of Embedded core Type of Embedded core
Type of Embedded core mukul bhardwaj
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O SchedulersRajKumar Rampelli
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
Linux IO
Linux IOLinux IO
Linux IOLiran Ben Haim
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embeddedAlison Chaiken
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module ProgrammingAmir Payberah
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSEKernel TLV
 
Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011Accenture
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Tuned
TunedTuned
TunedReanimation Bk
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and InsightsGlobalLogic Ukraine
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Multi threaded rtos
Multi threaded rtosMulti threaded rtos
Multi threaded rtosJames Wong
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windowsAccenture
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421Linaro
 
Hardware Probing in the Linux Kernel
Hardware Probing in the Linux KernelHardware Probing in the Linux Kernel
Hardware Probing in the Linux KernelKernel TLV
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Linux-Internals-and-Networking
Linux-Internals-and-NetworkingLinux-Internals-and-Networking
Linux-Internals-and-NetworkingEmertxe Information Technologies Pvt Ltd
 
Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)Peter Tröger
 

Más contenido relacionado

La actualidad más candente

Type of Embedded core
Type of Embedded core Type of Embedded core
Type of Embedded core mukul bhardwaj
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embeddedAlison Chaiken
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module ProgrammingAmir Payberah
 
Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011Accenture
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and InsightsGlobalLogic Ukraine
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Multi threaded rtos
Multi threaded rtosMulti threaded rtos
Multi threaded rtosJames Wong
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windowsAccenture
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421Linaro
 
Hardware Probing in the Linux Kernel
Hardware Probing in the Linux KernelHardware Probing in the Linux Kernel
Hardware Probing in the Linux KernelKernel TLV
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 

La actualidad más candente (20)

Type of Embedded core
Type of Embedded core Type of Embedded core
Type of Embedded core
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O Schedulers
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
Linux IO
Linux IOLinux IO
Linux IO
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/Spectre
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embedded
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
 
Linux Module Programming
Linux Module ProgrammingLinux Module Programming
Linux Module Programming
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011Tier 2 net app baseline design standard revised nov 2011
Tier 2 net app baseline design standard revised nov 2011
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Tuned
TunedTuned
Tuned
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Multi threaded rtos
Multi threaded rtosMulti threaded rtos
Multi threaded rtos
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windows
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
 
Hardware Probing in the Linux Kernel
Hardware Probing in the Linux KernelHardware Probing in the Linux Kernel
Hardware Probing in the Linux Kernel
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 

Similar a ARM Linux Embedded memory protection techniques

Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)Peter Tröger
 
Summary of linux kernel security protections
Summary of linux kernel security protectionsSummary of linux kernel security protections
Summary of linux kernel security protectionsShubham Dubey
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Squash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System ProfileSquash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System ProfileSteve Arnold
 
Visual comparison of Unix-like systems & Virtualisation
Visual comparison of Unix-like systems & VirtualisationVisual comparison of Unix-like systems & Virtualisation
Visual comparison of Unix-like systems & Virtualisationwangyuanyi
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-reviewabinaya m
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Ospresentation 120112074429-phpapp02 (1)
Ospresentation 120112074429-phpapp02 (1)Ospresentation 120112074429-phpapp02 (1)
Ospresentation 120112074429-phpapp02 (1)Vivian Vhaves
 
LAS16-400: Mini Conference 3 AOSP (Session 1)
LAS16-400: Mini Conference 3 AOSP (Session 1)LAS16-400: Mini Conference 3 AOSP (Session 1)
LAS16-400: Mini Conference 3 AOSP (Session 1)Linaro
 

Similar a ARM Linux Embedded memory protection techniques (20)

Linux-Internals-and-Networking
Linux-Internals-and-NetworkingLinux-Internals-and-Networking
Linux-Internals-and-Networking
 
Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)Operating Systems 1 (4/12) - Architectures (Windows)
Operating Systems 1 (4/12) - Architectures (Windows)
 
Intro reverse engineering
Intro reverse engineeringIntro reverse engineering
Intro reverse engineering
 
Summary of linux kernel security protections
Summary of linux kernel security protectionsSummary of linux kernel security protections
Summary of linux kernel security protections
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
The Linux System
The Linux SystemThe Linux System
The Linux System
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Squash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System ProfileSquash Those IoT Security Bugs with a Hardened System Profile
Squash Those IoT Security Bugs with a Hardened System Profile
 
Processor types
Processor typesProcessor types
Processor types
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Visual comparison of Unix-like systems & Virtualisation
Visual comparison of Unix-like systems & VirtualisationVisual comparison of Unix-like systems & Virtualisation
Visual comparison of Unix-like systems & Virtualisation
 
L11-RTOS.ppt
L11-RTOS.pptL11-RTOS.ppt
L11-RTOS.ppt
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-review
 
RAC - Test
RAC - TestRAC - Test
RAC - Test
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Ospresentation 120112074429-phpapp02 (1)
Ospresentation 120112074429-phpapp02 (1)Ospresentation 120112074429-phpapp02 (1)
Ospresentation 120112074429-phpapp02 (1)
 
LAS16-400: Mini Conference 3 AOSP (Session 1)
LAS16-400: Mini Conference 3 AOSP (Session 1)LAS16-400: Mini Conference 3 AOSP (Session 1)
LAS16-400: Mini Conference 3 AOSP (Session 1)
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
 

Más de Prabindh Sundareson

Synthetic Data and Graphics Techniques in Robotics
Synthetic Data and Graphics Techniques in RoboticsSynthetic Data and Graphics Techniques in Robotics
Synthetic Data and Graphics Techniques in RoboticsPrabindh Sundareson
 
Machine learning in the Indian Context - IEEE talk at SRM Institute
Machine learning in the Indian Context - IEEE talk at SRM InstituteMachine learning in the Indian Context - IEEE talk at SRM Institute
Machine learning in the Indian Context - IEEE talk at SRM InstitutePrabindh Sundareson
 
ICCE Asia 2017 - Program Outline
ICCE Asia 2017 - Program OutlineICCE Asia 2017 - Program Outline
ICCE Asia 2017 - Program OutlinePrabindh Sundareson
 
Call for Papers - ICCE Asia 2017
Call for Papers - ICCE Asia 2017Call for Papers - ICCE Asia 2017
Call for Papers - ICCE Asia 2017Prabindh Sundareson
 
Technology, Innovation - A Perspective
Technology, Innovation - A PerspectiveTechnology, Innovation - A Perspective
Technology, Innovation - A PerspectivePrabindh Sundareson
 
IEEE - Consumer Electronics Trends Opportunities (2015)
IEEE - Consumer Electronics Trends Opportunities (2015)IEEE - Consumer Electronics Trends Opportunities (2015)
IEEE - Consumer Electronics Trends Opportunities (2015)Prabindh Sundareson
 
GFX part 8 - Three.js introduction and usage
GFX part 8 - Three.js introduction and usageGFX part 8 - Three.js introduction and usage
GFX part 8 - Three.js introduction and usagePrabindh Sundareson
 
GFX Part 7 - Introduction to Rendering Targets in OpenGL ES
GFX Part 7 - Introduction to Rendering Targets in OpenGL ESGFX Part 7 - Introduction to Rendering Targets in OpenGL ES
GFX Part 7 - Introduction to Rendering Targets in OpenGL ESPrabindh Sundareson
 
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ES
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ESGFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ES
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ESPrabindh Sundareson
 
GFX Part 5 - Introduction to Object Transformations in OpenGL ES
GFX Part 5 - Introduction to Object Transformations in OpenGL ESGFX Part 5 - Introduction to Object Transformations in OpenGL ES
GFX Part 5 - Introduction to Object Transformations in OpenGL ESPrabindh Sundareson
 
GFX Part 4 - Introduction to Texturing in OpenGL ES
GFX Part 4 - Introduction to Texturing in OpenGL ESGFX Part 4 - Introduction to Texturing in OpenGL ES
GFX Part 4 - Introduction to Texturing in OpenGL ESPrabindh Sundareson
 
GFX Part 3 - Vertices and interactions in OpenGL
GFX Part 3 - Vertices and interactions in OpenGLGFX Part 3 - Vertices and interactions in OpenGL
GFX Part 3 - Vertices and interactions in OpenGLPrabindh Sundareson
 
GFX Part 2 - Introduction to GPU Programming
GFX Part 2 - Introduction to GPU ProgrammingGFX Part 2 - Introduction to GPU Programming
GFX Part 2 - Introduction to GPU ProgrammingPrabindh Sundareson
 
GFX Part 1 - Introduction to GPU HW and OpenGL ES specifications
GFX Part 1 - Introduction to GPU HW and OpenGL ES specificationsGFX Part 1 - Introduction to GPU HW and OpenGL ES specifications
GFX Part 1 - Introduction to GPU HW and OpenGL ES specificationsPrabindh Sundareson
 
John Carmack talk at SMU, April 2014 - Virtual Reality
John Carmack talk at SMU, April 2014 - Virtual RealityJohn Carmack talk at SMU, April 2014 - Virtual Reality
John Carmack talk at SMU, April 2014 - Virtual RealityPrabindh Sundareson
 

Más de Prabindh Sundareson (20)

Synthetic Data and Graphics Techniques in Robotics
Synthetic Data and Graphics Techniques in RoboticsSynthetic Data and Graphics Techniques in Robotics
Synthetic Data and Graphics Techniques in Robotics
 
Work and Life
Work and Life Work and Life
Work and Life
 
GPU Algorithms and trends 2018
GPU Algorithms and trends 2018GPU Algorithms and trends 2018
GPU Algorithms and trends 2018
 
Machine learning in the Indian Context - IEEE talk at SRM Institute
Machine learning in the Indian Context - IEEE talk at SRM InstituteMachine learning in the Indian Context - IEEE talk at SRM Institute
Machine learning in the Indian Context - IEEE talk at SRM Institute
 
Students Hackathon - 2017
Students Hackathon - 2017Students Hackathon - 2017
Students Hackathon - 2017
 
ICCE Asia 2017 - Program Outline
ICCE Asia 2017 - Program OutlineICCE Asia 2017 - Program Outline
ICCE Asia 2017 - Program Outline
 
Call for Papers - ICCE Asia 2017
Call for Papers - ICCE Asia 2017Call for Papers - ICCE Asia 2017
Call for Papers - ICCE Asia 2017
 
Technology, Innovation - A Perspective
Technology, Innovation - A PerspectiveTechnology, Innovation - A Perspective
Technology, Innovation - A Perspective
 
Open Shading Language (OSL)
Open Shading Language (OSL)Open Shading Language (OSL)
Open Shading Language (OSL)
 
IEEE - Consumer Electronics Trends Opportunities (2015)
IEEE - Consumer Electronics Trends Opportunities (2015)IEEE - Consumer Electronics Trends Opportunities (2015)
IEEE - Consumer Electronics Trends Opportunities (2015)
 
GFX part 8 - Three.js introduction and usage
GFX part 8 - Three.js introduction and usageGFX part 8 - Three.js introduction and usage
GFX part 8 - Three.js introduction and usage
 
GFX Part 7 - Introduction to Rendering Targets in OpenGL ES
GFX Part 7 - Introduction to Rendering Targets in OpenGL ESGFX Part 7 - Introduction to Rendering Targets in OpenGL ES
GFX Part 7 - Introduction to Rendering Targets in OpenGL ES
 
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ES
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ESGFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ES
GFX Part 6 - Introduction to Vertex and Fragment Shaders in OpenGL ES
 
GFX Part 5 - Introduction to Object Transformations in OpenGL ES
GFX Part 5 - Introduction to Object Transformations in OpenGL ESGFX Part 5 - Introduction to Object Transformations in OpenGL ES
GFX Part 5 - Introduction to Object Transformations in OpenGL ES
 
GFX Part 4 - Introduction to Texturing in OpenGL ES
GFX Part 4 - Introduction to Texturing in OpenGL ESGFX Part 4 - Introduction to Texturing in OpenGL ES
GFX Part 4 - Introduction to Texturing in OpenGL ES
 
GFX Part 3 - Vertices and interactions in OpenGL
GFX Part 3 - Vertices and interactions in OpenGLGFX Part 3 - Vertices and interactions in OpenGL
GFX Part 3 - Vertices and interactions in OpenGL
 
GFX Part 2 - Introduction to GPU Programming
GFX Part 2 - Introduction to GPU ProgrammingGFX Part 2 - Introduction to GPU Programming
GFX Part 2 - Introduction to GPU Programming
 
GFX Part 1 - Introduction to GPU HW and OpenGL ES specifications
GFX Part 1 - Introduction to GPU HW and OpenGL ES specificationsGFX Part 1 - Introduction to GPU HW and OpenGL ES specifications
GFX Part 1 - Introduction to GPU HW and OpenGL ES specifications
 
John Carmack talk at SMU, April 2014 - Virtual Reality
John Carmack talk at SMU, April 2014 - Virtual RealityJohn Carmack talk at SMU, April 2014 - Virtual Reality
John Carmack talk at SMU, April 2014 - Virtual Reality
 
GFX2014 OpenGL ES Quiz
GFX2014 OpenGL ES QuizGFX2014 OpenGL ES Quiz
GFX2014 OpenGL ES Quiz
 

Último

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Último (20)

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

ARM Linux Embedded memory protection techniques

  • 1. Prabindh Sundareson Memory Protection Features in ARM and Linux
  • 2. Contents • Security features in ARM HW – Memory Protection • Memory Protection Status in Software – Linux – Android • External security frameworks
  • 3. Memory Protection Features in ARM • Derived from Page Table entries, applicable to different types of pages – pages, sections … • Consists of Read-Only (RO), and Execute Never (XN) • This is available in ARMv6 and above systems, only with MMU enabled • Memory protection is a combination of HW, Kernel usage of HW features, and information embedded in userland applications by toolchain for region protection
  • 4. Execute Never (XN) • Part of First and Second Level Page Table Entries • A15 adds an extra entity - PXN (Privileged XN)
  • 5. Read Only (RO) • Part of AP and APX Data Access Permissions in Page Table entry
  • 6. ARM First Level Descriptor
  • 7. ARM Second Level Descriptor
  • 8. Linux handling of Page Tables • Linux standardises Page Table across architectures, independent of specific HW – x86, ARM or other – Linux bit encodings are different from that of ARM Page Table entries, but mapping is straightforward to an extent
  • 9. Native Linux – Memory Protection Status Note – 1. All object files in an application have to be built with noexecstack, including assembly. Even if one file is not built with this, the entire application is built without XN for the stack 2. Xorg, some media players in Linux are reported to have issues with XN in stack 3. This status is as of Sep 2012 Desired Mapping x86 Linux Kernel ARM Linux Kernel User Applications TI Confirmed Kernel Code (.text) RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Read Only Data RO Yes (CONFIG_DEBUG_RODATA) No NA - Kernel Stack XN Yes (CONFIG_DEBUG_RODATA) No NA - User Stack XN NA NA Applications to be rebuilt with noexecstack (all .obj files, including assembly) gcc4.1x, glibc 2.5. noexecstack is default in gcc4.x toolchains - IO Region (Device) XN (MT_DEVICE) Yes Yes NA No relro (Read-Only relocations for shared libraries) RO NA NA Needs to be explicitly enabled in application build. Linker makes text read-only after correct relocation - gcc4.1x, glibc 2.5 No Stack Layout Randomisation randomisation Yes Yes - No String Vulnerability String checks NA NA format-security to be added to application builds explicitly No
  • 10. Other Security Techniques • Commonly used are - grsecurity, PaX • These are not in mainline Linux kernel including for ARM, and need to be applied separately • grsecurity provides kernel hardening features (ex devmem, ports) • PaX provides memory protection features (including XN emulation) • These also include patches for toolchains to ensure protection mapping
  • 11. Android Status • Starting from Android 2.3 onwards, Android adds – Address space layout (ASLR) randomisations – Support for XN – Other features described in (http://source.android.com/tech/security/)
  • 12. References • MT_DEVICE ioremap – http://lkml.indiana.edu/hypermail/linux/kernel/1108.2/02745.html • GCC patch for GNU-STACK – https://android.googlesource.com/toolchain/gcc/+/f68bf0c483879d30c4d97b9eaf8f9eb558ea1c45%5E1..f68bf0c483879d30c4d97b9eaf8f9e • Russell King on .text RO – http://www.spinics.net/lists/arm-kernel/msg120951.html • Bypassing XN/ ASLR – http://www.phrack.org/issues.html?issue=58&id=4#article • Grsecurity Patchset for 3.x – http://mirrors.muarf.org/grsecurity/stable/grsecurity-2.9-3.2.18-201206011935.patch.gz • Gentoo Hardened – http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml • Ubuntu Security – https://wiki.ubuntu.com/Security • ROM filesystems and booting – http://elinux.org/images/b/b1/Filesystems-for-embedded-linux.pdf – http://lugatgt.org/content/booting.inittools/downloads/presentation.pdf – http://processors.wiki.ti.com/index.php/Creating_a_Root_File_System_for_Linux_on_OMAP35x#Configure_the_Linux_Kernel_f or_RAMDISK_support • Loadable Kernel Modules - introduction – http://www.ibm.com/developerworks/linux/library/l-lkm
  • 13. Linux Kernel References • ELF loading – arch/arm/kernel/elf.c b/arch/arm/kernel/elf.c, fs/binfmt_elf.c • Contains elf loading and protection settings based on elf information • Page Table operations • archarmincludeasmpgtable-2level-types.h • archarmincludeasmpgtable-2level-hwdef.h • archarmincludeasmpgtable.h • archarmmmmmu.c