DMA Support for the Sancus Architecture

Computing devices have a predominant role in our lives, changing most of our daily activities. With the advent of the IoT, more and more embedded devices are expected to be connected, with expected numbers around 20 billion of units for the 2020. Nevertheless, the increase in connectivity does not imply an enhancement of security. Programmable devices, especially connected ones, are at risk of being tampered with: recent history has shown many examples of malicious software attacks compromising their security. Considering that embedded device are required to be cheap in terms of resources - such as chip area, chip complexity, power consumption and performance - they are implemented on low-end microcontrollers, which lack of any memory protection technique, making them unsuitable to implement solutions from the high-end world. Hence, researchers have been recently focusing on strategies to provide them with security guarantees that hold even in case of an attacker with full control on the system, including the Operating System (OS). A promising solution is found in Protected (software) Module Architectures (PMAs): security architectures that can execute protected code in an isolated area of the memory, inaccessible to other software. PMAs can support secure execution of small portion of code, the software modules (SMs), even on devices that are, e.g., malware infected. The target architecture of this thesis is Sancus, an open-source, hardware-only PMA, designed for lightweight embedded devices. The objective of the work is to extend the architecture with Direct Memory Access (DMA) support, a feature that provides peripherals with a secondary channel to access the memory without involving the CPU, and to explore what does it entail from a security prospective. Usually lightweight PMAs do not support DMA, as the benefits coming from its inclusion on the system do not comply with security properties of these architectures: protected memory isolation and confidentiality are no longer guaranteed if a secondary channel, that directly access the memory independently from the CPU, is provided. Main achievements of the thesis are to extend the Sancus 2.0 architecture with DMA support, showing how this affects its security properties and providing a secure way to implement DMA. From the discussion of the upcoming chapters, two solutions stood out: the first one is currently implemented on Sancus, and it consists in entirely excluding DMA from accessing protected memory, preserving SMs security guarantees. The second theoretical solution aims to provide the software modules with DMA functionalities, by allowing some security guarantees for a confined regions inside protected memory. The latter solution is discussed in details and some design options are provided, whereas its implementation is deferred as future work.