Publications

* denotes equal contribution and joint lead authorship.


2024

  1. SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems

    USENIX WOOT Conference on Offensive Technologies, 2024

  2. Trusted Execution Environments in Embedded and IoT Systems: A CactiLab Perspective
    Ziming Zhao, Md Armanuzzaman, Xi Tan, and Zheyuan Ma.

    IEEE International Symposium on Secure and Private Execution Environment Design, 2024

  3. InsectACIDE: Debugger-Based Holistic Asynchronous CFI for Embedded System
    Yujie Wang, Cailani Lemieux Mack, Xi Tan, Ning Zhang, Ziming Zhao, Sanjoy Baruah, and Bryan C. Ward.

    IEEE Real-Time and Embedded Technology and Applications Symposium, 2024

  4. Is the Canary Dead? On the Effectiveness of Stack Canaries on Microcontroller Systems
    Xi Tan, Sagar Mohan, Md Armanuzzaman, Zheyuan Ma, Gaoxiang Liu, Alex Eastman, Hongxin Hu, and Ziming Zhao.

    ACM/SIGAPP Symposium On Applied Computing, 2024


2023

  1. SHERLOC: Secure and Holistic Control-Flow Violation Detection on Embedded Systems
    Xi Tan and Ziming Zhao.

    ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023

    Microcontroller-based embedded systems are often programmed in low-level languages and are vulnerable to control-flow hijacking attacks. One approach to prevent such attacks is to enforce control-flow integrity (CFI), but inlined CFI enforcement can pose challenges in embedded systems. For example, it increases binary size and changes memory layout. Trace-based control-flow violation detection (CFVD) offers an alternative that doesn't require instrumentation of the protected software or changes to its memory layout. However, existing CFVD methods used in desktop systems require kernel modifications to store and analyze the trace, which limits their use to monitoring unprivileged applications. But, embedded systems are interrupt-driven, with the majority of processing taking place in the privileged mode. Therefore, it is critical to provide a holistic and system-oriented CFVD solution that can monitor control-flow transfers both within and among privileged and unprivileged components. In this paper, we present Sherloc, a Secure and Holistic Control-Flow Violation Detection mechanism designed for microcontroller-based embedded systems. Sherloc ensures security by configuring the hardware tracing unit, storing trace records, and executing the violation detection algorithm in a trusted execution environment, which prevents privileged programs from bypassing monitoring or tampering with the trace. We address the challenges of achieving holistic and system-oriented CFVD by formalizing the problem and monitoring forward and backward edges of unprivileged and privileged programs, as well as control-flow transfers among unprivileged and privileged components. Specifically, Sherloc overcomes the challenges of identifying legitimate asynchronous interrupts and context switches at run-time by using an interrupt- and scheduling-aware violation detection algorithm. Our evaluations on the ARMv8-M architecture demonstrate the effectiveness and efficiency of Sherloc.
  2. Return-to-Non-Secure Vulnerabilities on ARM Cortex-M TrustZone: Attack and Defense
    Zheyuan Ma, Xi Tan, Lukasz Ziarek, Ning Zhang, Hongxin Hu, and Ziming Zhao.

    ACM/IEEE Design Automation Conference, 2023

    ARM Cortex-M is one of the most popular microcontroller architectures designed for embedded and Internet of Things (IoT) applications. To facilitate efficient execution, it has some unique hardware optimization. In particular, Cortex-M TrustZone has a fast state switch mechanism that allows direct control-flow transfer from the secure state program to the non-secure state userspace program. In this paper, we demonstrate how this fast state switch mechanism can be exploited for arbitrary code execution with escalated privilege in the non-secure state by introducing a new exploitation technique, namely return-to-non-secure (ret2ns). We experimentally confirmed the feasibility of four variants of ret2ns attacks on two Cortex-M hardware systems. To defend against ret2ns attacks, we design two address sanitizing mechanisms that have negligible performance overhead.

2016

  1. The Vulnerability Analysis and Security Enhancement of Docker
    Wenlin Yang, Xi Tan, Junchen Guo, and Shuo Wang.

    Information Security and Technology 4, 2016