128 lines
No EOL
4.9 KiB
Text
128 lines
No EOL
4.9 KiB
Text
Team number: xohw22-028
|
|
|
|
Project name: Securised processor for IoT - Mitigating buffer overflow based attacks
|
|
|
|
Link to YouTube Video(s): https://youtu.be/r6SniqSB8uo
|
|
|
|
Link to project repository: https://git.etud.insa-toulouse.fr/pfaure/PSI.git
|
|
|
|
|
|
|
|
University name: INSA Toulouse
|
|
|
|
Participant(s): Paul Faure
|
|
|
|
Email: pfaure@insa-toulouse.fr
|
|
|
|
Supervisor name: Daniela Dragomirescu
|
|
|
|
Supervisor e-mail: daniela@laas.fr
|
|
|
|
|
|
|
|
Board used: Basys3
|
|
|
|
Software Version: Vivado 2018.2
|
|
|
|
Brief description of project:
|
|
A secure processor for IoT.
|
|
The processor has two stacks, one of which is reserved for return addresses and context.
|
|
This stack is only accessible by the CALL and RET instructions.
|
|
Thus, a buffer overflow (MOV and COPY instructions) cannot modify this stack.
|
|
It is therefore impossible to divert the program to a malicious function.
|
|
|
|
The project includes the processor and the associated compiler.
|
|
The compilation phase is done in two steps:
|
|
The C file is compiled to a memory-oriented assembly language.
|
|
Then, the cross assembler converts it to the register-oriented assembly language of the processor, then, to a binary program.
|
|
The binary file can then be written in the memory (source code) of the processor.
|
|
It only remains to synthesize, implement, generate the bitstream, and flash the FPGA.
|
|
|
|
|
|
Description of archive (explain directory structure, documents and source files):
|
|
|
|
|
|
├───Documentation
|
|
├───PSI
|
|
│ ├───Compilateur
|
|
│ ├───CrossAssembleur
|
|
│ ├───Interpreteur
|
|
│ ├───InterpreteurRegistres
|
|
│ ├───Processeur
|
|
│ │ Makefile
|
|
│ │ prog_vulnerable.c
|
|
│ │ ReadMe.md
|
|
│ readme.txt
|
|
│ report.pdf
|
|
|
|
The Documentation folder contains diagrams related to each VHDL component, it also contains the list of instructions supported by the processor.
|
|
The PSI folder contains the source codes of the project.
|
|
The PSI/Compilateur folder contains the source codes of the C compiler associated with the processor.
|
|
The PSI/CrossAssembleur folder gathers the source codes of the crossassembler allowing to add the management of the registers.
|
|
The PSI/Interpreteur folder contains the source codes of an interpreter that can interpret the assembly output of the compiler.
|
|
The PSI/InterpreteurRegistres folder gathers the source codes of an interpreter which can interpret the assembly output of the crossassembler
|
|
The PSI/Processeur folder contains the VHDL source codes of the processor.
|
|
In the PSI folder is also provided :
|
|
A Makefile to simplify the use of the project.
|
|
An example of a C program containing a deliberate vulnerability to a buffer overflow attack.
|
|
A ReadMe.md detailing how the project works.
|
|
In the archive is also provided :
|
|
This document.
|
|
A more detailed report of the project.
|
|
|
|
|
|
Instructions to build and test project
|
|
|
|
Step 1: Hardware setup. Connect a keyboard to the USB port and a screen to the VGA port of the FPGA. Connect the FPGA to your PC thanks to USB cable.
|
|
|
|
Step 2: Open a terminal and move to the PSI folder.
|
|
|
|
Step 3: Configure project as unsecure (without double stack). "make unsecure"
|
|
|
|
Step 4: Build all the project. "make build WHAT="all""
|
|
|
|
Step 5: Execute the whole chain (build, crossassemble and load the program). "make exec WHAT="all" SOURCE="prog_vulnerable""
|
|
|
|
Step 6: Open Vivado, load the PSI/Processeur/Processeur.xpr project.
|
|
|
|
Step 7: Run synthesis, run implementation, generate bitstream, open hardware manager, open target, autoconnect, program device.
|
|
|
|
Observation 1: You should see "Program begin" and "Please enter a value:" on screen.
|
|
|
|
Step 8: Enter value 110, this value will be written in a array with a buffer overflow. (110 is the adresse of a malicious function, but you can enter other value if you want)
|
|
|
|
Observation 2: If you have entered 110, you should see:
|
|
|
|
YOU'VE BEEN HACKED
|
|
(__)
|
|
(|) (00)
|
|
|--(__)
|
|
| _| _|\__/
|
|
Yark Yark Yark
|
|
|
|
Step 9: Close Vivado
|
|
|
|
Step 10: Configure project as secure (with double stack). "make secure"
|
|
|
|
Step 11: Build all the project. "make build WHAT="all""
|
|
|
|
Step 12: Execute the whole chain (build, crossassemble and load the program). "make exec WHAT="all" SOURCE="prog_vulnerable""
|
|
|
|
Step 13: Open Vivado, load the PSI/Processeur/Processeur.xpr project.
|
|
|
|
Step 14: Run synthesis, run implementation, generate bitstream, open hardware manager, open target, autoconnect, program device.
|
|
|
|
Observation 3: You should see "Program begin" and "Please enter a value:" on screen.
|
|
|
|
Step 15: Enter value 110, this value will be written in a array with a buffer overflow. (110 is the adresse of a malicious function, but you can enter other value if you want)
|
|
|
|
Observation 4: If you have entered 110, you should see:
|
|
|
|
Legitimate function
|
|
a=0x6E
|
|
|
|
Conclusion: Thanks to our secure processor, it is impossible to divert the program to a malicious function.
|
|
However, buffer overflow can modify some variables because they are stored in the same memory area as the buffer.
|
|
|
|
|
|
... |