Is the Canary Dead? On the Effectiveness of Stack Canaries on Microcontroller Systems
Authors: 
Xi Tan, Sagar Mohan, Md Armanuzzaman, Zheyuan Ma, Gaoxiang Liu, Alex Eastman, 
Hongxin Hu, 
Ziming ZhaoAuthors Info & Claims
Xi Tan, Sagar Mohan, Md Armanuzzaman, Zheyuan Ma, Gaoxiang Liu, Alex Eastman, Hongxin Hu, Ziming ZhaoAuthors Info & ClaimsPages 1350 - 1357
Abstract
Microcontroller units (MCUs) are compact computers tailored for embedded and Internet-of-Things (IoT) applications. MCU-based devices primarily run software systems coded in low-level languages such as C, making them susceptible to memory corruption attacks like stack-based buffer overflows. Stack canaries are a low-overhead buffer overflow detection mechanism that offers a certain level of protection and is frequently used in microprocessor systems in both the kernel and application layers. However, their effectiveness and overhead on microcontroller systems have not been extensively studied. As a result, the community naively assumes that the stack canary mechanism on microcontrollers provides the same level of security as it does on microprocessor systems.
In this paper, we present a study that centers on the implementation and utilization of stack canaries in microcontroller systems. More specifically, we delve into the support for stack canaries across libraries, compilers, and system layers. Our findings suggest that the implementations of stack canaries on microcontroller systems are generally less secure than their counterparts on microprocessors. Additionally, we conducted measurements to assess the overhead of stack canaries within Zephyr, a popular real-time operating system for microcontrollers. We aim for this paper to illustrate the limitations of stack canaries on microcontrollers and advocate for the exploration of alternative solutions.
References
[1]
2023. Apache Mynewt. https://github.com/apache/mynewt-core. (2023).
[2]
2023. Apache NuttX. https://nuttx.apache.org/. (2023).
[3]
2023. ARM Cortex-M. https://www.arm.com/products/silicon-ip-cpu?families=cortex-m&showall=true. (2023).
[4]
2023. Armv8.1-M Pointer Authentication and Branch Target Identification Extension. https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension. (2023).
[5]
2023. Azure RTOS ThreadX. https://github.com/azure-rtos/threadx. (2023).
[6]
2023. Bern RTOS. https://bern-rtos.org/. (2023).
[7]
2023. Best IoT Operating Systems of 2023. https://slashdot.org/software/iot-operating-systems/. (2023).
[8]
2023. Best Real-Time Operating Systems (RTOSs) of 2023. https://slashdot.org/software/real-time-operating-systems-rtos/. (2023).
[9]
2023. Blinky sample. https://docs.zephyrproject.org/latest/samples/basic/blinky/README.html. (2023).
[10]
2023. Contiki-NG: The OS for Next Generation IoT Devices. https://www.contiki-ng.org/. (2023).
[11]
2023. FreeRTOS: Real-time operating system for microcontrollers. https://www.freertos.org/. (2023).
[12]
2023. Ghidra website. https://ghidra-sre.org/. (2023).
[13]
2023. GNU C library. https://elixir.bootlin.com/glibc/glibc-2.38/source. (2023).
[14]
2023. Linux version 6.5.5. https://elixir.free-electrons.com/linux/v6.5.5/source. (2023).
[15]
2023. LitOS Github. https://github.com/LiteOS/LiteOS. (2023).
[16]
2023. Mongoose OS. https://mongoose-os.com/. (2023).
[17]
2023. Multi-threding sample. https://docs.zephyrproject.org/latest/samples/kernel/condition_variables/simple/README.html. (2023).
[18]
2023. NUCLEO-F412ZG board. https://www.st.com/en/evaluation-tools/nucleo-f412zg.html. (2023).
[19]
2023. Object size checking to prevent (some) buffer overflows. https://gcc.gnu.org/legacy-ml/gcc-patches/2004-09/msg02055.html. (2023).
[20]
2023. OpenWrt. https://openwrt.org/start. (2023).
[21]
2023. Producer/consumer sample. https://docs.zephyrproject.org/latest/samples/userspace/prod_consumer/README.html. (2023).
[22]
2023. RIoT. https://github.com/RIOT-OS/RIOT. (2023).
[23]
2023. RT-Thread. https://www.rt-thread.io/. (2023).
[24]
2023. Samsung TizenRT. https://github.com/Samsung/TizenRT. (2023).
[25]
2023. Samsung TizenRT: stack_protector.c. https://github.com/Samsung/TizenRT/blob/1c9e6fdbb53006a50702eca23abbf4b5cca5c1c7/os/board/rtl8730e/src/component/soc/amebad2/atf/lib/stack_protector/stack_protector.c. (2023).
[26]
2023. The Arm ecosystem ships a record 6.7 billion Arm-based chips in a single quarter. https://www.arm.com/company/news/2021/02/arm-ecosystem-ships-record-6-billion-arm-based-chips-in-a-single-quarter. (2023).
[27]
2023. The GNU Compiler Collection. https://gcc.gnu.org/. (2023).
[28]
2023. TI-RTOS (RTOS Kernel) Overview. https://software-dl.ti.com/simplelink/esd/simplelink_cc13x0_sdk/4.10.02.04/exports/docs/proprietary-rf/proprietary-rf-users-guide/proprietary-rf-guide/tirtos-index.html. (2023).
[29]
2023. TinyOS. https://github.com/tinyos/tinyos-main. (2023).
[30]
2023. Zephy. https://github.com/zephyrproject-rtos/zephyr/releases/tag/v3.5.0. (2023).
[31]
Ali Abbasi, Jos Wetzels, Thorsten Holz, and Sandro Etalle. 2019. Challenges in designing exploit mitigations for deeply embedded systems. In European Symposium on Security and Privacy (EuroS&P). IEEE.
[32]
Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. 1998. Stack-guard: automatic adaptive detection and prevention of buffer-overflow attacks. In USENIX security symposium.
[33]
Thurston HY Dang, Petros Maniatis, and David Wagner. 2015. The performance cost of shadow stacks and stack canaries. In ACM Symposium on Information, Computer and Communications Security.
[34]
Asmit De, Aditya Basu, Swaroop Ghosh, and Trent Jaeger. 2020. Hardware assisted buffer protection mechanisms for embedded RISC-V. Transactions on Computer-Aided Design of Integrated Circuits and Systems (2020).
[35]
Yufei Du, Zhuojia Shen, Komail Dharsee, Jie Zhou, Robert J Walls, and John Criswell. 2022. Holistic Control-Flow Protection on Real-Time Embedded Systems with Kage. In USENIX Security Symposium.
[36]
Qualcomm Technologies Inc. 2023. Pointer Authentication on ARMv8.3. https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/pointer-auth-v7.pdf. (2023).
[37]
Arslan Khan, Dongyan Xu, and Dave Jing Tian. 2023. Ec: Embedded systems compartmentalization via intra-kernel isolation. In Symposium on Security and Privacy (S&P). IEEE.
[38]
Arslan Khan, Dongyan Xu, and Dave Jing Tian. 2023. Low-cost privilege separation with compile time compartmentalization for embedded systems. In Symposium on Security and Privacy (S&P). IEEE.
[39]
Amit Levy, Bradford Campbell, Branden Ghena, Daniel B Giffin, Pat Pannuto, Prabal Dutta, and Philip Levis. 2017. Multiprogramming a 64kb computer safely and efficiently. In Symposium on Operating Systems Principles.
[40]
Hans Liljestrand, Zaheer Gauhar, Thomas Nyman, Jan-Erik Ekberg, and N. Asokan. 2019. Protecting the Stack with PACed Canaries. In Workshop on System Software for Trusted Execution. ACM.
[41]
Hector Marco-Gisbert and Ismael Ripoll. 2013. Preventing brute force attacks against stack canary protection on networking servers. In International Symposium on Network Computing and Applications. IEEE.
[42]
Ravikanth Pappu, Ben Recht, Jason Taylor, and Neil Gershenfeld. 2002. Physical one-way functions. Science (2002).
[43]
Jiadong Sun, Xia Zhou, Wenbo Shen, Yajin Zhou, and Kui Ren. 2020. PESC: A Per System-Call Stack Canary Design for Linux Kernel. In Data and Application Security and Privacy. ACM.
[44]
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. Sok: Eternal war in memory. In Symposium on Security and Privacy. IEEE.
[45]
Zephyr. 2023. Zephyr RTOS. https://zephyrproject.org/. (2023).
[46]
Zephyr Project: compiler_stack_protect.c. 2023. Stack Overflows Detection. https://github.com/zephyrproject-rtos/zephyr/blob/078967671c9038367edeb60818c0e69015320e32/kernel/compiler_stack_protect.c. (2023).
[47]
Jie Zhou, Yufei Du, Zhuojia Shen, Lele Ma, John Criswell, and Robert J Walls. 2020. Silhouette: Efficient protected shadow stacks for embedded systems. In USENIX Security Symposium.
[48]
Wei Zhou, Le Guan, Peng Liu, and Yuqing Zhang. 2019. Good motive but bad design: Why ARM MPU has become an outcast in embedded systems. arXiv preprint arXiv:1908.03638 (2019).
[49]
Wei Zhou, Zhouqi Jiang, and Le Guan. 2023. Understanding MPU Usage in Microcontroller-based Systems in the Wild. (2023).
Index Terms
- Is the Canary Dead? On the Effectiveness of Stack Canaries on Microcontroller Systems
Recommendations
The Performance Cost of Shadow Stacks and Stack Canaries
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications SecurityControl flow defenses against ROP either use strict, expensive, but strong protection against redirected RET instructions with shadow stacks, or much faster but weaker protections without. In this work we study the inherent overheads of shadow stack ...
Protecting the stack with PACed canaries
SysTEX '19: Proceedings of the 4th Workshop on System Software for Trusted ExecutionStack canaries remain a widely deployed defense against memory corruption attacks. Despite their practical usefulness, canaries are vulnerable to memory disclosure and brute-forcing attacks. We propose PCan, a new approach based on ARMv8.3-A pointer ...
Pythia: Compiler-Guided Defense Against Non-Control Data Attacks
ASPLOS '24: Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3Modern C/C++ applications are susceptible to Non-Control Data Attacks, where an adversary attempts to exploit memory corruption vulnerabilities for security breaches such as privilege escalation, control-flow manipulation, etc. One such popular class of ...
Comments
Information & Contributors
Information
Published In
April 2024
1898 pages
Copyright © 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 21 May 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- NSF
- NCAE
Conference
SAC '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
Upcoming Conference
SAC '25
- Sponsor:
- sigapp
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 81Total Downloads
- Downloads (Last 12 months)81
- Downloads (Last 6 weeks)17
Reflects downloads up to 01 Mar 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in