RTOS is running with uVisor privileges #235

Patater opened this Issue Jun 3, 2016 · 2 comments



Patater commented Jun 3, 2016

When we integrated uVisor and an RTOS in the 'dev' branch, we did not yet de-privilege the RTOS. All RTOS-specific code, like mutexes, the scheduler, timers, and so forth, currently runs with uVisor privileges. Some uVisor-to-RTOS glue code in uvisor-lib also runs with uVisor privileges. This is not final and we must fix it.

Ideally, no code would run privileged outside the reproducibly built uVisor binary. This enables us to make security promises because all privileged code would run inside the reproducible uVisor binary.

Furthermore, removing uVisor privileges from the RTOS will reduce the attack surface of systems built with uVisor.



jdfarm commented Aug 16, 2016

This is particularly critical because much of the RTOS makes no effort at security whatsoever. For example, SVC_Handler trusts r12 as a function pointer to branch to while privileged. PoC below.

    ldr r12, = privileged
    svc 0
    // muhahahaha
    mov r0, 0
    ldr r1, = MPU_CTRL
    str r0, r1



jdfarm commented Aug 16, 2016

(Also, just for reference, note the massive security hole in the form of the unprotected osEventObs function pointers in rt_osEventObserver.c)
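
Added example, not part of the thread and not uVisor or RTOS code: a host-runnable C sketch of the dispatch pattern described above (a privileged handler calling a caller-supplied function pointer) next to two hardened forms that only call targets from a fixed table. All function names are hypothetical, the services are constructed stand-ins, and the table is assumed to sit in memory that unprivileged code cannot write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*svc_fn_t)(uint32_t arg);
#define SVC_ERR_DENIED 0xFFFFFFFFu

/* Constructed stand-ins for privileged kernel services (hypothetical names). */
static uint32_t svc_mutex_acquire(uint32_t id) { return id + 1; }
static uint32_t svc_timer_start(uint32_t ms)   { return ms * 2; }

/* Constructed stand-in for code chosen by an unprivileged caller. */
static int g_rogue_ran;
static uint32_t rogue(uint32_t arg) { g_rogue_ran = 1; return arg; }

/* Pattern described in the issue: the handler calls whatever address the
 * caller left in r12, so any caller code runs with the handler's privileges. */
uint32_t svc_dispatch_trusting(svc_fn_t from_r12, uint32_t arg) {
    return from_r12(arg);
}

/* Hardened form 1: the caller passes only an index; the targets live in a
 * const table, assumed here to be unwritable by unprivileged code. */
static const svc_fn_t svc_table[] = { svc_mutex_acquire, svc_timer_start };
#define SVC_COUNT (sizeof svc_table / sizeof svc_table[0])

uint32_t svc_dispatch_by_index(uint32_t idx, uint32_t arg) {
    if (idx >= SVC_COUNT) return SVC_ERR_DENIED;   /* reject out-of-range ids */
    return svc_table[idx](arg);
}

/* Hardened form 2, for callers that still pass a pointer: accept it only if
 * it is exactly one of the table entries, and call the table's copy. */
uint32_t svc_dispatch_checked(svc_fn_t from_r12, uint32_t arg) {
    for (size_t i = 0; i < SVC_COUNT; i++)
        if (svc_table[i] == from_r12) return svc_table[i](arg);
    return SVC_ERR_DENIED;
}

int main(void) {
    svc_dispatch_trusting(rogue, 0);
    printf("trusting: rogue ran = %d\n", g_rogue_ran);
    g_rogue_ran = 0;
    uint32_t r = svc_dispatch_checked(rogue, 0);
    printf("checked:  rogue ran = %d, result = 0x%08lx\n", g_rogue_ran, (unsigned long)r);
    printf("index 1 -> %lu, index 2 -> 0x%08lx\n",
           (unsigned long)svc_dispatch_by_index(1, 10),
           (unsigned long)svc_dispatch_by_index(2, 10));
    return 0;
}
```

Neither hardened form validates the arguments passed to the allowed services, so each service still has to check its own inputs.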
