NESL Technical Report #: 2006-11-1
Abstract: Many sensor nodes contain resource-constrained microcontrollers where user-level applications, operating system components and device drivers reside within a single address space with no form of memory protection. Programming errors in one application can easily corrupt the state of the operating system and of other applications on the node. In this paper, we propose Harbor, a memory protection system that prevents corruption of state by buggy applications. We use software-based fault isolation (“sandboxing”) to restrict the memory accesses and control flow of applications to protection domains within the address space. Limited memory on sensor nodes precludes static partitioning of the address space into different domains. We have designed Memory map, a flexible and efficient data structure for recording ownership and layout information for the entire address space. Control flow integrity is preserved by maintaining a safe stack that stores return addresses in a protected memory region. Cross-domain calls perform a low-overhead domain switch within the single address space. Checks are introduced into an application through a rewrite of the compiled binary. The sandboxed binary is verified on the sensor node before it is admitted for execution; sensor nodes therefore only need to trust the correctness of the verifier in the overall system. We have implemented and tested Harbor on the SOS operating system. Our experiments were able to detect and prevent memory corruption caused by programming errors in application modules that had been in use for several months. Our evaluations show that, despite its high overhead, Harbor does not degrade the application-level performance of the system under typical workloads.
Publication Forum: 2006
Public Document?: Yes
NESL Document?: Yes
Document category: Report