實體記憶體保護（PMP）是RISC-V提供的一種硬體保護機制，用於限制使用者模式（U模式）和管理模式（S模式）不同區域的存取權限。但是，PMP 無法限制機器模式（M 模式）軟體的存取。因此，提出了增強實體記憶體保護（ePMP） 來為M模式軟體提供存取控制。 ePMP的主要任務之一是保護垂直共享數據，即儲存在U模式區域中並在M模式安全監視器和U模式區域之間共享的數據。使用ePMP，必須在 PMP 條目中精確配置垂直共享數據，以便安全監視器可以存取它們。
然而，當系統使用ePMP時，必須進行必要的修改，因為在M模式上針對不匹配位址強制執行的存取規則發生了變化。在這項工作中，我們提出了兩種安全監視器控制垂直共享資料存取的方法：靜態共享映射和動態共享映射。靜態共用映射將受保護區域的配置儲存到區域清單中。動態共享映射僅在需要時計算配置。我們進行了實驗，以針對不同任務採用所提出的方法來測量中斷退出的指令。結果表明，靜態共享映射比動態共享映射更有效率。我們還將討論兩種提議方法的安全性。也提供了與 RISC-V 提出的相關方法的比較。

Physical memory protection (PMP) is a hardware protection mechanism, provided by RISC-V, to restrict user mode (U-mode) and supervisor mode (S-mode) access permission of different regions. However, PMP cannot restrict the access from machine mode (M-mode) software. Thus, enhanced physical memory protection (ePMP) is proposed to provide access control to M-mode software. One of the major tasks of ePMP is to protect the vertical shared data, which are the data stored in the U-mode zones and shared between the M-mode secure monitor and the U-mode zones. With ePMP, vertical shared data must be precisely configured in the PMP entries to make them accessible to the secure monitor.
However, when the system uses ePMP, necessary modifications must be done since accessing rules enforced on the M mode for non-matched addresses are changed. In this work, we proposed two methods for the secure monitor to control the access to vertical shared data: static shared mapping and dynamic shared mapping. The static shared mapping stores the configuration of the protected region into zone manifests.
The dynamic shared mapping computes the configurations only when needed. We conducted experiments to measure the instructions retired of interrupts adopting the proposed methods for different tasks. The result shows that the static shared mapping is more efficient than the dynamic shared mapping. We will also discuss the security of the two proposed methods. Comparisons to the related methods proposed by RISC-V are also provided.

中文摘要 1
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . 5
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Background and Related Work . . . . . . . . . . . . . . . . . . 9
2.1 Trusted Execution Environment . . . . . . . . . . . . . . . . 9
2.2 Arm Memory Protection Unit . . . . . . . . . . . . . . . . . 10
2.3 RISC-V Physical Memory Protection . . . . . . . . . . . . . . 11
2.4 RISC-V Enhanced Physical Memory Protection . . . . . . . . . 12
2.5 TEE Architecture . . . . . . . . . . . . . . . . . . . . . . 13
2.6 Vertical Shared Data . . . . . . . . . . . . . . . . . . . . 13
2.7 RISC-V Modify Privilege Bit . . . . . . . . . . . . . . . . . 14
3 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Proposed Methods . . . . . . . . . . . . . . . . . . . . . . 15
3.2.1 Static Shared Mapping . . . . . . . . . . . . . . . . . . . 16
3.2.2 Dynamic Shared Mapping . . . . . . . . . . . . . . . . . . .18
4 Analysis on the Proposed Methods 21
4.1 Code Size . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2 Security Guarantee . . . . . . . . . . . . . . . . . . . . . .22
4.2.1 Secure Monitor Cannot Access Vertical Shared Data of Other
Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2.2 Secure Monitor Cannot Access Vertical Shared Data of The
Currently Executing Zone . . . . . . . . . . . . . . . . . . . . 23
4.2.3 The Currently Executing Zone Cannot Access Vertical Shared
Data of Other Zones . . . . . . . . . . . . . . . . . . . . . . . 23
4.3 PMP Entries . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4 Performance . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.5 Applicability . . . . . . . . . . . . . . . . . . . . . . . . 24
5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.1 Performance Comparison of Proposed Methods . . . . . . . . . 25
5.2 Comparison with MPRV . . . . . . . . . . . . . . . . . . . . 28
5.2.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.2 Performance . . . . . . . . . . . . . . . . . . . . . . . . 28
6 Conclusion and Future Work . . . . . . . . . . . . . . . . . . 30
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

[1] Tinshu Sasi et al. “A comprehensive survey on IoT attacks: Taxonomy, detection mechanisms and challenges”. Journal of Information and Intelligence (2023). issn: 2949-7159. doi: https://doi.org/10.1016/j.jiixd.2023.12. 001. URL: https://www.sciencedirect.com/science/article/
pii/S2949715923000793.
[2] Dorottya Papp, Zhendong Ma, and Levente Buttyan. “Embedded systems security: Threats, vulnerabilities, and attack taxonomy”. 2015 13th Annual Conference on Privacy, Security and Trust (PST). 2015, pp. 145–152. doi: 10.1109/
PST.2015.7232966.
[3] Mohamed Razmy Mohamed Kasim. “Security of The Embedded and IoT Systems: Threats, Attacks, and Countermeasures”. 2021. url: https://api.semanticscholar.org/CorpusID:237345137.
[4] Andy Greenberg. Hackers Remotely Kill a Jeep on the Highway—With Me in It.
2015. url: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
[5] Michael Bartock et al. Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases. Tech. rep. NIST Interagency or Internal Reports (IR) 8320. Gaithersburg, MD: National Institute of Standards and Technology, 2022. doi: 10.6028/NIST.IR.8320.
[6] Biometrics | Android Open Source Project. 2024. url: https://source.android.com/docs/security/features/biometric.
[7] Gal Beniamini. QSEE privilege escalation vulnerability and exploit (CVE-2015-6639). 2016. url: https://bits- please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html.
[8] The RISC-V Instruction Set Manual Volume II: Privileged Architecture. RISC-V Foundation. 2024.
[9] Dayeol Lee et al. “Keystone: An Open Framework for Architecting Trusted Execution Environments”. Proceedings of the Fifteenth European Conference on Computer Systems. EuroSys ’20. 2020.
[10] Erhu Feng et al. “Scalable Memory Protection in the PENGLAI Enclave”. 15th USENIX Symposium on Operating Systems Design and Implementation (OSDI21). USENIX Association, July 2021, pp. 275–294. isbn: 978-1-939133-22-9. url: https://www.usenix.org/conference/osdi21/presentation/feng.
[11] Gal Beniamini. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322). 2015. url: http://bits-please.blogspot.com/2015/08/android-linux-kernel-privilege.html.
[12] Mohamed Sabt, Mohammed Achemlal, and Abdelmadjid Bouabdallah. “Trusted Execution Environment: What It is, and What It is Not”. 2015 IEEE Trustcom/BigDataSE/ISPA. Vol. 1. 2015, pp. 57–64. doi: 10.1109/Trustcom.2015.357.
[13] Learn the architecture - TrustZone for AArch64. Arm. 2024.
[14] ARMv6-M Architecture Reference Manual. Arm. 2010.
[15] Wei Zhou et al. Good Motive but Bad Design: Why ARM MPU Has Become an Outcast in Embedded Systems. 2019. arXiv: 1908.03638 [cs.CR].
[16] Armv8-M Memory Model and Memory Protection User Guide. Arm. 2022.
[17] PMP Enhancements for memory access and execution prevention on Machine mode (Smepmp). RISC-V TEE Task Group. 2021.
[18] RISC-V IOPMP Architecture Specification. RISC-V IOPMP Task Group. 2024.
[19] Jakub Szefer. “Principles of Secure Processor Architecture Design”. 1st ed. Springer Cham, Oct. 2018. Chap. 1, pp. 1–2.
[20] Michele Grisafi, Mahmoud Ammar, and Bruno Crispo. “On the (in)security of Memory Protection Units : A Cautionary Note”. 2022 IEEE International Conference on Cyber Security and Resilience (CSR). 2022, pp. 157–162. doi:
10.1109/CSR54599.2022.9850322.
[21] Deukjo Hong et al. “LEA: A 128-Bit Block Cipher for Fast Encryption on Common Processors”. Jan. 2013, pp. 3–27. isbn: 978-3-319-05148-2. doi: 10.1007/978-3-319-05149-9_1.