Our Solution

CoreGuard Overview

CoreGuard™ is unique. It is the only cybersecurity solution that can prevent the exploitation of software vulnerabilities and stop entire classes of network-based attacks.

CoreGuard silicon IP integrates with all RISC architectures to provide a separate, sentry processor that acts as a bodyguard to protect embedded systems from cyberattacks. It monitors every instruction executed by the host processor to ensure that it complies with a defined set of security, safety, and privacy rules. If an instruction violates an existing rule, CoreGuard stops it from executing before any damage can be done.

Read Overview

How It Works

CoreGuard provides protection at the lowest possible level by using a hardware interlock. The hardware interlock controls the communication between the host processor and the rest of the system to ensure nothing is written to memory or sent out peripherals without first being verified by the CoreGuard Policy Enforcer.

Updatable security, safety, and privacy rules, called micropolicies, are installed on the SoC. They give CoreGuard information it needs to distinguish between good and bad instructions. CoreGuard collections application information usually discarded by the compiler to create indentifiable metadata about every piece of data, and every instruction, executed by the host processor.

The CoreGuard Policy Executor (PEX) crosschecks the metadata of every instruction against an installed set of micropolicies. If an instruction violates an existing micropolicy, CoreGuard issues a violation and stops it from executing before any damage can be done. If there is no micropolicy violation, the host processor executes the instruction normally.

Download Diagram

At the Core of CoreGuard

  • Rules
    Micropolicies
    Micropolicies define security, safety, and privacy rules that enable CoreGuard hardware to determine which instructions to execute and which to block. Micropolicies are designed to stop entire classes of attacks, including buffer overflows, code injection, data exfiltration, and even safety violations.
  • Information
    Metadata
    CoreGuard maintains metadata for every piece of data and every instruction that is handled by the host processor. The combination of micropolicy rules and metadata is what gives CoreGuard the knowledge it needs to make informed decisions about the safety of each instruction the host processor attempts to execute.
  • Enforcement
    Policy Enforcer
    The Policy Enforcer is CoreGuard’s hardware mechanism for monitoring and protecting the host processor. It is implemented as part of the processor’s silicon design, and it enables CoreGuard to check every instruction for compliance with micropolicies. When an instruction violates a micropolicy, the Policy Enforcer blocks it from executing.
Read White Paper

Base Set of Micropolicies

CoreGuard micropolicies are designed to stop entire classes of attacks—not just specific attacks. Because of this, CoreGuard can dynamically block malicious behaviors from both known and unknown sources, and can even defend against zero-day attacks that exploit software vulnerabilities unknown to the software maker or user.
CoreGuard comes with a base set of micropolicies that together can stop over 90 percent of all network-based attacks—with absolutely no alteration to your application.
For even more protection, we can work with you to create custom micropolicies that meet the unique security, safety, and privacy requirements of your systems. The result is fine-grained protection against cyberattacks, flawed software, device malfunctions, and safety violations.
Get CoreGuard

Base Micropolicies Included with CoreGuard SDK

Read-Write-Execute (RWX) Micropolicy

The RWX Micropolicy uses CoreGuard to provide the functionality of a hardware Memory Protection Unit, but at a much more granular level. Unlike an MPU that can only assign permission and memory attributes to a predefined set of memory regions, the RWX Micropolicy can label each word in memory with metadata that indicates whether it is readable, writable, and/or executable.

The RWX Micropolicy is designed to block attacks that try to manipulate data in a way they shouldn’t. For example, a code injection attack can exploit a software vulnerability (such as a buffer overflow) to introduce arbitrary code that will change the system’s course of execution. The injected code may try to write to an area of memory that is read-only, or execute code when it should be reading data.

 

Heap Micropolicy

The Heap Micropolicy prevents buffer overflows and protects heap memory. A buffer overflow is the most common type of memory violation. It occurs when an instruction writes more data to a buffer than the buffer is designed to hold; data fills the intended buffer, and then overflows into the adjacent buffer. Attackers will intentionally overflow a buffer’s boundary to replace data in the adjacent buffer with malicious code.

The Heap Micropolicy prevents buffer overflows by assigning a color to the buffer in which data resides, as well as a pointer to the buffer. For example, blue for the username buffer and its pointer, and yellow for the password buffer and its pointer. The Heap Micropolicy dictates that an instruction cannot write data to a buffer with a color that doesn’t match the color of the pointer to the buffer.

 

Stack Micropolicy

The Stack Micropolicy enforces memory safety by protecting the control structure of the stack frame. A stack is a fixed-length region of memory that stores temporary variables created by each function running in a program. A stack frame is a portion within the stack dedicated to a specific function; it includes a function’s return address, which tells the program what to do next.

The Stack Micropolicy is designed to block a type of buffer overflow attack known as a “stack smashing attack.” During a stack smashing attack, the attacker writes more data to a stack buffer than it is designed to hold. This overflow data can include carefully constructed data that overwrites the function’s return address with a specific address that points to other code in memory that the program was not intended to execute. Modifying the return address enables the attacker to employ a simple hacking technique called Return-Oriented Programming. With ROP, the attacker can hijack a program to execute system-level commands that delete files, change passwords, shut down servers, and do other serious damage.

A function in C contains three sections of code: Prologue, Body, and Epilogue. With the Stack Micropolicy, CoreGuard uses metadata to tag a function’s code and its data on the stack. It then blocks any instructions that attempt to violate the structure defined by the Stack metadata.

 

Control Flow Integrity Micropolicy

The CFI Micropolicy stops attackers from redirecting the execution flow of a program. A code reuse attack is a security exploit that enables an attacker to execute arbitrary code on a compromised system. Rather than injecting their own code, attackers reuse fragments of code that already exist in memory. In other words, attackers cherry-pick chunks of existing code and repurpose them to do their bidding.

The CFI Micropolicy enforces that all control transfers adhere to a fixed control flow. Metadata for the CFI Micropolicy distinguishes the memory locations that contain instructions, as well as the sources and targets of jumps. All CFI metadata is generated when the application is compiled and is not altered during runtime. If an instruction attempts to jump to a location in memory that is not tagged as a legal location to which the program can jump, CoreGuard will block the instruction from executing.

 

The CoreGuard Advantage

Security in Silicon

CoreGuard is unassailable because it is hardwired directly into the silicon as hardware, and unlike software, hardware cannot be subverted over the network.

Customizable & Updatable

Protected micropolicy rules can be customized to fit your system and are securely updated as needed.

Compartmentalization +

Provides and strengthens compartmentalization by protecting applications within each compartment or zone.

Eliminate Zero Day Threats

Blocks entire classes of network-based attacks to eliminate the exploitation of still unknown vulnerabilities.

Isolate & Protect

CoreGuard isolates its micropolicies and metadata from the application software and operating system. This means only CoreGuard hardware can see and run CoreGuard micropolicies.

Compatible Design

Integrates with RISC processor architectures and supports existing operating systems and applications.

How It’s Delivered

When you sign a Design License for CoreGuard you receive two distinct deliverables.

CoreGuard SDK

The CoreGuard SDK includes an operating system based on the FreeRTOS kernel (a real-time operating system kernel ideal for embedded systems applications). The SDK also includes an embedded systems software simulator, compiler toolchain, a base set of CoreGuard micropolicies, sample applications, and technical documentation.

CoreGuard Policy Enforcer

The CoreGuard Policy Enforcer RTL is licensed and delivered as a set of hardware system Verilog design files. It can include custom modifications specific to each customer’s desired processor, such as pipelining to fit performance and area targets, or custom processor extension support. We provide full integration support and RTL instantiation consultation.

See Workflow