CoreGuard® is unique. It is the only cybersecurity solution that can prevent the exploitation of software vulnerabilities and stop entire classes of network-based attacks.
CoreGuard silicon IP integrates with all RISC architectures to provide a separate, sentry processor that acts as a bodyguard to protect embedded systems from cyberattacks. It monitors every instruction executed by the host processor to ensure that it complies with a defined set of security, safety, and privacy rules. If an instruction violates an existing rule, CoreGuard stops it from executing before any damage can be done.
How It Works
CoreGuard provides protection at the lowest possible level by using a hardware interlock. The hardware interlock controls the communication between the host processor and the rest of the system to ensure nothing is written to memory or sent out peripherals without first being verified by the CoreGuard Policy Enforcer.
Updatable security, safety, and privacy rules, called micropolicies, are installed on the SoC. They give CoreGuard information it needs to distinguish between good and bad instructions. CoreGuard collects application information usually discarded by the compiler to create identifiable metadata about every piece of data, and every instruction, executed by the host processor.
The CoreGuard Policy Executor (PEX) crosschecks the metadata of every instruction against an installed set of micropolicies. If an instruction violates an existing micropolicy, CoreGuard issues a violation and stops it from executing before any damage can be done. If there is no micropolicy violation, the host processor executes the instruction normally.
At the Core of CoreGuard
RulesMicropoliciesMicropolicies define security, safety, and privacy rules that enable CoreGuard hardware to determine which instructions to execute and which to block. Micropolicies are designed to stop entire classes of attacks, including buffer overflows, code injection, data exfiltration, and even safety violations.
InformationMetadataCoreGuard maintains metadata for every piece of data and every instruction that is handled by the host processor. The combination of micropolicy rules and metadata is what gives CoreGuard the knowledge it needs to make informed decisions about the safety of each instruction the host processor attempts to execute.
EnforcementPolicy EnforcerThe Policy Enforcer is CoreGuard’s hardware mechanism for monitoring and protecting the host processor. It is implemented as part of the processor’s silicon design, and it enables CoreGuard to check every instruction for compliance with micropolicies. When an instruction violates a micropolicy, the Policy Enforcer blocks it from executing.
Base Set of Micropolicies
Base Micropolicies Included with CoreGuard SDK
READ-WRITE-EXECUTE (RWX) MICROPOLICY
The RWX Micropolicy uses CoreGuard to provide the functionality of a hardware Memory Protection Unit, but at a much more granular level. Unlike an MPU that can only assign permission and memory attributes to a predefined set of memory regions, the RWX Micropolicy can label each word in memory with metadata that indicates whether it is readable, writable, and/or executable.
The RWX Micropolicy is designed to block attacks that try to manipulate data in a way they shouldn’t. For example, a code injection attack can exploit a software vulnerability (such as a buffer overflow) to introduce arbitrary code that will change the system’s course of execution. The injected code may try to write to an area of memory that is read-only, or execute code when it should be reading data.
The Heap Micropolicy prevents buffer overflows and protects heap memory. A buffer overflow is the most common type of memory violation. It occurs when an instruction writes more data to a buffer than the buffer is designed to hold; data fills the intended buffer, and then overflows into the adjacent buffer. Attackers will intentionally overflow a buffer’s boundary to replace data in the adjacent buffer with malicious code.
The Heap Micropolicy prevents buffer overflows by assigning a color to the buffer in which data resides, as well as a pointer to the buffer. For example, blue for the username buffer and its pointer, and yellow for the password buffer and its pointer. The Heap Micropolicy dictates that an instruction cannot write data to a buffer with a color that doesn’t match the color of the pointer to the buffer.
The Stack Micropolicy enforces memory safety by protecting the control structure of the stack frame. A stack is a fixed-length region of memory that stores temporary variables created by each function running in a program. A stack frame is a portion within the stack dedicated to a specific function; it includes a function’s return address, which tells the program what to do next.
The Stack Micropolicy is designed to block a type of buffer overflow attack known as a “stack smashing attack.” During a stack smashing attack, the attacker writes more data to a stack buffer than it is designed to hold. This overflow data can include carefully constructed data that overwrites the function’s return address with a specific address that points to other code in memory that the program was not intended to execute. Modifying the return address enables the attacker to employ a simple hacking technique called Return-Oriented Programming. With ROP, the attacker can hijack a program to execute system-level commands that delete files, change passwords, shut down servers, and do other serious damage.
A function in C contains three sections of code: Prologue, Body, and Epilogue. With the Stack Micropolicy, CoreGuard uses metadata to tag a function’s code and its data on the stack. It then blocks any instructions that attempt to violate the structure defined by the Stack metadata.
CONTROL FLOW INTEGRITY MICROPOLICY
The CFI Micropolicy stops attackers from redirecting the execution flow of a program. A code reuse attack is a security exploit that enables an attacker to execute arbitrary code on a compromised system. Rather than injecting their own code, attackers reuse fragments of code that already exist in memory. In other words, attackers cherry-pick chunks of existing code and repurpose them to do their bidding.
The CFI Micropolicy enforces that all control transfers adhere to a fixed control flow. Metadata for the CFI Micropolicy distinguishes the memory locations that contain instructions, as well as the sources and targets of jumps. All CFI metadata is generated when the application is compiled and is not altered during runtime. If an instruction attempts to jump to a location in memory that is not tagged as a legal location to which the program can jump, CoreGuard will block the instruction from executing.
The CoreGuard Advantage
Security in Silicon
Customizable & Updatable
Eliminate Zero Day Threats
Isolate & Protect
How It’s Delivered
When you sign a Design License for CoreGuard you receive two distinct deliverables.
The CoreGuard SDK includes an operating system based on the FreeRTOS kernel (a real-time operating system kernel ideal for embedded systems applications). The SDK also includes an embedded systems software simulator, compiler toolchain, a base set of CoreGuard micropolicies, sample applications, and technical documentation.
CoreGuard Policy Enforcer
The CoreGuard Policy Enforcer RTL is licensed and delivered as a set of hardware system Verilog design files. It can include custom modifications specific to each customer’s desired processor, such as pipelining to fit performance and area targets, or custom processor extension support. We provide full integration support and RTL instantiation consultation.