Taking a Look into Execute-Only Memory
Marc Schink, Johannes Obermaier

TL;DR
This paper critically examines the security of execute-only memory (XOM) in microcontrollers, demonstrating that shared hardware resources can be exploited to recover protected firmware and bypass read restrictions.
Contribution
The paper introduces a novel method to infer firmware instructions from shared hardware state transitions, exposing vulnerabilities in XOM implementations.
Findings
XOM is insufficient for firmware protection due to shared resource vulnerabilities.
The proposed attack can recover firmware from various microcontroller devices.
Some devices have implementation flaws that allow bypassing read restrictions.
Abstract
The development process of microcontroller firmware often involves multiple parties. In such a scenario, the Intellectual Property (IP) is not protected against adversarial developers who have unrestricted access to the firmware binary. For this reason, microcontroller manufacturers integrate eXecute-Only Memory (XOM) which shall prevent an unauthorized read-out of third-party firmware during development. The concept allows execution of code but disallows any read access to it. Our security analysis shows that this concept is insufficient for firmware protection due to the use of shared resources such as the CPU and SRAM. We present a method to infer instructions from observed state transitions in shared hardware. We demonstrate our method via an automatic recovery of protected firmware. We successfully performed experiments on devices from different manufacturers to confirm the…
