From MMU to MPU: adaptation of the Pip kernel to constrained devices
Nicolas Dejon, Chrystel Gaber, Gilles Grimaud

TL;DR
This paper adapts the Pip kernel to constrained devices by replacing its MMU with an MPU, enabling flexible memory isolation with minimal overhead, suitable for resource-limited embedded systems.
Contribution
It introduces Pip-MPU, a variant of the Pip kernel that uses an MPU instead of an MMU, providing flexible isolation for constrained devices.
Findings
16% overhead in performance and energy consumption
Reduces attack surface from 100% to 2%
Uses less than 10 kB of Flash and 550 B of RAM
Abstract
This article presents a hardware-based memory isolation solution for constrained devices. Existing solutions target high-end embedded systems (typically ARM Cortex-A with a Memory Management Unit, MMU) such as seL4 or Pip (formally verified kernels) or target low-end devices such as ACES, MINION, TrustLite, EwoK but with limited flexibility by proposing a single level of isolation. Our approach consists in adapting Pip to inherit its flexibility (multiple levels of isolation) but using the Memory Protection Unit (MPU) instead of the MMU since the MPU is commonly available on constrained embedded systems (typically ARMv7 Cortex-M4 or ARMv8 Cortex-M33 and similar devices). This paper describes our design of Pip-MPU (Pip's variant based on the MPU) and the rationale behind our choices. We validate our proposal with an implementation on an nRF52840 development kit and we perform various…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Advanced Memory and Neural Computing
