SoC
  • Home
  • Arm
  • Arm Cortex M0/M0+
  • Arm Cortex M4
  • Arm Cortex M3
  • Contact
Reading: NULL Pointer Protection with ARM Cortex-M MPU with Examples
SUBSCRIBE
SoCSoC
Font ResizerAa
  • Home
  • Arm
  • Arm Cortex M0/M0+
  • Arm Cortex M4
Search
  • Home
  • Arm
  • Arm Cortex M0/M0+
  • Arm Cortex M4
Have an existing account? Sign In
Follow US
  • Looking for Something?
  • Privacy Policy
  • About Us
  • Sitemap
  • Contact Us
© S-O-C.ORG, All Rights Reserved.
Arm

NULL Pointer Protection with ARM Cortex-M MPU with Examples

Javier Massey
Last updated: September 14, 2023 7:42 am
Javier Massey 5 Min Read
Share
SHARE

NULL pointer dereferences are a common source of bugs and security vulnerabilities in embedded systems built on ARM Cortex-M CPUs. Enabling the Memory Protection Unit (MPU) on Cortex-M3 and above devices provides an effective mitigation by preventing access to address 0x00000000, the NULL pointer address. This article explains how to configure the MPU regions to protect against NULL pointer dereferences on Cortex-M devices.

Contents
What is a NULL Pointer?NULL Pointer Protection with MPUMPU Region ConfigurationEnabling MPU and NULL Pointer ProtectionExample CodeConclusion

What is a NULL Pointer?

A NULL pointer is a pointer variable that does not point to a valid memory location. It has a value of 0x00000000. Dereferencing a NULL pointer to read or write data will result in a fault or undefined behavior. This is a frequent cause of crashes and security exploits.

For example, consider the following C code snippet:


int *ptr = NULL;
*ptr = 10; // NULL pointer dereference!

Here, dereferencing ptr will try to write to address 0x00000000 and cause a fault. Attackers can exploit this to redirect control flow and execute malicious code.

NULL Pointer Protection with MPU

The Memory Protection Unit (MPU) available on ARM Cortex-M3 and above devices can be used to prevent NULL pointer dereferences. The MPU allows configuring memory access permissions for different regions of memory.

To protect against NULL pointers, we can configure an MPU region for the NULL address range 0x00000000 to 0x00001000 with no access permissions. This will cause a fault on any access to NULL.

MPU Region Configuration

Here is an example of how to configure the MPU to protect the NULL address range against reads and writes in C:


MPU->RBAR = 0x00000000; // NULL address
MPU->RASR = 0x00000001; // 1kB region size, no access

This sets up an MPU region starting at 0x00000000 that is 1kB large. The RASR value 0x00000001 means no permissions (no read, write or execute access).

We can also protect a larger NULL range by increasing the region size field in RASR. For example, to protect the 8kB NULL range:


MPU->RBAR = 0x00000000;
MPU->RASR = 0x00000801; // 8kB region size, no access  

This MPU configuration will cause a HardFault whenever the CPU tries to read or write to the NULL address range. The application can handle the resulting exception and take appropriate action.

Enabling MPU and NULL Pointer Protection

After configuring the MPU regions, we need to enable the MPU globally using:


MPU->CTRL = 1;

The full steps are:

  1. Configure MPU regions for NULL range protection
  2. Enable MPU globally
  3. Handle HardFaults caused by NULL pointer access

This will activate the MPU and protect against NULL pointer exploits. The NULL pointer region should be configured early during application startup.

Example Code

Here is example code to set up an MPU region for NULL pointer protection on a Cortex-M device:


#include "stm32xyz.h" // Device header

// MPU configuration
#define NULL_REGION_SIZE 4096  

// Fault handling  
void HardFault_Handler(void) {
  // Handle NULL pointer fault  
  while(1); 
}

int main(void) {

  // Configure NULL pointer MPU region
  MPU->RBAR = 0x00000000;
  MPU->RASR = NULL_REGION_SIZE | 0x01; // 4kB, no access

  // Enable MPU
  MPU->CTRL = 1; 

  // Application code...

  return 0;
}

This configures a 4kB NULL region with no access, enables the MPU globally, and implements a HardFault handler to catch NULL pointer faults.

The application code can now safely dereference pointers without worrying about NULL pointer crashes. Any NULL pointer bugs will be caught by the MPU.

Conclusion

The Cortex-M Memory Protection Unit provides an efficient hardware mechanism to protect against common NULL pointer bugs. Configuring an MPU region covering the NULL address range with no permissions allows catching NULL pointer accesses, preventing crashes or exploits.

Combined with proper input validation and other software practices, MPU NULL pointer protection can significantly improve robustness and security of embedded applications built on ARM Cortex-M devices.

Newsletter Form (#3)

More ARM insights right in your inbox

 


Share This Article
Facebook Twitter Email Copy Link Print
Previous Article ARM Cortex-M compiler differences (Keil, IAR, Linaro, Yagarto and GNU Tools for ARM Embedded Processors)
Next Article ARM Cortex-M interrupt handler: directly call a C++ object functions when a interrupt occurs
Leave a comment Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

2k Followers Like
3k Followers Follow
10.1k Followers Pin
- Sponsored-
Ad image

You Might Also Like

What is the watchdog in ARM Cortex series?

The watchdog is a critical component in the ARM Cortex…

8 Min Read

How to Program ARM Cortex M4

The ARM Cortex M4 is a powerful 32-bit processor optimized…

5 Min Read

How to Correctly Configure Linker Options for Cortex-M23 in uVision5?

Configuring the linker options correctly is crucial for building efficient…

5 Min Read

Arm vs x86 Performance

The battle between Arm and x86 architectures has been going…

8 Min Read
SoCSoC
  • Looking for Something?
  • Privacy Policy
  • About Us
  • Sitemap
  • Contact Us
Welcome Back!

Sign in to your account