ESP32 Forum

Hi

I have an application where user-provided code has to be loaded and executed (not flashed, only executed from RAM using espressif/elf_loader).
It has to be assumed that this code is malicious, and doing everything it can to destroy the device. I am especially worried about flash and efuses. The absolute minimum that i have to guarantee is that malicious code cannot:
- overwrite the factory app
- break the chip's configuration by messing with efuses

everything else (crashing, corrupting OTA app) is acceptable (though obviously better if it is also prevented).

Is the world controller secure enough for such a use-case? I was thinking about locking the flash chip after boot (but before running the untrusted code), to prevent overwriting of firmware. however it seems that esp32s3 integrated flash doesn't have this feature?

i then thought about using external, lockable flash, but realized the same problem exists with efuses.

the untrusted code will not have any syscall access, it will just read from a pre-defined memory range, and write to another pre-defined memory range. it will also be able to execute firmware-provided functions (still in untrusted mode though - those are all pure side-effect free functions like std::sin for example)

what do you think? is this possible with world controller? is there a better approach?

We have some code for it here https://github.com/espressif/esp-privilege-separation but you may need to finnick with it a bit before it works, it's not really production-quality code.

Something that might be easier to get working is to integrate a webassembly interpreter into your firmware, then have the third party compile their code to webassembly.

(Either that or some domain-specific code - if you can explain a bit better what the code is supposed to do I may have a better suggestion)

thanks for your response!

I don't mind having to spend (even significant) development time to get it running reliably. I only worry whether world controller alone is secure enough to protect the flash/efuses from malicious access.

My application is the execution of user-provided "shader" functions written in c++ which are used for 3d visualisations. elf_loader is perfect for this because I really do need the absolute best performance possible, and want to avoid interpreter overhead.

Check. From what I know, the world controller is designed to stop the 'user' program from accessing all that - see the repo I linked earlier for examples.