DOI: 10.1007/978-3-030-32079-9_13

FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation

Published: 08 October 2019

Abstract

Control Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid performance overhead, but typically rely on code instrumentation, which forms a non-trivial hurdle to the application of CFI. We develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. The measurement results show an average of 0.36% performance overhead on SPEC 2006 benchmarks.


Cited By

  • (2022) RIPEMB: A framework for assessing hardware-assisted software security schemes in embedded systems. Proceedings of the 17th International Conference on Availability, Reliability and Security, pp. 1-6. DOI: 10.1145/3538969.3539013. Online publication date: 23-Aug-2022

Published In

Runtime Verification: 19th International Conference, RV 2019, Porto, Portugal, October 8–11, 2019, Proceedings
Oct 2019
423 pages
ISBN: 978-3-030-32078-2
DOI: 10.1007/978-3-030-32079-9

Publisher

Springer-Verlag, Berlin, Heidelberg
