research-article

LO-FAT: Low-Overhead Control Flow ATtestation in Hardware

Authors:

Ghada Dessouky,

Shaza Zeitouni,

Patrick Koeberl,

Ahmad-Reza SadeghiAuthors Info & Claims

DAC '17: Proceedings of the 54th Annual Design Automation Conference 2017

Article No.: 24, Pages 1 - 6

https://doi.org/10.1145/3061639.3062276

Published: 18 June 2017 Publication History

Abstract

Attacks targeting software on embedded systems are becoming increasingly prevalent. Remote attestation is a mechanism that allows establishing trust in embedded devices. However, existing attestation schemes are either static and cannot detect control-flow attacks, or require instrumentation of software incurring high performance overheads. To overcome these limitations, we present LO-FAT, the first practical hardware-based approach to control-flow attestation. By leveraging existing processor hardware features and commonly-used IP blocks, our approach enables efficient control-flow attestation without requiring software instrumentation. We show that our proof-of-concept implementation based on a RISC-V SoC incurs no processor stalls and requires reasonable area overhead.

References

[1]

M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow Integrity Principles, Implementations, and Applications. ACM Trans. Inf. Syst. Secur., pages 4:1--4:40, 2009.

Digital Library

[2]

T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, A.-R. Sadeghi, and G. Tsudik. C-FLAT: Control-Flow Attestation for Embedded Systems Software. In ACM CCS, 2016.

Digital Library

[3]

J. Backer, D. Hely, and R. Karri. On Enhancing the Debug Architecture of a System-on-Chip (SoC) to Detect Software Attacks. In IEEE DFT, 2015.

[4]

K. A. Bailey and S. W. Smith. Trusted Virtual Containers on Demand. In ACM-CCS-STC, 2010.

Digital Library

[5]

A. Basak, S. Bhunia, and S. Ray. A Flexible Architecture for Systematic Implementation of SoC Security Policies. In ACM/IEEE DAC, 2015.

[6]

A. Basak, S. Bhunia, and S. Ray. Exploiting Design-for-Debug for Flexible SoC Security Architecture. In ACM/IEEE DAC, 2016.

Digital Library

[7]

F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, and P. Koeberl. TyTAN: Tiny Trust Anchor for Tiny Devices. In ACM/IEEE DAC, 2015.

Digital Library

[8]

S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-Control-Data Attacks Are Realistic Threats. In USENIX Security, 2005.

Digital Library

[9]

R. D. Clercq, R. D. Keulenaer, B. Coppens, B. Yang, P. Maene, K. D. Bosschere, B. Preneel, B. D. Sutter, and I. Verbauwhede. SOFIA: Software and Control Flow Integrity Architecture. In ACM/IEEE DATE, 2016.

Digital Library

[10]

L. Davi, A.-R. Sadeghi, and M. Winandy. Dynamic Integrity Measurement and Attestation: Towards Defense Against Return-Oriented Programming Attacks. In ACM CCS-STC, 2009.

Digital Library

[11]

K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito. SMART: Secure and Minimal Architecture for (Establishing Dynamic) Root of Trust. In ISOC NDSS, 2012.

[12]

A. Francillon and C. Castelluccia. Code Injection Attacks on Harvard-architecture Devices. In ACM CCS, 2008.

Digital Library

[13]

H. Hu, S. Shinde, S. Adrian, Z. L. Chua, P. Saxena, and Z. Liang. Data-Oriented Programming: On The Effectiveness of Non-Control Data Attacks. In IEEE S&P, 2016.

[14]

Intel. Intel 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C, Chapter 36 Intel Processor Trace. https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf, 2016.

[15]

C. Kil, E. Sezer, A. Azab, P. Ning, and X. Zhang. Remote attestation to Dynamic System Properties: Towards Providing Complete System Integrity Evidence. In IEEE/IFIP DSN, 2009.

[16]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-Pointer Integrity. In USENIX OSDI, 2014.

Digital Library

[17]

L. Le. ARM Exploitation ROPMap. BlackHat USA, 2011.

[18]

Pulpino. An Open-Source Microcontroller System based on RISC-V. https://github.com/pulp-platform/pulpino.

[19]

RISC-V. The Free and Open RISC Instruction Set Architecture. https://riscv.org/specifications, 2016.

[20]

A.-R. Sadeghi and C. Stüble. Property-based Attestation for Computing Platforms: Caring About Properties, Not Mechanisms. In NSPW, 2004.

Digital Library

[21]

R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and Implementation of a TCG-based Integrity Measurement Architecture. In USENIX Security, 2004.

Digital Library

[22]

A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla. SWATT: Software-based Attestation for Embedded Devices. In IEEE S&P, 2004.

[23]

H. Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86). In ACM CCS, 2007.

Digital Library

[24]

M. L. Soffa, K. R. Walcott, and J. Mars. Exploiting Hardware Advances for Software Testing and Debugging (NIER Track). In ACM/IEEE ICSE, 2011.

Digital Library

[25]

J. Viega and H. Thompson. The State of Embedded-Device Security (Spoiler Alert: It's Bad). IEEE S&P, 10(5):68--70, 2012.

Digital Library

[26]

X. Wang, Y. Zheng, A. Basak, and S. Bhunia. IIPS: Infrastructure IP for Secure SoC Design. IEEE Transactions on Computers, Aug 2015.

Cited By

Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
Peng AFang DGuan LKouwe ELi YWang WSun LZhang Y(2024)Bitmap-Based Security Monitoring for Deeply Embedded SystemsACM Transactions on Software Engineering and Methodology10.1145/367246033:7(1-31)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3672460
Grisafi MAmmar MRoveri MCrispo B(2024)FLAShadow: A Flash-based Shadow Stack for Low-end Embedded SystemsACM Transactions on Internet of Things10.1145/36704135:3(1-29)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3670413
Show More Cited By

Recommendations

Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Referencing outside the bounds of an array or buffer is a common source of bugs and security vulnerabilities in today's software. We can enforce spatial safety and eliminate these violations by inseparably associating bounds with every pointer (fat ...
Efficient Java exception handling in just-in-time compilation
Research Articles

Java uses exceptions to provide elegant error handling capabilities during program execution. However, the presence of exception handlers complicates the job of the just-in-time (JIT) compiler, while exceptions are rarely used in most programs. This ...
No-FAT: architectural support for low overhead memory safety checks
ISCA '21: Proceedings of the 48th Annual International Symposium on Computer Architecture

Memory safety continues to be a significant software reliability and security problem, and low overhead and low complexity hardware solutions have eluded computer designers. In this paper, we explore a pathway to deployable memory safety defenses. Our ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

DAC '17: Proceedings of the 54th Annual Design Automation Conference 2017

June 2017

533 pages

ISBN:9781450349277

DOI:10.1145/3061639

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

EDAC: Electronic Design Automation Consortium
SIGDA: ACM Special Interest Group on Design Automation
IEEE-CEDA

In-Cooperation

SIGBED: ACM Special Interest Group on Embedded Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 June 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

DAC '17

Sponsor:

EDAC
SIGDA

DAC '17: The 54th Annual Design Automation Conference 2017

June 18 - 22, 2017

TX, Austin, USA

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%

Upcoming Conference

DAC '25

Sponsor:
sigda

62nd ACM/IEEE Design Automation Conference

June 22 - 26, 2025

San Francisco , CA , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

71
Total Citations
View Citations
707
Total Downloads

Downloads (Last 12 months)90
Downloads (Last 6 weeks)9

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
Peng AFang DGuan LKouwe ELi YWang WSun LZhang Y(2024)Bitmap-Based Security Monitoring for Deeply Embedded SystemsACM Transactions on Software Engineering and Methodology10.1145/367246033:7(1-31)Online publication date: 18-Jun-2024
https://dl.acm.org/doi/10.1145/3672460
Grisafi MAmmar MRoveri MCrispo B(2024)FLAShadow: A Flash-based Shadow Stack for Low-end Embedded SystemsACM Transactions on Internet of Things10.1145/36704135:3(1-29)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3670413
De Vaere PStöger FPerrig ATsudik GQuek TGao DZhou JCardenas A(2024)The SA4P Framework: Sensing and Actuation as a PrivilegeProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3657006(873-885)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3657006
Weng JYao SDu YHuang JWeng JWang C(2024)Proof of Unlearning: Definitions and InstantiationIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.335899319(3309-3323)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3358993
Chilese MMitev ROrenbach MThorburn RAtamli ASadeghi A(2024)One for All and All for One: GNN-based Control-Flow Attestation for Embedded Devices2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00251(3346-3364)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00251
Johnson WHousley JGhafoor SProwell S(2024)Toward Profiling IoT Processes for Remote Service Attestation2024 23rd International Symposium on Parallel and Distributed Computing (ISPDC)10.1109/ISPDC62236.2024.10705398(1-8)Online publication date: 8-Jul-2024
https://doi.org/10.1109/ISPDC62236.2024.10705398
Gonzalez-Gomez JNassar HBauer LHenkel J(2024)LightFAt: Mitigating Control-Flow Explosion via Lightweight PMU-Based Control-Flow Attestation2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)10.1109/HOST55342.2024.10545348(222-226)Online publication date: 6-May-2024
https://doi.org/10.1109/HOST55342.2024.10545348
Lee DShin OCha YLee JYun TKim JOh HNicopoulos CLee S(2024)A Hardware-Based Correct Execution Environment Supporting Virtual MemoryIEEE Access10.1109/ACCESS.2024.344350912(114008-114022)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3443509
Varan EHanifi KErdemli AUnal MTat YTekinoglu DCetin OFuladi RYilmaz C(2024)Using Page Offsets for Detecting Control-Flow AnomaliesInnovative Security Solutions for Information Technology and Communications10.1007/978-3-031-52947-4_2(13-25)Online publication date: 21-Jan-2024
https://doi.org/10.1007/978-3-031-52947-4_2
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents