A CFI Verification System based on the RISC-V Instruction Trace Encoder

Control-Flow Integrity (CFI) checks a program's execution flow to detect whether the program is executed correctly and has not been altered by software or physical attacks. This paper presents a CFI verification system for programs executed on RISC-V cores. Our solution is based on the RISC-V instruction Trace Encoder (TE), which provides information about the execution path of the user program. Two approaches are proposed. The first is consistent with the current RISC-V TE standard and detects instruction skip attacks on function calls, on their returns and on branch instructions. The second requires an evolution of the RISC-V TE specification in order to detect more complex fault models, such as the corruption of any discontinuity instruction. We implemented both approaches on a RISC-V core and simulated their efficiency against Fault Injection Attacks (FIA). Compared to existing CFI solutions, our methodology modifies neither the user application code nor the RISC-V compiler.
