FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation

Control Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid performance overhead, but typically rely on code instrumentation, which forms a non-trivial hurdle to the application of CFI. We develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. The measurement results show an average of 0.36% performance overhead on SPEC 2006 benchmarks.
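To make "fine-grained and stateful" concrete, the following is an added software model of what a trace-driven CFI checker decides, written for this page rather than taken from the FastCFI paper or its Verilog. It assumes the checker receives a stream of branch records (kind, source address, target address), that forward edges are checked against an allow-set of (source, target) pairs, and that returns are checked against a shadow stack of expected return sites; the program layout, addresses and traces are constructed for illustration. A stateless coarse-grained checker is included alongside so the difference is visible on the same trace.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed example program layout (addresses are illustrative, not from the paper):
#   0x1000: main, indirect call to A   (return site 0x1005)
#   0x1005: main, indirect call to B   (return site 0x100a)
#   0x2000: entry of A, ret at 0x2010
#   0x3000: entry of B, ret at 0x3010
FORWARD_EDGES: Set[Tuple[int, int]] = {(0x1000, 0x2000), (0x1005, 0x3000)}
RETURN_SITES: Dict[int, int] = {0x1000: 0x1005, 0x1005: 0x100a}

# One branch record as the checker would see it: (kind, source, target),
# with kind one of "call", "jmp", "ret".  This record shape is an assumption.
BranchRecord = Tuple[str, int, int]


@dataclass
class Violation:
    index: int   # position of the offending record in the trace
    reason: str


class FineGrainedChecker:
    """Stateful policy: a call/jmp must be an allowed (source, target) edge, and
    every ret must land on the return site pushed by its matching call."""

    def __init__(self, forward_edges: Set[Tuple[int, int]], return_sites: Dict[int, int]):
        self.forward_edges = forward_edges
        self.return_sites = return_sites
        self.shadow: List[int] = []   # shadow stack of expected return addresses

    def step(self, kind: str, src: int, dst: int) -> Optional[str]:
        if kind in ("call", "jmp"):
            if (src, dst) not in self.forward_edges:
                return f"forward edge {src:#x}->{dst:#x} not permitted by policy"
            if kind == "call":
                self.shadow.append(self.return_sites[src])
            return None
        if kind == "ret":
            if not self.shadow:
                return f"ret at {src:#x} with empty shadow stack"
            expected = self.shadow.pop()
            if dst != expected:
                return f"ret at {src:#x} to {dst:#x}, expected {expected:#x}"
            return None
        return f"unknown branch kind {kind!r}"


class CoarseGrainedChecker:
    """Stateless policy for comparison: any call/jmp may land on any known
    function entry, and any ret on any known return site."""

    def __init__(self, forward_edges: Set[Tuple[int, int]], return_sites: Dict[int, int]):
        self.entries = {dst for _, dst in forward_edges}
        self.sites = set(return_sites.values())

    def step(self, kind: str, src: int, dst: int) -> Optional[str]:
        if kind in ("call", "jmp"):
            return None if dst in self.entries else f"{dst:#x} is not a function entry"
        if kind == "ret":
            return None if dst in self.sites else f"{dst:#x} is not a return site"
        return f"unknown branch kind {kind!r}"


def check_trace(checker, trace: List[BranchRecord]) -> Optional[Violation]:
    """Feed a branch trace through a checker; return the first violation, or None."""
    for i, (kind, src, dst) in enumerate(trace):
        reason = checker.step(kind, src, dst)
        if reason is not None:
            return Violation(i, reason)
    return None


# Constructed traces.  Benign: main calls A, A returns, main calls B, B returns.
BENIGN_TRACE: List[BranchRecord] = [
    ("call", 0x1000, 0x2000), ("ret", 0x2010, 0x1005),
    ("call", 0x1005, 0x3000), ("ret", 0x3010, 0x100a),
]
# Diverted: A's return lands on the other return site, so the call to B is skipped.
# Every address involved is a legitimate site, so only the stateful check notices.
DIVERTED_TRACE: List[BranchRecord] = [
    ("call", 0x1000, 0x2000), ("ret", 0x2010, 0x100a),
]

if __name__ == "__main__":
    for name, cls in (("fine-grained", FineGrainedChecker), ("coarse-grained", CoarseGrainedChecker)):
        print(name, "benign:  ", check_trace(cls(FORWARD_EDGES, RETURN_SITES), BENIGN_TRACE))
        print(name, "diverted:", check_trace(cls(FORWARD_EDGES, RETURN_SITES), DIVERTED_TRACE))
```

The diverted trace is the case that distinguishes the two policies: both its targets are addresses a coarse-grained checker would accept, and only the shadow-stack state carried across records reveals that the return does not match the call that preceded it. An FPGA checker built on the same idea keeps that state in hardware and evaluates each record as the trace arrives, which is what lets it run without modifying the monitored binary.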
