Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation

Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, and mobile and wearable devices. However, due to resource constraints they often fail to provide sufficient security and are particularly vulnerable to runtime attacks such as code injection and return-oriented programming (ROP). Previous work has proposed the enforcement of control-flow integrity (CFI) as a general defense against runtime attacks. However, existing solutions either suffer from high performance overhead or only enforce coarse-grained CFI policies that a sophisticated adversary can undermine. In this paper, we tackle these limitations and present the design of novel security hardware mechanisms that enable fine-grained CFI checks. Our CFI proposal is based on a state model and a per-function CFI label approach. In particular, our CFI policies ensure that function returns can only transfer control to active call sites (i.e., return landing pads of functions currently executing). Further, we restrict indirect calls to target the beginning of a function, and lastly, we deploy behavioral heuristics for indirect jumps.
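To make the label-based state model concrete, the following C program simulates the two policies stated above (returns only to landing pads of functions that are currently executing; indirect calls only to function entries) as a software monitor that processes a trace of call and return events. It is an added example, not the paper's hardware or instruction set: the toy program layout, the function names, the monitor API (`cfi_call`, `cfi_ret`) and the representation of label state as an activation counter per label (so that recursion is handled) are all assumptions made here for illustration.

```c
/* Simulation of a per-function label CFI state model (added example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8

/* Each code address of the toy program belongs to one function (its CFI label)
 * and is either the function's entry or an interior address, e.g. the return
 * landing pad after a call, or a gadget an attacker would like to reach. */
typedef struct {
    uint32_t addr;
    unsigned label;     /* per-function CFI label */
    bool     is_entry;  /* true only for the first instruction of a function */
} code_loc;

/* Constructed toy program layout (assumption, not taken from the paper). */
static const code_loc program[] = {
    { 0x1000, 1, true  },  /* main:    entry                          */
    { 0x1010, 1, false },  /* main:    landing pad after a call       */
    { 0x2000, 2, true  },  /* parse:   entry                          */
    { 0x2010, 2, false },  /* parse:   landing pad after a call       */
    { 0x3000, 3, true  },  /* copy:    entry                          */
    { 0x3010, 3, false },  /* copy:    landing pad (recursive call)   */
    { 0x4000, 4, true  },  /* priv_op: entry, never called here       */
    { 0x4010, 4, false },  /* priv_op: interior address / ROP gadget  */
};

typedef struct {
    unsigned active[MAX_LABELS]; /* activation count; >0 means the function is on the call stack */
    unsigned cur;                /* label of the function currently executing */
    unsigned violations;
} cfi_monitor;

static const code_loc *lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof program / sizeof program[0]; i++)
        if (program[i].addr == addr) return &program[i];
    return NULL;  /* address outside the protected program */
}

void cfi_init(cfi_monitor *m, unsigned entry_label) {
    memset(m, 0, sizeof *m);
    m->active[entry_label] = 1;
    m->cur = entry_label;
}

/* CALL: an indirect call may only target a function entry. On any call the
 * callee's label is activated, i.e. the callee is now executing. */
bool cfi_call(cfi_monitor *m, uint32_t target, bool indirect) {
    const code_loc *t = lookup(target);
    if (!t || (indirect && !t->is_entry)) { m->violations++; return false; }
    m->active[t->label]++;
    m->cur = t->label;
    return true;
}

/* RET: the target must be a landing pad (not an entry) inside a function whose
 * label is active, i.e. a function still on the call stack. The returning
 * function's label is then deactivated. */
bool cfi_ret(cfi_monitor *m, uint32_t target) {
    const code_loc *t = lookup(target);
    if (!t || t->is_entry || m->active[t->label] == 0) { m->violations++; return false; }
    if (m->active[m->cur] > 0) m->active[m->cur]--;
    m->cur = t->label;
    return true;
}

/* Benign trace: main -> parse -> copy (via function pointer), normal unwinding. */
unsigned run_benign(void) {
    cfi_monitor m; cfi_init(&m, 1);
    cfi_call(&m, 0x2000, false);
    cfi_call(&m, 0x3000, true);
    cfi_ret(&m, 0x2010);
    cfi_ret(&m, 0x1010);
    return m.violations;  /* 0 */
}

/* Recursion: main -> copy -> copy; the counter keeps copy active across both frames. */
unsigned run_recursive(void) {
    cfi_monitor m; cfi_init(&m, 1);
    cfi_call(&m, 0x3000, false);
    cfi_call(&m, 0x3000, false);
    cfi_ret(&m, 0x3010);
    cfi_ret(&m, 0x1010);
    return m.violations;  /* 0 */
}

/* ROP-style trace: copy's return address is redirected into priv_op, which is
 * not on the call stack, so its label is inactive. */
unsigned run_rop(void) {
    cfi_monitor m; cfi_init(&m, 1);
    cfi_call(&m, 0x2000, false);
    cfi_call(&m, 0x3000, false);
    cfi_ret(&m, 0x4010);
    return m.violations;  /* 1 */
}

/* Hijacked function pointer aimed at the middle of priv_op (a gadget). */
unsigned run_bad_icall(void) {
    cfi_monitor m; cfi_init(&m, 1);
    cfi_call(&m, 0x2000, false);
    cfi_call(&m, 0x4010, true);
    return m.violations;  /* 1 */
}

int main(void) {
    printf("benign trace:    %u violations\n", run_benign());
    printf("recursive trace: %u violations\n", run_recursive());
    printf("ROP return:      %u violations\n", run_rop());
    printf("indirect gadget: %u violations\n", run_bad_icall());
    return 0;
}
```

Note what the policy does and does not catch: a return into any landing pad of a function that is still on the call stack is accepted, so the check is stricter than a shadow-stack-free coarse-grained policy but weaker than a shadow stack; the indirect-jump heuristics mentioned in the abstract are not modelled here because the page gives no details of them.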