HCIC: Hardware-Assisted Control-Flow Integrity Checking

Code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP), have recently emerged as a new class of ingenious security threats: an attacker can use them to hijack a program's control flow and perform malicious actions without injecting any code. Many defenses, both software-based and hardware-based, have been proposed. Software-based methods are difficult to deploy in practical systems because of their high performance overhead. Hardware-based methods reduce the performance overhead but may require extending the instruction set architecture (ISA) and modifying the compiler, or are vulnerable to key leakage. To tackle these issues, this paper proposes a new hardware-assisted control flow checking method that resists CRAs with negligible performance overhead and without extending the ISA, modifying the compiler, or leaking the encryption/decryption key. The key technique consists of two control flow checking mechanisms. The first is encrypted Hamming distance matching between the physical unclonable function (PUF) response and return addresses, which prevents attackers from returning between gadgets as long as the PUF response remains secret, and thus resists ROP attacks. The second is a linear encryption/decryption operation (XOR) between the PUF response and the instructions at the target addresses of call and jmp instructions, which defeats JOP attacks. Advanced return-based full-function reuse attacks are prevented by a dynamic key-updating method. Experimental evaluations on benchmarks show that the proposed method introduces a negligible 0.95% runtime overhead and 0.78% binary size overhead on average.
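The following toy model, added here as an illustration and not code from the HCIC paper or a description of its actual hardware, shows why XOR-encrypting the instruction at every legitimate call/jmp target with a device-specific key stops an attacker from entering code at an arbitrary address. The assumptions are the author's own: a 16-bit toy ISA with five opcodes, a constant 16-bit key standing in for the PUF response, a loader that encrypts only the first word of each legitimate indirect target, a fetch unit that decrypts only on indirect transfers and traps on an undecodable word, and a constructed six-word program containing one legitimate target and one ADD;RET gadget. The return-address Hamming distance check and the dynamic key updating are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 16-bit ISA (assumption): high byte = opcode, low byte = operand (unused). */
enum { OP_NOP = 0x10, OP_ADD = 0x20, OP_JMPI = 0x30, OP_RET = 0x40, OP_HALT = 0x50 };

/* Outcomes of run(). */
enum { RUN_HALT = 0, RUN_FAULT = 1, RUN_RET = 2 };

#define MEM_WORDS 16
#define PROGRAM_LEN 6

typedef struct {
    uint16_t code[MEM_WORDS]; /* instruction memory as loaded (target words XOR-encrypted) */
    uint16_t key;             /* stand-in for the PUF response; a constant here (assumption) */
} machine_t;

/* Constructed sample program. Address 4 is the only legitimate indirect target;
 * addresses 2-3 (ADD; RET) form a gadget an attacker would like to jump into. */
static const uint16_t PROGRAM[PROGRAM_LEN] = {
    OP_JMPI << 8, /* 0: jump indirect through a register the attacker controls */
    OP_NOP  << 8, /* 1 */
    OP_ADD  << 8, /* 2: gadget start */
    OP_RET  << 8, /* 3: gadget end, chains to the next gadget */
    OP_ADD  << 8, /* 4: legitimate jmp target (a function entry) */
    OP_HALT << 8, /* 5 */
};
static const bool IS_TARGET[PROGRAM_LEN] = { false, false, false, false, true, false };

static bool valid_opcode(uint16_t w) {
    switch (w >> 8) {
    case OP_NOP: case OP_ADD: case OP_JMPI: case OP_RET: case OP_HALT: return true;
    default: return false;
    }
}

/* Loader side: XOR the first instruction of every legitimate call/jmp target with
 * the key. Non-target words stay in plaintext. key == 0 models "unprotected". */
void load_and_protect(machine_t *m, uint16_t key) {
    memset(m, 0, sizeof *m);
    m->key = key;
    for (size_t i = 0; i < PROGRAM_LEN; i++)
        m->code[i] = IS_TARGET[i] ? (uint16_t)(PROGRAM[i] ^ key) : PROGRAM[i];
}

/* Fetch-unit side: an indirect transfer decrypts the word at the target before
 * decoding. Returns the decrypted word, or -1 for an invalid instruction (a trap).
 * A non-target word is plaintext, so XOR-ing it with the key yields garbage; in this
 * toy ISA it still decodes to some valid opcode with probability 5/256 per word. */
int indirect_transfer(const machine_t *m, uint16_t target) {
    if (target >= MEM_WORDS) return -1;
    uint16_t w = (uint16_t)(m->code[target] ^ m->key);
    return valid_opcode(w) ? (int)w : -1;
}

/* Execute from address 0. Sequential fetches read plaintext (assumption: only
 * call/jmp targets are encrypted and they are entered only by indirect transfer).
 * jump_reg is the register the JMPI at address 0 jumps through. */
int run(const machine_t *m, uint16_t jump_reg) {
    uint16_t pc = 0;
    int w = m->code[pc];
    for (int steps = 0; steps < 32; steps++) {
        if (!valid_opcode((uint16_t)w)) return RUN_FAULT;
        switch (w >> 8) {
        case OP_HALT: return RUN_HALT;
        case OP_RET:  return RUN_RET;       /* gadget ran to its RET: attacker chains on */
        case OP_JMPI:
            pc = jump_reg;
            w = indirect_transfer(m, pc);
            if (w < 0) return RUN_FAULT;    /* decryption produced garbage: trap */
            break;
        default:                            /* NOP, ADD: fall through to the next word */
            if (++pc >= MEM_WORDS) return RUN_FAULT;
            w = m->code[pc];
            break;
        }
    }
    return RUN_FAULT;
}

/* Number of addresses an attacker can enter through an indirect transfer. */
size_t count_decodable_targets(const machine_t *m) {
    size_t n = 0;
    for (uint16_t a = 0; a < PROGRAM_LEN; a++)
        if (indirect_transfer(m, a) >= 0) n++;
    return n;
}

/* Wrappers: load the sample program with a key, then run once / count once. */
int demo_run(uint16_t key, uint16_t jump_reg) {
    machine_t m;
    load_and_protect(&m, key);
    return run(&m, jump_reg);
}
size_t demo_count(uint16_t key) {
    machine_t m;
    load_and_protect(&m, key);
    return count_decodable_targets(&m);
}

int main(void) {
    printf("unprotected: enterable addresses=%zu, jump to gadget -> %d (2 = gadget ran)\n",
           demo_count(0), demo_run(0, 2));
    printf("key 0x5A5A : enterable addresses=%zu, jump to gadget -> %d (1 = trap), "
           "legit target -> %d (0 = halt)\n",
           demo_count(0x5A5A), demo_run(0x5A5A, 2), demo_run(0x5A5A, 4));
    return 0;
}
```

With the key set, the only address that decodes after an indirect transfer is the legitimate target, while the ADD;RET gadget (and every other non-target word) traps; with key 0 every address is enterable and the gadget runs through to its RET. The model also makes the caveat visible: protection rests on the key staying secret and unpredictable, which is why the abstract ties it to a PUF response and to key updating.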
