A Fine-Grained Control Flow Integrity Approach Against Runtime Memory Attacks for Embedded Systems

Runtime memory attacks, such as buffer overflow based stack smashing and code reuse attacks, are common in embedded systems. Control flow integrity (CFI) has been acknowledged as one promising approach to protect against such runtime attacks. However, previous CFI implementations suffer from coarse granularity (which can be circumvented by an advanced attack model) and high performance overhead. In this paper, first, we present an approach to enforce fine-grained CFI at the basic block level, named basic block CFI (BB-CFI), which aims to defend against these attacks. The key idea is to verify the target address (TA) of control flow instructions (CFINs) (e.g., call, ret, and jmp), which may be modified by the adversary. BB-CFI contains two stages: 1) offline profiling of the program, to extract the control flow information, and 2) runtime control flow checking, to verify the TA of CFINs using the extracted information. We also handle the exceptional cases (e.g., multithreading, C++ exceptions, and longjmp) that are found in complex binaries. Second, we propose an architectural design of a control flow checker (CFC), which monitors the program execution at runtime to enforce BB-CFI. As a proof of concept, we implement the CFC on a field-programmable gate array (FPGA). Our method does not require modification of the source code or the instruction set architecture. The experimental results demonstrate that BB-CFI is effective against runtime attacks, with 100% verification accuracy. The CFC implementation on the FPGA shows <1% performance overhead and a small dynamic power consumption of 78 mW, with a very small area footprint.
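To make the two stages concrete, the following C program is an added illustration written for this page; it is not the paper's CFC design or its profiling tool. It models the stage 1 output as a table mapping each CFIN address to the TAs observed offline, treats the instruction after each profiled call as the only legal return target (a simplification assumed here, not taken from the paper), and runs the stage 2 check over a trace of (source, target) transfers. All addresses, the profile and the traces are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of a basic-block-level control flow checker. Everything
 * here (addresses, profile, traces) is constructed for illustration; it is
 * not the paper's CFC hardware design. */

typedef enum { CF_CALL, CF_JMP, CF_RET } cf_kind;

#define MAX_TARGETS 4

/* Stage 1 output: one control flow instruction (CFIN) and the target
 * addresses (TAs) recorded for it while profiling the program offline. */
typedef struct {
    uint32_t src;                  /* address of the call/jmp/ret */
    cf_kind  kind;
    uint32_t targets[MAX_TARGETS]; /* legal TAs for a call or jmp */
    int      ntargets;
} cfin_profile;

/* Constructed profile for a toy program:
 *   0x1000  call 0x2000      main -> handler
 *   0x1004  (return site)
 *   0x1010  jmp  [tbl]       switch dispatch, observed targets 0x1100, 0x1200
 *   0x2040  ret              handler -> main
 */
static const cfin_profile PROFILE[] = {
    { 0x1000, CF_CALL, { 0x2000 }, 1 },
    { 0x1010, CF_JMP,  { 0x1100, 0x1200 }, 2 },
    { 0x2040, CF_RET,  { 0 }, 0 },
};
#define NPROFILE (sizeof PROFILE / sizeof PROFILE[0])

/* Legal return targets: the instruction after every profiled call site.
 * Assumption of this model: a ret must land on such a site. */
static const uint32_t RETURN_SITES[] = { 0x1004 };
#define NRETURN_SITES (sizeof RETURN_SITES / sizeof RETURN_SITES[0])

static const cfin_profile *lookup_cfin(uint32_t src)
{
    for (size_t i = 0; i < NPROFILE; i++)
        if (PROFILE[i].src == src)
            return &PROFILE[i];
    return NULL;
}

/* Stage 2: decide whether the transfer src -> target is permitted. */
bool cfc_check(uint32_t src, uint32_t target)
{
    const cfin_profile *p = lookup_cfin(src);
    if (p == NULL)
        return false;                  /* CFIN never seen in profiling */
    if (p->kind == CF_RET) {
        for (size_t i = 0; i < NRETURN_SITES; i++)
            if (RETURN_SITES[i] == target)
                return true;
        return false;                  /* ret into a gadget, not a call site */
    }
    for (int i = 0; i < p->ntargets; i++)
        if (p->targets[i] == target)
            return true;
    return false;                      /* call/jmp to an unprofiled TA */
}

typedef struct { uint32_t src, target; } cf_event;

/* Check a trace of observed transfers; return the index of the first
 * violation, or -1 if the whole trace is consistent with the profile. */
int cfc_run_trace(const cf_event *trace, int n)
{
    for (int i = 0; i < n; i++)
        if (!cfc_check(trace[i].src, trace[i].target))
            return i;
    return -1;
}

/* Constructed traces. */
const cf_event BENIGN_TRACE[] = {
    { 0x1000, 0x2000 }, { 0x2040, 0x1004 }, { 0x1010, 0x1200 },
};
const int BENIGN_LEN = 3;

/* After a stack smash the saved return address is replaced by a gadget
 * address 0x2F10, which is not a return site: the ROP-style case. */
const cf_event ROP_TRACE[] = {
    { 0x1000, 0x2000 }, { 0x2040, 0x2F10 },
};
const int ROP_LEN = 2;

/* Jump redirected to a function entry that is a legal TA for a different
 * CFIN (the call at 0x1000): coarse-grained CFI that only checks "is the
 * target a function entry" allows it; the per-CFIN profile does not. */
const cf_event JOP_TRACE[] = {
    { 0x1010, 0x2000 },
};
const int JOP_LEN = 1;

int main(void)
{
    printf("benign: first violation at %d\n", cfc_run_trace(BENIGN_TRACE, BENIGN_LEN));
    printf("rop:    first violation at %d\n", cfc_run_trace(ROP_TRACE, ROP_LEN));
    printf("jop:    first violation at %d\n", cfc_run_trace(JOP_TRACE, JOP_LEN));
    return 0;
}
```

The JOP_TRACE case is the point of the granularity argument in the abstract: the target 0x2000 is a real function entry, so a checker that only validates the TA against a global set of legal destinations accepts it, whereas a per-CFIN table built from profiling rejects it because 0x2000 was never observed as a target of the jump at 0x1010. The same table-driven check is what a hardware CFC would perform on each committed control flow instruction, which is why the cost can be kept to one lookup per CFIN.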
