Control-Flow Integrity for Real-Time Embedded Systems

Attacks on real-time embedded systems can endanger lives and critical infrastructure. Despite this, techniques for securing embedded systems software have not been widely studied, and many existing security techniques for general-purpose computers rely on assumptions that do not hold on embedded devices. This paper focuses on one such technique, control-flow integrity (CFI), which has been vetted as an effective countermeasure against control-flow hijacking attacks on general-purpose computing systems. Without the process isolation and fine-grained memory protections that a general-purpose computer with a rich operating system provides, CFI cannot provide any security guarantees: an attacker who can corrupt memory freely can also corrupt the runtime structures (such as saved return addresses) on which the CFI checks depend. This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection, without requiring source code. We empirically evaluate RECFISH and its performance implications for real-time systems. Our results suggest RECFISH can be directly applied to binaries without compromising real-time performance: in a test of over six million realistic task systems running FreeRTOS, 85% were still schedulable after adding RECFISH.
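The two checks a CFI instrumentation pass inserts, as an added example that is not RECFISH's or the paper's code: a forward-edge check that an indirect call reaches only a target whose label matches the call site, and a backward-edge check that a return goes back to the address recorded on a shadow stack. The labels, the target table, the shadow-stack array, and the simulated return-address corruption are all constructed here for illustration; on a real Cortex-R device the shadow stack would have to live in memory the task cannot write, which is the "protecting runtime structures" problem the abstract refers to.

```c
/* Minimal software CFI monitor (illustrative; not RECFISH's implementation). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Hypothetical labels: one per equivalence class of indirect-call targets. */
#define LABEL_SENSOR_HANDLER 0x1001u
#define LABEL_LOGGER         0x2002u

/* Return codes for CFI violations; legitimate handlers here return >= 0. */
#define CFI_VIOLATION_CALL   (-1)
#define CFI_VIOLATION_RETURN (-2)

struct cfi_target { handler_fn fn; uint32_t label; };

static int scale_reading(int x) { return x * 2; }
static int clamp_reading(int x) { return x > 100 ? 100 : x; }
static int dump_memory(int x)   { return x; }   /* privileged; never a valid sensor handler */

/* Table of legitimate indirect-call targets and their labels (constructed). */
static const struct cfi_target targets[] = {
    { scale_reading, LABEL_SENSOR_HANDLER },
    { clamp_reading, LABEL_SENSOR_HANDLER },
    { dump_memory,   LABEL_LOGGER },
};

/* Forward edge: the pointer must be a known function entry AND carry the
 * label the call site expects. A pointer into the middle of a function, or
 * to a function of a different class, is rejected. */
bool cfi_check_call(handler_fn fn, uint32_t site_label) {
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (targets[i].fn == fn)
            return targets[i].label == site_label;
    return false;
}

/* Backward edge: a shadow stack of return addresses. Modelled as a plain
 * array here; it only protects anything if the task cannot write to it. */
#define SHADOW_DEPTH 16
static uintptr_t shadow_stack[SHADOW_DEPTH];
static size_t shadow_top;

static bool shadow_push(uintptr_t ret) {
    if (shadow_top >= SHADOW_DEPTH) return false;
    shadow_stack[shadow_top++] = ret;
    return true;
}

/* Epilogue check: the return address taken from the program stack must
 * equal the one the prologue saved on the shadow stack. */
bool cfi_check_return(uintptr_t ret_from_stack) {
    if (shadow_top == 0) return false;           /* stack imbalance is itself a violation */
    return shadow_stack[--shadow_top] == ret_from_stack;
}

/* Simulated instrumented call site. `ret` stands for the return address the
 * caller pushes; if `corrupt_ret` is set, the program-stack copy is altered
 * the way a stack overflow would alter it, while the shadow copy is intact. */
int dispatch(handler_fn fn, int arg, uintptr_t ret, bool corrupt_ret) {
    if (!cfi_check_call(fn, LABEL_SENSOR_HANDLER))
        return CFI_VIOLATION_CALL;
    if (!shadow_push(ret))
        return CFI_VIOLATION_RETURN;
    uintptr_t frame_ret = ret;
    int result = fn(arg);
    if (corrupt_ret)
        frame_ret ^= 0x10;                        /* attacker-controlled saved return address */
    if (!cfi_check_return(frame_ret))
        return CFI_VIOLATION_RETURN;
    return result;
}

int main(void) {
    printf("valid call:        %d\n", dispatch(scale_reading, 21, 0x8000, false));
    printf("wrong label:       %d\n", dispatch(dump_memory, 5, 0x8000, false));
    printf("corrupted return:  %d\n", dispatch(clamp_reading, 500, 0x8000, true));
    return 0;
}
```

The label check is deliberately coarse: every sensor handler shares one label, so an attacker can still redirect a call from `scale_reading` to `clamp_reading`. That is the trade-off between precision and the size of the label set that the coarse-grained-CFI critiques in the literature target, and it is independent of whether the shadow stack itself is protected.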
