Silhouette: Efficient Protected Shadow Stacks for Embedded Systems

Microcontroller-based embedded systems are increasingly used for applications that can have serious and immediate consequences if compromised--including automobile control systems, smart locks, drones, and implantable medical devices. Due to resource and execution-time constraints, C is the primary language used for programming these devices. Unfortunately, C is neither type-safe nor memory-safe, and control-flow hijacking remains a prevalent threat. This paper presents Silhouette: a compiler-based defense that efficiently guarantees the integrity of return addresses--significantly reducing the attack surface for control-flow hijacking. Silhouette provides an incorruptible shadow stack for return addresses using special store instructions found on ARM processors. Specifically, Silhouette transforms regular store instructions into unprivileged equivalents, restricting the untrusted subset of the program's memory accesses to unprivileged memory while simultaneously allowing security instrumentation to access security-critical data structures--all without the need for expensive context switching, hardware changes, or information hiding. Combined with its checks on forward control flow and memory access configuration, Silhouette ensures that all functions return to the correct caller. We implemented Silhouette for the ARMv7-M architecture, but our techniques are applicable to other common embedded ARM architectures. Our evaluation shows that Silhouette incurs a geometric mean of 1.2% and 3.6% performance overhead on two benchmark suites. Furthermore, we prototyped Silhouette-Invert, an alternative implementation of Silhouette, which incurs just 0.2% and 1.9% performance overhead, at the cost of a minor hardware change.

[1]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[2]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[3]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[4]  N. Asokan,et al.  CFI CaRE: Hardware-supported Call and Return Enforcement for Commercial Microcontrollers , 2017, RAID.

[5]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[6]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[7]  Saurabh Bagchi,et al.  Protecting Bare-Metal Embedded Systems with Privilege Overlays , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[8]  Bryan C. Ward,et al.  Control-Flow Integrity for Real-Time Embedded Systems , 2019, ECRTS.

[9]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[10]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[11]  Saurabh Bagchi,et al.  µRAI: Securing Embedded Systems with Return Address Integrity , 2020, NDSS.

[12]  Vikram S. Adve,et al.  KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels , 2014, 2014 IEEE Symposium on Security and Privacy.

[13]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[14]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[15]  Robert Szewczyk,et al.  System architecture directions for networked sensors , 2000, ASPLOS IX.

[16]  Yue Chen,et al.  ARMlock: Hardware-based Fault Isolation for ARM , 2014, CCS.

[17]  Saurabh Bagchi,et al.  ACES: Automatic Compartments for Embedded Systems , 2018, USENIX Security Symposium.

[18]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[19]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[20]  Simon J. Hollis,et al.  BEEBS: Open Benchmarks for Energy Measurements on Embedded Platforms , 2013, ArXiv.

[21]  user surfaces,et al.  Data Execution Prevention , 2011 .

[22]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[23]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[24]  Wei Xu,et al.  An efficient and backwards-compatible transformation to ensure memory safety of C programs , 2004, SIGSOFT '04/FSE-12.

[25]  Bennet S. Yee,et al.  Adapting Software Fault Isolation to Contemporary CPU Architectures , 2010, USENIX Security Symposium.

[26]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[27]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[28]  Yunheung Paek,et al.  Instruction-level data isolation for the kernel on ARM , 2017, 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC).

[29]  Yunheung Paek,et al.  uXOM: Efficient eXecute-Only Memory on ARM Cortex-M , 2019, USENIX Security Symposium.

[30]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[31]  Michael L. Scott,et al.  Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries , 2019, USENIX Annual Technical Conference.

[32]  Dinakar Dhurjati,et al.  SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[33]  Elisa Bertino,et al.  Memory Safety for Embedded Devices with nesCheck , 2017, AsiaCCS.

[34]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[35]  Yeping He,et al.  Baggy Bounds with Accurate Checking , 2012, 2012 IEEE 23rd International Symposium on Software Reliability Engineering Workshops.

[36]  Grant Hernandez,et al.  Smart Nest Thermostat A Smart Spy in Your Home , 2014 .

[37]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[38]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[39]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[40]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[41]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[42]  Thomas Unterluggauer,et al.  Sponge-Based Control-Flow Protection for IoT Devices , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[43]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[44]  Zhongshu Gu,et al.  Securing Real-Time Microcontroller Systems through Customized Memory View Switching , 2018, NDSS.

[45]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[46]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[47]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[48]  Mathias Payer,et al.  SoK: Shining Light on Shadow Stacks , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[49]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[50]  Martin Hopkins,et al.  An overview of the PL.8 compiler , 1982, SIGP.

[51]  David E. Culler,et al.  TinyOS: An Operating System for Sensor Networks , 2005, Ambient Intelligence.

[52]  Dinakar Dhurjati,et al.  Secure virtual architecture: a safe execution environment for commodity operating systems , 2007, SOSP.

[53]  Zhengyang Liu,et al.  Flexible and efficient memory object metadata , 2017, ISMM.

[54]  Ahmad-Reza Sadeghi,et al.  Security and privacy challenges in industrial Internet of Things , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[55]  David A. Wagner,et al.  ROP is Still Dangerous: Breaking Modern Defenses , 2014, USENIX Security Symposium.

[56]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[57]  Tong Zhang,et al.  BOGO: Buy Spatial Memory Safety, Get Temporal Memory Safety (Almost) Free , 2019, ASPLOS.