A Fine-Grained Control Flow Integrity Approach Against Runtime Memory Attacks for Embedded Systems

Bibliographic Details
Published in: IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Vol. 24, no. 11, pp. 3193-3207
Main Authors: Sanjeev Das, Wei Zhang, Yang Liu
Format: Journal Article
Language: English
Published: New York: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 01.11.2016
ISSN: 1063-8210, 1557-9999
Description
Summary: Runtime attacks on memory, such as buffer overflow based stack smashing and code reuse attacks, are common in embedded systems. Control flow integrity (CFI) has been acknowledged as one promising approach to protect against such runtime attacks. However, previous CFI implementations suffer from coarse granularity (which can be circumvented by an advanced attack model) and high performance overhead. In this paper, first, we present an approach to enforce fine-grained CFI at a basic block level, named basic block CFI (BB-CFI), which aims to defend against the aforesaid attacks. The key idea is to verify the target address (TA) of control flow instructions (CFINs) (e.g., call, ret, and jmp), which may be modified by the adversary. BB-CFI contains two stages: 1) offline profiling of the program, to extract the control flow information, and 2) runtime control flow checking, to verify the TA of CFINs using the extracted information. We also handle the exceptional cases (e.g., multithreading, C++ exceptions, and longjump) that are found in complex binaries. Second, we propose an architectural design of a control flow checker (CFC), which monitors the program execution during runtime to enforce BB-CFI. As a proof of concept, we implement the CFC in a field-programmable gate array (FPGA). Our method does not require modification of the source code or the instruction set architecture. The experimental results demonstrate that BB-CFI is effective against runtime attacks, with 100% verification accuracy. The CFC implementation on FPGA shows <1% performance overhead and a small dynamic power consumption of 78 mW, with a very small area footprint.
DOI: 10.1109/TVLSI.2016.2548561