Abstract
Control Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid performance overhead, but typically rely on code instrumentation, which forms a non-trivial hurdle to the application of CFI. We develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. The measurement results show an average of 0.36% performance overhead on SPEC 2006 benchmarks.
This work is partially supported by NSF (CNS-1618824).
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Feng, L., Huang, J., Hu, J., Reddy, A. (2019). FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation. In: Finkbeiner, B., Mariani, L. (eds) Runtime Verification. RV 2019. Lecture Notes in Computer Science, vol 11757. Springer, Cham. https://doi.org/10.1007/978-3-030-32079-9_13
DOI: https://doi.org/10.1007/978-3-030-32079-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32078-2
Online ISBN: 978-3-030-32079-9
eBook Packages: Computer Science (R0)