
FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation

  • Conference paper
  • Runtime Verification (RV 2019)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11757)

Abstract

Control Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid that overhead, but typically rely on code instrumentation, which forms a non-trivial hurdle to the application of CFI. We develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. The measurement results show an average of 0.36% performance overhead on SPEC 2006 benchmarks.
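The abstract distinguishes fine-grained, stateful checking from coarse-grained CFI. As an added illustration (not code from the paper or from the FastCFI repository), the following Python model replays a branch trace, of the kind a hardware trace unit delivers for an unmodified binary, against a CFI policy: indirect call sites are checked against a per-site set of legal targets (forward edge), and returns are checked against a shadow stack (backward edge), which is what makes the check stateful. Everything in it is constructed for the example: the event format, the fixed 4-byte call length, the addresses and the policy table are assumptions, not FastCFI's encoding. It also handles one failure mode the abstract does not spell out, a return arriving when the shadow stack is empty.

```python
"""Trace-driven CFI monitor (added illustration, not FastCFI's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed assumption: every call instruction is 4 bytes long, so the
# legitimate return address of a call at PC is PC + 4.
CALL_INSN_LEN = 4

# A branch record as a trace unit would deliver it: (kind, source PC, target PC).
# kind is "call" (direct), "icall" (indirect) or "ret".  Format is constructed.
Event = Tuple[str, int, int]


@dataclass(frozen=True)
class Violation:
    edge: str      # "forward" (indirect branch) or "backward" (return)
    src: int       # PC of the offending branch
    dst: int       # where control actually went
    detail: str    # what the policy expected instead


@dataclass
class CFIPolicy:
    # Forward-edge policy: indirect call site -> legal targets, computed
    # offline from the unmodified binary (constructed table in this example).
    indirect_targets: Dict[int, FrozenSet[int]]


def check_trace(policy: CFIPolicy, trace: List[Event]) -> List[Violation]:
    """Replay a branch trace against the policy; return every violation found.

    The shadow stack makes the check stateful: a return is legal only if it
    lands on the fall-through address of the most recent unmatched call.
    """
    shadow_stack: List[int] = []
    violations: List[Violation] = []

    for kind, src, dst in trace:
        if kind in ("call", "icall"):
            if kind == "icall":
                allowed = policy.indirect_targets.get(src, frozenset())
                if dst not in allowed:
                    targets = ", ".join(f"{a:#x}" for a in sorted(allowed))
                    violations.append(Violation(
                        "forward", src, dst, f"target not in allowed set [{targets}]"))
            # Record where this call must return to, whether or not it was legal,
            # so the shadow stack stays aligned with the real call stack.
            shadow_stack.append(src + CALL_INSN_LEN)
        elif kind == "ret":
            if not shadow_stack:
                violations.append(Violation(
                    "backward", src, dst, "return with empty shadow stack"))
                continue
            expected = shadow_stack.pop()
            if dst != expected:
                violations.append(Violation(
                    "backward", src, dst, f"expected return to {expected:#x}"))
        else:
            raise ValueError(f"unknown branch kind {kind!r}")
    return violations


def demo_policy() -> CFIPolicy:
    # Constructed: the indirect call at 0x1010 may only reach 0x2000 or 0x3000.
    return CFIPolicy(indirect_targets={0x1010: frozenset({0x2000, 0x3000})})


# Constructed sample traces (addresses are illustrative).
VALID_TRACE: List[Event] = [
    ("call", 0x1000, 0x2000), ("ret", 0x2020, 0x1004),
    ("icall", 0x1010, 0x3000), ("ret", 0x3010, 0x1014),
]
# Return address no longer matches the shadow stack entry (0x1004).
CORRUPTED_RETURN_TRACE: List[Event] = [
    ("call", 0x1000, 0x2000), ("ret", 0x2020, 0x4000),
]
# Indirect call leaves the allowed target set; the return itself is fine.
BAD_INDIRECT_TRACE: List[Event] = [
    ("icall", 0x1010, 0x5000), ("ret", 0x5010, 0x1014),
]

if __name__ == "__main__":
    policy = demo_policy()
    for name, trace in [("valid", VALID_TRACE),
                        ("corrupted return", CORRUPTED_RETURN_TRACE),
                        ("bad indirect", BAD_INDIRECT_TRACE)]:
        print(name, check_trace(policy, trace))
```

A monitor like this sits beside the CPU and never touches the binary, which is the property the abstract emphasises; what a hardware implementation adds is that the policy lookup and shadow-stack update happen at trace rate rather than in software.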

This work is partially supported by NSF (CNS-1618824).



Author information

Correspondence to Lang Feng.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Feng, L., Huang, J., Hu, J., Reddy, A. (2019). FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation. In: Finkbeiner, B., Mariani, L. (eds) Runtime Verification. RV 2019. Lecture Notes in Computer Science, vol 11757. Springer, Cham. https://doi.org/10.1007/978-3-030-32079-9_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-32079-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-32078-2

  • Online ISBN: 978-3-030-32079-9
