Abstract
Protecting safety-critical Cyber-Physical Systems (CPS) against security threats is becoming a growing necessity. Because of their high level of network integration, CPS present new targets for remote code-reuse attacks such as Return-Oriented Programming (ROP). An effective mechanism to detect code-reuse attacks is Control-Flow Integrity (CFI). However, because of the intrusiveness of most current CFI solutions, i.e., their need for program instrumentation and their interference at run-time, we cannot directly apply them to safety-critical CPS. To the best of our knowledge, there is no CFI solution designed for CPS; more specifically, we are not aware of any solution that fully monitors both the forward edges and the backward edges of an application's control flow while providing independence and freedom-from-interference guarantees. Hence, for the first time, we propose a safety-certifiable, separation-kernel-based partitioning architecture that integrates CFI monitoring into a safety-critical system to protect applications with real-time constraints. Our solution leverages ARM CoreSight to transparently enforce both forward-edge and backward-edge CFI for an application at run-time. Despite imposing a significant overhead on the overall system, our approach reliably protects the control flow of the monitored application while guaranteeing its real-time constraints. We evaluate our solution by analyzing its timing impact and discussing the resulting considerations for the integration and practical deployment in a safety-critical CPS.
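To make the monitoring model of the abstract concrete, the following is an added example, not code from the paper, from PikeOS or from ARM CoreSight: an offline monitor that consumes a branch trace of the kind a trace decoder would hand to an out-of-partition CFI monitor, and checks forward edges (indirect calls and jumps) against a per-site set of permitted targets while checking backward edges (returns) against a shadow stack rebuilt from the observed calls. The event format, the addresses, the policy table and the sample traces are all constructed for illustration; decoding of actual ETM/PTM trace packets is not modelled. The monitor is general over any such trace, so it handles traces with more branch kinds than the two sample traces show.

```python
"""Offline forward- and backward-edge CFI monitor over a decoded branch trace.

Added example, not the paper's implementation.  A trace decoder is assumed to
deliver one BranchEvent per taken branch; the monitor never touches the
monitored application, which is the transparency property the abstract
describes.  Addresses and the policy below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence

INSN_LEN = 4  # assumption: fixed-length instructions, so return address = call site + 4


@dataclass(frozen=True)
class BranchEvent:
    kind: str       # "call", "ret" or "jmp"
    src: int        # address of the branch instruction
    dst: int        # address control actually transferred to
    indirect: bool  # target came from a register (a code pointer), not an immediate


@dataclass(frozen=True)
class Violation:
    edge: str       # "forward" or "backward"
    event: BranchEvent
    detail: str


# Forward-edge policy: for each indirect branch site, the set of targets a
# (constructed) static analysis of the binary permits.
ForwardPolicy = Dict[int, FrozenSet[int]]


class CFIMonitor:
    def __init__(self, policy: ForwardPolicy) -> None:
        self.policy = policy
        self.shadow: List[int] = []        # expected return addresses
        self.violations: List[Violation] = []

    def feed(self, ev: BranchEvent) -> Optional[Violation]:
        """Check one branch event; returns the violation it caused, if any."""
        v: Optional[Violation] = None
        if ev.kind in ("call", "jmp") and ev.indirect:
            v = self._check_forward(ev)
        elif ev.kind == "ret":
            v = self._check_backward(ev)
        if ev.kind == "call":
            # Push the legitimate return address even after a bad call, so a
            # single forward-edge violation does not cascade into bogus
            # backward-edge reports for every later return.
            self.shadow.append(ev.src + INSN_LEN)
        if v is not None:
            self.violations.append(v)
        return v

    def _check_forward(self, ev: BranchEvent) -> Optional[Violation]:
        allowed = self.policy.get(ev.src)
        if allowed is None:
            return Violation("forward", ev, f"indirect branch site {ev.src:#x} not in policy")
        if ev.dst not in allowed:
            return Violation("forward", ev, f"target {ev.dst:#x} not permitted at site {ev.src:#x}")
        return None

    def _check_backward(self, ev: BranchEvent) -> Optional[Violation]:
        if not self.shadow:
            return Violation("backward", ev, "return with empty shadow stack")
        expected = self.shadow.pop()
        if ev.dst != expected:
            return Violation("backward", ev, f"returned to {ev.dst:#x}, expected {expected:#x}")
        return None


def run_monitor(policy: ForwardPolicy, trace: Sequence[BranchEvent]) -> List[Violation]:
    """Replay a whole trace through a fresh monitor and collect its violations."""
    monitor = CFIMonitor(policy)
    for ev in trace:
        monitor.feed(ev)
    return monitor.violations


# Constructed sample program: main() at 0x1000 calls handler_a() at 0x2000
# directly, then dispatches through a function pointer at 0x1010 that the
# static policy allows to reach handler_a (0x2000) or handler_b (0x3000).
POLICY: ForwardPolicy = {0x1010: frozenset({0x2000, 0x3000})}

BENIGN_TRACE = [
    BranchEvent("call", 0x1008, 0x2000, False),
    BranchEvent("ret", 0x2010, 0x100C, True),
    BranchEvent("call", 0x1010, 0x3000, True),
    BranchEvent("ret", 0x3020, 0x1014, True),
]

# Constructed trace after stack corruption: the return from handler_a lands on
# a non-entry address, and the overwritten dispatch pointer points there too.
HIJACKED_TRACE = [
    BranchEvent("call", 0x1008, 0x2000, False),
    BranchEvent("ret", 0x2010, 0x4444, True),
    BranchEvent("call", 0x1010, 0x4444, True),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("hijacked", HIJACKED_TRACE)):
        found = run_monitor(POLICY, trace)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print(f"  {v.edge}-edge: {v.detail}")
```

The split into a forward-edge table and a shadow stack mirrors the two classes of edges the abstract names; the design choice of still pushing a return address after a rejected call keeps the report set small and attributable, which matters when the monitor's output feeds a safety reaction in a separate partition.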
Notes
- 1. See IEC 61508 Part 2.
- 2. See ISO 26262 Part 3, Annex D.
- 3. See IEC 61508 Part 3, Annex F.
- 4. See DO-178 Sect. 2.4.1.
- 5. This is not a limitation of our CFI monitoring solution, as providing randomization details to the monitor would suffice to support memory layout randomization.
- 9. In industry, WCET computation is performed using sophisticated static analysis tools such as aiT from AbsInt, which give tight bounds on the computed values.
Acknowledgement
We thank Philipp Gorski, Alex Züpke, and Holger Blasum, as well as the anonymous reviewers, for their helpful comments and suggestions. This work was partially funded by the EU H2020 under the FORA project with the Marie Skłodowska-Curie grant agreement no. 764785 and under the ADMORPH project with grant agreement no. 871259. In addition, this work was supported by the German Federal Ministry of Education and Research (BMBF) under the IUNO Insec project with grant agreement no. 16KIS0933K.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kuzhiyelil, D., Zieris, P., Kadar, M., Tverdyshev, S., Fohler, G. (2020). Towards Transparent Control-Flow Integrity in Safety-Critical Systems. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_17
DOI: https://doi.org/10.1007/978-3-030-62974-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62973-1
Online ISBN: 978-3-030-62974-8
eBook Packages: Computer Science, Computer Science (R0)