Skip to main content
SpringerLink
Log in

Towards Transparent Control-Flow Integrity in Safety-Critical Systems

  • Conference paper
  • First Online:
Information Security (ISC 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12472))

Included in the following conference series:

Abstract

Protecting safety-critical Cyber-Physical Systems (CPS) against security threats is becoming a growing necessity. Due to the high level of network integration, CPS pose new targets to remote code-reuse attacks, such as Return-Oriented Programming (ROP). An effective mechanism to detect code-reuse attacks is Control-Flow Integrity (CFI). However, because of the intrusiveness of most current CFI solutions, i.e., their requirement for program instrumentation and run-time interference, we cannot directly apply them to safety-critical CPS. To the best of our knowledge, there is no CFI solution designed for CPS; and more specifically, we are not aware of any solution that fully monitors the forward-edges and backward-edges of an application’s control-flow, while providing independence and freedom from interference guarantees. Hence, for the first time, we propose a safety certifiable, separation kernel-based partitioning architecture to integrate CFI monitoring in a safety-critical system to protect applications with real-time constraints. Our solution leverages ARM CoreSight to transparently enforce both forward-edge and backward-edge CFI for an application at run-time. Despite imposing a significant overhead on the overall system, our approach reliably protects the control-flow of the monitored application, while guaranteeing its real-time constraints. We evaluate our solution by analyzing its timing impact and discussing the resulting considerations for the integration and practical deployment in a safety-critical CPS.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    See IEC 61508 Part 2.

  2. 2.

    See ISO 26262 Part 3, Annex D.

  3. 3.

    See IEC 61508 Part 3, Annex F.

  4. 4.

    See DO-178 Sect. 2.4.1.

  5. 5.

    This is not a limitation of our CFI monitoring solution, as providing randomization details to the monitor would suffice to support memory layout randomization.

  6. 6.

    https://llvm.org/docs/TypeMetadata.html.

  7. 7.

    https://www.capstone-engine.org/.

  8. 8.

    https://github.com/Linaro/OpenCSD.

  9. 9.

    Note: In the industry, WCET computation is performed using sophisticated static analysis tools such as aiT from Absint that give tight bounds on the computed values.

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity: principles, implementations, and applications. In: CCS. ACM (2005)

    Google Scholar 

  2. Abeni, L., Buttazzo, G.: Integrating multimedia applications in hard real-time systems. In: RTSS. IEEE (1998)

    Google Scholar 

  3. Abera, T., et al.: C-FLAT: control-flow attestation for embedded systems software. In: CCS. ACM (2016)

    Google Scholar 

  4. Almakhdhub, N.S., Clements, A.A., Bagchi, S., Payer, M.: \(\mu \)RAI: securing embedded systems with return address integrity. In: NDSS. Internet Society (2020)

    Google Scholar 

  5. Alves-Foss, J., Oman, P.W., Taylor, C., Harrison, S.: The MILS architecture for high-assurance embedded systems. Int. J. Embed. Syst. 2(3/4), 239–247 (2006)

    Article  Google Scholar 

  6. Arm Holdings: Mbed OS MPU management. https://os.mbed.com/docs/mbed-os/v5.15/apis/mpu-management.html. Accessed 10 Sep 2020

  7. Arm Holdings: ARM CoreSight SoC-400 Technical Reference Manual (June 2016)

    Google Scholar 

  8. Arm Holdings: Juno ARM Development Platform SoC Technical Reference Manual (June 2016)

    Google Scholar 

  9. Baruah, S.K., Burns, A., Davis, R.I.: Response-time analysis for mixed criticality systems. In: RTSS. IEEE (2011)

    Google Scholar 

  10. Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ASIACCS. ACM (2011)

    Google Scholar 

  11. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to RISC. In: CCS. ACM (2008)

    Google Scholar 

  12. Burns, A., Davis, R.: Mixed criticality systems–a review. Department of Computer Science, University of York, Technical Report (2013)

    Google Scholar 

  13. Burow, N., et al.: Control-flow integrity: Precision, security, and performance. ACM Comput. Surv. (CSUR) 50(1), 1–33 (2017)

    Article  Google Scholar 

  14. Burow, N., Zhang, X., Payer, M.: SoK: shining light on shadow stacks. In: S&P. IEEE (2019)

    Google Scholar 

  15. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: CCS. ACM (2010)

    Google Scholar 

  16. Clements, A.A., et al.: Protecting bare-metal embedded systems with privilege overlays. In: S&P. IEEE (2017)

    Google Scholar 

  17. Clements, A.A., Almakhdhub, N.S., Bagchi, S., Payer, M.: ACES: automatic compartments for embedded systems. In: USENIX Security. USENIX Association (2018)

    Google Scholar 

  18. Davi, L., et al.: HAFIX: hardware-assisted flow integrity extension. In: DAC. ACM (2015)

    Google Scholar 

  19. Davi, L., Koeberl, P., Sadeghi, A.R.: Hardware-assisted fine-grained control-flow integrity: towards efficient protection of embedded systems against software exploitation. In: DAC. ACM (2014)

    Google Scholar 

  20. Davi, L., Sadeghi, A.R., Winandy, M.: ROPdefender: a detection tool to defend against return-oriented programming attacks. In: ASIACCS. ACM (2011)

    Google Scholar 

  21. Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: CCS. ACM (2008)

    Google Scholar 

  22. Gu, Y., Zhao, Q., Zhang, Y., Lin, Z.: PT-CFI: transparent backward-edge control flow violation detection using Intel processor trace. In: CODASPY. ACM (2017)

    Google Scholar 

  23. Hu, H., et al.: Enforcing unique code target property for control-flow integrity. In: CCS. ACM (2018)

    Google Scholar 

  24. Humayed, A., Lin, J., Li, F., Luo, B.: Cyber-physical systems security-a survey. IEEE Int. Things J. 4(6), 1802–1831 (2017)

    Article  Google Scholar 

  25. Jang, D., Tatlock, Z., Lerner, S.: SafeDispatch: securing C++ virtual calls from memory corruption attacks. In: NDSS. Internet Society (2014)

    Google Scholar 

  26. John, R.: Partitioning in avionics architectures: Requirements, mechanisms, and assurance. Technical Report, SRI International Computer Science Laboratory (1999)

    Google Scholar 

  27. Kath, O., Schreiner, R., Favaro, J.: Safety, security, and software reuse: A model-based approach. In: RESAFE. Springer (2009)

    Google Scholar 

  28. Kim, C.H., et al.: Securing real-time microcontroller systems through customized memory view switching. In: NDSS. Internet Society (2018)

    Google Scholar 

  29. Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX OSDI. USENIX Association (2014)

    Google Scholar 

  30. Kwon, D., Shin, J., Kim, G., Lee, B., Cho, Y., Paek, Y.: uXOM: efficient eXecute-only memory on ARM Cortex-M. In: USENIX Security. USENIX Association (2019)

    Google Scholar 

  31. Lee, Y., Heo, I., Hwang, D., Kim, K., Paek, Y.: Towards a practical solution to detect code reuse attacks on ARM mobile devices. In: HASP. ACM (2015)

    Google Scholar 

  32. Lehoczky, J.P., Sha, L., Strosnider, J.K.: Enhanced aperiodic responsiveness in hard real-time environments. In: Unknown Host Publication Title. IEEE (1987)

    Google Scholar 

  33. Liedtke, J.: On micro-kernel construction. ACM SIGOPS Oper. Syst. Rev. 29(5), 237–250 (1995)

    Article  Google Scholar 

  34. Liu, C.L., Layland, J.W.: Scheduling algorithms for multiprogramming in a hard-real-time environment. J. ACM (JACM) 20(1), 46–61 (1973)

    Article  MathSciNet  Google Scholar 

  35. Liu, Y., Shi, P., Wang, X., Chen, H., Zang, B., Guan, H.: Transparent and efficient CFI enforcement with Intel processor trace. In: HPCA. IEEE (2017)

    Google Scholar 

  36. Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015, 91 (2015)

    Google Scholar 

  37. Niu, B., Tan, G.: Per-input control-flow integrity. In: CCS. ACM (2015)

    Google Scholar 

  38. Nyman, Thomas., Ekberg, Jan-Erik., Davi, Lucas, Asokan, N.: CFI CaRE: hardware-supported call and return enforcement for commercial microcontrollers. In: Dacier, Marc, Bailey, Michael, Polychronakis, Michalis, Antonakakis, Manos (eds.) RAID 2017. LNCS, vol. 10453, pp. 259–284. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_12

    Chapter  Google Scholar 

  39. Payer, Mathias., Barresi, Antonio, Gross, Thomas R.: Fine-grained control-flow integrity through binary hardening. In: Almgren, Magnus, Gulisano, Vincenzo, Maggi, Federico (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 144–164. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_8

    Chapter  Google Scholar 

  40. Real Time Engineers Ltd.: FreeRTOS memory protection unit (MPU) support. https://www.freertos.org/FreeRTOS-MPU-memory-protection-unit.html. Accessed 10 Sep 2020

  41. Rico, J.E., Bañón, M., Ortega, A., Hametner, R., Blasum, H., Hager, M.: Compositional security certification methodology. Zenodo (2018)

    Google Scholar 

  42. Rubio, J.E., Alcaraz, C., Roman, R., Lopez, J.: Current cyber-defense trends in industrial control systems. Comput. Secur. 87, 101561 (2019)

    Article  Google Scholar 

  43. Rushby, J.: The design and verification of secure systems. In: Eighth ACM Symposium on Operating System Principles. ACM (1981)

    Google Scholar 

  44. Schlehuber, C., Heinrich, M., Vateva-Gurova, T., Katzenbeisser, S., Suri, N.: Challenges and approaches in securing safety-relevant railway signalling. In: EuroS & PW. IEEE (2017)

    Google Scholar 

  45. Schulz, T., Gries, C., Golatowski, F., Timmermann, D.: Strategy for security certification of high assurance industrial automation and control systems. In: SIES. IEEE (2018)

    Google Scholar 

  46. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: CCS. ACM (2007)

    Google Scholar 

  47. Sinnhofer, A.D., Raschke, W., Steger, C., Kreiner, C.: Evaluation paradigm selection according to common criteria for an incremental product development. In: MILS@HiPEAC. Zenodo (2015)

    Google Scholar 

  48. Sprunt, B., Sha, L., Lehoczky, J.: Aperiodic task scheduling for hard-real-time systems. Real-Time Systems 1(1), (1989)

    Google Scholar 

  49. Strosnider, J.K., Lehoczky, J.P., Sha, L.: The deferrable server algorithm for enhanced aperiodic responsiveness in hard real-time environments. IEEE Transactions on Computers 44(1), (1995)

    Google Scholar 

  50. SYSGO GmbH: PikeOS hypervisor webpage. https://www.sysgo.com/products/pikeos-hypervisor/, retrieved September 10, 2020

  51. Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: Eternal war in memory. In: S&P. IEEE (2013)

    Google Scholar 

  52. Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, U., Lozano, L., Pike, G.: Enforcing forward-edge control-flow integrity in GCC & LLVM. In: USENIX Security. USENIX Association (2014)

    Google Scholar 

  53. Tverdyshev, S., Blasum, H., Langenstein, B., Maebe, J., De Sutter, B., Leconte, B., Triquet, B., Müller, K., Paulitsch, M., Söding-Freiherr von Blomberg, A., Tillequin, A.: MILS architecture. Zenodo (2013)

    Google Scholar 

  54. van der Veen, V., Andriesse, D., Stamatogiannakis, M., Chen, X., Bos, H., Giuffrdia, C.: The dynamics of innocent flesh on the bone: Code reuse ten years later. In: CCS. ACM (2017)

    Google Scholar 

  55. van der Veen, V., Göktaş, E., Contag, M., Pawoloski, A., Chen, X., Rawat, S., Bos, H., Holz, T., Athanasopoulos, E., Giuffrida, C.: A tough call: Mitigating advanced code-reuse attacks at the binary level. In: S&P. IEEE (2016)

    Google Scholar 

  56. Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Security. USENIX Association (2013)

    Google Scholar 

  57. Zieris, P., Horsch, J.: A leak-resilient dual stack scheme for backward-edge control-flow integrity. In: ASIACCS. ACM (2018)

    Google Scholar 

Download references

Acknowledgement

We thank Philipp Gorski, Alez Züpke, and Holger Blasum, as well as the anonymous reviewers for their helpful comments and suggestions. This work was partially funded by the EU H2020 under the FORA project with the Marie Skłodowska-Curie grant agreement no. 764785 and under the ADMORPH project with grant agreement no. 871259. In addition, this work was supported by the German Federal Ministry of Education and Research (BMBF) under the IUNO Insec project with grant agreement no. 16KIS0933K.

Author information

Authors and Affiliations

  1. SYSGO GmbH, Mainz, Germany

    Don Kuzhiyelil & Marine Kadar

  2. Fraunhofer AISEC, Munich, Germany

    Philipp Zieris

  3. TU Kaiserslautern, Kaiserslautern, Germany

    Gerhard Fohler

  4. Mainz, Germany

    Sergey Tverdyshev

Authors
  1. Don Kuzhiyelil
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Philipp Zieris
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Marine Kadar
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Sergey Tverdyshev
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Gerhard Fohler
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Don Kuzhiyelil .

Editor information

Editors and Affiliations

  1. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Willy Susilo

  2. Singapore Management University, Singapore, Singapore

    Robert H. Deng

  3. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Fuchun Guo

  4. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Yannan Li

  5. Informatics, Petra Christian University, Surabaya, Indonesia

    Rolly Intan

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kuzhiyelil, D., Zieris, P., Kadar, M., Tverdyshev, S., Fohler, G. (2020). Towards Transparent Control-Flow Integrity in Safety-Critical Systems. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-62974-8_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62973-1

  • Online ISBN: 978-3-030-62974-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation