Control Flow Integrity

Against Runtime Memory Attacks

Asrar Mohammed
Ahmed Bajaber

Best services for writing your paper according to Trustpilot

Premium Partner
From $18.00 per page
4,8 / 5
Writers Experience
Recommended Service
From $13.90 per page
4,6 / 5
Writers Experience
From $20.00 per page
4,5 / 5
Writers Experience
* All Partners were chosen among 50+ writing services by our Customer Satisfaction Team



Embedded systems
have become common today and Spread in a large number of devices. However,
due to resource constraints, they fail to provide adequate security, and they are
susceptible to runtime attacks such as code injection and code reuse attacks
(CRAs). The previous works have introduce the enforcement of control-ow
integrity (CFI) as a technique to defense against these attacks. Nevertheless, the
existing solutions either have their own limitations, some needs to modify the Instruction
Set Architecture (ISA). And the others need binary rewriting (which increases
the code size), or suffer from performance overhead. In this paper, the proposed
idea is CFI solution adapts the concept proposed by 1 basic block control
flow integrity BB_CFI which is tackle the recursive call.




(Keywords: Control flow
integrity, control flow graph(CFG),
return oriented programming(ROP), Code Reuse Attack (CRA)  )

1. Introduction

Embedded systems
have proliferated at present and have been prevalent in a wide range of applications
1. The security has become a concern in these systems because of the expanded
the private and critical information. Lately, adversaries have mostly targeted
at these systems either to make a malicious actions or to get the user’s private
data. The primary challenge in embedded systems security is the resource
constraints such as energy, storage and limited computation. The main reason that
these systems are liable to exploits is because using unsafe languages, such as
C/C++. Runtime attacks, like buffer overflow
based stack smashing and CRAs, are common due to lack of bounds checking in
these languages. Though data execution protection (DEP) can protect against the
stack smashing, which requires code injection, CRAs, such as return oriented
programming (ROP) and jump-oriented programming (JOP), can still be performed
and are predominant presently. Generally, ROP and JOP use gadget – small
sequences of instructions- present in the existing code to perform arbitrary
computation, thus avoiding the need for code injection. In fact, to protect the
memory from these attacks, the CFI has been proposed.


2. Problem Statement

Embedded systems
have developed during the last years. It is usually programmed using C or
assembly language which are considered as unsafe languages. Thus, it is suffer
from vulnerabilities that can be exploited by the attackers during runtime. The
memory runtime attacks, like buffer overflow based stack smashing and CRAs, are
popular in embedded systems .Generally, such runtime attacks divert the desired
control-flow of embedded system by exploiting bugs 1.

Control flow integrity (CFI) implementation is an
approach to protect the embedded systems from runtime attacks. In the execution,
CFI enforces the program to follow control flow graph (CFG), which is
predetermined at the compilation time. Any deviation of the program execution
from the normal CFG is considered as an attack. Unlike DEP, a proper CFI
enforcement can defend against stack smashing attack as well as ROP and JOP,
because these attacks deviate the control flow of the program from the normal
CFG. However, previous CFI implementations suffer from high-performance
overhead or have their own limitations 1.


3. Literature Review

Over the last years
a number of defense approaches have been proposed to protect the embedded
systems from runtime attacks. In contrast to many ad-hoc solutions the most
general defense, and the focus of this paper, is based on the principle of CFI.
That tackles runtime attacks regardless of their specific origin.


Figure 1: Design of Hardware-Enforced
ROP Detection2



The authors in 2
present the design of security hardware mechanisms to enable Fine-grained CFI protection
against ROP attack. Their CFI 
is based on a state model and a per-function CFI label approach which is
enforce the processor to switch to a new state called function entry after
function call. In particular, their CFI policies ensure that function returns
can only transfer control to active call sides (i.e., return landing pads of functions
currently executing). Further, they restrict indirect calls to target the
beginning of a function, and lastly, deploy behavioral heuristics for indirect
jumps. The main idea of this mechanism is to enforce CFI based on label state,
and decouple source from destination labels. For this the authors distinguish
between four states as shown in Figure 1.: (0) for ordinary program execution,
(1) function entry, (2) function exit, and (3) CFI exception state when an
attack is detected. To enforce the CFI label approach they envision the
introduction of two new CFI label instructions, namely CFIBR and CFIRET. As the
names imply, they use one label instruction for function calls and another one
for returns. This distinction allows them to deploy different policies for
calls and returns, and at the same time ensures that an indirect call cannot
target a label instruction used for returns and vice versa 2. The approach
has several limitations: it requires ISA modification, compiler extensions, and
binary rewriting (which increases the code size) 2.


Figure 2: HAFIX
design 3.


HAFIX 3 proposed a stateful, fine-grained backward-edge to keep
track of valid returns, a unique label is assigned to each function and a
one-bit table entry is used for each label(Figure 3 Show HAFIX design). During
a function call the calling function’s label is activated, while a return leads
to the deactivation of the target function’s label. During a return, if the
target function’s label is inactive, an exception is raised. To enforce this
policy, HAFIX used special instructions inserted in the binary to
activate/deactivate the labels. The ISA was modified to only allow function
returns to a special landing pad instruction which performs the check.
Recursive function calls are supported by counting the number of times a
function has been called. HAFIX is integrated into the processor’s pipeline
stages. The major hardware components of the design is the CFI control logic
and the label state memory, which consists of a hardware buffer with a one-bit
entry for each function. The authors evaluated the HAFIX implementation
using standard embedded benchmarks (including Dhrystone and CoreMark), and show
that it only adds 2% of performance overhead on average. Moreover, they provide
a security evaluation to demonstrate that HAFIX reduces the available gadget
space to 19.82% on average. 3. In fact The HAFIX
need to extend the ISA which is limit their work.



Figure 3: BB-CFI design


BB-CFI 1 present
an approach to enforce fine-grained CFI at a basic block level, named basic
block CFI (BB-CFI), which aims to defend against runtime attacks. The key idea
is to verify the target address (TA) of control flow instructions (CFINs) such
as call, ret, and jmp, which may be modified by the adversary. The BB-CFI
contains two stages (As shown in Figure 3): first is an offline profiling of
the program which extract the control flow information, the second stage is
runtime control flow checking which verify the TA of control flow instructions CFINs
using the extracted information. The authors are also handle the exceptional
cases like multithreading, C++ exception, and longjump that are found in
complex binaries. They also propose an architectural design of control flow
checker (CFC) which monitors the program execution during runtime to enforce
BB-CFI. For proof of concept, they implement the CFC in field-programmable gate
array (FPGA). Their method does not require the modification of the source code
or the instruction set architecture.

The experimental
results demonstrate that BB-CFI is effective against runtime attacks, with 100%
verification accuracy. The CFC implementation on FPGA shows <1% performance overhead and a small dynamic power consumption of 78 m W, with very small area footprint.     4. Proposed solution The proposed idea is CFI solution adapts the concept proposed by 1 basic block control flow integrity BB_CFI which is tackle recursive function calls. These lead to a number of store operations of the same label, since a recursive function invokes itself several times before each instance returns. To solve this problem, only store the label once and record the number of invocations in a separate (hidden) register.   5. Conclusion This paper talk about the run time attacks on embedded systems. The CFI is an approach to protect the memory from run time attacks. The proposed solution in this paper is tackle the recursive function call based on the proposed approach provided by authors in 1.     References   1   Sanjeev Das, Wei Zhang, and Yang Liu. 2016. A Fine-Grained Control Flow Integrity Approach Against Runtime Memory Attacks for Embedded Systems. IEEE Trans. Very Large Scale Integr. Syst. 24, 11 (Nov. 2016), 3193–3207.   2   L. Davi, P. Koeberl, and A.-R. Sadeghi, "Hardware-assisted fine-grained control-flow integrity: Towards efficient protection of embedded systems against software exploitation," in Proc. DAC, Jun. 2014, pp. 1–6.   3  Lucas Davi, Matthias Hanreich, Debayan Paul, Ahmad-Reza Sadeghi, Patrick Koeberl, Dean Sullivan, Orlando Arias, and Yier Jin. 2015. HAFIX: Hardware-assisted Flow Integrity Extension. In Proceedings of the 52Nd Annual Design Automation Conference (DAC '15). ACM, New York, NY, USA.


I'm Niki!

Would you like to get a custom essay? How about receiving a customized one?

Check it out