scholarly journals DExIE - An IoT-Class Hardware Monitor for Real-Time Fine-Grained Control-Flow Integrity

2022 ◽  
Author(s):  
Christoph Spang ◽  
Yannick Lavan ◽  
Marco Hartmann ◽  
Florian Meisel ◽  
Andreas Koch
Keyword(s):  
Real Time ◽  
Control Flow ◽  
Performance Impact ◽  
Fine Grained ◽  
Control Flow Integrity ◽  
Flow Information ◽  
Performance Penalty ◽  
Automated Programming ◽  
Dynamic Execution ◽  
Size And Structure

AbstractThe Dynamic Execution Integrity Engine (DExIE) is a lightweight hardware monitor that can be flexibly attached to many IoT-class processor pipelines. It is guaranteed to catch both inter- and intra-function illegal control flows in time to prevent any illegal instructions from touching memory. The performance impact of attaching DExIE to a core depends on the concrete pipeline structure. In some especially suitable cases, extending a processor with DExIE will have no performance penalty. DExIE is real-time capable, as it causes no or only up to 10.4 % additional and then predictable pipeline stalls. Depending on the monitored processor’s size and structure, DExIE is faster than software-based monitoring and often smaller than a separate guard processor. We present not just the hardware architecture, but also the automated programming flow, and discuss compact adaptable storage formats to hold fine-grained control flow information.

FastCFI: Real-time Control-Flow Integrity Using FPGA without Code Instrumentation

2021 ◽  
Vol 26 (5) ◽  
pp. 1-39
Author(s):  
Lang Feng ◽  
Jeff Huang ◽  
Jiang Hu ◽  
Abhijith Reddy
Keyword(s):  
Real Time ◽  
Cyber Attacks ◽  
Control Flow ◽  
Compression Algorithm ◽  
Real Time Control ◽  
Fine Grained ◽  
Generation Technique ◽  
Time Control ◽  
Control Flow Integrity ◽  
Code Instrumentation

Control-Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid performance overhead, but typically rely on code instrumentation, forming a non-trivial hurdle to the application of CFI. Taking advantage of the tradeoff between computing efficiency and flexibility of FPGA, we develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI, and a compression algorithm for reducing the hardware expense. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. When using FastCFI on prevalent benchmarks, we demonstrate its capability to detect fine-grained CFI violations in unmodified binaries, while incurring an average of 0.36% overhead and a maximum of 2.93% overhead.

scholarly journals Reconciling optimization with secure compilation

2021 ◽  
Vol 5 (OOPSLA) ◽  
pp. 1-30
Author(s):  
Son Tuan Vu ◽  
Albert Cohen ◽  
Arnaud De Grandmaison ◽  
Christophe Guillon ◽  
Karine Heydemann
Keyword(s):  
Side Effects ◽  
Control Flow ◽  
Partial Ordering ◽  
Input Output ◽  
Machine Code ◽  
Fine Grained ◽  
Control Flow Integrity ◽  
Correct Execution ◽  
Source Level ◽  
And Performance

Software protections against side-channel and physical attacks are essential to the development of secure applications. Such protections are meaningful at machine code or micro-architectural level, but they typically do not carry observable semantics at source level. This renders them susceptible to miscompilation, and security engineers embed input/output side-effects to prevent optimizing compilers from altering them. Yet these side-effects are error-prone and compiler-dependent. The current practice involves analyzing the generated machine code to make sure security or privacy properties are still enforced. These side-effects may also be too expensive in fine-grained protections such as control-flow integrity. We introduce observations of the program state that are intrinsic to the correct execution of security protections, along with means to specify and preserve observations across the compilation flow. Such observations complement the input/output semantics-preservation contract of compilers. We introduce an opacification mechanism to preserve and enforce a partial ordering of observations. This approach is compatible with a production compiler and does not incur any modification to its optimization passes. We validate the effectiveness and performance of our approach on a range of benchmarks, expressing the secure compilation of these applications in terms of observations to be made at specific program points.

scholarly journals Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS

2018 ◽  
Vol 2018 ◽  
pp. 1-11 ◽  
Author(s):  
Weizhong Qiang ◽  
Shizhen Wang ◽  
Hai Jin ◽  
Jiangying Zhong
Keyword(s):  
Security Analysis ◽  
Control Flow ◽  
Security And Privacy ◽  
Code Reuse ◽  
Fine Grained ◽  
Function Calls ◽  
Legitimate Target ◽  
Control Flow Integrity ◽  
Target Set ◽  
And Performance

A cyber-physical system (CPS) is known as a mix system composed of computational and physical capabilities. The fast development of CPS brings new security and privacy requirements. Code reuse attacks that affect the correct behavior of software by exploiting memory corruption vulnerabilities and reusing existing code may also be threats to CPS. Various defense techniques are proposed in recent years as countermeasures to emerging code reuse attacks. However, they may fail to fulfill the security requirement well because they cannot protect the indirect function calls properly when it comes to dynamic code reuse attacks aiming at forward edges of control-flow graph (CFG). In this paper, we propose P-CFI, a fine-grained control-flow integrity (CFI) method, to protect CPS against memory-related attacks. We use points-to analysis to construct the legitimate target set for every indirect call cite and check whether the target of the indirect call cite is in the legitimate target set at runtime. We implement a prototype of P-CFI on LLVM and evaluate both its functionality and performance. Security analysis proves that P-CFI can mitigate the dynamic code reuse attack based on forward edges of CFG. Performance evaluation shows that P-CFI can protect CPS from dynamic code reuse attacks with trivial time overhead between 0.1% and 3.5% (Copyright © 2018 John Wiley & Sons, Ltd.).

scholarly journals Corrigendum to “Fine-Grained Control-Flow Integrity Based on Points-to Analysis for CPS”

2018 ◽  
Vol 2018 ◽  
pp. 1-1
Author(s):  
Weizhong Qiang ◽  
Shizhen Wang ◽  
Hai Jin ◽  
Jiangying Zhong
Keyword(s):  
Control Flow ◽  
Fine Grained ◽  
Control Flow Integrity

Trusted Control Flow Integrity for JVM-Based Application

2014 ◽  
Vol 511-512 ◽  
pp. 1219-1224
Author(s):  
Song Zhu Mei ◽  
Hai He Ba ◽  
Jiang Chun Ren ◽  
Zhi Ying Wang ◽  
Jun Ma
Keyword(s):  
Virtual Machine ◽  
Trusted Computing ◽  
Control Flow ◽  
Java Virtual Machine ◽  
Performance Impact ◽  
Trusted Platform Module ◽  
Java Application ◽  
Control Flow Integrity ◽  
Trusted Platform ◽  
Full Consideration

This paper gives out a novel way, TCFI4J, to enforce the control flow integrity to the Java applications based on Java virtual machine. TCFI4J combines the trusted computing technology and Java virtual machine together. It takes full advantage of the Trusted Platform Module (TPM) and gives full consideration to the memory organization of the JVM. TCFI4J takes the integrity of part of JVMs memory image into account for the control flow integrity enforcement. The method presented in this paper can provide the user information about an applications behavior. It can significantly improve the security of a Java application with a tolerable performance impact.

ABCFI: Fast and Lightweight Fine-Grained Hardware-Assisted Control-Flow Integrity

2020 ◽  
Vol 39 (11) ◽  
pp. 3165-3176
Author(s):  
Jinfeng Li ◽  
Liwei Chen ◽  
Gang Shi ◽  
Kai Chen ◽  
Dan Meng
Keyword(s):  
Control Flow ◽  
Fine Grained ◽  
Control Flow Integrity
Sign in / Sign up

Export Citation Format

Share Document