Abstract
Exploitation of software is becoming more common as computer systems spread across many
areas of our lives. Over recent years, attacks on software have become more sophisticated,
and deployed countermeasures tend not to provide sufficient protection. Effective
countermeasures require thorough checks, which are computationally expensive.
One such countermeasure is Control-Flow Integrity (CFI), a policy developed to defend
against control-flow hijacking, the principal enabler of code-reuse techniques such as
Return-oriented Programming (ROP) and Jump-oriented Programming (JOP). CFI prevents
exploitation by verifying that every (indirect) control-flow transfer targets a legitimate
address. Enabling CFI in real-world systems is not straightforward, since in many cases the
actual Control-flow Graph (CFG) of a program can only be approximated. Even with perfect
knowledge of the CFG, ensuring that every return instruction returns to its actual call
site without employing a shadow stack is questionable: a function called from several
sites has several CFG-valid return targets, and a static check cannot tell which one is
current. On the other hand, the community has expressed concerns about the significant
overheads of deploying a shadow stack.
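The two checks described above, as an added software model that is not CFIX, the paper's code, or any part of the SPARC prototype: an indirect call is allowed only when the target is a known function entry whose class label matches the label expected at the call site (the fine-grained forward-edge policy), and a return is allowed only when the saved return address agrees with a copy kept on a shadow stack that the ordinary stack frame cannot reach. The labels, code addresses and handler functions are constructed for the example; a hardware implementation would trap instead of returning a sentinel.

```c
/* Added illustration of forward-edge (label) and backward-edge (shadow stack)
 * CFI checks. Software model only; not CFIX or the paper's code. All labels,
 * addresses and function names below are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

typedef int (*handler_fn)(int);

/* Sentinel returned when a check fails (real hardware would raise a trap). */
#define CFI_VIOLATION INT_MIN

/* Fine-grained policy: a call site may only reach functions in its own
 * equivalence class, identified by a label stored at the function entry. */
enum { LABEL_HANDLER = 0x4D2A, LABEL_CLEANUP = 0x91F3 };   /* constructed labels */

static int handler_double(int x) { return 2 * x; }
static int handler_inc(int x)    { return x + 1; }
static int cleanup(int x)        { (void)x; return 0; }   /* a different class */

/* Every address-taken function with its label: the (approximated) CFG. */
static const struct { uint32_t label; handler_fn fn; } cfi_targets[] = {
    { LABEL_HANDLER, handler_double },
    { LABEL_HANDLER, handler_inc },
    { LABEL_CLEANUP, cleanup },
};

/* Forward edge: the indirect call proceeds only if the target is a known
 * entry point whose label matches the label expected at the call site. */
static int cfi_icall(uint32_t site_label, handler_fn fn, int arg)
{
    for (size_t i = 0; i < sizeof cfi_targets / sizeof cfi_targets[0]; i++)
        if (cfi_targets[i].fn == fn)
            return cfi_targets[i].label == site_label ? fn(arg) : CFI_VIOLATION;
    return CFI_VIOLATION;   /* not a function entry at all, e.g. a mid-function gadget */
}

/* Backward edge: every call also pushes its return address onto a shadow
 * stack that an overflow of the ordinary stack frame cannot modify. */
#define SHADOW_DEPTH 64
static uintptr_t shadow_stack[SHADOW_DEPTH];
static size_t    shadow_sp;

struct frame {
    char      buf[16];   /* an overflowable local next to the saved return address */
    uintptr_t ret_addr;  /* the copy an overflow of buf can overwrite */
};

static bool cfi_call(struct frame *f, uintptr_t ret_addr)
{
    if (shadow_sp == SHADOW_DEPTH) return false;     /* shadow stack exhausted */
    f->ret_addr = ret_addr;                          /* ordinary (corruptible) copy */
    shadow_stack[shadow_sp++] = ret_addr;            /* protected copy */
    return true;
}

/* Returns the verified return target, or 0 when the saved address disagrees
 * with the shadow copy (the signature of a ROP-style hijacked return). */
static uintptr_t cfi_ret(const struct frame *f)
{
    if (shadow_sp == 0) return 0;                    /* return without a matching call */
    uintptr_t expected = shadow_stack[--shadow_sp];
    return f->ret_addr == expected ? expected : 0;
}

/* Scenario 1: an honest call/return pair passes the backward-edge check. */
static bool legit_return_ok(void)
{
    struct frame f;
    const uintptr_t ret = 0x401000u;                 /* constructed code address */
    return cfi_call(&f, ret) && cfi_ret(&f) == ret;
}

/* Scenario 2: an overflow of buf has overwritten the saved return address
 * with a gadget; the frame's copy no longer matches the shadow stack. */
static bool rop_attempt_detected(void)
{
    struct frame f;
    if (!cfi_call(&f, 0x401000u)) return false;
    f.ret_addr = 0x402ab0u;   /* models the corrupted saved return address */
    return cfi_ret(&f) == 0;
}

int main(void)
{
    printf("icall to handler_inc(4): %d\n", cfi_icall(LABEL_HANDLER, handler_inc, 4));
    printf("icall to cleanup from a handler site: %s\n",
           cfi_icall(LABEL_HANDLER, cleanup, 4) == CFI_VIOLATION ? "blocked" : "allowed");
    printf("legit return: %s\n", legit_return_ok() ? "ok" : "violation");
    printf("hijacked return: %s\n", rop_attempt_detected() ? "detected" : "missed");
    return 0;
}
```

The forward-edge table is exactly the CFG approximation the abstract mentions: any function that shares a label with the intended target is accepted, which is why a coarse labelling still leaves room for attack, and why the backward edge is delegated to the shadow stack rather than to a label check that would have to accept every call site of a function.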
In this work, we acknowledge the importance of pushing security into the hardware domain
in order to strengthen and accelerate security mechanisms. We project that a full-featured
CFI-enabled Instruction Set Architecture (ISA) can be implemented efficiently in actual
hardware with an in-chip secure memory, and that the resulting prototype experiences
negligible overheads. To support our case, we implement Control-Flow Integrity Extensions
(CFIX) by modifying a SPARC SoC and evaluate the prototype on an FPGA board, running
SPECInt benchmarks instrumented with a fine-grained CFI policy. The evaluation shows that
CFIX effectively protects applications from code-reuse attacks while adding less than 1%
runtime overhead and 2% power-consumption overhead, making it particularly suitable for
embedded systems.