
A Fine-Grained Control Flow Integrity Approach Against Runtime Memory Attacks for Embedded Systems


Abstract

Runtime attacks on memory, such as buffer overflow based stack smashing and code reuse attacks, are common in embedded systems. Control flow integrity (CFI) has been acknowledged as one promising approach to protect against such runtime attacks. However, previous CFI implementations suffer from coarse granularity (which can be circumvented by an advanced attack model) and high performance overhead. In this paper, first, we present an approach to enforce fine-grained CFI at a basic block level, named basic block CFI (BB-CFI), which aims to defend against the aforesaid attacks. The key idea is to verify the target address (TA) of control flow instructions (CFINs) (e.g., call, ret, and jmp), which may be modified by the adversary. BB-CFI contains two stages: 1) offline profiling of the program, to extract the control flow information, and 2) runtime control flow checking, to verify the TA of CFINs using the extracted information. We also handle the exceptional cases (e.g., multithreading, C++ exceptions, and longjump) that are found in complex binaries. Second, we propose an architectural design of a control flow checker (CFC), which monitors the program execution during runtime to enforce BB-CFI. For proof of concept, we implement the CFC in a field-programmable gate array (FPGA). Our method does not require the modification of the source code or the instruction set architecture. The experimental results demonstrate that BB-CFI is effective against runtime attacks, with 100% verification accuracy. The CFC implementation on FPGA shows <1% performance overhead and a small dynamic power consumption of 78 mW, with a very small area footprint.
