On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Fardin Abdi Taghi Abad, Joel Van Der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha, Renato Mancuso, Sibin Mohan


Post on 23-Feb-2016


Page 1: On-Chip Control Flow Integrity Check for Real Time Embedded Systems


Page 2: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Rethinking Embedded System Security

Traditional Embedded Systems
• Physically isolated environment
• Limited capability
• Use of specialized protocols

Modern Embedded Systems
• More networked
• Increased capability
• Open, standard platform
• Sensitive/privacy information
• More vulnerable to security attacks

Smart Embedded Systems
• Smart Grid
• Smart Car
• Smart Appliances
• Smart Phones

Page 3: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Challenges in Embedded System Security

Limited Resources - Computational power, energy, cost

Timing Requirement - Safety, reliability, quality of service

System Upgrade - Verifiability

Limitations in Existing Approaches

Components
• They either require components that do not necessarily exist in simple embedded systems (such as a trusted operating system or memory management units)

Predictable Overhead
• The overheads imposed by them are not predictable enough to provide the guarantees that are necessary for such systems.

Page 4: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Our Solution

1. Extract the control flow graph from executable

2. Store the control flow graph on dedicated hardware

3. Check the run-time control flow with a dedicated hardware unit

[Figure: Block x, Block y, Block z; axis: Time]

Page 5: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Why It Works

At inspection time, the dedicated core validates the execution flow.

If malicious code gets executed, the control flow graph mutates...

...and detection is performed

[Figure: Block x, Block y, Block z, Malicious Code Block; axis: Time]

Page 6: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Attacks

Buffer Overflow
• Overwrite the return address
• Overwrite a control variable

Return-into-libc
• Direct execution towards a libc function

Return-oriented-programming
• Overwrite a function return address to chain the execution of small preexisting code fragments to produce arbitrary program behavior

Code injection
• Inject code into a process with high privileges from a low-privileged one.

Page 7: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Architecture

On-Chip Control Flow Monitoring Module (OCFMM)

[Figure labels: Processor, Program Counter, Instruction Register, Monitoring Module, Isolated OCFMM Memory, Block ID, Block Info]

Page 8: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Control Flow Example

    main:
        instr_1
        instr_2
    lbl_2:
        instr_3
        JEQ lbl_1
        instr_4
        instr_5
        instr_6
        JMP lbl_2
    lbl_1:
        instr_7
        instr_8
        CALL func_1
        instr_9
        JMP lbl_2
    func_1:
        instr_f1
        instr_f2
        RET

Blocks:
• Block A: n = 4, pc = instr_1
• Block B: n = 4, pc = instr_4
• Block C: n = 3, pc = instr_7
• Block D: n = 2, pc = instr_9
• Block E: n = 3, pc = instr_f1

[Figure: control flow graph over blocks A to E; edge labels: Yes, No, and four Yes/No]

For each block, we store:

1. Block ID
2. Address of first instruction
3. Number of instructions
4. Yes-Block
5. No-Block

Page 9: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Inspection

Suppose that the execution is in block A.

1. Check that PC is between instr_1 and instr_1 + n

2. If not, fetch Yes/No Blocks C & B from OCFMM memory

3. If execution is neither at instr_7 nor at instr_4, raise detection flag

[Figure: block A (n = 4, pc = instr_1) with a Yes edge to block C (n = 3, pc = instr_7) and a No edge to block B (n = 4, pc = instr_4)]
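The block table and the three inspection steps above, as an added C sketch (not the authors' hardware or code). Assumptions: addresses are the listing's instruction numbers 1 to 16, the C-to-E and E-to-D edges are inferred from the CALL and RET in the listing, and both PC traces are constructed.

```c
#include <stdio.h>

/* Block IDs from the slide; NONE marks an edge this sketch does not model. */
enum { BLK_A, BLK_B, BLK_C, BLK_D, BLK_E, NBLOCKS, NONE = -1, VIOLATION = -2 };

struct block_info {      /* one OCFMM memory entry; Block ID is the array index */
    int first;           /* address of first instruction */
    int n;               /* number of instructions */
    int yes, no;         /* Yes-Block and No-Block */
};

/* Addresses are the listing's instruction numbers 1..16 (assumption).
 * A's edges come from the Inspection slide; C->E (CALL) and E->D (RET) are
 * inferred from the listing. B and D end in JMP lbl_2, which lands on
 * instr_3 inside block A, not on its first instruction; the slides do not
 * say how that entry is matched, so those edges are left unmodelled. */
static const struct block_info cfg[NBLOCKS] = {
    [BLK_A] = {  1, 4, BLK_C, BLK_B },
    [BLK_B] = {  5, 4, NONE,  NONE  },
    [BLK_C] = {  9, 3, BLK_E, BLK_E },
    [BLK_D] = { 12, 2, NONE,  NONE  },
    [BLK_E] = { 14, 3, BLK_D, BLK_D },
};

static int starts_at(int id, int pc) { return id != NONE && cfg[id].first == pc; }

/* One inspection: returns the block the PC is now in, or VIOLATION. */
int inspect(int cur, int pc) {
    const struct block_info *b = &cfg[cur];
    if (pc >= b->first && pc < b->first + b->n) return cur;   /* step 1 */
    if (starts_at(b->yes, pc)) return b->yes;                 /* steps 2-3 */
    if (starts_at(b->no, pc))  return b->no;
    return VIOLATION;                                         /* detection flag */
}

/* Replays a PC trace from block A; index of the first flagged PC, or -1. */
int first_violation(const int *pcs, int len) {
    int cur = BLK_A;
    for (int i = 0; i < len; i++)
        if ((cur = inspect(cur, pcs[i])) == VIOLATION) return i;
    return -1;
}

int main(void) {
    int ok[]  = { 1, 2, 3, 4, 9, 10, 11, 14, 15, 16, 12 }; /* RET to instr_9 */
    int bad[] = { 1, 2, 3, 4, 9, 10, 11, 14, 15, 16, 5 };  /* RET redirected */
    printf("%d %d\n", first_violation(ok, 11), first_violation(bad, 11));
    return 0;
}
```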

Page 10: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Predictable Overhead

• Overhead is paid in short blocks where integrity check is longer than block execution time.
• e_i is the minimum execution time of the i-th instruction in the block
• m is the access time for OCFMM memory
• n_k is the number of instructions in the k-th block

Overhead(block_k) =

Page 11: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Experiments

• Code replacement attack
  – one of the jump destinations is different from the expected address resulting
• Return address overwriting in stack
  – jump to a different return address

Page 12: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Limitations

• Unable to detect attacks that do not alter the CFG
  – Still, attacking the platform is significantly harder
• Need for ad-hoc platform
  – The proposed approach is hardware-based. Custom hardware needed

Page 13: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Effective and Applicable to Embedded Real-Time Systems

• Finite and predictable overhead

• Software updates in embedded/RT systems are relatively rare

• Hardware isolation provides guaranteed protection

Page 14: On-Chip Control Flow Integrity Check for Real Time Embedded Systems

Future Plan

Implementation
• Replacing on-chip SRAM unit of OCFMM with an external one
• CFG profile caching mechanism

Measurements
• Extensive measurements on logic overhead
• Measurements on performance overhead with and without block information caching mechanism

Expansion
• Distinguish between multiple tasks and monitor the control flow of each
• Securing the whole system by detecting and securing some critical components

Page 15: On-Chip Control Flow Integrity Check for Real Time Embedded Systems


Question?

Thank You