Skip to main content
SpringerLink
Log in

CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10453))

Abstract

With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://www.arm.com/products/processors/cortex-m/cortex-m23-processor.php.

  2. 2.

    https://www.arm.com/products/processors/cortex-m/cortex-m33-processor.php.

  3. 3.

    Also referred to as the secure world and normal world.

  4. 4.

    http://www.keil.com/support/man/docs/armclang_link/armclang_link_pge1444644885613.htm.

  5. 5.

    CWE-134: Use of Externally-Controlled Format String https://cwe.mitre.org/data/definitions/134.html.

  6. 6.

    https://www.embedded-world.de/en/ausstellerprodukte/embwld17/product-9863796/numicro-m2351-series-microcontroller.

  7. 7.

    A call graph is a control-flow graph which represents the calling relationships between subroutines in a program.

  8. 8.

    http://www.capstone-engine.org/.

  9. 9.

    In Cortex-M processors that implement the floating point extensions, the context stack frame may also contain the values of floating point registers.

  10. 10.

    Half-word alignment for branch instruction target addresses is enforced by the hardware itself.

  11. 11.

    https://www.spec.org/benchmarks.html.

  12. 12.

    http://www.eembc.org/coremark/about.php.

References

  1. ARM compiler version 6.4 software development guide. http://infocenter.arm.com/help/topic/com.arm.doc.dui0773e (2015)

  2. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 4:1–4:40 (2009). http://doi.acm.org/10.1145/1609956.1609960

    Article  Google Scholar 

  3. ARM Ltd.: Procedure Call Standard for the ARM Architecture (2009). http://infocenter.arm.com/help/topic/com.arm.doc.ihi0042d

  4. ARM Ltd.: ARMv8-M Architecture Reference Manual.(2016). http://infocenter.arm.com/help/topic/com.arm.doc.ddi0553a.b

  5. Brown, N.: Control-flow Integrity for Real-time Embedded Systems. Master’s thesis, Worcester Polytechnic Institute, Worcester, MA, USA (2017)

    Google Scholar 

  6. Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 27–38. ACM, New York (2008). http://doi.acm.org/10.1145/1455770.1455776

  7. Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: Proceedings of the 24th USENIX Conference on Security Symposium. SEC 2015, pp. 161–176. USENIX Association, Berkeley (2015). http://dl.acm.org/citation.cfm?id=2831143.2831154

  8. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security. CCS 2010, pp. 559–572. ACM, New York (2010). http://doi.acm.org/10.1145/1866307.1866370

  9. Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the AVC advantage. In: Proceedings of the 2009 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections. EVT/WOTE 2009, p. 6. USENIX Association, Berkeley (2009). http://dl.acm.org/citation.cfm?id=1855491.1855497

  10. Chiueh, T.C., Hsu, F.H.: Rad: a compile-time solution to buffer overflow attacks. In: 21st International Conference on Distributed Computing Systems, pp. 409–417, April 2001

    Google Scholar 

  11. de Clercq, R., Keulenaer, R.D., Coppens, B., Yang, B., Maene, P., d. Bosschere, K., Preneel, B., De Sutter, B., Verbauwhede, I.: Sofia: software and control flow integrity architecture. In: 2016 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 1172–1177, March 2016

    Google Scholar 

  12. de Clercq, R., Piessens, F., Schellekens, D., Verbauwhede, I.: Secure interrupts on low-end microcontrollers. In: 2014 IEEE 25th International Conference on Application-Specific Systems, Architectures and Processors, pp. 147–152, June 2014

    Google Scholar 

  13. Cohen, F.B.: Operating system protection through program evolution. Comput. Secur. 12(6), 565–584 (1993). http://dx.doi.org/10.1016/0167-4048(93)90054–9

    Article  Google Scholar 

  14. Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ASIA CCS 2015, pp. 555–566. ACM, New York (2015). http://doi.acm.org/10.1145/2714576.2714635

  15. Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., NĂ¼rnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA (2012). http://www.internetsociety.org/mocfi-framework-mitigate-control-flow-attacks-smartphones

  16. Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: Hafix: hardware-assisted flow integrity extension. In: Proceedings of the 52Nd Annual Design Automation Conference. DAC 2015, pp. 74:1–74:6. ACM, New York (2015). http://doi.acm.org/10.1145/2744769.2744847

  17. Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ASIACCS 2011, pp. 40–51. ACM, New York (2011). http://doi.acm.org/10.1145/1966913.1966920

  18. Eldefrawy, K., Francillon, A., Perito, D., Tsudik, G.: SMART: secure and minimal architecture for (Establishing a Dynamic) root of trust. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA, February 2012. http://www.eurecom.fr/publication/3536

  19. Ericssson: Ericsson Mobility Report (2015). http://www.ericsson.com/res/docs/2015/mobility-report/ericsson-mobility-report-nov-2015.pdf

  20. Erlingsson, U., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: Xfi: software guards for system address spaces. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation. OSDI 2006, pp. 75–88. USENIX Association, Berkeley (2006). http://dl.acm.org/citation.cfm?id=1298455.1298463

  21. Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 15–26. ACM, New York (2008). http://doi.acm.org/10.1145/1455770.1455775

  22. Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code. SecuCode 2009, pp. 19–26. ACM, New York (2009). http://doi.acm.org/10.1145/1655077.1655083

  23. Gartner: Gartner Says Managing Identities and Access Will Be Critical to the Success of the Internet of Things (2015). http://www.gartner.com/newsroom/id/2985717

  24. Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: Proceedings of the 11th USENIX Security Symposium, pp. 61–79. USENIX Association, Berkeley (2002). http://dl.acm.org/citation.cfm?id=647253.720282

  25. Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium. NDSS 2004 (2004)

    Google Scholar 

  26. Eclipse IoT Working Group, IEEE IoT, AGILE IoT and IoT Council: IoT Developer Survey 2017 (2017). https://ianskerrett.wordpress.com/2017/04/19/iot-developer-trends-2017-edition/

  27. Habibi, J., Panicker, A., Gupta, A., Bertino, E.: DisARM: mitigating buffer overflow attacks on embedded devices. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds.) NSS 2015. LNCS, vol. 9408. Springer, Cham (2015). doi:10.1007/978-3-319-25645-0_8

    Chapter  Google Scholar 

  28. Hewlett-Packard: Data Execution Prevention (2006). http://h10032.www1.hp.com/ctg/Manual/c00387685.pdf

  29. Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22–26, 2016, pp. 969–986 (2016). http://doi.ieeecomputersociety.org/10.1109/SP.2016.62

  30. Intel: Control-flow Enforcement Technology Preview (2016). https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

  31. Koeberl, P., Schulz, S., Sadeghi, A.R., Varadharajan, V.: TrustLite: a security architecture for tiny embedded devices. In: Proceedings of the Ninth European Conference on Computer Systems. EuroSys 2014, pp. 10:1–10:14. ACM, New York (2014). http://doi.acm.org/10.1145/2592798.2592824

  32. Kornau, T.: Return Oriented Programming for the ARM Architecture. Master’s thesis, Ruhr-University Bochum (2009). http://static.googleusercontent.com/media/www.zynamics.com/en//downloads/kornau-tim-diplomarbeit-rop.pdf

  33. Kumar, R., Singhania, A., Castner, A., Kohler, E., Srivastava, M.: A system for coarse grained memory protection in tiny embedded processors. In: Proceedings of the 44th Annual Design Automation Conference. DAC 2007, pp. 218–223. ACM, New York (2007). http://doi.acm.org/10.1145/1278480.1278534

  34. Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: Sok: automated software diversity. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 276–291. IEEE Computer Society, Washington, DC (2014). http://dx.doi.org/10.1109/SP.2014.25

  35. Le, L.: ARM Exploitation ROPMap. BlackHat USA (2011)

    Google Scholar 

  36. Lian, W., Shacham, H., Savage, S.: Too LeJIT to quit: extending JIT spraying to ARM. In: Kirda, E. (ed.) Proceedings of NDSS 2015. Internet Society, February 2015

    Google Scholar 

  37. Microsoft: Enhanced Mitigation Experience Toolkit (2016). https://www.microsoft.com/emet

  38. Nebenzahl, D., Sagiv, M., Wool, A.: Install-time vaccination of windows executables to defend against stack smashing attacks. IEEE Trans. Dependable Secur. Comput. 3(1), 78–90 (2006). http://dx.doi.org/10.1109/TDSC.2006.14

    Article  Google Scholar 

  39. Niu, B., Tan, G.: Per-input control-flow integrity. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS 2015, pp. 914–926. ACM, New York (2015). http://doi.acm.org/10.1145/2810103.2813644

  40. Noorman, J., Agten, P., Daniels, W., Strackx, R., Van Herrewege, A., Huygens, C., Preneel, B., Verbauwhede, I., Piessens, F.: Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: Proceedings of the 22nd USENIX Conference on Security. SEC 2013, pp. 479–494. USENIX Association, Berkeley (2013). http://dl.acm.org/citation.cfm?id=2534766.2534808

  41. Pastrana, S., Tapiador, J., Suarez-Tangil, G., Peris-LĂ³pez, P.: AVRAND: a software-based defense against code reuse attacks for AVR embedded devices. In: Caballero, J., Zurutuza, U., RodrĂ­guez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 58–77. Springer, Cham (2016). doi:10.1007/978-3-319-40667-1_4

    Google Scholar 

  42. Prasad, M., Chiueh, T.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the USENIX Annual Technical Conference, pp. 211–224 (2003)

    Google Scholar 

  43. Qualcomm Technologies Inc: Pointer Authentication on ARMv8.3. (2017). https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf

  44. Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security. CCS 2007, pp. 552–561. ACM, New York (2007). http://doi.acm.org/10.1145/1315245.1315313

  45. Designer, S.: lpr LIBC RETURN exploit (1997). http://insecure.org/sploits/linux.libc.return.lpr.sploit.html

  46. Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy. SP 2013, pp. 48–62. IEEE Computer Society, Washington, DC (2013). http://dx.doi.org/10.1109/SP.2013.13

  47. Weicker, R.P.: Dhrystone: a synthetic systems programming benchmark. Commun. ACM 27(10), 1013–1030 (1984). http://doi.acm.org/10.1145/358274.358283

    Article  Google Scholar 

  48. Yiu, J.: ARMv8-M architecture technical overview (2015). https://community.arm.com/docs/DOC-10896

Download references

Acknowledgments

This work was supported by the German Science Foundation (project S2, CRC 1119 CROSSING), Tekes—the Finnish Funding Agency for Innovation (CloSer project), and the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).

Author information

Authors and Affiliations

  1. Aalto University, Espoo, Finland

    Thomas Nyman & N. Asokan

  2. Trustonic, Helsinki, Finland

    Thomas Nyman & Jan-Erik Ekberg

  3. University of Duisburg-Essen, Duisburg, Germany

    Lucas Davi

Authors
  1. Thomas Nyman
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jan-Erik Ekberg
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lucas Davi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. N. Asokan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thomas Nyman .

Editor information

Editors and Affiliations

  1. Qatar Computing Research Institute, Doha, Qatar

    Marc Dacier

  2. University of Illinois at Urbana Champaign, Champaign, Illinois, USA

    Michael Bailey

  3. Stony Brook University, Stony Brook, New York, USA

    Michalis Polychronakis

  4. Georgia Institute of Technology, Georgia, USA

    Manos Antonakakis

1 Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (txt 1 KB)

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Nyman, T., Ekberg, JE., Davi, L., Asokan, N. (2017). CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation