Abstract
With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
Also referred to as the secure world and normal world.
- 4.
- 5.
CWE-134: Use of Externally-Controlled Format String https://cwe.mitre.org/data/definitions/134.html.
- 6.
- 7.
A call graph is a control-flow graph which represents the calling relationships between subroutines in a program.
- 8.
- 9.
In Cortex-M processors that implement the floating point extensions, the context stack frame may also contain the values of floating point registers.
- 10.
Half-word alignment for branch instruction target addresses is enforced by the hardware itself.
- 11.
- 12.
References
ARM compiler version 6.4 software development guide. http://infocenter.arm.com/help/topic/com.arm.doc.dui0773e (2015)
Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 4:1–4:40 (2009). http://doi.acm.org/10.1145/1609956.1609960
ARM Ltd.: Procedure Call Standard for the ARM Architecture (2009). http://infocenter.arm.com/help/topic/com.arm.doc.ihi0042d
ARM Ltd.: ARMv8-M Architecture Reference Manual.(2016). http://infocenter.arm.com/help/topic/com.arm.doc.ddi0553a.b
Brown, N.: Control-flow Integrity for Real-time Embedded Systems. Master’s thesis, Worcester Polytechnic Institute, Worcester, MA, USA (2017)
Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 27–38. ACM, New York (2008). http://doi.acm.org/10.1145/1455770.1455776
Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: Proceedings of the 24th USENIX Conference on Security Symposium. SEC 2015, pp. 161–176. USENIX Association, Berkeley (2015). http://dl.acm.org/citation.cfm?id=2831143.2831154
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security. CCS 2010, pp. 559–572. ACM, New York (2010). http://doi.acm.org/10.1145/1866307.1866370
Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the AVC advantage. In: Proceedings of the 2009 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections. EVT/WOTE 2009, p. 6. USENIX Association, Berkeley (2009). http://dl.acm.org/citation.cfm?id=1855491.1855497
Chiueh, T.C., Hsu, F.H.: Rad: a compile-time solution to buffer overflow attacks. In: 21st International Conference on Distributed Computing Systems, pp. 409–417, April 2001
de Clercq, R., Keulenaer, R.D., Coppens, B., Yang, B., Maene, P., d. Bosschere, K., Preneel, B., De Sutter, B., Verbauwhede, I.: Sofia: software and control flow integrity architecture. In: 2016 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 1172–1177, March 2016
de Clercq, R., Piessens, F., Schellekens, D., Verbauwhede, I.: Secure interrupts on low-end microcontrollers. In: 2014 IEEE 25th International Conference on Application-Specific Systems, Architectures and Processors, pp. 147–152, June 2014
Cohen, F.B.: Operating system protection through program evolution. Comput. Secur. 12(6), 565–584 (1993). http://dx.doi.org/10.1016/0167-4048(93)90054–9
Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ASIA CCS 2015, pp. 555–566. ACM, New York (2015). http://doi.acm.org/10.1145/2714576.2714635
Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., NĂ¼rnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA (2012). http://www.internetsociety.org/mocfi-framework-mitigate-control-flow-attacks-smartphones
Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: Hafix: hardware-assisted flow integrity extension. In: Proceedings of the 52Nd Annual Design Automation Conference. DAC 2015, pp. 74:1–74:6. ACM, New York (2015). http://doi.acm.org/10.1145/2744769.2744847
Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ASIACCS 2011, pp. 40–51. ACM, New York (2011). http://doi.acm.org/10.1145/1966913.1966920
Eldefrawy, K., Francillon, A., Perito, D., Tsudik, G.: SMART: secure and minimal architecture for (Establishing a Dynamic) root of trust. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA, February 2012. http://www.eurecom.fr/publication/3536
Ericssson: Ericsson Mobility Report (2015). http://www.ericsson.com/res/docs/2015/mobility-report/ericsson-mobility-report-nov-2015.pdf
Erlingsson, U., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: Xfi: software guards for system address spaces. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation. OSDI 2006, pp. 75–88. USENIX Association, Berkeley (2006). http://dl.acm.org/citation.cfm?id=1298455.1298463
Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 15–26. ACM, New York (2008). http://doi.acm.org/10.1145/1455770.1455775
Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code. SecuCode 2009, pp. 19–26. ACM, New York (2009). http://doi.acm.org/10.1145/1655077.1655083
Gartner: Gartner Says Managing Identities and Access Will Be Critical to the Success of the Internet of Things (2015). http://www.gartner.com/newsroom/id/2985717
Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: Proceedings of the 11th USENIX Security Symposium, pp. 61–79. USENIX Association, Berkeley (2002). http://dl.acm.org/citation.cfm?id=647253.720282
Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium. NDSS 2004 (2004)
Eclipse IoT Working Group, IEEE IoT, AGILE IoT and IoT Council: IoT Developer Survey 2017 (2017). https://ianskerrett.wordpress.com/2017/04/19/iot-developer-trends-2017-edition/
Habibi, J., Panicker, A., Gupta, A., Bertino, E.: DisARM: mitigating buffer overflow attacks on embedded devices. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds.) NSS 2015. LNCS, vol. 9408. Springer, Cham (2015). doi:10.1007/978-3-319-25645-0_8
Hewlett-Packard: Data Execution Prevention (2006). http://h10032.www1.hp.com/ctg/Manual/c00387685.pdf
Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22–26, 2016, pp. 969–986 (2016). http://doi.ieeecomputersociety.org/10.1109/SP.2016.62
Intel: Control-flow Enforcement Technology Preview (2016). https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
Koeberl, P., Schulz, S., Sadeghi, A.R., Varadharajan, V.: TrustLite: a security architecture for tiny embedded devices. In: Proceedings of the Ninth European Conference on Computer Systems. EuroSys 2014, pp. 10:1–10:14. ACM, New York (2014). http://doi.acm.org/10.1145/2592798.2592824
Kornau, T.: Return Oriented Programming for the ARM Architecture. Master’s thesis, Ruhr-University Bochum (2009). http://static.googleusercontent.com/media/www.zynamics.com/en//downloads/kornau-tim-diplomarbeit-rop.pdf
Kumar, R., Singhania, A., Castner, A., Kohler, E., Srivastava, M.: A system for coarse grained memory protection in tiny embedded processors. In: Proceedings of the 44th Annual Design Automation Conference. DAC 2007, pp. 218–223. ACM, New York (2007). http://doi.acm.org/10.1145/1278480.1278534
Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: Sok: automated software diversity. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 276–291. IEEE Computer Society, Washington, DC (2014). http://dx.doi.org/10.1109/SP.2014.25
Le, L.: ARM Exploitation ROPMap. BlackHat USA (2011)
Lian, W., Shacham, H., Savage, S.: Too LeJIT to quit: extending JIT spraying to ARM. In: Kirda, E. (ed.) Proceedings of NDSS 2015. Internet Society, February 2015
Microsoft: Enhanced Mitigation Experience Toolkit (2016). https://www.microsoft.com/emet
Nebenzahl, D., Sagiv, M., Wool, A.: Install-time vaccination of windows executables to defend against stack smashing attacks. IEEE Trans. Dependable Secur. Comput. 3(1), 78–90 (2006). http://dx.doi.org/10.1109/TDSC.2006.14
Niu, B., Tan, G.: Per-input control-flow integrity. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS 2015, pp. 914–926. ACM, New York (2015). http://doi.acm.org/10.1145/2810103.2813644
Noorman, J., Agten, P., Daniels, W., Strackx, R., Van Herrewege, A., Huygens, C., Preneel, B., Verbauwhede, I., Piessens, F.: Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: Proceedings of the 22nd USENIX Conference on Security. SEC 2013, pp. 479–494. USENIX Association, Berkeley (2013). http://dl.acm.org/citation.cfm?id=2534766.2534808
Pastrana, S., Tapiador, J., Suarez-Tangil, G., Peris-LĂ³pez, P.: AVRAND: a software-based defense against code reuse attacks for AVR embedded devices. In: Caballero, J., Zurutuza, U., RodrĂguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 58–77. Springer, Cham (2016). doi:10.1007/978-3-319-40667-1_4
Prasad, M., Chiueh, T.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the USENIX Annual Technical Conference, pp. 211–224 (2003)
Qualcomm Technologies Inc: Pointer Authentication on ARMv8.3. (2017). https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security. CCS 2007, pp. 552–561. ACM, New York (2007). http://doi.acm.org/10.1145/1315245.1315313
Designer, S.: lpr LIBC RETURN exploit (1997). http://insecure.org/sploits/linux.libc.return.lpr.sploit.html
Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy. SP 2013, pp. 48–62. IEEE Computer Society, Washington, DC (2013). http://dx.doi.org/10.1109/SP.2013.13
Weicker, R.P.: Dhrystone: a synthetic systems programming benchmark. Commun. ACM 27(10), 1013–1030 (1984). http://doi.acm.org/10.1145/358274.358283
Yiu, J.: ARMv8-M architecture technical overview (2015). https://community.arm.com/docs/DOC-10896
Acknowledgments
This work was supported by the German Science Foundation (project S2, CRC 1119 CROSSING), Tekes—the Finnish Funding Agency for Innovation (CloSer project), and the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
1 Electronic supplementary material
Below is the link to the electronic supplementary material.
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Nyman, T., Ekberg, JE., Davi, L., Asokan, N. (2017). CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-66332-6_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer ScienceComputer Science (R0)