CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers

  • Thomas NymanEmail author
  • Jan-Erik Ekberg
  • Lucas Davi
  • N. Asokan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)


With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.


Control Flow Integrity (CFI) Monitor Branch Shadow Stack Code-reuse Attacks Indirect Branch 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by the German Science Foundation (project S2, CRC 1119 CROSSING), Tekes—the Finnish Funding Agency for Innovation (CloSer project), and the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).

Supplementary material

440190_1_En_12_MOESM1_ESM.txt (1 kb)
Supplementary material 1 (txt 1 KB)


  1. 1.
    ARM compiler version 6.4 software development guide. (2015)
  2. 2.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 4:1–4:40 (2009). CrossRefGoogle Scholar
  3. 3.
    ARM Ltd.: Procedure Call Standard for the ARM Architecture (2009).
  4. 4.
    ARM Ltd.: ARMv8-M Architecture Reference Manual.(2016).
  5. 5.
    Brown, N.: Control-flow Integrity for Real-time Embedded Systems. Master’s thesis, Worcester Polytechnic Institute, Worcester, MA, USA (2017)Google Scholar
  6. 6.
    Buchanan, E., Roemer, R., Shacham, H., Savage, S.: When good instructions go bad: generalizing return-oriented programming to risc. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 27–38. ACM, New York (2008).
  7. 7.
    Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: Proceedings of the 24th USENIX Conference on Security Symposium. SEC 2015, pp. 161–176. USENIX Association, Berkeley (2015).
  8. 8.
    Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: Proceedings of the 17th ACM Conference on Computer and Communications Security. CCS 2010, pp. 559–572. ACM, New York (2010).
  9. 9.
    Checkoway, S., Feldman, A.J., Kantor, B., Halderman, J.A., Felten, E.W., Shacham, H.: Can dres provide long-lasting security? the case of return-oriented programming and the AVC advantage. In: Proceedings of the 2009 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections. EVT/WOTE 2009, p. 6. USENIX Association, Berkeley (2009).
  10. 10.
    Chiueh, T.C., Hsu, F.H.: Rad: a compile-time solution to buffer overflow attacks. In: 21st International Conference on Distributed Computing Systems, pp. 409–417, April 2001Google Scholar
  11. 11.
    de Clercq, R., Keulenaer, R.D., Coppens, B., Yang, B., Maene, P., d. Bosschere, K., Preneel, B., De Sutter, B., Verbauwhede, I.: Sofia: software and control flow integrity architecture. In: 2016 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 1172–1177, March 2016Google Scholar
  12. 12.
    de Clercq, R., Piessens, F., Schellekens, D., Verbauwhede, I.: Secure interrupts on low-end microcontrollers. In: 2014 IEEE 25th International Conference on Application-Specific Systems, Architectures and Processors, pp. 147–152, June 2014Google Scholar
  13. 13.
    Cohen, F.B.: Operating system protection through program evolution. Comput. Secur. 12(6), 565–584 (1993).–9 CrossRefGoogle Scholar
  14. 14.
    Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ASIA CCS 2015, pp. 555–566. ACM, New York (2015).
  15. 15.
    Davi, L., Dmitrienko, A., Egele, M., Fischer, T., Holz, T., Hund, R., Nürnberger, S., Sadeghi, A.R.: MoCFI: a framework to mitigate control-flow attacks on smartphones. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA (2012).
  16. 16.
    Davi, L., Hanreich, M., Paul, D., Sadeghi, A.R., Koeberl, P., Sullivan, D., Arias, O., Jin, Y.: Hafix: hardware-assisted flow integrity extension. In: Proceedings of the 52Nd Annual Design Automation Conference. DAC 2015, pp. 74:1–74:6. ACM, New York (2015).
  17. 17.
    Davi, L., Sadeghi, A.R., Winandy, M.: Ropdefender: a detection tool to defend against return-oriented programming attacks. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. ASIACCS 2011, pp. 40–51. ACM, New York (2011).
  18. 18.
    Eldefrawy, K., Francillon, A., Perito, D., Tsudik, G.: SMART: secure and minimal architecture for (Establishing a Dynamic) root of trust. In: 19th Annual Network and Distributed System Security Symposium. NDSS 2012, February 5–8, San Diego, USA, February 2012.
  19. 19.
  20. 20.
    Erlingsson, U., Abadi, M., Vrable, M., Budiu, M., Necula, G.C.: Xfi: software guards for system address spaces. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation. OSDI 2006, pp. 75–88. USENIX Association, Berkeley (2006).
  21. 21.
    Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Proceedings of the 15th ACM Conference on Computer and Communications Security. CCS 2008, pp. 15–26. ACM, New York (2008).
  22. 22.
    Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code. SecuCode 2009, pp. 19–26. ACM, New York (2009).
  23. 23.
    Gartner: Gartner Says Managing Identities and Access Will Be Critical to the Success of the Internet of Things (2015).
  24. 24.
    Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: Proceedings of the 11th USENIX Security Symposium, pp. 61–79. USENIX Association, Berkeley (2002).
  25. 25.
    Giffin, J.T., Jha, S., Miller, B.P.: Efficient context-sensitive intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium. NDSS 2004 (2004)Google Scholar
  26. 26.
    Eclipse IoT Working Group, IEEE IoT, AGILE IoT and IoT Council: IoT Developer Survey 2017 (2017).
  27. 27.
    Habibi, J., Panicker, A., Gupta, A., Bertino, E.: DisARM: mitigating buffer overflow attacks on embedded devices. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds.) NSS 2015. LNCS, vol. 9408. Springer, Cham (2015). doi: 10.1007/978-3-319-25645-0_8 CrossRefGoogle Scholar
  28. 28.
    Hewlett-Packard: Data Execution Prevention (2006).
  29. 29.
    Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22–26, 2016, pp. 969–986 (2016).
  30. 30.
  31. 31.
    Koeberl, P., Schulz, S., Sadeghi, A.R., Varadharajan, V.: TrustLite: a security architecture for tiny embedded devices. In: Proceedings of the Ninth European Conference on Computer Systems. EuroSys 2014, pp. 10:1–10:14. ACM, New York (2014).
  32. 32.
    Kornau, T.: Return Oriented Programming for the ARM Architecture. Master’s thesis, Ruhr-University Bochum (2009).
  33. 33.
    Kumar, R., Singhania, A., Castner, A., Kohler, E., Srivastava, M.: A system for coarse grained memory protection in tiny embedded processors. In: Proceedings of the 44th Annual Design Automation Conference. DAC 2007, pp. 218–223. ACM, New York (2007).
  34. 34.
    Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: Sok: automated software diversity. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, pp. 276–291. IEEE Computer Society, Washington, DC (2014).
  35. 35.
    Le, L.: ARM Exploitation ROPMap. BlackHat USA (2011)Google Scholar
  36. 36.
    Lian, W., Shacham, H., Savage, S.: Too LeJIT to quit: extending JIT spraying to ARM. In: Kirda, E. (ed.) Proceedings of NDSS 2015. Internet Society, February 2015Google Scholar
  37. 37.
    Microsoft: Enhanced Mitigation Experience Toolkit (2016).
  38. 38.
    Nebenzahl, D., Sagiv, M., Wool, A.: Install-time vaccination of windows executables to defend against stack smashing attacks. IEEE Trans. Dependable Secur. Comput. 3(1), 78–90 (2006). CrossRefGoogle Scholar
  39. 39.
    Niu, B., Tan, G.: Per-input control-flow integrity. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS 2015, pp. 914–926. ACM, New York (2015).
  40. 40.
    Noorman, J., Agten, P., Daniels, W., Strackx, R., Van Herrewege, A., Huygens, C., Preneel, B., Verbauwhede, I., Piessens, F.: Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. In: Proceedings of the 22nd USENIX Conference on Security. SEC 2013, pp. 479–494. USENIX Association, Berkeley (2013).
  41. 41.
    Pastrana, S., Tapiador, J., Suarez-Tangil, G., Peris-López, P.: AVRAND: a software-based defense against code reuse attacks for AVR embedded devices. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 58–77. Springer, Cham (2016). doi: 10.1007/978-3-319-40667-1_4 Google Scholar
  42. 42.
    Prasad, M., Chiueh, T.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the USENIX Annual Technical Conference, pp. 211–224 (2003)Google Scholar
  43. 43.
    Qualcomm Technologies Inc: Pointer Authentication on ARMv8.3. (2017).
  44. 44.
    Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security. CCS 2007, pp. 552–561. ACM, New York (2007).
  45. 45.
    Designer, S.: lpr LIBC RETURN exploit (1997).
  46. 46.
    Szekeres, L., Payer, M., Wei, T., Song, D.: Sok: eternal war in memory. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy. SP 2013, pp. 48–62. IEEE Computer Society, Washington, DC (2013).
  47. 47.
    Weicker, R.P.: Dhrystone: a synthetic systems programming benchmark. Commun. ACM 27(10), 1013–1030 (1984). CrossRefGoogle Scholar
  48. 48.
    Yiu, J.: ARMv8-M architecture technical overview (2015).

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Thomas Nyman
    • 1
    • 2
    Email author
  • Jan-Erik Ekberg
    • 2
  • Lucas Davi
    • 3
  • N. Asokan
    • 1
  1. 1.Aalto UniversityEspooFinland
  2. 2.TrustonicHelsinkiFinland
  3. 3.University of Duisburg-EssenDuisburgGermany

Personalised recommendations