A CFI Verification System based on the RISC-V Instruction Trace Encoder

Abstract: Control-Flow Integrity (CFI) is used to check a program execution flow and detect whether it is correctly executed and not altered by software or physical attacks. This paper presents a CFI verification system for programs executed on RISC-V cores. Our solution is based on the RISC-V instruction Trace Encoder (TE). The TE provides information about the execution path of the user program. Two approaches are proposed. One is consistent with the RISC-V TE standard. It permits to detect instruction skip attacks o… Show more

“…Instruction trace detection allows for the analysis of instruction execution details during processor execution, independent of source code. By utilizing built-in instruction trace modules such as PTM [37] in ARM processors, PT [47] in Intel processors, and TE [48] in RISCV processors known for their open-source nature, this approach eliminates additional execution overhead and resource consumption associated with code instrumentation. It enables the recording of contextual program execution details and facilitates stateful program verification, thereby enhancing CFI security.…”

“…Subsequently, researchers analyze the decompressed data to gain insights into the program's control flow during execution, a crucial process for CFI validation. TE [48] is an open-source RISC-V processor instruction tracking compression module that compresses executed instructions into data packets. These packets are analyzed by researchers to obtain the program's control flow during execution, providing insights into its behavior.…”

“…Hardware auxiliary modules such as instruction tracking modules PTM [37], PT [47], TE [48], and co-processors are the key to implementing CFI based on instruction tracing detection. They obtain the current program transfer path by analyzing the processor instruction execution information and detecting whether the current path complies with CFG.…”

“…Certain endeavors were established based on Intel's processor trace [47], [87], [88] while others implemented CFI through utilization of processor debug tools [89], [90]. Furthermore, there has been significant interest in implementing CFI using processor auxiliary modules, as demonstrated by examples such as the CFI scheme relying on processor counters [84] and its implementation on the open-source RISC-V processor [48]. FastCFI [37] ingeniously employed FPGA resources to design a dedicated hardware detection circuit for CFI, effectively analyzing and verifying control flow-related instructions dispatched by the instruction execution information tracking module PTM [37] of ARM processors.…”

“…In the context of FastCFI [37], PTM establishes data communication with the FPGA-based CFI detection module through the Trace Port Interface Unit (TPIU) interface. While relying on CFG, this approach diverges from Anthony et al's [48] methodology which involved storing indexable and searchable metadata in RAM after CFG processing. The designer of Fast-CFI [37] developed an automated tool capable of extracting the CFG from the binary file of the target program, which serves as input for generating a Verilog HDL file.…”

Hardware-Based Software Control Flow Integrity: Review on the State-of-the-Art Implementation Technology

“…Instruction trace detection allows for the analysis of instruction execution details during processor execution, independent of source code. By utilizing built-in instruction trace modules such as PTM [37] in ARM processors, PT [47] in Intel processors, and TE [48] in RISCV processors known for their open-source nature, this approach eliminates additional execution overhead and resource consumption associated with code instrumentation. It enables the recording of contextual program execution details and facilitates stateful program verification, thereby enhancing CFI security.…”

“…Subsequently, researchers analyze the decompressed data to gain insights into the program's control flow during execution, a crucial process for CFI validation. TE [48] is an open-source RISC-V processor instruction tracking compression module that compresses executed instructions into data packets. These packets are analyzed by researchers to obtain the program's control flow during execution, providing insights into its behavior.…”

“…Hardware auxiliary modules such as instruction tracking modules PTM [37], PT [47], TE [48], and co-processors are the key to implementing CFI based on instruction tracing detection. They obtain the current program transfer path by analyzing the processor instruction execution information and detecting whether the current path complies with CFG.…”

“…Certain endeavors were established based on Intel's processor trace [47], [87], [88] while others implemented CFI through utilization of processor debug tools [89], [90]. Furthermore, there has been significant interest in implementing CFI using processor auxiliary modules, as demonstrated by examples such as the CFI scheme relying on processor counters [84] and its implementation on the open-source RISC-V processor [48]. FastCFI [37] ingeniously employed FPGA resources to design a dedicated hardware detection circuit for CFI, effectively analyzing and verifying control flow-related instructions dispatched by the instruction execution information tracking module PTM [37] of ARM processors.…”

“…In the context of FastCFI [37], PTM establishes data communication with the FPGA-based CFI detection module through the Trace Port Interface Unit (TPIU) interface. While relying on CFG, this approach diverges from Anthony et al's [48] methodology which involved storing indexable and searchable metadata in RAM after CFG processing. The designer of Fast-CFI [37] developed an automated tool capable of extracting the CFG from the binary file of the target program, which serves as input for generating a Verilog HDL file.…”

Hardware-Based Software Control Flow Integrity: Review on the State-of-the-Art Implementation Technology

A CCFI Verification Scheme Based on the RISC-V Trace Encoder

Experimental EMFI detection on a RISC-V core using the Trace Verifier solution