$\mu$RAI: Securing Embedded Systems with Return Address Integrity

Abstract: Embedded systems are deployed in security critical environments and have become a prominent target for remote attacks. Microcontroller-based systems (MCUS) are particularly vulnerable due to a combination of limited resources and low level programming which leads to bugs. Since MCUS are often a part of larger systems, vulnerabilities may jeopardize not just the security of the device itself but that of other systems as well. For example, exploiting a WiFi System on Chip (SoC) allows an attacker to hijack the s… Show more

“…As each function return address has to be pushed, compared with the stack top value, and popped from the shadow stack, the runtime overhead varies drastically from one shadow stack technique implementation to another depending on how efficient this process is implemented. Depending on the count of operations (instructions), which need to be performed (1)(2)(3), some research-based shadow techniques have high performance overheads (around 10%; see Dang et al [17] for more details), making them infeasible for deployment in production software. For these reasons, researchers have looked for approaches to do these operations with a minimal number of steps (see GCC's and Clang's shadow stack implementations for more details), such that the overhead is as low as possible and no memory leaks are generated.…”

“…This is because these techniques are optimized for performance, and some of the return edges remain unprotected, due to their imprecision. Furthermore, the checks of harvested addresses are slow due to: (1) the high volume of data flowing through the CPU, (2) the need to collect and analyze this data, and (3) the relatively low speed of the continuous reads. As such, these techniques are mostly inefficient against attacks which use backward edges (see Schuster et al [46]).…”

“…In general, there are two main approaches to protect the integrity of backward edges during runtime: (1) check-based approaches including µRAI [2], PittyPat [18], CFL [7], PT-CFI [25], τ CFI [34], which check if the function ret instruction targets the legitimate return address; and (2) stack-discipline-based approaches including SafeStack [15], RAD [13], Microsoft's RFG [52], Zieris et al [55], Shadesmar [11], BinCFI [54], GCC's ShadowStack [19], and double stacks [17]. However, most shadow stack techniques rely on information hiding for security.…”

“…However, most shadow stack techniques rely on information hiding for security. Unfortunately, information hiding (disclosure) based defenses are generally vulnerable [2] to information disclosure [21,42], profiling attacks [45] and to at least four other attacks [22], which can be used independently to bypass shadow stacks.…”

“…Re-purposed registers. µRAI [2] protects backward edges also without shadow stacks in microcontroller-based systems (MCUS) by using a specific register to memorize where the legitimate return address resides. µRAI's technique relies on moving return addresses from writable memory to readable and executable memory.…”

ρFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

“…As each function return address has to be pushed, compared with the stack top value, and popped from the shadow stack, the runtime overhead varies drastically from one shadow stack technique implementation to another depending on how efficient this process is implemented. Depending on the count of operations (instructions), which need to be performed (1)(2)(3), some research-based shadow techniques have high performance overheads (around 10%; see Dang et al [17] for more details), making them infeasible for deployment in production software. For these reasons, researchers have looked for approaches to do these operations with a minimal number of steps (see GCC's and Clang's shadow stack implementations for more details), such that the overhead is as low as possible and no memory leaks are generated.…”

“…This is because these techniques are optimized for performance, and some of the return edges remain unprotected, due to their imprecision. Furthermore, the checks of harvested addresses are slow due to: (1) the high volume of data flowing through the CPU, (2) the need to collect and analyze this data, and (3) the relatively low speed of the continuous reads. As such, these techniques are mostly inefficient against attacks which use backward edges (see Schuster et al [46]).…”

“…In general, there are two main approaches to protect the integrity of backward edges during runtime: (1) check-based approaches including µRAI [2], PittyPat [18], CFL [7], PT-CFI [25], τ CFI [34], which check if the function ret instruction targets the legitimate return address; and (2) stack-discipline-based approaches including SafeStack [15], RAD [13], Microsoft's RFG [52], Zieris et al [55], Shadesmar [11], BinCFI [54], GCC's ShadowStack [19], and double stacks [17]. However, most shadow stack techniques rely on information hiding for security.…”

“…However, most shadow stack techniques rely on information hiding for security. Unfortunately, information hiding (disclosure) based defenses are generally vulnerable [2] to information disclosure [21,42], profiling attacks [45] and to at least four other attacks [22], which can be used independently to bypass shadow stacks.…”

“…Re-purposed registers. µRAI [2] protects backward edges also without shadow stacks in microcontroller-based systems (MCUS) by using a specific register to memorize where the legitimate return address resides. µRAI's technique relies on moving return addresses from writable memory to readable and executable memory.…”

ρFEM: Efficient Backward-edge Protection Using Reversed Forward-edge Mappings

Towards Transparent Control-Flow Integrity in Safety-Critical Systems

CEFI: Command Execution Flow Integrity for Embedded Devices