RAGuard: A hardware based mechanism for backward-edge control-flow integrity
Paper in proceedings, 2017

Control-flow integrity (CFI) is considered as a general and promising method to prevent code-reuse attacks, which utilize benign code sequences to realize arbitrary computation. Cur rent approaches can efficiently protect Control-flow transfers caused by indirect jumps and function calls (forward-edge CFI). However, they cannot effectively protect Control-flow caused by the function return (backward-edge CFI). The reason is that the set of return addresses of the functions that are frequently called can be very large, which might bend the backward-edge CFI. We address this backward-edge CFI problem by proposing a novel hardware-assisted mechanism (RAGuard) that binds a message authentication code to each return address and enhances security via a physical unclonable function and a hardware hash function. The message authentication codes can be stored on the program stack with return address. RAGuard hardware automatically verifies the integrity of return addresses. Our experiments show that for a subset of the SPEC CPU2006 benchmarks, RAGuard incurs 1.86% runtime overheads on average with no need for OS support.

Backward-edge control-flow integrity

Return oriented programming

Return address

Hardware hash function

Physical unclonable function

Message authentication code

Author

J. Zhang

Chinese Academy of Sciences

Rui Hou

Chinese Academy of Sciences

J. Fan

Open Security Research

K. Liu

Chinese Academy of Sciences

L. Zhang

Chinese Academy of Sciences

Sally A McKee

Chalmers, Computer Science and Engineering (Chalmers), Computer Engineering (Chalmers)

14th ACM International Conference on Computing Frontiers, CF 2017, Siena, Italy, 15-17 May 2017

27-34

Subject Categories

Computer Engineering

DOI

10.1145/3075564.3075570

ISBN

978-1-4503-4487-6