CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

Researchers

Research units

  • Trustonic
  • University of Duisburg-Essen

Abstract

With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.

Details

Original languageEnglish
Title of host publicationResearch in Attacks, Intrusions, and Defenses
Subtitle of host publication20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings
EditorsMarc Dacier, Michael Bailey, Michalis Polychronakis, Manos Antonakakis
Publication statusPublished - 18 Sep 2017
MoE publication typeA4 Article in a conference publication
EventInternational Symposium on Research in Attacks, Intrusions, and Defenses - Georgia Tech Hotel and Conference Center, Atlanta, United States
Duration: 18 Sep 201720 Sep 2017
Conference number: 20
https://www.raid2017.org/

Publication series

Name Lecture Notes in Computer Science
PublisherSpringer
Volume10453
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

ConferenceInternational Symposium on Research in Attacks, Intrusions, and Defenses
Abbreviated titleRAID
CountryUnited States
CityAtlanta
Period18/09/201720/09/2017
Internet address

ID: 15915766