CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity

Jean Luc Danger; Adrien Facon; Sylvain Guilley; Karine Heydemann; Ulrich Kuhne; Abdelmalek Si Merabet; Michael Timbert

doi:10.1109/DSD.2018.00093

CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity

Jean Luc Danger, Adrien Facon, Sylvain Guilley, Karine Heydemann, Ulrich Kuhne, Abdelmalek Si Merabet, Michael Timbert

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In this paper we present a hardware based solution to verify simultaneously Code and Control-Flow Integrity (CCFI), aiming at protecting microcontrollers against both cyber-and physical attacks. This solution is non-intrusive as it does not require any modification of the CPU core. It relies on two additional hardware blocks external to the CPU: The first one - called CCFI-cache - acts as a dedicated cache for the storage of information to check the code and control-flow integrity, and the second one - CCFI-checker - performs control-flow and code integrity verification. Based on a RISC-V platform implementation, we show that the proposed scheme is able to perform online CCFI validation at the price of a small hardware area overhead and doubling the size of the. text section. In most cases, the impact on the run-time performance is on average 32 percent, offering for the first time a generic and practical hardware-enabled cyber-security solution.

Original language	English
Title of host publication	Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018
Editors	Nikos Konofaos, Martin Novotny, Amund Skavhaug
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	529-536
Number of pages	8
ISBN (Electronic)	9781538673768
DOIs	https://doi.org/10.1109/DSD.2018.00093
Publication status	Published - 12 Oct 2018
Externally published	Yes
Event	21st Euromicro Conference on Digital System Design, DSD 2018 - Prague, Czech Republic Duration: 29 Aug 2018 → 31 Aug 2018

Publication series

Name	Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018

Conference

Conference	21st Euromicro Conference on Digital System Design, DSD 2018
Country/Territory	Czech Republic
City	Prague
Period	29/08/18 → 31/08/18

Keywords

Code Integrity
Control Flow Graph
Control-Flow Integrity
Cybersecurity
Hardware Protection
Hardware security
Instruction Hashing

Access to Document

10.1109/DSD.2018.00093

Cite this

Danger, J. L., Facon, A., Guilley, S., Heydemann, K., Kuhne, U., Si Merabet, A., & Timbert, M. (2018). CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity. In N. Konofaos, M. Novotny, & A. Skavhaug (Eds.), Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018 (pp. 529-536). Article 8491864 (Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSD.2018.00093

Danger, Jean Luc ; Facon, Adrien ; Guilley, Sylvain et al. / CCFI-Cache : A transparent and flexible hardware protection for code and control-flow integrity. Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018. editor / Nikos Konofaos ; Martin Novotny ; Amund Skavhaug. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 529-536 (Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018).

@inproceedings{e1fab3a406984a58a2e7db19056f798b,

title = "CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity",

abstract = "In this paper we present a hardware based solution to verify simultaneously Code and Control-Flow Integrity (CCFI), aiming at protecting microcontrollers against both cyber-and physical attacks. This solution is non-intrusive as it does not require any modification of the CPU core. It relies on two additional hardware blocks external to the CPU: The first one - called CCFI-cache - acts as a dedicated cache for the storage of information to check the code and control-flow integrity, and the second one - CCFI-checker - performs control-flow and code integrity verification. Based on a RISC-V platform implementation, we show that the proposed scheme is able to perform online CCFI validation at the price of a small hardware area overhead and doubling the size of the. text section. In most cases, the impact on the run-time performance is on average 32 percent, offering for the first time a generic and practical hardware-enabled cyber-security solution.",

keywords = "Code Integrity, Control Flow Graph, Control-Flow Integrity, Cybersecurity, Hardware Protection, Hardware security, Instruction Hashing",

author = "Danger, \{Jean Luc\} and Adrien Facon and Sylvain Guilley and Karine Heydemann and Ulrich Kuhne and \{Si Merabet\}, Abdelmalek and Michael Timbert",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 21st Euromicro Conference on Digital System Design, DSD 2018 ; Conference date: 29-08-2018 Through 31-08-2018",

year = "2018",

month = oct,

day = "12",

doi = "10.1109/DSD.2018.00093",

language = "English",

series = "Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "529--536",

editor = "Nikos Konofaos and Martin Novotny and Amund Skavhaug",

booktitle = "Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018",

}

Danger, JL, Facon, A, Guilley, S, Heydemann, K, Kuhne, U, Si Merabet, A & Timbert, M 2018, CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity. in N Konofaos, M Novotny & A Skavhaug (eds), Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018., 8491864, Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018, Institute of Electrical and Electronics Engineers Inc., pp. 529-536, 21st Euromicro Conference on Digital System Design, DSD 2018, Prague, Czech Republic, 29/08/18. https://doi.org/10.1109/DSD.2018.00093

CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity. / Danger, Jean Luc; Facon, Adrien; Guilley, Sylvain et al.
Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018. ed. / Nikos Konofaos; Martin Novotny; Amund Skavhaug. Institute of Electrical and Electronics Engineers Inc., 2018. p. 529-536 8491864 (Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - CCFI-Cache

T2 - 21st Euromicro Conference on Digital System Design, DSD 2018

AU - Danger, Jean Luc

AU - Facon, Adrien

AU - Guilley, Sylvain

AU - Heydemann, Karine

AU - Kuhne, Ulrich

AU - Si Merabet, Abdelmalek

AU - Timbert, Michael

PY - 2018/10/12

Y1 - 2018/10/12

N2 - In this paper we present a hardware based solution to verify simultaneously Code and Control-Flow Integrity (CCFI), aiming at protecting microcontrollers against both cyber-and physical attacks. This solution is non-intrusive as it does not require any modification of the CPU core. It relies on two additional hardware blocks external to the CPU: The first one - called CCFI-cache - acts as a dedicated cache for the storage of information to check the code and control-flow integrity, and the second one - CCFI-checker - performs control-flow and code integrity verification. Based on a RISC-V platform implementation, we show that the proposed scheme is able to perform online CCFI validation at the price of a small hardware area overhead and doubling the size of the. text section. In most cases, the impact on the run-time performance is on average 32 percent, offering for the first time a generic and practical hardware-enabled cyber-security solution.

AB - In this paper we present a hardware based solution to verify simultaneously Code and Control-Flow Integrity (CCFI), aiming at protecting microcontrollers against both cyber-and physical attacks. This solution is non-intrusive as it does not require any modification of the CPU core. It relies on two additional hardware blocks external to the CPU: The first one - called CCFI-cache - acts as a dedicated cache for the storage of information to check the code and control-flow integrity, and the second one - CCFI-checker - performs control-flow and code integrity verification. Based on a RISC-V platform implementation, we show that the proposed scheme is able to perform online CCFI validation at the price of a small hardware area overhead and doubling the size of the. text section. In most cases, the impact on the run-time performance is on average 32 percent, offering for the first time a generic and practical hardware-enabled cyber-security solution.

KW - Code Integrity

KW - Control Flow Graph

KW - Control-Flow Integrity

KW - Cybersecurity

KW - Hardware Protection

KW - Hardware security

KW - Instruction Hashing

U2 - 10.1109/DSD.2018.00093

DO - 10.1109/DSD.2018.00093

M3 - Conference contribution

AN - SCOPUS:85056461281

T3 - Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018

SP - 529

EP - 536

BT - Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018

A2 - Konofaos, Nikos

A2 - Novotny, Martin

A2 - Skavhaug, Amund

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 29 August 2018 through 31 August 2018

ER -

Danger JL, Facon A, Guilley S, Heydemann K, Kuhne U, Si Merabet A et al. CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity. In Konofaos N, Novotny M, Skavhaug A, editors, Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018. Institute of Electrical and Electronics Engineers Inc. 2018. p. 529-536. 8491864. (Proceedings - 21st Euromicro Conference on Digital System Design, DSD 2018). doi: 10.1109/DSD.2018.00093

CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this