research-article

TrustFlow-X: A Practical Framework for Fine-grained Control-flow Integrity in Critical Systems

Published: 26 September 2020

Abstract

This article addresses the challenges of memory safety in life-critical medical devices. Over the last decade, healthcare manufacturers have embraced the Internet of Things, pushing technological innovations to increase market share. Medical devices, including the most critical ones, are increasingly connected to the Internet. Unfortunately, because critical devices often rely on memory-unsafe programming languages such as C, they are no exception to memory safety issues. Given a memory vulnerability, a skillful attacker can take over a system and achieve remote code execution. Since medical devices directly affect the safety of their users, such a security vulnerability can lead to disastrous scenarios. To address this issue, this article presents TrustFlow-X, a novel hardware/software co-designed framework that provides efficient fine-grained control-flow integrity protection against memory-based attacks. The TrustFlow-X framework is composed of an LLVM-based compiler toolchain that generates secured code. This secured code is then executed on an extended RISC-V processor that keeps track of sensitive data using a trusted memory. The obtained results show that the contribution is practical, providing a high level of trust in life-critical embedded systems.

