Sponge-Based Control-Flow Protection for IoT Devices

TL;DR

This paper introduces Sponge-based Control Flow Protection (SCFP), a hardware-assisted scheme that encrypts and authenticates software on IoT devices to prevent code-reuse, injection, and fault attacks with minimal overhead.

Contribution

It presents a novel sponge-based control flow protection scheme with hardware support, ensuring security and integrity of IoT device software at instruction level.

Findings

SCFP encrypts and authenticates software at compile time.

Hardware extension decrypts and authenticates instructions during execution.

Overhead is approximately 20% in size and 9% in execution time.

Abstract

Embedded devices in the Internet of Things (IoT) face a wide variety of security challenges. For example, software attackers perform code injection and code-reuse attacks on their remote interfaces, and physical access to IoT devices allows to tamper with code in memory, steal confidential Intellectual Property (IP), or mount fault attacks to manipulate a CPU's control flow. In this work, we present Sponge-based Control Flow Protection (SCFP). SCFP is a stateful, sponge-based scheme to ensure the confidentiality of software IP and its authentic execution on IoT devices. At compile time, SCFP encrypts and authenticates software with instruction-level granularity. During execution, an SCFP hardware extension between the CPU's fetch and decode stage continuously decrypts and authenticates instructions. Sponge-based authenticated encryption in SCFP yields fine-grained control-flow integrity and thus prevents code-reuse, code-injection, and fault attacks on the code and the control flow. In addition, SCFP withstands any modification of software in memory. For evaluation, we extended a RISC-V core with SCFP and fabricated a real System on Chip (SoC). The average overhead in code size and execution time of SCFP on this design is 19.8% and 9.1%, respectively, and thus meets the requirements of embedded IoT devices.