Poster: Control-Flow Integrity in Low-end Embedded Devices
Sashidhar Jakkamsetti, Youngil Kim, Andrew Searles, Gene Tsudik

TL;DR
This paper presents a low-cost architecture for enforcing control-flow integrity in resource-constrained embedded devices, enhancing run-time security against attacks like ROP with minimal hardware overhead.
Contribution
It extends a low-cost Root-of-Trust with shadow stacks and CFI monitoring, enabling dynamic security guarantees on low-end embedded devices.
Findings
CFI can be implemented on low-end devices with minimal overhead
The architecture effectively mitigates run-time attacks like ROP
Hardware costs remain low for the proposed security enhancements
Abstract
Embedded, smart, and IoT devices are increasingly popular in numerous everyday settings. Since lower-end devices have the most strict cost constraints, they tend to have few, if any, security features. This makes them attractive targets for exploits and malware. Prior research proposed various security architectures for enforcing security properties for resource-constrained devices, e.g., via Remote Attestation (RA). Such techniques can (statically) verify software integrity of a remote device and detect compromise. However, run-time (dynamic) security, e.g., via Control-Flow Integrity (CFI), is hard to achieve. This work constructs an architecture that ensures integrity of software execution against run-time attacks, such as Return-Oriented Programming (ROP). It is built atop a recently proposed CASU -- a low-cost active Root-of-Trust (RoT) that guarantees software immutability. We…
