R5Detect: Detecting Control-Flow Attacks from Standard RISC-V Enclaves
Davide Bove, Lukas Panzer

TL;DR
R5Detect is a software solution for low-power RISC-V devices that detects and prevents control-flow attacks using shadow stacks and hardware performance counters, achieving low overhead and enhancing security.
Contribution
It introduces R5Detect, a novel security monitoring system combining shadow stacks and heuristics for control-flow attack detection on unmodified RISC-V architectures.
Findings
Effective control-flow attack detection on RISC-V devices
Low performance overhead of below 5%
Successful implementation on standard low-power hardware
Abstract
Embedded and Internet-of-Things (IoT) devices are ubiquitous today, and the uprising of several botnets based on them (e.g., Mirai, Ripple20) raises issues about the security of such devices. Especially low-power devices often lack support for modern system security measures, such as stack integrity, Non-eXecutable bits or strong cryptography. In this work, we present R5Detect, a security monitoring software that detects and prevents control-flow attacks on unmodified RISC-V standard architectures. With a novel combination of different protection techniques, it can run on embedded and low-power IoT devices, which may lack proper security features. R5Detect implements a memory-protected shadow stack to prevent runtime modifications, as well as a heuristics detection based on Hardware Performance Counters to detect control-flow integrity violations. Our results indicate that regular…
Taxonomy
Topics: Smart Grid Security and Resilience · Security and Verification in Computing · Advanced Malware Detection Techniques
