DeTRAP: RISC-V Return Address Protection With Debug Triggers
Isaac Richter (University of Rochester), Jie Zhou (George Washington University), John Criswell (University of Rochester)

TL;DR
DeTRAP is a lightweight RISC-V-based return address protection mechanism that uses debug hardware to create a shadow stack, offering low overheads without needing memory protection hardware.
Contribution
DeTRAP introduces a novel method for return address protection using RISC-V debug hardware, requiring minimal compiler modifications and no additional memory protection hardware.
Findings
Overheads between 0.5% and 1.9% in execution time
Code size overheads average 7.9% or less
Effective protection without hardware modifications
Abstract
Modern microcontroller software is often written in C/C++ and suffers from control-flow hijacking vulnerabilities. Previous mitigations suffer from high performance and memory overheads and require either the presence of memory protection hardware or sophisticated program analysis in the compiler. This paper presents DeTRAP (Debug Trigger Return Address Protection). DeTRAP utilizes a full implementation of the RISC-V debug hardware specification to provide a write-protected shadow stack for return addresses. Unlike previous work, DeTRAP requires no memory protection hardware and only minor changes to the compiler toolchain. We tested DeTRAP on an FPGA running a 32-bit RISC-V microcontroller core and found average execution time overheads to be between 0.5% and 1.9% on evaluated benchmark suites with code size overheads averaging 7.9% or less.
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Security and Verification in Computing · Cryptographic Implementations and Security
