CFI CaRE: Hardware-supported Call and Return Enforcement for Commercial Microcontrollers

Thomas Nyman, Jan-Erik Ekberg, Lucas Davi, N. Asokan
With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. [...] CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate…
uTango: an open-source TEE for the Internet of Things
UTANGO proposes a novel architecture aiming at tackling the major architectural deficiencies currently affecting TrustZone(-M)-assisted TEEs, and leverages the very same TrustZone hardware primitives used by dual-world implementations to create multiple, equally-secure execution environments within the normal world.
A TOCTOU Attack on DICE Attestation
It is demonstrated that it is possible to install persistent malware in the flash memory of a constrained microcontroller that cannot be detected through DICE-based attestation, and a discussion of several possible countermeasures which can mitigate the shortcomings of the DICE specifications is provided.
On Runtime Software Security of TrustZone-M Based IoT Devices
This paper presents the first security analysis of potential software security issues in TrustZone-M enabled MCUs, and explores the stack-based buffer overflow (BOF) attack for code injection, return-oriented programming (ROP) attack, heap-based BOF attack, format string attack, and attacks against Non-secure Callable (NSC) functions in the context of TrustZone-M.
Exploiting Memory Corruption Vulnerabilities in Connman for IoT Devices
This paper presents an approach for exploiting stack-based buffer-overflow vulnerabilities in IoT firmware to hijack the device remotely, and demonstrates the ease with which an adversary can control IoT devices.
SAFES: Sand-boxed Architecture for Frequent Environment Self-measurement
This work proposes a monitoring architecture for untrusted software at the I/O event granularity for TrustZone-enabled devices, which makes it possible to measure the integrity of the code immediately before its execution is triggered by any input.
µRAI: Securing Embedded Systems with Return Address Integrity
μRAI is presented, a compiler-based mitigation to prevent control-flow hijacking attacks targeting backward edges by enforcing the Return Address Integrity (RAI) property on MCUs, and evaluation shows that μRAI enforces its protection with negligible overhead.
BenchIoT: A Security Benchmark for the Internet of Things
BenchIoT is introduced, a benchmark suite and evaluation framework to address pressing challenges and limitations in evaluating IoT-μCs security, and is demonstrated by evaluating three defense mechanisms.
PAC it up: Towards Pointer Integrity using ARM Pointer Authentication
PARTS, an instrumentation framework that integrates PA-based defenses into the LLVM compiler and the GNU/Linux operating system, is presented, and it is shown that PARTS provides better protection than current solutions at a reasonable performance overhead.
Towards Hardware-Assisted Security for IoT Systems
Yier Jin, Computer Science, 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2019
A survey of prominent hardware-assisted security defenses is provided; it enumerates the attacks these defenses aim to protect against, as well as their effectiveness, and discusses the implications for both performance and system design.


Secure interrupts on low-end microcontrollers
This work focuses on the problem of secure interrupt handling, which has not been covered in related work, and proposes three methods of securely handling interrupts, each exploring a different tradeoff between hardware and software complexity, and interrupt latency.
MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones
A novel framework, MoCFI (Mobile CFI), that provides a general countermeasure against control-flow attacks on smartphone platforms by enforcing CFI, and shows that CFI on typical smartphone platforms powered by an ARM processor is technically involved due to architectural differences between ARM and Intel x86, as well as the specifics of smartphone OSes.
DisARM: Mitigating Buffer Overflow Attacks on Embedded Devices
A novel defense technique, DisARM, is proposed that protects against both code-injection and code-reuse based buffer overflow attacks by removing an attacker's ability to manipulate the return address of a function.
SMART: Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust
SMART, a new primitive based on hardware-software co-design, is a simple, efficient and secure approach for establishing a dynamic root of trust in a remote embedded device; it focuses on low-end microcontroller units (MCUs) that lack specialized memory management or protection features.
TrustLite: a security architecture for tiny embedded devices
This work describes mechanisms for secure exception handling and communication between protected modules, enabling seamless interoperability with untrusted operating systems and tasks, and presents the TrustLite security architecture for flexible, hardware-enforced isolation of software modules.
Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base
Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees, and can remotely attest to a software provider that a specific software module is running uncompromised.
Defending embedded systems against control flow attacks
This paper presents a control flow enforcement technique based on an Instruction Based Memory Access Control (IBMAC) implemented in hardware. It is specifically designed to protect low-cost embedded
Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage
It is demonstrated that an attacker can induce the AVC Advantage to misbehave in arbitrary ways, including changing the outcome of an election, by means of a memory cartridge containing a specially-formatted payload.
Control-Flow Integrity for Real-Time Embedded Systems
This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems, and provides techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection.
SoK: Eternal War in Memory
The current knowledge about various protection techniques is systematized by setting up a general model for memory corruption attacks and showing which policies can stop which attacks, in order to analyze the reasons why protection mechanisms implementing stricter policies are not deployed.