Abstract

Code Pointer Integrity (CPI) is an efficient control-flow protection technique that focuses on sensitive code pointers and comes with a formal proof of security, but it relies on software lookup tables or Memory Management Unit (MMU)-based address translation and instruction-level memory isolation, which are impractical for resource-constrained embedded processors. This paper enables Architecture-assisted Run-time CPI on Embedded Processors (ARCE) with 2-level metadata to balance security, performance and resource overhead. The first-level 2-bit property metadata colors data into different domains, and the second-level boundary metadata holds structure constraints for indirect code pointers only. With memory and instruction extensions, metadata shares the address space with program data and is propagated at runtime to maintain a precise set of sensitive code pointers. It lazily validates the content and boundary of sensitive pointers at the dereference stage to eliminate false alarms. We implemented ARCE based on the shallow 3-stage pipeline processor Z-scale and validated its security effectiveness with the code pointer attack vectors in RIPE. It introduces less than 1 percent performance overhead for benchmarks in C, with 7.33 percent logic and 6.25 percent memory overhead. ARCE eliminates address space waste and the dependency on advanced hardware, which makes CPI practical even for systems running bare-metal applications.
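As an added illustration, and not code from the paper or the ARCE hardware, the following constructed C model shows the two metadata levels the abstract describes: a 2-bit property tag that colors each word, a boundary record kept only for indirect pointers, plain stores that recolor words rather than trap, and validation deferred to the dereference. The word layout, the code region `[CODE_LO, CODE_HI)` and the function names are all assumptions for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of 2-level metadata (not ARCE's RTL): level 1 is a 2-bit
 * property tag per word; level 2 is a bounds record kept only for indirect
 * pointers, i.e. pointers to objects that hold code pointers. */
#define WORDS 16
#define CODE_LO 0x1000u   /* assumed code region, constructed */
#define CODE_HI 0x2000u
enum { P_DATA = 0, P_CODEPTR = 1, P_INDIRECT = 2 };   /* 2-bit domains */
typedef struct { uint32_t lo, hi; } bounds_t;
static uint32_t mem[WORDS];    /* data and metadata share one address space */
static uint8_t  prop[WORDS];   /* level-1 property tag per word */
static bounds_t bnd[WORDS];    /* level-2 boundary metadata, indirect ptrs only */

/* Plain store: an ordinary data write recolors the word P_DATA. Nothing is
 * blocked here; a violation surfaces lazily at dereference time. */
void st_plain(uint32_t a, uint32_t v) { mem[a] = v; prop[a] = P_DATA; }
/* Tagged stores emitted for code-pointer and indirect-pointer assignments. */
void st_codeptr(uint32_t a, uint32_t v) { mem[a] = v; prop[a] = P_CODEPTR; }
void st_indirect(uint32_t a, uint32_t v, uint32_t lo, uint32_t hi) {
    mem[a] = v; prop[a] = P_INDIRECT; bnd[a].lo = lo; bnd[a].hi = hi;
}

/* Lazy validation: the word must still be colored as a code pointer and its
 * content must lie in the code region. Returns 1 = call allowed, 0 = violation. */
int deref_codeptr(uint32_t a) {
    return prop[a] == P_CODEPTR && mem[a] >= CODE_LO && mem[a] < CODE_HI;
}
/* Indirect dereference: pointer tag, then target against boundary metadata,
 * then the target word as a code pointer. */
int deref_indirect(uint32_t p) {
    if (prop[p] != P_INDIRECT) return 0;
    uint32_t t = mem[p];
    if (t < bnd[p].lo || t >= bnd[p].hi) return 0;
    return deref_codeptr(t);
}

/* Constructed layout: buffer at words 0..3, handler object at words 4..5 (word 4
 * = its function pointer), indirect pointer at word 8. n > 4 overflows. */
int run_scenario(int n) {
    memset(mem, 0, sizeof mem); memset(prop, 0, sizeof prop);
    st_codeptr(4, 0x1400u);          /* handler.fn = address inside code */
    st_indirect(8, 4, 4, 6);         /* hp = &handler with bounds [4, 6) */
    for (int i = 0; i < n; i++) st_plain((uint32_t)i, 0x41414141u);
    return deref_indirect(8);
}
int main(void) {
    printf("in-bounds: %d  overflow: %d\n", run_scenario(4), run_scenario(5));
}
```

A write that stays inside the buffer raises no alarm, while the same write extended by one word recolors the function pointer as plain data and fails validation at the dereference even though the address it holds was never checked earlier; a plain store of a correct-looking code address is caught by the property tag alone, and a tagged indirect pointer steered outside its object is caught by the boundary record.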
