Abstract

In recent decades, there has been an increasing number of studies on control flow integrity (CFI), particularly those implementing hardware-assisted CFI solutions that utilize a special instruction set extension. More recently, ARM and Intel, which are prominent processor architectures, also announced instruction set extensions for CFI called branch target identification (BTI) and control-flow enhancement technology (CET), respectively. However, according to our preliminary analysis, they do not support various CFI solutions in an efficient and scalable manner. In this study, we propose Bratter, a new instruction set extension for forward CFI solutions on RISC-V. At the center of Bratter, there are Branch Tag Registers and dedicated instructions for these registers. We implemented well-known CFI solutions (i.e., branch regulation and function signature check) using Bratter to evaluate its performance. Our experimental results show that, by using Bratter, even when these two solutions work together, they impose only 1.20% and 5.99% overhead for code size and execution time, respectively.

Highlights

  • In recent decades, control-flow integrity (CFI) has been considered an effective way to prevent a number of control hijacking attacks such as return-oriented programming (ROP) and jump-oriented programming (JOP) attacks.

  • We present Bratter, an instruction set extension for supporting forward CFI solutions in RISC-V.

  • Note that in a direct control transfer instruction (CTI), the target address is obtained from the offset (±4 KiB range) embedded in the instruction encoding, whereas in the case of an indirect CTI, the target address is loaded from the general purpose register specified in the instruction encoding.


Summary

Introduction

Control-flow integrity (CFI) has been considered an effective way to prevent a number of control hijacking attacks such as return-oriented programming (ROP) and jump-oriented programming (JOP) attacks. To check whether the target address of an indirect call is valid, some studies have utilized a control flow graph (CFG) [2], whereas others make use of the function type [3]. To implement such policies, some researchers have proposed a software-based approach in which additional instructions are inserted at every control transfer instruction (CTI) to prevent control hijacking attacks that exploit the instruction. The added instructions incur considerable performance overhead. To relieve such overhead, several commodity processor architectures introduced instruction set extensions for CFI, such as ARM branch target identification (ARM BTI) [4] and Intel CET [5]. CFI solutions can be divided into forward-edge and backward-edge CFIs according to what they aim to protect.
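As an added illustration (not the paper's code, and not the semantics of Bratter's own instructions), the Python below decodes the two RISC-V CTI forms the text contrasts, showing that a direct branch's target is fixed at decode time within the ±4 KiB offset range while a JALR target comes from a register, and then applies a toy function-signature check of the kind a software-based forward-edge CFI would insert before the indirect CTI. The function addresses and signature tags are constructed for the example.

```python
# Added example: RISC-V CTI target resolution plus a toy forward-edge check.
# Addresses and signature tags below are constructed, not from the paper.

def _sext(value: int, bits: int) -> int:
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def b_imm(insn: int) -> int:
    """B-type (BEQ/BNE/...): 13-bit offset, multiples of 2, i.e. +-4 KiB."""
    imm = (((insn >> 31) & 1) << 12) | (((insn >> 7) & 1) << 11) \
        | (((insn >> 25) & 0x3F) << 5) | (((insn >> 8) & 0xF) << 1)
    return _sext(imm, 13)

def i_imm(insn: int) -> int:
    """I-type (JALR): 12-bit signed immediate added to rs1."""
    return _sext(insn >> 20, 12)

def resolve_target(pc: int, insn: int, regs: dict) -> tuple:
    """Return (kind, target). A direct CTI never reads a register;
    an indirect CTI's target is whatever rs1 holds at run time."""
    opcode = insn & 0x7F
    if opcode == 0x63:                        # conditional branch (direct)
        return "direct", pc + b_imm(insn)
    if opcode == 0x67:                        # JALR (indirect)
        rs1 = (insn >> 15) & 0x1F
        return "indirect", (regs[rs1] + i_imm(insn)) & ~1
    raise ValueError("not a supported CTI")

# Constructed label table: each function entry carries a signature tag.
FUNC_TAGS = {0x1000: "int(int)", 0x2000: "void(char*)"}

def checked_indirect_call(pc: int, insn: int, regs: dict,
                          expected_tag: str) -> bool:
    """Software-style check placed before an indirect CTI: the target must be
    a function entry whose signature tag matches the call site's tag."""
    kind, target = resolve_target(pc, insn, regs)
    if kind != "indirect":
        raise ValueError("check only applies to indirect CTIs")
    return FUNC_TAGS.get(target) == expected_tag
```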
