Towards a practical solution to detect code reuse attacks on ARM mobile devices

Abstract

In recent years, there is a growing need to protect security and privacy of the data against various attacks on software running on smart mobile devices. The attackers mostly attempt to acquire privileges to control system behaviors as they want. As of today, the code reuse attack (CRA) is known as one of the most sophisticated techniques that can be exploited in such attempts. The attackers launch CRAs to perform arbitrary computation by reusing and chaining existing code fragments, called gadgets. Prior solutions to CRAs are engineered either in software or hardware. However, both of them have their own weaknesses. Software solutions suffer from huge performance overhead because they occupy computing resources of the host CPU. On the other hand, existing hardware solutions all require invasive modifications to the CPU internal architecture. This is contradictory to the conventional application processor (AP) design principle which is to integrate off-the-shelf commodity CPU cores and other special-purpose hardware modules together to form a system. In this paper, we propose a more practical hardware solution which conforms to such design convention, thus being amenable for immediate deployment to modern mobile devices that use APs as their central computing engines. In our work, we target the devices that employ as their AP CPUs the ARM processors which are the de-facto standard CPUs for commercial mobile devices today. The key difference of ours from previous hardware solutions is that our CRA detection hardware modules have been integrated as off-core modules with the processor, strictly following the AP designing principle. We exploit the ARM debug interface to obtain the core internal information which is not directly accessible from off-core hardware modules. As a result, we were able to detect CRAs from outside the CPU without modifying the processor internal. For our preliminary experiment, we have implemented in our prototype a module to detect the attacks based on return-oriented programming (ROP) which is a representative technique used in CRAs. Empirical results show that our solution successfully detects ROP attacks with negligibly low runtime overhead and moderate area overhead.