Formally verified software countermeasures for control-flow integrity of smart card C code

Heydemann, Karine; Lalande, Jean-François; Berthomé, Pascal

doi:10.1016/j.cose.2019.05.004

Cited by 16 publications

(12 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, due to the fine-grained CFI imposes too much overhead on the system, it is difficult to implement. e CFI program proposes a simplified version of the solution, which is called coarse-grained CFI [12,13]. Coarse-grained CFI neither needs to obtain the CFG of the program nor needs to assign a corresponding address ID to each address where the program jumps.…”

Section: Related Workmentioning

confidence: 99%

A Detection Approach for Vulnerability Exploiter Based on the Features of the Exploiter

Chen

Ali

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

With the wide application of software system, software vulnerability has become a major risk in computer security. The on-time detection and proper repair for possible software vulnerabilities are of great importance in maintaining system security and decreasing system crashes. The Control Flow Integrity (CFI) can be used to detect the exploit by some researchers. In this paper, we propose an improved Control Flow Graph with Jump (JCFG) based on CFI and develop a novel Vulnerability Exploit Detection Method based on JCFG (JCFG-VEDM). The detection method of the exploit program is realized based on the analysis results of the exploit program. Then the JCFG is addressed through combining the features of the exploit program and the jump instruction. Finally, we implement JCFG-VEDM and conduct the experiments to verify the effectiveness of the proposed method. The experimental results show that the proposed detection method (JCFG-VEDM) is feasible and effective.

show abstract

Section: Related Workmentioning

confidence: 99%

A Detection Approach for Vulnerability Exploiter Based on the Features of the Exploiter

Chen

Ali

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…ACFC [79] reduces the performance penalty down to 47 % by decreasing the checking precision and thereby reducing the security guarantees. Similarly, other approaches [39,31] annotate the source code with counter increment and verification macros to detect control-flow deviations. However, a protection scheme requiring manual source code modifications is not practical.…”

Section: Fault Cfi Schemesmentioning

confidence: 99%

FIPAC: Thwarting Fault- and Software-Induced Control-Flow Attacks with ARM Pointer Authentication

Schilling¹,

Nasahl²,

Mangard³

2021

Preprint

View full text Add to dashboard Cite

With the improvements of computing technology, more and more applications in the Internet-of-Things, mobile devices, automotive, or industrial areas embed powerful ARM processors into their devices. These systems can be attacked by redirecting the control-flow of a program to bypass critical pieces of code such as privilege checks or signature verifications or to perform other fault attacks on applications, operating systems, or security mechanisms like secure boot. Control-flow hijacks can be performed using classical software vulnerabilities, physical fault attacks, or software-induced fault attacks, such as CLKscrew or Plundervolt. To cope with this threat and to protect the control-flow, dedicated countermeasures are needed. To counteract control-flow hijacks, control-flow integrity (CFI) aims to be a generic solution. However, software-based CFI protection schemes typically either protect against software or fault attacks, but not against both. While hardware-assisted CFI schemes can mitigate both types of attacks, they require extensive hardware modifications. As hardware changes are unrealistic for existing ARM architectures, a wide range of systems remains unprotected and vulnerable to control-flow attacks. In this work, we present FIPAC, an efficient software-based CFI scheme protecting the execution at basic block granularity of upcoming ARM-based devices against software and fault attacks. FIPAC exploits ARM pointer authentication of recent ARMv8.6-A architectures to implement a cryptographically signed control-flow graph. We cryptographically link the correct sequence of executed basic blocks to enforce control-flow integrity at this granularity at runtime. We use a custom LLVM-based toolchain to automatically instrument programs without user interaction. The evaluation on the application-grade SPEC2017 benchmark with different security policies shows a code size overhead between 54-97 % and a runtime overhead between 35-105 %. For small embedded benchmarks, we measured a runtime overhead between 61-211 %. While these overheads are significantly higher than for countermeasures against software attacks, FIPAC outperforms related work protecting the control-flow against fault attacks. FIPAC is an efficient solution to provide protection against softwareand fault-based CFI attacks on basic block level on modern ARM devices.

show abstract

“…The figure 1 shows how a conditional branching is protected by introducing two CCPs (the secswift_assert statement is equivalent to our abstract alarm command). 3) LHB [20]: this countermeasure introduces step counters to protect against C-level instruction skips. Each counter check corresponds to a CCP in our approach.…”

Section: Studied Countermeasuresmentioning

confidence: 99%

“…The countermeasure presented in section V-C3 is analyzed in [21] and [20]. The correctness of the hardened code and its robustness with respect to C-level single jump attack faults is proved by model-checking for each basic control-flow statement.…”

Section: Related Workmentioning

confidence: 99%

“…The correctness of the hardened code and its robustness with respect to C-level single jump attack faults is proved by model-checking for each basic control-flow statement. In [20], a lighter version of this countermeasure scheme is proposed to reduce its overhead (at the cost of delaying the attack detection). However, this variant remains generic, and it is not (automatically) tailored for a precise code example, which could lead to further optimizations.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Countermeasures Optimization in Multiple Fault-Injection Context

Boespflug

Ene

Mounier

et al. 2020

2020 Workshop on Fault Detection and Tolerance in Cryptography (FDTC)

View full text Add to dashboard Cite

Fault attacks consist in changing the program behavior by injecting faults at run-time, either at hardware or at software level. Their goal is to change the correct progress of the algorithm and hence, either to allow gaining some privilege access or to allow retrieving some secret information based on an analysis of the deviation of the corrupted behavior with respect to the original one. Countermeasures have been proposed to protect embedded systems by adding spatial, temporal or information redundancy at hardware or software level. First we define Countermeasures Check Point (CCP) and CCPs-based countermeasures as an important subclass of countermeasures. Then we propose a methodology to generate an optimal protection scheme for CCPs-based countermeasure. Finally we evaluate our work on a benchmark of code examples with respect to several Control Flow Integrity (CFI) oriented existing protection schemes.

show abstract

Formally verified software countermeasures for control-flow integrity of smart card C code

Cited by 16 publications

References 46 publications

A Detection Approach for Vulnerability Exploiter Based on the Features of the Exploiter

A Detection Approach for Vulnerability Exploiter Based on the Features of the Exploiter

FIPAC: Thwarting Fault- and Software-Induced Control-Flow Attacks with ARM Pointer Authentication

Countermeasures Optimization in Multiple Fault-Injection Context

Contact Info

Product

Resources

About