Performance Counters and DWT Enabled Control Flow Integrity

  • Original Research
SN Computer Science

Abstract

Control flow integrity (CFI) attacks resulting from buffer overflow and return-oriented programming are common. The problem is particularly acute for legacy systems and IoT devices. Legacy industrial control systems are not supported with periodic security patches, leaving them susceptible to attack vectors published over the system life span. IoT devices, on the other hand, are thin devices with limited resources. This rules out many of the traditional heavy-duty software countermeasures for the IoT world. In this research, we deploy hardware/software solutions to detect CFI attacks. Many IoT devices are based on Raspberry Pi boards. These boards include ARM Cortex A-53 (Pi 3) or Cortex A-73 (Pi 4) processors. These ARM Cortex processors contain hardware counters that can be programmed to count microarchitecture-level events such as branch mispredictions. Since control flow anomalies resulting from buffer overflow or return-oriented programming (ROP) modify the program execution, the microarchitecture-level event counts diverge. For instance, the number of instructions issued per cycle could differ due to different instruction-level parallelism. Hence, a vector of the most discriminating hardware counters can flag control flow anomalies. This paper focuses on embedded programs. Embedded program behavior is dominated by the main event loops and task/event handlers, which can be measured with performance counters. Lighter-weight IoT devices, based on ARM Cortex M4 or M7, include a DWT (Debug, Watch and Trace) module, but not performance counters. The DWT contains a much more limited set of counters. We show that DWT counters can also detect CFI anomalies with somewhat lower accuracy. For legacy software, we insert the performance counter instrumentation hooks by direct binary editing of ELF files. The proposed anomaly detection mechanism is evaluated on ArduPilot Team (2016), a popular autopilot software, on a Raspberry Pi 3 with PMU and DWT. A self-navigation program is evaluated on an iCreate Roomba platform with an ARM Cortex M4 processor which contains a DWT but not performance counters. We are able to achieve 97–99%+ accuracy with 1–10 μs time overhead per control flow anomaly check.
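The counter-vector check the abstract describes, sketched for the Cortex-M DWT case as an added example that is not the authors' code. The min/max envelope model, the type and function names, the slack parameter and the sample numbers are assumptions for illustration; the paper's own classifier is not described on this page.

```c
#include <stdint.h>
#include <stddef.h>

/* Order: DWT_CYCCNT, DWT_CPICNT, DWT_EXCCNT, DWT_SLEEPCNT, DWT_LSUCNT, DWT_FOLDCNT */
enum { CYC, CPI, EXC, SLEEP, LSU, FOLD, NCTR };
typedef struct { uint32_t c[NCTR]; } dwt_snap_t;            /* raw register reads */
typedef struct { uint32_t lo[NCTR], hi[NCTR]; } envelope_t; /* hypothetical model */

/* CYCCNT is 32 bits; the other five DWT counters are 8 bits and wrap at 256,
   so a delta is exact only while the true count stays below 256. */
void dwt_delta(const dwt_snap_t *b, const dwt_snap_t *a, uint32_t out[NCTR]) {
    for (int i = 0; i < NCTR; i++) {
        uint32_t d = a->c[i] - b->c[i];
        out[i] = (i == CYC) ? d : (uint8_t)d;
    }
}

/* Learn the per-counter min/max over handler deltas from known-good runs. */
void envelope_train(envelope_t *e, const uint32_t runs[][NCTR], size_t n) {
    for (int i = 0; i < NCTR; i++) {
        e->lo[i] = e->hi[i] = runs[0][i];
        for (size_t r = 1; r < n; r++) {
            if (runs[r][i] < e->lo[i]) e->lo[i] = runs[r][i];
            if (runs[r][i] > e->hi[i]) e->hi[i] = runs[r][i];
        }
    }
}

/* Bitmask of counters that fall outside the envelope widened by slack_pct. */
unsigned envelope_check(const envelope_t *e, const uint32_t d[NCTR], unsigned slack_pct) {
    unsigned mask = 0;
    for (int i = 0; i < NCTR; i++) {
        uint32_t slack = (e->hi[i] - e->lo[i] + 1) * slack_pct / 100;
        uint32_t lo = e->lo[i] > slack ? e->lo[i] - slack : 0;
        if (d[i] < lo || d[i] > e->hi[i] + slack) mask |= 1u << i;
    }
    return mask;
}

/* Constructed sample deltas for one handler (illustrative, not measured). */
static const uint32_t CLEAN[4][NCTR] = {
    {1200, 14, 0, 0, 40, 6}, {1215, 15, 0, 0, 42, 6},
    {1190, 13, 0, 0, 39, 5}, {1208, 14, 0, 0, 41, 6}};
static const uint32_t DIVERTED[NCTR] = {1420, 31, 0, 0, 77, 2};

unsigned demo_check(void) {
    envelope_t e;
    envelope_train(&e, CLEAN, 4);
    return envelope_check(&e, DIVERTED, 50);
}
```

On a target, the two snapshots would be taken at the entry and exit hooks of the monitored event handler, and a nonzero mask identifies which counters diverged.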

References

  1. Abadi M, Budiu M, Erlingsson U, Ligatti J. Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 05, p. 340–353. Association for Computing Machinery, New York, NY, USA; 2005. https://doi.org/10.1145/1102120.1102165.

  2. Alvarez S, Jin M. The official radare 2 book. https://book.rada.re/ (2016). Accessed: 2021-05-22.

  3. ARM. Arm cortex-a53 mpcore processor technical reference manual. https://developer.arm.com/documentation/ddi0500/d/performance-monitor-unit/pmu-functional-description. Accessed: 2020-08-15.

  4. ARM. Armv7-m architecture reference manual, section c1.8 - dwt. https://developer.arm.com/documentation/ddi0403/ed/. Accessed: 2020-08-15.

  5. Baratloo A, Singh N, Tsai TK, et al. Transparent run-time defense against stack-smashing attacks. In: USENIX Annual Technical Conference, General Track; 2000. p. 251–262.

  6. Chang CC, Lin CJ. LIBSVM: A library for support vector machines. ACM Trans Intell Syst Technol. 2011;2:27:1–27:27. Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm. Accessed 8 Oct 2021.

  7. Cheng Y, Zhou Z, Miao Y, Ding X, Deng HR. Ropecker: a generic and practical approach for defending against rop attacks. In: Symposium on Network and Distributed System Security (NDSS); 2014.

  8. Christoulakis N, Christou G, Athanasopoulos E, Ioannidis S. Hcfi: Hardware-enforced control-flow integrity. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, CODASPY 16, pp. 38–49. Association for Computing Machinery, New York, NY, USA; 2016. https://doi.org/10.1145/2857705.2857722.

  9. Cowan C, Pu C, Maier D, Hinton H, Walpole J, Bakke P, Beattie S, Grier A, Wagle P, Zhang Q. Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th Conference on USENIX Security Symposium - Volume 7, SSYM98, p. 5. USENIX Association, USA; 1998.

  10. Das S, Werner J, Antonakakis M, Polychronakis M, Monrose F. Sok: The challenges, pitfalls, and perils of using hardware performance counters for security. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19–23, 2019; 2019. p. 20–38. IEEE. https://doi.org/10.1109/SP.2019.00021.

  11. Demme J, Maycock M, Schmitz J, Tang A, Waksman A, Sethumadhavan S, Stolfo S. On the feasibility of online malware detection with performance counters. In: Proceedings of the 40th Annual International Symposium on Computer Architecture, ISCA 13, p. 559–570. Association for Computing Machinery, New York, NY, USA; 2013. https://doi.org/10.1145/2485922.2485970.

  12. Diatchki I, Pike L, Erkök L. Practical considerations in control-flow integrity monitoring. In: 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation Workshops; 2011. pp. 537–44. https://doi.org/10.1109/ICSTW.2011.27

  13. Eagle C. The IDA Pro Book: the unofficial guide to the world's most popular disassembler. San Francisco: No Starch Press; 2011.

  14. Evtyushkin D, Ponomarev D, Abu-Ghazaleh N. Jump over ASLR: attacking branch predictors to bypass ASLR. In: The 49th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO-49. IEEE Press; 2016.

  15. G SS, Darki A, Faloutsos M, Abu-Ghazaleh N, Sridharan M. Idapro for iot malware analysis? In: 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 19). USENIX Association, Santa Clara, CA; 2019. https://www.usenix.org/conference/cset19/presentation/g. Accessed 8 Oct 2021.

  16. Göktas E, Athanasopoulos E, Bos H, Portokalidis G. Out of control: overcoming control-flow integrity. In: 2014 IEEE Symposium on Security and Privacy; 2014. pp. 575–89. https://doi.org/10.1109/SP.2014.43.

  17. Gras B, Razavi K, Bosman E, Bos H, Giuffrida C. ASLR on the line: practical cache attacks on the MMU. In: 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26–March 1, 2017. The Internet Society; 2017. https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/aslrcache-practical-cache-attacks-mmu/. Accessed 8 Oct 2021.

  18. Levinthal D. Performance analysis guide for Intel Core I7 processor and intel xeon 5500 processors. https://software.intel.com/sites/products/collateral/hpc/vtune/performance_analysis_guide.pdf. Accessed: 2018-07-03.

  19. Malone C, Zahran M, Karri R. Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing, STC 11, pp. 71–6. Association for Computing Machinery, New York, NY, USA; 2011. https://doi.org/10.1145/2046582.2046596.

  20. Shacham H, Page M, Pfaff B, Goh EJ, Modadugu N, Boneh D. On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM conference on Computer and communications security; 2004. pp. 298–307. ACM.

  21. Shoshitaishvili Y, Wang R, Salls C, Stephens N, Polino M, Dutcher A, Grosen J, Feng S, Hauser C, Kruegel C, Vigna G. Sok: (state of) the art of war: offensive techniques in binary analysis; 2016.

  22. Singh B, Evtyushkin D, Elwell J, Riley R, Cervesato I. On the detection of kernel-level rootkits using hardware performance counters. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 17, pp. 483–93. ACM, New York, NY, USA; 2017. https://doi.org/10.1145/3052973.3052999.

  23. Team AD. Ardupilot autopilot suite. http://ardupilot.com/. Accessed: 2016-05-20.

  24. Team A. ANGR documentation. https://docs.angr.io/. Accessed: 2021-05-22.

  25. Team L. LIEF documentation. https://lief.quarkslab.com/. Accessed: 2021-05-22.

  26. Uhsadel L, Georges A, Verbauwhede I. Exploiting hardware performance counters. In: 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography; 2008. pp. 59–67.

  27. Wang X, Karri R. Numchecker: Detecting kernel control-flow modifying rootkits by using hardware performance counters. In: Proceedings of the 50th Annual Design Automation Conference, DAC 13. Association for Computing Machinery, New York, NY, USA; 2013. https://doi.org/10.1145/2463209.2488831.

  28. Xia Y, Liu Y, Chen H, Zang B. Cfimon: detecting violation of control flow integrity using performance counters. In: IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012); 2012. pp. 1–12. IEEE.

  29. Yuan L, Xing W, Chen H, Zang B. Security breaches as PMU deviation: detecting and identifying security attacks using performance counters. In: Proceedings of the Second Asia-Pacific Workshop on Systems, APSys 11. Association for Computing Machinery, New York, NY, USA; 2011. https://doi.org/10.1145/2103799.2103807.

  30. Zhou B, Gupta A, Jahanshahi R, Egele M, Joshi A. Hardware performance counters can detect malware: Myth or fact? In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ASIACCS 18, pp. 457–68. Association for Computing Machinery, New York, NY, USA; 2018. https://doi.org/10.1145/3196494.3196515.

Acknowledgements

This material is based upon work supported by the Office of Naval Research under Contract No. N68335-17-C-0208. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research.

Funding

This study was funded by the Office of Naval Research (grant number N68335-17-C-0208).

Author information

Correspondence to Ananda Biswas.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Technologies and Components for Smart Cities” guest edited by Himanshu Thapliyal, Saraju P. Mohanty, Srinivas Katkoori and Kailash Chandra Ray.

Cite this article

Biswas, A., Li, Z. & Tyagi, A. Performance Counters and DWT Enabled Control Flow Integrity. SN COMPUT. SCI. 3, 48 (2022). https://doi.org/10.1007/s42979-021-00915-y

  • DOI: https://doi.org/10.1007/s42979-021-00915-y
