DOI: 10.1145/3316781.3317836

HardScope: Hardening Embedded Systems Against Data-Oriented Attacks

Published: 02 June 2019

Abstract

Memory-unsafe programming languages like C and C++ leave many (embedded) systems vulnerable to attacks like control-flow hijacking. However, defenses against control-flow attacks, such as (fine-grained) randomization or control-flow integrity, are ineffective against data-oriented attacks and the more expressive Data-oriented Programming (DOP) attacks that bypass state-of-the-art defenses.
We propose run-time scope enforcement (RSE), a novel approach that efficiently mitigates all currently known DOP attacks by enforcing compile-time memory safety constraints, such as variable visibility rules, at run-time. We present HardScope, a proof-of-concept implementation of hardware-assisted RSE for RISC-V, and show that it has a low performance overhead of 3.2% on embedded benchmarks.
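To make concrete what "enforcing compile-time visibility rules at run-time" means, the following is an added software model of the idea; it is not HardScope's hardware design or code. Each active function scope records the memory ranges its code may touch (its own frame plus ranges the caller explicitly delegates, as when passing a pointer argument), and every store is checked against the current scope before it is performed. The names `rse_enter`, `rse_grant`, `rse_store_u8`, the scope-stack layout and the caller frame with a buffer next to a flag are all assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical software model of run-time scope enforcement (RSE).
 * A scope stack mirrors the call stack; each scope holds the ranges
 * that code running in it is allowed to access. */
#define MAX_SCOPES 16
#define MAX_RANGES 8

struct range { uintptr_t base; size_t len; };
struct scope { struct range ranges[MAX_RANGES]; int nranges; };

static struct scope scope_stack[MAX_SCOPES];
static int scope_depth = 0;
static unsigned long rse_violations = 0;   /* count of refused accesses */

/* Function entry: push an empty scope. */
static void rse_enter(void) {
    if (scope_depth < MAX_SCOPES) scope_stack[scope_depth++].nranges = 0;
}

/* Function exit: pop the scope, revoking everything it could see. */
static void rse_exit(void) { if (scope_depth > 0) scope_depth--; }

/* Grant the current scope access to [p, p+len): its own locals, or a
 * range the caller delegates to it (the model of a pointer argument). */
static void rse_grant(const void *p, size_t len) {
    if (scope_depth == 0) return;
    struct scope *s = &scope_stack[scope_depth - 1];
    if (s->nranges < MAX_RANGES) {
        s->ranges[s->nranges].base = (uintptr_t)p;
        s->ranges[s->nranges].len = len;
        s->nranges++;
    }
}

/* True if [p, p+len) lies inside a range visible to the current scope. */
static bool rse_allowed(const void *p, size_t len) {
    if (scope_depth == 0) return false;
    const struct scope *s = &scope_stack[scope_depth - 1];
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < s->nranges; i++) {
        const struct range *r = &s->ranges[i];
        /* overflow-safe containment check */
        if (a >= r->base && len <= r->len && a - r->base <= r->len - len)
            return true;
    }
    return false;
}

/* Checked byte store: performed only if the scope may see dst. */
static bool rse_store_u8(uint8_t *dst, uint8_t v) {
    if (!rse_allowed(dst, 1)) { rse_violations++; return false; }
    *dst = v;
    return true;
}

/* Callee: asked to write n bytes into a buffer the caller delegated.
 * n > buf_len models a spatial memory error. Returns refused stores. */
static size_t fill_with_scope(uint8_t *buf, size_t buf_len, size_t n) {
    rse_enter();
    rse_grant(buf, buf_len);          /* callee sees only the buffer */
    size_t refused = 0;
    for (size_t i = 0; i < n; i++)
        if (!rse_store_u8(buf + i, (uint8_t)i)) refused++;
    rse_exit();
    return refused;
}

/* Caller frame (constructed for the example): a buffer directly followed
 * by a flag that the callee must never be able to reach. */
static size_t scenario(size_t n, uint8_t *flag_out) {
    struct { uint8_t buf[8]; uint8_t privileged; } frame;
    memset(&frame, 0, sizeof frame);
    scope_depth = 0; rse_violations = 0;
    rse_enter();
    rse_grant(&frame, sizeof frame);  /* caller may touch its whole frame */
    size_t refused = fill_with_scope(frame.buf, sizeof frame.buf, n);
    rse_exit();
    if (flag_out) *flag_out = frame.privileged;
    return refused;
}

/* Number of stores refused when the callee writes n bytes. */
size_t run_scenario(size_t n) { return scenario(n, NULL); }

/* Value of the caller's flag after the callee wrote n bytes. */
uint8_t privileged_after(size_t n) {
    uint8_t flag = 0xff;
    scenario(n, &flag);
    return flag;
}

int main(void) {
    printf("in-bounds write of 8 bytes: %zu refused\n", run_scenario(8));
    printf("overlong write of 9 bytes:  %zu refused, flag=%u\n",
           run_scenario(9), privileged_after(9));
    return 0;
}
```

The point of the model is that the callee's ninth store is refused not because a bounds check on the buffer fires, but because the address it targets belongs to a variable that is simply not visible from the callee's scope; the flag keeps its value and the violation is counted, which is where a hardware implementation would raise an exception instead.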


Published In

DAC '19: Proceedings of the 56th Annual Design Automation Conference 2019
June 2019, 1378 pages
ISBN: 9781450367257
DOI: 10.1145/3316781

Publisher

Association for Computing Machinery, New York, NY, United States

Conference

DAC '19 (overall acceptance rate 1,770 of 5,499 submissions, 32%)

Cited By

• (2023) A Survey on Thwarting Memory Corruption in RISC-V. ACM Computing Surveys 56(2):1-29. DOI 10.1145/3604906. Online publication date: 17-Jun-2023
• (2023) SecDINT: Preventing Data-oriented Attacks via Intel SGX Escorted Data Integrity. 2023 IEEE Conference on Communications and Network Security (CNS), 1-9. DOI 10.1109/CNS59707.2023.10289062. Online publication date: 2-Oct-2023
• (2023) RegGuard. Computers and Security 129:C. DOI 10.1016/j.cose.2023.103213. Online publication date: 1-Jun-2023
• (2022) Hardware-Assisted Machine Learning in Resource-Constrained IoT Environments for Security: Review and Future Prospective. IEEE Access 10:58603-58622. DOI 10.1109/ACCESS.2022.3179047. Online publication date: 2022
• (2022) A Survey of the RISC-V Architecture Software Support. IEEE Access 10:51394-51411. DOI 10.1109/ACCESS.2022.3174125. Online publication date: 2022
• (2022) DExIE - An IoT-Class Hardware Monitor for Real-Time Fine-Grained Control-Flow Integrity. Journal of Signal Processing Systems 94(7):739-752. DOI 10.1007/s11265-021-01732-5. Online publication date: 6-Jan-2022
• (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security 24(4):1-36. DOI 10.1145/3462699. Online publication date: 2-Sep-2021
• (2020) Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 1803-1820. DOI 10.1145/3372297.3417248. Online publication date: 30-Oct-2020
• (2020) Hardware Assisted Buffer Protection Mechanisms for Embedded RISC-V. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 1-1. DOI 10.1109/TCAD.2020.2984407. Online publication date: 2020
• (2019) DARPA's Explainable Artificial Intelligence Program. AI Magazine 40(2):44-58. DOI 10.1609/aimag.v40i2.2850. Online publication date: 1-Jun-2019
