
Research On Defending Control Flow Attacks Based On Hardware-assisted

Posted on: 2021-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Yu
Full Text: PDF
GTID: 2518306461458804
Subject: Master of Engineering
Abstract/Summary:
With the rapid development of the Internet of Things, cloud computing and mobile payment technologies, embedded systems have been widely deployed in the military, automotive, medical and communication fields, and their capabilities for network communication and collaborative processing between many devices have improved further. This also gives attackers an opportunity: software vulnerabilities can be used to carry out control flow attacks and take control of the entire embedded system. A control flow attack uses a program vulnerability to tamper with the storage address of the program's control flow data, or with the control flow data itself, and redirects the program to predetermined malicious code in order to damage the system or steal key information. Existing defenses are basically based on control flow integrity: they check the legality of the destination address of each control flow transfer in order to prevent the attack. These defenses are generally implemented in software, but software implementations are costly and are themselves insecure. How to prevent control flow attacks effectively and at low cost has therefore become an urgent problem. Compared with software methods, hardware methods have clear advantages: they are not easy to tamper with, they are compatible with the instruction set, and they are highly reliable. Starting from an analysis of the principles of control flow attacks and the limitations of the existing defenses, this thesis proposes hardware-assisted methods for defending against control flow attacks. The research content consists of the following three parts:

1. A method of defending against control flow attacks based on a built-in security register bank (BSRB). Based on a study of how the return address in the stack changes before and after a control flow attack, a built-in security register bank is used to back up the original return address from the stack. When a subroutine call starts, that is, when the call instruction is executed, the system not only pushes the return address onto the original stack but also writes it into the BSRB at the same time. When the subroutine call ends and the ret instruction is executed, the system reads the return address from both the BSRB and the original stack and sends the two values to a comparator. The control flow attack is detected and prevented according to whether the two return addresses are consistent.

2. A method of defending against control flow attacks based on XOR-gate encryption. Since an attacker may overwrite both the stack and the BSRB to bypass the above mechanism and still carry out the attack, an XOR encryption circuit before the push and an XOR decryption circuit after the pop are introduced to deviate a malicious return address, making up for this deficiency. When the call instruction is executed, the return address is first encrypted by the XOR encryption circuit; the encrypted return address is then pushed onto the stack and written into the BSRB. When the ret instruction is executed, the encrypted return addresses from the stack and the BSRB pass through the XOR decryption circuit, which deviates a malicious address, and are then sent to the address comparator. The attack is prevented based on whether the return addresses are consistent and on the deviation of the malicious address.

3. A method of defending against control flow attacks based on a return address signature. Since an attacker who obtains the key may construct special addresses to bypass a defense built on a single encryption circuit, an XOR encryption circuit and the MD5 algorithm are combined as a second layer of encryption to make up for the deficiency caused by key leakage. When the call instruction is executed, a pseudo-random number generator is first triggered to generate a key K, which is XORed with the push-stack return address, and the MD5 algorithm then generates a push-stack signature for the encrypted return address. When the ret instruction is executed, that is, when the return address is popped from the stack, the popped return address is XORed with the key K and the encrypted return address is used as the input of the MD5 algorithm to generate the pop-stack signature. Control flow attacks are prevented based on whether the push-stack signature matches the pop-stack signature.

The proposed circuits are designed in a TSMC 65 nm CMOS process, and the Cadence and Synopsys tools are used for circuit simulation and verification. The proposed methods provide a theoretical basis for improving the security, reducing the overhead and preserving the instruction set compatibility of circuit systems, and for promoting the efficient, secure and rapid development of the information industry.
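The following Python model is an added example, not the thesis' own design (which is a hardware circuit); it layers the three schemes from the abstract (BSRB copy, XOR masking, MD5 signature) on a simulated call/ret so a reader can see which check stops which corruption of the stack. Assumptions: the stack holds the XOR-masked address and the signature is computed over that masked value; the key, return address and malicious address are constructed sample values.

```python
import hashlib

class ControlFlowViolation(Exception):
    pass
class ReturnAddressGuard:
    def __init__(self, key, signature=True):
        self.key = key              # models the PRNG-generated key K (fixed here for tests)
        self.signature = signature  # False models scheme 2 alone (BSRB + XOR, no MD5)
        self.stack = []  # ordinary stack: the only store an attacker can write in this model
        self.bsrb = []   # built-in security register bank (BSRB): hardware-internal copy
        self.sigs = []   # push-stack MD5 signatures: hardware-internal

    def _sign(self, masked):
        # Signature over the XOR-masked address (our reading of the thesis scheme)
        return hashlib.md5(masked.to_bytes(4, "little")).digest()

    def call(self, return_addr):
        masked = return_addr ^ self.key           # XOR encryption circuit
        self.stack.append(masked)                 # pushed onto the original stack ...
        self.bsrb.append(masked)                  # ... and written into the BSRB at the same time
        self.sigs.append(self._sign(masked))      # push-stack signature

    def ret(self):
        from_stack, from_bsrb, push_sig = self.stack.pop(), self.bsrb.pop(), self.sigs.pop()
        if from_stack != from_bsrb:               # scheme 1: address comparator
            raise ControlFlowViolation("stack/BSRB mismatch")
        if self.signature and self._sign(from_stack) != push_sig:  # scheme 3: pop-stack signature
            raise ControlFlowViolation("signature mismatch")
        return from_stack ^ self.key              # XOR decryption circuit

KEY, RET_ADDR, EVIL = 0x5A5A1234, 0x00401000, 0xDEADBEEF  # constructed sample values

def run(stack_write=None, bsrb_write=None, signature=True):
    """call, optional overwrite of the stored copies, ret -> ("ret", addr) or ("blocked", why)."""
    g = ReturnAddressGuard(KEY, signature)
    g.call(RET_ADDR)
    if stack_write is not None:
        g.stack[-1] = stack_write
    if bsrb_write is not None:
        g.bsrb[-1] = bsrb_write
    try:
        return ("ret", g.ret())
    except ControlFlowViolation as e:
        return ("blocked", str(e))

if __name__ == "__main__":
    print(run())                                        # benign: ('ret', 0x401000)
    print(run(EVIL))                                    # stack only: BSRB comparator blocks
    print(run(EVIL, EVIL, signature=False))             # both copies: decrypts to EVIL ^ KEY, not EVIL
    print(run(EVIL ^ KEY, EVIL ^ KEY, signature=False)) # key known: scheme 2 alone returns to EVIL
    print(run(EVIL ^ KEY, EVIL ^ KEY))                  # key known: signature comparator blocks
```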
Keywords/Search Tags:Hardware-assisted, Control flow attacks, Defend attacks, Information security, Circuit design