FIPAC: Thwarting Fault- and Software-Induced Control-Flow Attacks with ARM Pointer Authentication

Abstract

With improvements in computing technology, more and more applications in the Internet of Things, mobile devices, or the automotive area embed powerful ARM processors. These systems can be attacked by redirecting the control flow to bypass critical pieces of code such as privilege checks or signature verifications, or to perform other fault attacks on applications or security mechanisms like secure boot. Control-flow hijacks can be performed using classical software vulnerabilities, physical fault attacks, or software-induced faults. To cope with this threat and to protect the control flow, dedicated countermeasures are needed. Control-flow integrity (CFI) aims to be a generic solution to counteract control-flow hijacks. However, software-based CFI typically protects either against software attacks or against fault attacks, but not against both. While hardware-assisted CFI can mitigate both, it requires hardware changes, which are unrealistic for existing architectures. Thus, a wide range of systems remains unprotected and vulnerable to control-flow attacks. This work presents FIPAC, a software-based CFI scheme protecting the execution at basic block granularity against software and fault attacks. FIPAC exploits ARM pointer authentication of ARMv8.6-A to implement a cryptographically signed control-flow graph. We cryptographically link the correct sequence of executed basic blocks to enforce CFI at this level. We use a custom LLVM-based toolchain to automatically instrument programs. The evaluation on SPEC2017 with different security policies shows a geometric mean code overhead between 51–91 % and a runtime overhead between 19–63 %. For embedded benchmarks, we measured geometric mean runtime overheads between 49–168 %. While these overheads are higher than for countermeasures against software attacks, FIPAC outperforms related work protecting the control flow against faults. FIPAC is an efficient solution to protect against software- and fault-based CFI attacks at the basic block level on modern ARM devices.
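The following is an added illustrative model (not code from the paper or its toolchain) of the idea the abstract describes: every basic block updates a running state with a keyed, unpredictable function of the previous state and its own block identifier, so the state at a check point encodes the whole executed path and a skipped or reordered block is detected. The `pac_model` mixer, the key and the block identifiers are assumptions standing in for the ARM pointer-authentication instructions and the compiler-assigned values the real scheme would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed key. ASSUMPTION: the real scheme keys the state update with
 * ARM pointer authentication; this 64-bit mixer only models the property
 * that the next state is keyed and depends on the previous state. */
static const uint64_t CFI_KEY = 0x9E3779B97F4A7C15ULL;

static uint64_t pac_model(uint64_t value, uint64_t modifier)
{
    uint64_t x = value ^ CFI_KEY ^ (modifier * 0xBF58476D1CE4E5B9ULL);
    x ^= x >> 31; x *= 0x94D049BB133111EBULL;
    x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ULL;
    return x ^ (x >> 32);
}

/* Update emitted at the entry of every basic block: chains the block id
 * into the running state, so the state encodes the executed sequence. */
static uint64_t cfi_enter_block(uint64_t state, uint64_t block_id)
{
    return pac_model(state, block_id);
}

/* Reference computed once from the expected path (the "signed" CFG). */
static uint64_t cfi_expected(const uint64_t *path, size_t n)
{
    uint64_t s = 0; /* initial state at function entry */
    for (size_t i = 0; i < n; i++)
        s = cfi_enter_block(s, path[i]);
    return s;
}

/* Runtime model: executes the given blocks and returns 1 if the chained
 * state matches the reference at the check point, 0 on a CFI violation. */
static int run_path(const uint64_t *executed, size_t n, uint64_t expected)
{
    uint64_t s = 0;
    for (size_t i = 0; i < n; i++)
        s = cfi_enter_block(s, executed[i]);
    return s == expected;
}

int main(void)
{
    const uint64_t good[] = {1, 2, 3};    /* constructed block ids */
    const uint64_t skipped[] = {1, 3};    /* block 2 skipped by a fault */
    const uint64_t swapped[] = {1, 3, 2}; /* order changed */
    uint64_t ref = cfi_expected(good, 3);
    printf("correct path: %d\n", run_path(good, 3, ref));
    printf("skipped block: %d\n", run_path(skipped, 2, ref));
    printf("swapped order: %d\n", run_path(swapped, 3, ref));
    return 0;
}
```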

Publication
International Workshop on Constructive Side-Channel Analysis and Secure Design
Robert Schilling
Security Architect

My research interests include the hardware-software codesign to protect software against fault attacks.