
RISC-V ISA Extension for Control Flow Integrity

Supervisor(s): Lukas Auer
Status: finished
Topic: Integrity Measures (CFI etc.)
Author: Leander Seidlitz - Mail: leander.seidlitz@tum.de
Submission: 2019-04-15
Type of Thesis: Bachelor's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Software written in memory-unsafe low-level languages such as C and C++ is prone to memory corruption vulnerabilities. A stack buffer overflow, for example, lets an attacker overwrite the saved return address, and return-oriented programming (ROP) chains such hijacked returns through fragments of code that already exist in the process. In both cases control flow is hijacked by modifying a code pointer, most often the return address on the stack: as soon as the processor returns, control is handed to a location of the attacker's choosing.
To counter these attacks, ARM introduced pointer authentication in ARMv8.3-A. A pointer authentication code (PAC) is computed with a keyed cipher over the pointer itself, a secret key held in system registers, and a context value (modifier) such as the current stack pointer; the PAC is stored in the upper bits of the 64-bit register that the virtual address leaves unused. Before the pointer is used, the PAC is recomputed and compared with the stored one. If verification fails, the PAC field is replaced by an error value that makes the pointer non-canonical, so the next use of the pointer raises an exception. Note that in ARMv8.3 the fault is thus deferred to the first dereference rather than raised by the authentication instruction itself (the later FEAT_FPAC extension faults immediately).
The goal of this thesis is to design a RISC-V ISA extension for control flow integrity modelled on ARM's pointer authentication. The RISC-V ISA is analysed to determine how ARM's concept can be adapted to it and, optionally, extended. As a proof of concept, the extension is implemented in the ISA simulator Spike to evaluate the final design.
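The following C program is an added illustration of the sign/authenticate mechanism described above; it is not the thesis's design, not Spike code, and not ARM's cipher. It assumes a RISC-V Sv39 user address space (bits 39..63 of a user pointer are clear, so those 25 bits hold the PAC), substitutes a deliberately insecure toy mixing function for the real keyed cipher, picks bit 62 as the error bit written on failed authentication, and uses constructed return, stack and gadget addresses. It models one call: the prologue signs the return address with the stack pointer as context, an attacker optionally corrupts the saved slot, and the epilogue authenticates before returning.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed address-space model (an assumption for this demo, not from the thesis):
 * RISC-V Sv39 user addresses occupy bits 0..38 and have bits 39..63 clear, so
 * those 25 bits can hold the pointer authentication code (PAC). */
#define VA_BITS       39
#define VA_MASK       ((1ULL << VA_BITS) - 1)  /* address bits 0..38 */
#define PAC_MASK      (~VA_MASK)               /* PAC field, bits 39..63 */
#define PAC_ERROR_BIT (1ULL << 62)             /* written on failed auth: pointer becomes non-canonical */

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Toy keyed mixing function standing in for the real cipher (QARMA in ARM's design).
 * It is NOT cryptographically secure; the demo only needs the tag to depend on
 * pointer, key and context so that any tampering changes it. */
static uint64_t toy_mac(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    uint64_t v = ptr ^ key.k0;
    for (int round = 0; round < 6; round++) {
        v += ctx ^ key.k1;
        v ^= v >> 29;
        v *= 0x9E3779B97F4A7C15ULL;
        v ^= v >> 32;
        ctx = (ctx << 7) | (ctx >> 57);   /* rotate context into the next round */
    }
    return v;
}

/* 25-bit PAC over (canonical pointer, key, context), placed in bits 39..63. */
static uint64_t compute_pac(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    return (toy_mac(ptr & VA_MASK, ctx, key) << VA_BITS) & PAC_MASK;
}

/* Sign (like ARM's PACIA): store the PAC in the unused upper bits. */
static uint64_t pac_sign(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    return (ptr & VA_MASK) | compute_pac(ptr, ctx, key);
}

/* Authenticate (like ARM's AUTIA): on success strip the PAC and return the usable
 * pointer; on failure return a non-canonical pointer so that its first use faults. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx, pac_key_t key) {
    if ((signed_ptr & PAC_MASK) == compute_pac(signed_ptr, ctx, key))
        return signed_ptr & VA_MASK;
    return (signed_ptr & VA_MASK) | PAC_ERROR_BIT;
}

/* A pointer the MMU would translate: upper bits clear (user half of Sv39). */
static bool is_canonical(uint64_t ptr) {
    return (ptr & PAC_MASK) == 0;
}

/* Fixed demo key (constructed). On real hardware the key lives in privileged
 * registers and is never readable by the code it protects. */
static pac_key_t demo_key(void) {
    pac_key_t k = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL };
    return k;
}

enum attack { ATTACK_NONE, ATTACK_OVERWRITE, ATTACK_REPLAY };

/* Model one function call: prologue signs the return address with the stack pointer
 * as context, the attacker (optionally) corrupts the saved slot, and the epilogue
 * authenticates before returning. Returns true if the return would fault. */
static bool return_would_fault(enum attack attack) {
    pac_key_t key = demo_key();
    const uint64_t ret_addr = 0x0000000010400ABCULL;  /* constructed: caller's site */
    const uint64_t sp       = 0x0000003FFFFFE000ULL;  /* constructed: current frame */
    const uint64_t gadget   = 0x0000000010400F00ULL;  /* constructed: ROP target */

    uint64_t saved_ra = pac_sign(ret_addr, sp, key);  /* prologue */

    switch (attack) {
    case ATTACK_NONE:
        break;
    case ATTACK_OVERWRITE:
        /* Classic stack smash: the attacker has no key, so writes a raw pointer. */
        saved_ra = gadget;
        break;
    case ATTACK_REPLAY:
        /* Attacker reuses a validly signed pointer leaked from a different frame;
         * the stack-pointer context binds it to that frame, so it fails here. */
        saved_ra = pac_sign(gadget, sp - 0x200, key);
        break;
    }

    uint64_t target = pac_auth(saved_ra, sp, key);    /* epilogue */
    return !is_canonical(target);
}

int main(void) {
    printf("benign return faults:   %s\n", return_would_fault(ATTACK_NONE) ? "yes" : "no");
    printf("overwritten ret faults: %s\n", return_would_fault(ATTACK_OVERWRITE) ? "yes" : "no");
    printf("replayed ret faults:    %s\n", return_would_fault(ATTACK_REPLAY) ? "yes" : "no");
    return 0;
}
```

The replay case is why the context value matters: without a modifier, any signed pointer the attacker can read (a leaked return address, a signed function pointer in a vtable) could be pasted into any other frame and would authenticate. Binding the PAC to the stack pointer limits a stolen signature to the frame it was created for. The 25-bit tag also shows the design trade-off the thesis faces on RISC-V: fewer address bits (Sv39) leave more room for the PAC than Sv48 does, at the cost of address-space size.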