CFIEE: An Open-Source Critical Metadata Extraction Tool for RISC-V Hardware-Based CFI Schemes
Abstract
1. Introduction
- CFIEE is a critical metadata extraction tool for RISC-V hardware-based CFI schemes; its output data files serve as references for the design of hardware-based CFI mechanisms.
- We have developed an algorithm for analyzing control transfer relationships based on the execution rules of RISC-V programs. Through static analysis, the algorithm can approximate the actual execution path of the program, giving CFIEE a comprehensive analysis scope and thereby giving researchers comprehensive CFI metadata.
- CFIEE will be released as an open-source project [14], providing unrestricted usage and modification of the software to all individuals under an open-source license.
2. Background and Related Works
2.1. Control Transfer Instructions in RISC-V ISA
2.2. Control Flow Graph
2.3. Phases of CFG-Based CFI Mechanisms
3. Technical Specifications
3.1. Overview of CFIEE Architecture
3.1.1. Input Files
3.1.2. Internal Processes
3.1.3. CFI-Related Metadata Files
3.2. Workflow of CFIEE
3.3. Functions of CFIEE
3.3.1. Data Preprocessing
3.3.2. Control Flow Analysis
Algorithm 1. Find to_visit functions
Input: disassemble_file_info; func_name; function_call_instr; visited_functions
Output: to_visit_functions; visited_functions; function_call_instr

```text
for each instruction in function func_name:
    if instruction is 'jal' or 'j':
        jump_target <- Get jump target operand
        if jump_target is outside func_addr_range:
            Append line to call_instrs
        else if jump_target is within any function's address range:
            Add corresponding function name to to_visit_functions
            called_func_name <- func_name
    else if instruction is branch instruction:
        jump_target <- Get jump target operand
        if this is the last instruction in current function:
            Add next function's name to to_visit_functions
            called_func_name <- func_name
        if jump_target is within any function's address range:
            Add corresponding function name to to_visit_functions
            called_func_name <- func_name
```
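As an added illustration (not CFIEE's own code), the following Python runs Algorithm 1 over a constructed objdump-style disassembly and drives it from `main` with a work list, so that the function reached only by falling through a trailing branch is traversed and the unreachable one is not. It assumes that an inter-function `jal`/`j` is both recorded as a call instruction and adds its callee to to_visit (otherwise the callee would never be traversed); `jalr` has no static target and is skipped, as in the algorithm. The parser, the sample program and its function names are assumptions.

```python
import re  # DISASM below is a constructed objdump-style sample, not from the paper
DISASM = """\
00010000 <main>:
   10000:  008000ef  jal ra,10008 <foo>
   10004:  00008067  ret
00010008 <foo>:
   10008:  00b50263  beq a0,a1,1000c <foo+0x4>
   1000c:  0040006f  j   10010 <bar>
00010010 <bar>:
   10010:  00b50063  beq a0,a1,10010 <bar>
00010014 <baz>:
   10014:  00008067  ret
00010018 <dead>:
   10018:  00008067  ret"""
BRANCHES = {"beq", "bne", "blt", "bge", "bltu", "bgeu"}  # cond. branches of Section 2.1
def parse(disasm):  # -> [(name, start, end, [(addr, mnemonic, operands), ...])]
    funcs = []
    for line in disasm.splitlines():
        h = re.match(r"^([0-9a-f]+) <([^>]+)>:$", line)
        i = re.match(r"^\s*([0-9a-f]+):\s+[0-9a-f]+\s+(\S+)\s*(.*)$", line)
        if h:
            funcs.append([h.group(2), int(h.group(1), 16), 0, []])
        elif i:
            funcs[-1][3].append((int(i.group(1), 16), i.group(2), i.group(3)))
            funcs[-1][2] = int(i.group(1), 16)  # end = last instruction's address
    return [tuple(f) for f in funcs]
def find_to_visit(funcs, func_name, call_instrs, visited):  # Algorithm 1, one function
    idx = [f[0] for f in funcs].index(func_name)
    name, start, end, instrs = funcs[idx]
    visited.add(name)
    to_visit = []
    for pos, (addr, mnem, ops) in enumerate(instrs):
        m = re.search(r"([0-9a-f]+)\s*<", ops)  # static target, e.g. "10008 <foo>"
        if mnem in {"jal", "j"} | BRANCHES and m:  # jalr etc. carry no static target
            target = int(m.group(1), 16)
            callee = next((n for n, s, e, _ in funcs if s <= target <= e), None)
            if mnem in ("jal", "j") and not start <= target <= end:
                call_instrs.append((name, addr, callee))  # jump leaves this function
            elif mnem in BRANCHES and pos == len(instrs) - 1 and idx + 1 < len(funcs):
                to_visit.append(funcs[idx + 1][0])  # branch is last instr.: fall through
            if callee:
                to_visit.append(callee)  # target lies in some function's address range
    return to_visit
def traverse(funcs, entry="main"):  # work-list driver over Algorithm 1, from entry
    call_instrs, visited, worklist = [], set(), [entry]
    while worklist:
        f = worklist.pop()
        if f not in visited:
            worklist.extend(find_to_visit(funcs, f, call_instrs, visited))
    return visited, call_instrs
```

`traverse(parse(DISASM))` returns the four reachable functions and the two call instructions; `dead` never enters the traversal, which is why the "Traversed Func." counts in Section 5.2 can be smaller than the number of functions in the binary.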
3.3.3. Data Curation and Output
4. Application Scenarios of CFIEE
5. Evaluations
5.1. Comparison with Other Tools
5.2. Functional Evaluation
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
1. Lhee, K.S.; Chapin, S.J. Buffer overflow and format string overflow vulnerabilities. Softw. Pract. Exper. 2003, 33, 423–460. [Google Scholar] [CrossRef]
2. Roemer, R.; Buchanan, E.; Shacham, H.; Savage, S. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 2012, 15, 1–34. [Google Scholar] [CrossRef]
3. Abadi, M.; Budiu, M.; Erlingsson, U.; Ligatti, J. Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. (TISSEC) 2009, 13, 1–40. [Google Scholar] [CrossRef]
4. Mishra, T.; Chantem, T.; Gerdes, R. Survey of Control-flow Integrity Techniques for Real-time Embedded Systems. ACM Trans. Inf. Syst. Secur. (TISSEC) 2022, 21, 1–32. [Google Scholar] [CrossRef]
5. Dariz, L.; Ruggeri, M.; Selvatici, M. A static microcode analysis tool for programmable load drivers. In Proceedings of the 2015 IEEE 15th International Working Conference on Source Code Analysis and Manipulation (SCAM), Bremen, Germany, 27–28 September 2015; pp. 265–270. [Google Scholar] [CrossRef]
6. Almossawi, A.; Lim, K.; Sinha, T. Analysis Tool Evaluation: Coverity Prevent; Carnegie Mellon University: Pittsburgh, PA, USA, 2006; pp. 7–11. [Google Scholar]
7. Nethercote, N.; Seward, J. Valgrind: A framework for heavyweight dynamic binary instrumentation. ACM Sigplan Not. 2007, 42, 89–100. [Google Scholar] [CrossRef]
8. Luk, C.-K.; Cohn, R.; Muth, R.; Patil, H.; Klauser, A.; Lowney, G.; Wallace, S.; Reddi, V.J.; Hazelwood, K. Pin: Building customized program analysis tools with dynamic instrumentation. ACM Sigplan Not. 2005, 40, 190–200. [Google Scholar] [CrossRef]
9. Wang, F.; Shoshitaishvili, Y. Angr—The Next Generation of Binary Analysis. In Proceedings of the 2017 IEEE Cybersecurity Development (SecDev), Boston, MA, USA, 24–26 September 2017; pp. 8–9. [Google Scholar]
10. Cadar, C.; Dunbar, D.; Engler, D.R. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the OSDI, San Diego, CA, USA, 8–10 December 2008; pp. 209–224. [Google Scholar]
11. T-Head Xuantie E906 Datasheet. Available online: https://www.xrvm.cn/product/xuantie/E906 (accessed on 25 March 2024).
12. Waterman, A.; Asanović, K. (Eds.) The RISC-V Instruction Set Manual; Volume I: Unprivileged ISA, Document Version 20190608-Base-Ratified; RISC-V International: Zurich, Switzerland, 2019. [Google Scholar]
13. Waterman, A.; Asanović, K. (Eds.) The RISC-V Instruction Set Manual; Volume II: Privileged Architecture, Document Version 20190608-Priv-MSU-Ratified; RISC-V International: Zurich, Switzerland, 2019. [Google Scholar]
14. CFIEE: A Critical Metadata Extraction Engine for RISC-V Hardware CFI Scheme. Available online: https://github.com/Taurus052/CFIEE (accessed on 25 March 2024).
15. Kanter, D. RISC-V offers simple, modular ISA. Microprocess. Rep. 2016, 1, 1–5. [Google Scholar]
16. Waterman, A.; Lee, Y.; Patterson, D.; Asanovic, K. The RISC-V Instruction Set Manual; Volume I: User-Level ISA, Version 2.0; RISC-V International: Zurich, Switzerland, 2014. [Google Scholar]
17. Allen, F.E. Control flow analysis. ACM Sigplan Not. 1970, 5, 1–19. [Google Scholar] [CrossRef]
18. Jing, J.; Jiang, L.-H.; Liu, T.-M.; Wang, Z.-Y.; Wang, R.-M. A precision-tunable CFG reconstruction algorithm. In Proceedings of the 2013 International Conference on Mechatronic Sciences, Electric Engineering and Computer (MEC), Shenyang, China, 20–22 December 2013; pp. 2095–2099. [Google Scholar] [CrossRef]
19. Jang, H.; Park, M.C.; Lee, D.H. IBV-CFI: Efficient fine-grained control-flow integrity preserving CFG precision. Comput. Secur. 2020, 94, 101828. [Google Scholar] [CrossRef]
20. Park, M.C.; Lee, D.H. BGCFI: Efficient Verification in Fine-Grained Control-Flow Integrity Based on Bipartite Graph. IEEE Access 2023, 11, 4291–4305. [Google Scholar] [CrossRef]
21. Niu, B.; Tan, G. Per-Input Control-Flow Integrity. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 914–926. [Google Scholar] [CrossRef]
22. Yin, W.; Jiang, L.; Yin, Q.; Zhou, L.; Li, J. A control flow graph reconstruction method from binaries based on XML. In Proceedings of the 2009 International Forum on Computer Science-Technology and Applications, Chongqing, China, 25–27 December 2009; pp. 226–229. [Google Scholar] [CrossRef]
23. Yount, C.; Patil, H.; Islam, M.S.; Srikanth, A. Graph-matching-based simulation-region selection for multiple binaries. In Proceedings of the 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), Philadelphia, PA, USA, 29–31 March 2015; pp. 52–61. [Google Scholar] [CrossRef]
24. Barbar, M.; Sui, Y.; Zhang, H.; Chen, S.; Xue, J. Live path control flow integrity. In Proceedings of the 40th International Conference on Software Engineering: Companion Proceedings, Gothenburg, Sweden, 30 May–1 June 2018; pp. 195–196. [Google Scholar] [CrossRef]
25. Sahin, V.H. Turna: A control flow graph reconstruction tool for RISC-V architecture. Computing 2023, 105, 1821–1845. [Google Scholar] [CrossRef]
26. Li, S.; Wang, W.; Li, W.; Zhang, D. Hardware-Based Software Control Flow Integrity: Review on the State-of-the-Art Implementation Technology. IEEE Access 2023, 11, 133255–133280. [Google Scholar] [CrossRef]
27. Tauner, S.; Telesklav, M. Comparative analysis and enhancement of CFG-based hardware-assisted CFI schemes. ACM Trans. Embed. Comput. Syst. (TECS) 2021, 20, 1–25. [Google Scholar] [CrossRef]
28. Pallister, J.; Hollis, S.; Bennett, J. BEEBS: Open benchmarks for energy measurements on embedded platforms. arXiv 2013, arXiv:1308.5174. [Google Scholar] [CrossRef]
29. Burow, N.; Carr, S.A.; Nash, J.; Larsen, P.; Franz, M.; Brunthaler, S.; Payer, M. Control-Flow Integrity: Precision, Security, and Performance. ACM Comput. Surv. 2017, 50, 1–33. [Google Scholar] [CrossRef]
30. Li, W.; Wang, W.; Li, S.; An, Z. A Static CFG Extraction Scheme for RISC-V Runtime CFI. In Proceedings of the 9th International Symposium on System Security, Safety, and Reliability (ISSSR 2023), Hangzhou, China, 10–11 June 2023; pp. 444–445. [Google Scholar] [CrossRef]
31. An, Z.; Wang, W.; Li, W.; Li, S.; Zhang, D. Securing Embedded System from Code Reuse Attacks: A Lightweight Scheme with Hardware Assistance. Micromachines 2023, 14, 1525. [Google Scholar] [CrossRef] [PubMed]
32. Kanuparthi, A.; Rajendran, J.; Karri, R. Controlling your control flow graph. In Proceedings of the 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), McLean, VA, USA, 3–5 May 2016; pp. 43–48. [Google Scholar] [CrossRef]
Name | Mnemonic |
---|---|
branch equal | beq |
branch not equal | bne |
branch less than | blt |
branch greater than or equal | bge |
branch less than unsigned | bltu |
branch greater than or equal unsigned | bgeu |
Name | Mnemonic |
---|---|
jump and link | jal |
jump | j |
jump and link register | jalr |
Filename | File Type | Introduction |
---|---|---|
xxx_basic_block | .txt | Basic blocks’ information |
xxx_bin_basic_block_info | .txt | Blocks’ info in binary form |
xxx_hex_basic_block_info | .txt | Blocks’ info in hexadecimal form |
xxx_forward_transfers | .txt | All forward transfer instructions and target instructions |
xxx_control_transfer | .bin | Metadata related to forward transfers |
xxx_CFG | .svg | Program-wide control flow graph |
xxx_forward_transfers_per_function | .svg | Show the number of transfer instructions within each function |
xxx_function_call_relationship | .svg | Demonstrate the program’s function call relationships |
BB Edge | Rules |
---|---|
Begin edge | (1) First instr. of any function; (2) target instruction of an uncond. jump or cond. branch; (3) instr. following any cond. branch or uncond. jump |
End edge | (1) Last instr. of any function; (2) an uncond. jump instr. or a cond. branch instr.; (3) the “ret” instruction |
Features | CFIEE | angr [9] | Turna [25] |
---|---|---|---|
GUI | √ | × | × |
Without Extra Programming | √ | × | √ |
Drawing CFG | √ | √ | √ |
Hash Calculation | √ | √ | × |
Function Call Relationship | √ | √ | × |
Program Name | Traversed Func. | Traversed Instr. | Basic Blocks | Edges | Forward Transfers |
---|---|---|---|---|---|
cover | 40 | 5514 | 1632 | 2765 | 1287 |
crc | 38 | 5587 | 1633 | 2768 | 1289 |
ctl_stack | 19 | 477 | 108 | 166 | 66 |
dijkstra | 40 | 5703 | 1647 | 2791 | 1298 |
duff | 39 | 5567 | 1624 | 2749 | 1280 |
fir | 14 | 267 | 49 | 70 | 30 |
insertsort | 39 | 5561 | 1618 | 2744 | 1279 |
jfdcint | 39 | 5750 | 1618 | 2745 | 1276 |
lcdnum | 15 | 293 | 58 | 83 | 35 |
nettle_des | 41 | 7283 | 1621 | 2743 | 1278 |
nettle_md5 | 40 | 6402 | 1636 | 2773 | 1292 |
qurt | 41 | 5912 | 1725 | 2928 | 1363 |
rijndael | 44 | 9725 | 1736 | 2931 | 1358 |
sglib_dllist | 17 | 506 | 135 | 217 | 92 |
sglib_rbtree | 19 | 614 | 155 | 244 | 113 |
One of the Basic Blocks in “basic_block.txt” |
---|
Basic_block Name: 48 |
In Function: <main> |
Start address: 2940 |
End address: 2940 |
Start instruction: 2940: fe941ae3 bne s0, s1, 2934 <main+0x110> |
End instruction: 2940: fe941ae3 bne s0, s1, 2934 <main+0x110> |
Length: 1 |
Taken_Target address: 2934 |
Taken_Target instruction: 2934: 00040513 mv a0, s0 |
Not_Taken_Target address: 2944 |
Not_Taken_Target instruction: 2944: 0000d2b7 lui t0,0xd |
Instruction: 2940: fe941ae3 bne s0, s1, 2934 <main+0x110> |
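An added example (not from the paper or the CFIEE repository) that applies the begin-edge and end-edge rules of the BB edge table to a constructed instruction list for one function and emits records with the fields of the basic_block.txt excerpt above. Block numbering is per function here rather than program-wide, and the instruction tuples, mnemonics and decimal addresses are assumptions; the not-taken target is read from the next instruction's address so that 2-byte compressed instructions are handled as well.

```python
BRANCHES = {"beq", "bne", "blt", "bge", "bltu", "bgeu"}  # cond. branches of Section 2.1
JUMPS = {"jal", "j"}                                       # uncond. jumps with a static target
# Constructed instruction list (addr, mnemonic, operands, static target) for one function,
# with decimal addresses like the basic_block.txt excerpt. Not the paper's data.
MAIN = [
    (2924, "addi", "s0,s0,1", None),
    (2928, "jal", "ra,2800 <foo>", 2800),
    (2932, "mv", "a0,s0", None),
    (2936, "bne", "s0,s1,2932 <main+0x110>", 2932),
    (2940, "lui", "t0,0xd", None),
    (2944, "ret", "", None),
]
def leaders(instrs):  # begin-edge rules 1-3 of the BB edge table
    addrs = [a for a, *_ in instrs]
    starts = {addrs[0]}                                    # 1. first instr. of the function
    for pos, (addr, mnem, _, target) in enumerate(instrs):
        if mnem in BRANCHES | JUMPS:
            if target is not None:
                starts.add(target)                         # 2. target of a jump or branch
            if pos + 1 < len(instrs):
                starts.add(addrs[pos + 1])                 # 3. instr. following a jump/branch
    return starts
def basic_blocks(func_name, instrs):  # split by the rules and describe each block
    starts, blocks, cur = leaders(instrs), [], []
    for pos, ins in enumerate(instrs):
        if ins[0] in starts and cur:                       # a new leader closes the open block
            blocks.append(cur)
            cur = []
        cur.append(ins)
        if ins[1] in BRANCHES | JUMPS | {"ret"} or pos == len(instrs) - 1:
            blocks.append(cur)                             # end-edge rules 1-3
            cur = []
    out = []
    for n, blk in enumerate(blocks):
        addr, mnem, _, target = blk[-1]
        rec = {"Basic_block Name": n, "In Function": f"<{func_name}>",
               "Start address": blk[0][0], "End address": addr, "Length": len(blk)}
        if mnem in BRANCHES:                               # a branch has two successors
            rec["Taken_Target address"] = target
            nxt = [a for a, *_ in instrs if a > addr]      # next instr., whatever its size
            rec["Not_Taken_Target address"] = nxt[0] if nxt else None
        elif mnem in JUMPS:
            rec["Target address"] = target
        out.append(rec)
    return out
```

For MAIN this yields three blocks: the `jal` block (target 2800, outside the function, so it splits nothing here), the `mv`/`bne` block with taken target 2932 and not-taken target 2940, and the `lui`/`ret` block that ends the function.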
Share and Cite
Li, W.; Wang, W.; Li, S. CFIEE: An Open-Source Critical Metadata Extraction Tool for RISC-V Hardware-Based CFI Schemes. Electronics 2024, 13, 1681. https://doi.org/10.3390/electronics13091681