
Performance Counters and DWT Enabled Control Flow Integrity

SN Computer Science (2021)

Abstract
Control flow integrity (CFI) attacks resulting from buffer overflow and return-oriented programming are common. The problem is particularly acute for legacy systems and IoT devices. Legacy industrial control systems are not supported with periodic security patches, leaving them susceptible to attack vectors published over the system life span. IoT devices, on the other hand, are thin devices with limited resources. This rules out many of the traditional heavy-duty software countermeasures for the IoT world. In this research, we deploy hardware/software solutions to detect CFI attacks. Many IoT devices are based on Raspberry Pi boards. These boards include ARM Cortex A-53 (Pi 3) or Cortex A-73 (Pi 4) processors. These ARM Cortex processors contain hardware counters that can be programmed to count microarchitecture-level events such as branch mispredictions. Since control flow anomalies resulting from buffer overflow or return-oriented programming (ROP) modify the program execution, the microarchitecture-level event counts diverge. For instance, the number of instructions issued per cycle could differ due to different instruction-level parallelism. Hence, a vector of the most discriminating hardware counters can flag control flow anomalies. This paper focuses on embedded programs. Embedded program behavior is dominated by the main event loops and task/event handlers, which can be measured with performance counters. Lighter weight IoT devices, based on ARM Cortex M4 or M7, include a DWT (Debug, Watch and Trace) module, but not performance counters. DWT contains a much more limited set of counters. We show that DWT counters can also detect CFI anomalies with somewhat lower accuracy. For legacy software, we insert the performance counter instrumentation hooks by direct binary editing of ELF files. The proposed anomaly detection mechanism is evaluated on ArduPilot Team (2016)—a popular autopilot software on a Raspberry Pi 3 with PMU and DWT.
A self-navigation program is evaluated on an iCreate Roomba platform with an ARM Cortex M4 processor which contains a DWT but not performance counters. We are able to achieve 97–99
Key words
Control flow integrity, Performance monitoring unit, Debug and watch timer, Machine learning, Buffer overflow, Return oriented programming, Support vector machine