On Bridging the Gap between Control Flow Integrity and Attestation Schemes

Authors:

Mahmoud Ammar, Ahmed Abdelraoof, and Silviu Vlasceanu, Huawei Research, Germany

Abstract:

Control-flow hijacking attacks are still a major challenge in software security. Several means of protection and detection have been proposed, but gaps remain. To bridge such gaps, major processor manufacturers have designed and implemented several hardware security extensions in new generations of processors. High-profile examples include the Pointer Authentication (PA) and Branch Target Identification (BTI) technologies supported in the ARMv8.5-A processor architecture. Nevertheless, directly enabling these technologies would only provide coarse-grained security guarantees, without any trustworthy evidence of runtime integrity.

To fill this gap, we propose CFA+, a practical hardware-assisted control-flow attestation mechanism with prevention capabilities. CFA+ leverages the ARMv8.5-A BTI security extension along with selective software instrumentation to enable lightweight, always-on monitoring of the execution state without the need to maintain in-memory control-flow logs. The hybrid policy of CFA+ allows for either immediate prevention or quick detection of control-flow hijacks while providing trustworthy evidence of the runtime integrity status. CFA+ provides fine-grained security guarantees to complex software stacks while maintaining a high level of efficiency and scalability, surpassing state-of-the-art solutions. Our evaluation results show that CFA+ incurs less than 3% runtime overhead on average when applied to a wide range of benchmark applications, including the SPEC CPU2006 suite and nginx.
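The abstract contrasts two things: a coarse-grained hardware check (BTI only accepts indirect-branch targets that begin with a landing pad) and fine-grained attestation evidence of the path actually taken. The following Python model, added here as an illustration and not code from the paper or a description of CFA+'s actual design, makes that distinction concrete. It simulates BTI landing-pad enforcement over a constructed toy program, folds every taken indirect edge into a running digest instead of appending to a log, and has a verifier compare an HMAC-authenticated report against a reference measurement. The program layout, the digest construction, the shared key and the "prevent"/"detect" policy names are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed toy program. Each key is a function address; each body is a list
# of pseudo-instructions. ("bti",) models an ARMv8.5-A BTI landing pad, i.e. a
# valid target for an indirect branch; ("call", addr) is an indirect call.
TOY_CODE = {
    0x1000: [("bti",), ("call", 0x2000), ("ret",)],  # entry; calls 0x2000 through a pointer
    0x2000: [("bti",), ("ret",)],                     # intended callee
    0x3000: [("nop",), ("ret",)],                     # no landing pad at all
    0x4000: [("bti",), ("ret",)],                     # has a landing pad, but is not the expected callee
}

# Assumed shared key between the monitored device (prover) and the verifier.
KEY = b"constructed-demo-attestation-key"


class ControlFlowViolation(Exception):
    """Raised in 'prevent' mode when an indirect branch lands off a landing pad."""


class Monitor:
    """Models the hardware check plus a log-free running measurement."""

    def __init__(self, mode):
        assert mode in ("prevent", "detect")
        self.mode = mode
        self.measure = hashlib.sha256(b"constructed-initial-state").digest()
        self.violated = False

    def indirect_branch(self, target):
        body = TOY_CODE.get(target)
        landing_pad_ok = body is not None and body[0] == ("bti",)
        if not landing_pad_ok:
            if self.mode == "prevent":
                raise ControlFlowViolation(hex(target))   # immediate prevention
            self.violated = True                          # quick detection, execution continues
        # Fold the taken edge into a digest rather than storing a control-flow log.
        self.measure = hashlib.sha256(self.measure + target.to_bytes(8, "little")).digest()

    def report(self):
        # Attestation report: measurement plus violation flag, authenticated with the shared key.
        payload = self.measure + (b"\x01" if self.violated else b"\x00")
        return payload, hmac.new(KEY, payload, "sha256").digest()


def execute(monitor, fn, corrupted_target=None):
    """Walk the toy program. corrupted_target, if given, replaces the first
    indirect call's target to simulate a corrupted function pointer."""
    for insn in TOY_CODE[fn]:
        if insn[0] == "call":
            target = insn[1] if corrupted_target is None else corrupted_target
            monitor.indirect_branch(target)
            if target in TOY_CODE:
                execute(monitor, target)
        elif insn[0] == "ret":
            return


def expected_measurement():
    """The verifier's reference value: the digest of the benign path."""
    ref = Monitor("detect")
    execute(ref, 0x1000)
    return ref.measure


def verify(expected_measure, payload, tag):
    if not hmac.compare_digest(hmac.new(KEY, payload, "sha256").digest(), tag):
        return "forged"
    measure, flag = payload[:32], payload[32:]
    if flag == b"\x01" or measure != expected_measure:
        return "hijack"
    return "ok"


def attest(mode, corrupted_target=None):
    """Run the toy program under the given policy and return the verifier's verdict."""
    monitor = Monitor(mode)
    try:
        execute(monitor, 0x1000, corrupted_target)
    except ControlFlowViolation:
        return "prevented"
    payload, tag = monitor.report()
    return verify(expected_measurement(), payload, tag)


if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        for target in (None, 0x3000, 0x4000):
            print(mode, hex(target) if target else "benign", "->", attest(mode, target))
```

The case to look at is 0x4000: it carries a landing pad, so the BTI check alone accepts it in both policies, which is the coarse-grained guarantee the abstract refers to. Only the measurement mismatch at the verifier exposes that the wrong edge was taken, which is what the attestation evidence adds on top of the hardware check.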

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299850,
author = {Mahmoud Ammar and Ahmed Abdelraoof and Silviu Vlasceanu},
title = {On Bridging the Gap between Control Flow Integrity and Attestation Schemes},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {6633--6650},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/ammar},
publisher = {USENIX Association},
month = aug
}