2020
Conference Paper
Title

Towards Transparent Control-Flow Integrity in Safety-Critical Systems

Abstract
Protecting safety-critical Cyber-Physical Systems (CPS) against security threats is becoming a growing necessity. Due to the high level of network integration, CPS pose new targets to remote code-reuse attacks, such as Return-Oriented Programming (ROP). An effective mechanism to detect code-reuse attacks is Control-Flow Integrity (CFI). However, because of the intrusiveness of most current CFI solutions, i.e., their requirement for program instrumentation and run-time interference, we cannot directly apply them to safety-critical CPS. To the best of our knowledge, there is no CFI solution designed for CPS; and more specifically, we are not aware of any solution that fully monitors the forward-edges and backward-edges of an application's control-flow, while providing independence and freedom from interference guarantees. Hence, for the first time, we propose a safety certifiable, separation kernel-based partitioning architecture to integrate CFI monitoring in a safety-critical system to protect applications with real-time constraints. Our solution leverages ARM CoreSight to transparently enforce both forward-edge and backward-edge CFI for an application at run-time. Despite imposing a significant overhead on the overall system, our approach reliably protects the control-flow of the monitored application, while guaranteeing its real-time constraints. We evaluate our solution by analyzing its timing impact and discussing the resulting considerations for the integration and practical deployment in a safety-critical CPS.
Author(s)
Kuzhiyelil, D.
Zieris, P.
Kadar, M.
Tverdyshev, S.
Fohler, G.
Published in
Information Security. 23rd International Conference, ISC 2020. Proceedings
Conference
Information Security Conference (ISC) 2020
DOI
10.1007/978-3-030-62974-8_17
Language
English
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC