Student Number: 100905113 Luke Atherton

# Towards Auditing of Control-Flow Integrity

Supervisor: Konstantinos Markantonakis

Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London.



I declare that this assignment is all my own work and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that I have read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences, and in accordance with these regulations I submit this project report as my own work.

Signature:

Date:

# Acknowledgements

Thanks everyone! Elisabeth

# **Contents**

| Li | st of  | Figures | S                                          |   | xi   |
|----|--------|---------|--------------------------------------------|---|------|
| Li | st of  | Tables  |                                            |   | xiii |
| Li | st of  | Abbrev  | viations                                   |   | xv   |
| Ex | cecuti | ve Sun  | nmary                                      |   | xvii |
| 1  | Intr   | oductio | on                                         |   | 1    |
|    | 1.1    | Contr   | rol Flow                                   |   | . 1  |
|    |        | 1.1.1   | Basic Blocks                               |   | . 1  |
|    |        | 1.1.2   | Control-flow graphs                        |   | . 2  |
|    |        | 1.1.3   | Types of branches                          |   |      |
|    |        | 1.1.4   | Loops                                      | • | . 4  |
|    | 1.2    | Attacl  | ks on hardware                             |   | . 4  |
|    |        | 1.2.1   | Invasive Attacks                           |   | . 4  |
|    |        | 1.2.2   | Semi-Invasive Attacks                      |   | . 5  |
|    |        | 1.2.3   | Non-Invasive Attacks                       |   | . 5  |
|    | 1.3    | Softw   | are attacks                                |   | . 6  |
|    |        | 1.3.1   | Common software attacks methods            |   | . 6  |
|    | 1.4    | Proble  | em Description                             |   | . 7  |
|    |        | 1.4.1   | Introduction                               |   | . 7  |
|    |        | 1.4.2   | Auditing control-flow                      |   | . 8  |
|    | 1.5    | Projec  | et Objectives                              |   | . 8  |
|    |        | 1.5.1   | Practical Requirements                     |   | . 9  |
|    |        | 1.5.2   | Security Requirements                      |   |      |
|    |        | 1.5.3   | Attacker Model                             |   | . 9  |
|    | 1.6    | Projec  | et Structure                               |   | . 9  |
|    | 1.7    | Chapt   | ter Summary                                | • | . 10 |
| 2  | Eml    | bedded  | Systems and Control Flow Integrity         |   | 11   |
|    | 2.1    | Introd  | duction to Embedded Systems                |   | . 11 |
|    |        | 2.1.1   | A Definition of Embedded Systems           |   | . 11 |
|    |        | 2.1.2   | Uses of Embedded Systems                   |   | . 12 |
|    |        | 2.1.3   | Common Implementations of Embedded Systems |   | . 12 |
|    | 2.2    | ARM     | TrustZone                                  |   | . 12 |
|    |        | 221     | An introduction to ARM TrustZone           |   | 12   |

| <b>T</b> 7 | 1 |
|------------|---|
| v          |   |

| vi |            |                                                                            |    |
|----|------------|----------------------------------------------------------------------------|----|
|    | 2.3        | Control-flow Integrity                                                     | 13 |
|    |            | 2.3.1 Control Flow Graphs                                                  | 13 |
|    |            | 2.3.2 Hardware-based CFI                                                   | 14 |
|    |            | 2.3.3 Software-based CFI                                                   | 14 |
|    |            | 2.3.4 Alternatives to Basic Block CFG-based CFI                            | 14 |
|    | 2.4        | Chapter Summary                                                            | 15 |
| 2  | D1         | leave and I the sections Described                                         | 15 |
| 3  |            | kground Literature Review                                                  | 17 |
|    | 3.1        | Subject-matter Surveys                                                     | 17 |
|    |            | 3.1.1 Surveys on Existing Solutions for IP Protection and Secure Execution |    |
|    |            | 3.1.2 Defence against fault injection                                      |    |
|    |            |                                                                            |    |
|    | 3.2        | Attacks                                                                    | 19 |
|    | 3.3        | Solutions                                                                  |    |
|    |            | 3.3.1 Binding Hardware and Software                                        |    |
|    |            | 3.3.2 Secure execution                                                     | 23 |
|    | 3.4        |                                                                            |    |
|    |            | 3.4.1 Control-flow Graphs                                                  |    |
|    |            | 3.4.2 Physical Unclonable Functions (PUFs)                                 |    |
|    | 3.5        | Chapter Summary                                                            | 25 |
| 4  | Con        | nparison of Solutions                                                      | 27 |
|    | 4.1        | Comparison of solutions providing Control-Flow Integrity and Attestation   | 27 |
|    |            | 4.1.1 Established Criteria                                                 | 27 |
|    |            | 4.1.2 Solutions Presented                                                  | 28 |
|    |            | 4.1.3 Discussion of findings                                               | 30 |
|    | 4.2        | Comparison of solutions providing Static Attestation                       | 32 |
|    |            | 4.2.1 Established Criteria                                                 | 32 |
|    |            | 4.2.2 Solutions Presented                                                  | 32 |
|    |            | 4.2.3 Discussion of Findings                                               | 35 |
|    | 4.3        | Chapter Summary                                                            |    |
| 5  | Prot       | posed Solution                                                             | 39 |
| 3  | 5.1        |                                                                            | 39 |
|    | 0.1        | 5.1.1 Tools for generating CFGs                                            |    |
|    | 5.2        | Tracing Control-Flow                                                       | 41 |
|    | 9.2        | · ·                                                                        | 41 |
|    | 5.3        |                                                                            | 43 |
|    | 5.5        | 5.3.1 Other running processes                                              |    |
|    | 5.4        | Provisioning                                                               |    |
|    | J.4        | 5.4.1 Instrumentation                                                      |    |
|    |            | 5.4.2 Initial attestation                                                  |    |
|    |            |                                                                            |    |
|    | <b>-</b> - |                                                                            |    |
|    | 5.5        | Chapter Summary                                                            | 44 |

|   |                               | vii |
|---|-------------------------------|-----|
| 6 | Security Analysis             | 45  |
|   | 6.1 Security Analysis         | 45  |
|   | 6.1.1 Hardware Implementation | 46  |
| 7 | Conclusion                    | 47  |

# Listings

| 1.1 | An example of code which can be broken down into basic blocks                     | 1  |
|-----|-----------------------------------------------------------------------------------|----|
| 1.2 | An example of code which is vulnerable to skipping of instructions                | 5  |
| 1.3 | An example of code which is vulnerable to pointer subterfuge [1]                  | 6  |
| 5.1 | Example of results from angr CFG analysis of fauxware in form of .edgelist output |    |
|     | from networkx utilities                                                           | 40 |

# **List of Figures**

|  | 1.1 | The control-flow graph for o | ode in listing 1.1 | 1 |
|--|-----|------------------------------|--------------------|---|
|--|-----|------------------------------|--------------------|---|

# **List of Tables**

| 4.1 | Requirement Comparison of Control-flow Integrity and Control-flow Attestation   | 30 |
|-----|---------------------------------------------------------------------------------|----|
| 4.2 | Comparison of Control-flow Integrity and Control-flow Attestation schemes prop- |    |
|     | erties 1-5                                                                      | 31 |
| 4.3 | Comparison of Control-flow Integrity and Control-flow Attestation schemes prop- |    |
|     | erties 6-14                                                                     | 31 |
| 4.4 | Comparison of Static Attestation Solutions                                      | 36 |

# List of Abbreviations

ASIC Application-Specific Integrated Circuit
ASLR Address Space Layout Randomisation

BBL Basic BLock

CFG Control-Flow Graph
CFI Control-Flow Integrity

CISC Complex Instruction-Set Computer

CPU Central Processing Unit
DEP Data Execution Prevention

DoS Denial of Service ECB Electronic Code Book

FPGA Field Programmable Gate Array

GPU Graphics Processing Unit ICS Industrial Control System

IoT Internet of ThingsIP Intellectual Property

ISA Instruction Set ArchitectureJOP Jump-Oriented ProgrammingMAC Message Authentication Code

MCU Micro Controller Unit
NVM Non-Volatile Memory
OS Operating System
PC Program Counter

PUF Physical Unclonable Function RAM Random Access Memory

RISC Reduced Instruction Set Computer

**ROM** Read-Only Memory

ROP Return-Oriented Programming RTOS Real-Time Operating System

SCS Shadow Call Stack (same as Shadow Stack)

SoCSystem on ChipSRAMStatic RAMSSShadow Stack

TEE Trusted Execution Environment

TPM Trusted Platform Module

# **Executive Summary**

Control-flow integrity is a fundamental problem in computer security. Many attacks on software can be represented as a violation of a control-flow graph - the graphical representation of the legitimate control flow of an application. Attacks on hardware can be used to force the skipping of instructions, making the targeted application take a path which does not belong to the legitimate control-flow graph. Software-based attacks such as buffer overflows may target return addresses stored on an application's stack in order to divert its control-flow such that it does not follow the legitimate control-flow graph. Defences for attacks on control-flow attacks exist on general purpose computers, however embedded systems which have less resources than general purpose computers are not as well catered for in terms of control-flow integrity. Producing an audit trail of control-flow enables a verifier to gain assurances that applications have been executed in such a way that they legitimately followed their pre-defined control-flow graph.

Using control-flow integrity audit as a viewpoint this project surveys existing solutions in the area of control-flow integrity. Initially it undertakes a high-level review of secure software execution, associated subjects and the common properties for embedded systems. Following this it sets out an established criteria for the assessment of solutions providing static attestation of memory space and control-flow integrity protection and attestation, using this criteria these solutions are analysed and compared. The solutions presented consist of hardware-based solutions, where additional hardware components or modifications are required, and software-based solutions, where objectives are achieved using only software and existing Commercial off-the-shelf (COTS) hardware.

In its concluding chapters, the project builds upon the principles and methodologies identified during the analysis and comparison phase to propose a solution to enable auditing of control-flow within embedded systems. Using a combination of static attestation and dynamic monitoring, the proposed solution aims to provide the building blocks for a software-based design anchored on the security features provided by ARM TrustZone (recently added to ARM Cortex-M processor cores, which are at the heart of many embedded systems). Finally, it is recommended that the proposed solution is implemented in a hardware-based solution, where any overhead introduced as a result of the functionality can be reduced by introducing dedicated hardware.

## Chapter 1

# Introduction

In this chapter we first introduce the concept of control-flow, describing how it is built up from transitions between basic blocks to form a control-flow graph and how control-flow can be violated. We then look at the types of execution branches which trigger transitions between basic blocks. We explain some important categories of hardware and software attacks which can lead to the subversion of a control-flow. Finally the problem setting for this project is described along with a list of objectives which the proposed solution will be judged against.

#### 1.1 Control Flow

Control flow is how instructions within software applications transition from one instruction to another. Applications can be logically broken down into basic blocks (BBLs) through which the executing application traverses. The tracing of these transitions forms the control flow taken.

#### 1.1.1 Basic Blocks

The principle of basic blocks creates a useful way of breaking down the instructions of an application into manageable chunks containing sequences of instructions. A basic block is a set of instructions which sequentially run from beginning to end. An example of this is illustrated in pseudo-code at listing 1.1.

```
void GreaterThanPlusOne(int firstNum, int secondNum)

{
    string message;
    firstNum++;
    if (firstNum > secondNum)
    {
        message = "firstNum plus one is greater than secondNum";
    }
    if (firstNum <= secondNum)
    {
        message = "firstNum plus one less than or equal to secondNum";
    }
}</pre>
```

LISTING 1.1: An example of code which can be broken down into basic blocks



FIGURE 1.1: The control-flow graph for code in listing 1.1

The instructions from string message; (line 3) up to and including if (firstNum > secondNum) (line 5), basic block 1, will execute sequentially (barring an exception being thrown). This is a basic block. The contents within the first if (line 5) and also the second if (line 9) parenthesis are also basic blocks, basic blocks 2 and 3 respectively.

So in the code described at listing 1.1, the sequence of instructions can flow from the first basic block to either the second or the third. An unauthorised flow would be from basic block 2 to basic block 3 as there is no way that under normal operation both of these sequences of instructions would execute after one another.

Other examples of programming control flow statements which could form basic blocks are switch cases, loops, break statements and functions, as the these control the diversion of instruction execution depending on the current running circumstances (e.g. variable state).

#### 1.1.2 Control-flow graphs

Control-flow graphs (CFGs) are the graphical representation of the series of valid transitions between basic blocks within an application (see figure 1.1 for a CFG of listing 1.1). It is conceivable that a CFG can become enormous as the size of an application grows, as the number of different valid paths along the graph will rapidly increase. (need to find reference for this) . Valid control flow is where the flow which follows a CFG for a given application. Using figure 1.1 as an example for the code in listing 1.1, BBL 1  $\rightarrow$  BBL 2 and BBL 1  $\rightarrow$  BBL 3 are both valid flows, however BBL 1  $\rightarrow$  BBL 2  $\rightarrow$  BBL 3 is invalid. To create BBL 1  $\rightarrow$  BBL 2  $\rightarrow$  BBL 3 an attacker could change the value of secondNum to one which is greater than or equal to firstNum once the first if statement has been passed.

1.1. Control Flow

#### 1.1.3 Types of branches

Basic blocks transitions are triggered by branches, so in order to understand control-flow it is important to understand the difference between the various branch types: direct, indirect, unintended and function returns.

#### Direct

A direct branch is one where the next instruction address is hard coded with the jump instruction. This means the execution will flow to a pre-defined location.

A direct branch can be violated by hardware attacks such as glitching, which forces the skipping of instructions, or memory attacks, whereby the destination address is swapped for another, causing the execution to flow along an unintended path.

Attacks on direct branches can often be overlooked by control-flow integrity (CFI) protection mechanisms as the requirements of needing direct access to memory or performing glitching attacks often lie outside of the scope of these protections, as they view attacks on indirect branches and function returns as larger threats.

#### Indirect

An indirect branch is one where the next instruction address is set at run-time, either through registers, or pointers pointing to addresses in memory containing the jump destination. This could be the result of a compiled switch-case statement or dynamic libraries (e.g. reflection). In the case of the switch-case statement it might not appear as indirect in the source code, however when compiled has the possibility of indirectness. Indirect branches are usually targets of buffer overflows.

#### Unintended

De Clerq [2] describes an unintended branch as one which arises due to variable length instruction encoding in architectures. An attacker transfers control flow to the middle of an instruction. A high percentage (80%) of gadgets exploit this, according to Kayaalp [3]. For more information see section 4.2 of Kayaalp's work [3] which describes unintended branches in detail. The threat of unintended branches is currently not such a problem in embedded systems as they tend to use fixed length instruction sets (such as RISC). However ARMv8, for example, has two sets of encoding which can be switched between, and as embedded systems' capabilities converge with those of general purpose computers we may see the introduction of variable length instruction encoding in the near future.

#### **Function Return**

A function returning to its caller is a branch in itself. When a function returns to its calling section of code the return address is retrieved from the stack and inserted in to the program counter (pc). This presents a problem as the return address is not hard coded and according to a CFG, a function could legally return to any of the locations in code which call that function. Tracking the entire

path taken along the CFG allows the checking of calling location, making sure the function has returned to the correct caller.

If the stack is attacked the return address can be re-written to point to existing code, or instructions placed in data (this is usually protected for by read  $\oplus$  write). This is a well-explored area in computer security with various existing solutions including stack canaries, NX bit and Address Space Layout Randomisation (ASLR).

#### **1.1.4** Loops

Loops are problematic in terms of CFGs. Modelling a loop which could run indefinitely is simply not feasible if full coverage is to be achieved. Various methods have been used to approach this, with some [4] simply compacting loops (this presents issues where an attacker can continually run a loop until they reach the desired outcome, such as performing an exhaustive search on passwords) while others [5] track loop metadata such as iteration count for each unique path taken through a loop.

#### 1.2 Attacks on hardware

Attacks on hardware are amongst the hardest attacks to mitigate against, as having direct access to memory or even cache memory can enable an attacker to bypass many protections (for example software-based protections). Hardware attacks can be used to capture the leaking of cryptographic keys, which presents a problem, particularly for attestation where a typical attestation report is signed using a signing key or when a symmetric key is used for encrypting or applying a MAC to the attestation report. The basis for this section stems from [6] where attacks on hardware which are applicable to embedded systems are well explored.

#### 1.2.1 Invasive Attacks

An invasive attack occurs when a microprocessor is removed and attacked directly through physical methods. In theory any microprocessor can be attacked in this way however it does require expensive equipment and a large investment in time.

One example of an invasive attack is probing bus lines between blocks on a chip (with a hole being made in a chip's passivation layer). Here, secret information is derived by observing information sent from one block to another. An extreme example of an invasive attack is using a focused ion beam to destroy or create tracks on the chip's surface. This could be used to reconnect disconnected fuses (this is a threat to the use of PUFs (see 3.4.2 for more details) where fuses are used to deactivate PUF derivation circuits). Fuses can also be used to turn off test modes which are used to read/write to memory addresses during manufacture. Modern solutions avoid this vulnerability by removing test circuits from the chip when it is cut from the die during the manufacturing process [7],[8].

#### 1.2.2 Semi-Invasive Attacks

Semi-invasive attacks require the surface of chip to be exposed, however the security is compromised without directly modifying the chip. Examples of semi-invasive attacks include observing electro-magnetic eminations using a suitable probe [9],[10], injecting faults using laser [11] or white light [12]. Numerous more have been discussed in literature [13].

#### **Fault Injection**

Variations in supply voltage may cause processors to misinterpret or skip instructions [7],[14], this is applicable to control-flow as the misinterpreting or skipping of instructions are attacks used to subvert the control-flow of applications. Variations in external clock can cause data to be misread [7],[15],[8] (i.e. data is attempted to be read before memory has time to latch-out correct value). This can lead to the missing of instructions, which can be an attack vector if software is written in an insecure manner (such as aborting an operation if an if check is successful). Extremes of temperature can cause unpredictable effects in a microprocessor [16],[17]. Two examples of these effects are random modification of RAM cells due to overheating and read write temperature thresholds in most non-volatile memory (NVM) not coinciding [11]. In this case if the temperature is set to a level where write ops work but read do not a number of attacks can be mounted. Laser light can be used where light arriving on a metal surface induces a current, which if intense enough could induce a fault in a circuit [18]. White light has been proposed as alternative to laserbased attacks [7],[12], however as it is not directional it is challenging to focus on a particular areas of a microprocessor and therefore provide a targeted attack. Electromagnetic flux has been used to change values in RAM, where strong eddy currents can affect microprocessors although this has only been observed in insecure microprocessors [19].

```
int CheckNumberOfAttempts(int attemptCount, int attemptLimit)

if (attemptCount => attemptLimit)

return -1;

ContinueLogin();

return 1;

}
```

LISTING 1.2: An example of code which is vulnerable to skipping of instructions

The effects of fault injection include resetting data where data is forced to a blank state, data randomisation where data can be changed to a new random value and modifying of opcodes where instructions executed on a chip's CPU are changed which often has the same effect as previous examples but additionally allows for the removal of functions and breaking of loops [7]. Countermeasures given in [11]

#### 1.2.3 Non-Invasive Attacks

Non-invasive attacks can be used to derive information without modification of hardware through information that leaks during computation of a given command, or attempting to inject faults in manners other than light. Examples include monitoring power consumption [20],[21] and injecting faults by glitching the power supply [7],[11].

#### 1.3 Software attacks

Attacks on software represent a likely threat to the security of embedded systems as they can be carried out remotely or simply stumbled upon (fuzzed). Once an exploit is discovered it is highly repeatable and can be crafted into a number of different attack methods. Embedded systems can be more vulnerable than other computer systems due to the language used to write applications - C. As C provides the developer with memory operations but, as a result, also presents the attacker with an opportunity to exploit any bugs in the code, usually by manipulating memory.

#### 1.3.1 Common software attacks methods

The aim of a **buffer overflow attack** is to manipulate control-flow information stored on the stack and heap of a program in order to achieve further objectives, examples of such information could be return addresses or other variables on which the basis of decisions are made (e.g. if statements).

When performing an **injected code attack**, control flow is diverted to existing injected code (usually as data). To mitigate against this, NX bit can be implemented which marks data memory as non-executable.

Existing code such as system functions or sequences of code which, when combined, have unintended consequences can be the target of a deviated control-flow. This is known as a **code re-use attack**. See also return oriented programming and return-to-libc attacks.

An attacker can string together (ordinarily benign) existing code sequences to form gadgets, which can result in malicious program actions. This attack is referred to as **return-oriented programming (ROP)**. This is done through changing the return addresses on the stack to point at each snippet of the code sequence.

An attacker replaces the return address on the stack to one which contains subroutines which already exist in memory (**return-to-libc**) such as functions which allow the execution of shell commands. libc refers to the C standard library.

**Pointer subterfuge** is where the value of a pointer is modified by an attacker, there are various methods of achieving this and various points of attack. The simplest example is overrunning a buffer which is next to data in memory which is later assigned to a pointer as shown in listing 1.3 [1].

```
int main(){
  int *ptr = ...;
  int val = ...;
  char buf[16];

gets(buf);

*ptr = val;
  return 0;
}
```

LISTING 1.3: An example of code which is vulnerable to pointer subterfuge [1]

**Non-control data attacks** involve corrupting data which is used to decide on control flow, for example in a comparison in an if statement. These usually produce unintended yet valid program flow, however there are examples which do not induce unintended flows (yet still allow an attacker to achieve their objectives), this is discussed in detail by Shacham [22].

## 1.4 Problem Description

#### 1.4.1 Introduction

CFI has been a persistent problem in computer security, with examples of attacks including return oriented programming, stack overflows and hardware-based attacks (see 1.2). Several means of defence have been designed to address some or all of the problematic results (see 3.3). These include:

#### Prevention

Where violation of the control-flow integrity is prevented before it occurs. Methods include:

- Read  $\oplus$  Write memory, which prevents the execution of data memory and the overwriting of memory containing executable instructions.
- Encrypted instructions, which enforce decryption based on a particular order of instructions following the application CFG.

#### **Detection**

Where processes are put in place to detect a violation of control-flow integrity and act upon detection, in this instance the intention is to catch the violation before too much damage has been done. Methods include:

- Stack canaries, which detect ROP attempts therefore preventing violation of CFI.
- Shadow stacks, which aid in preventing return-oriented programming by detecting ROP attempts and assist in preventing violation of CFI
- Software-based CFI, which adds checking of calling IDs between each basic block to ensure they are permitted within the CFG. This was first discussed by Adabi et. al [4] and has been subject to a large amount of subsequent research.

#### Attestation

Where a third party (verifier) receives a report, which could only have come from the device (prover), stating either that the control-flow integrity has not been violated or describing the taken control-flow (therefore allowing the verifier to compare against the CFG to be sure that control-flow integrity has been maintained). Example methods include:

 Basic-block IDs are hashed to create a hash chain representation of the control-flow path taken. • Instructions are intercepted by secondary hardware monitor to take flow measurements, comparing these to the valid instructions as described by the CFG.

#### **Data-flow integrity**

Data flow integrity [23] is a measure used to ensure that data only flows in the correct direction from authorised callers. This can be used to ensure only the correct caller has changed an important variable - for example one which a decision is based on (e.g. inside an if statement), this can also be used to protect the stack. In [23] the solution maintains a table for each piece of data accessed with the address of last accessor. If the last accessor is not within the legal list a security failure exists and an exception is thrown.

Dynamic taint analysis [24] is another method used to detect and prevent control-data and non-control-data attacks by labelling data as untrusted and tracking that data to make sure it is not used to determine program execution. With dynamic taint analysis there is no need for source code, however it does yield false positives, has a high overhead and requires additional hardware support as noted by Castro et al. [23].

#### 1.4.2 Auditing control-flow

CFI prevention and detection has proven to lead to a slight computational overhead [2] and a large storage overhead (if the CFG were to be stored locally), while attestation requires an always-on connection. What if we can store the control flow of an application on a hard disk, which can be retrieved later? This could be useful to prove to a third party that a disputed result of a computation is correct (or at least the steps taken during the computation was correct), or providing a record of the control-flow which has been taken during the execution of a vitally important operation.

Keeping audit records of control-flow could also be useful for spot-checking inaccessible devices which have no internet connection, such as industrial control systems (ICS) components or medical devices which can only be communicated with during medical check-ups.

So, while we would not provide immediate detection or real-time attestation, the contents of the audit file can be compared with the CFG for an application at a later time. This could also be useful for reducing computing requirements as comparisons could be appropriately scheduled for the efficient use of processor time, rather than being performed on an ad-hoc basis as required by some attestation methods.

## 1.5 Project Objectives

The objectives of this project are to investigate and implement a solution for audit of the control flow of applications.

The solution will statically attest the application before including this in the result in dynamic results of the control-flow monitoring. It will store this result and a signature/MAC on the long-term storage of the device.

In this section we will define the requirements which we will aim to meet with the solution proposed as a result of this project. These have been built up using the literature for CFI and attestation methods as well as the requirements identified from the attack model.

#### 1.5.1 Practical Requirements

- 1. Compatible with compiled binaries: where the original source code does not need adjusting to be compatible with the solution.
- 2. Compatible with external libraries: similar to compatibility with compiled binaries but with the added constraint of no access to the external library source code.
- 3. Compatible with embedded systems: a crucial element as the solution is aimed at solving the problem for embedded devices.
- 4. Granularity: the solution should (at a minimum) be able to keep track of transitions between basic blocks (including direct branches).

#### 1.5.2 Security Requirements

- 1. An attacker must be detected if they change the sequential order of instructions. Reordering instructions can be used to bypass cryptographic protections (similar to ECB vulnerabilities) to achieve the attackers goals.
- 2. An attacker must be detected if they change the execution order of basic blocks. Reordering BBLs can be used to execute code in a manner which violates the control-flow graph.
- 3. **An attacker must be detected if they skip instructions** Skipping instructions can be used to bypass checks.
- 4. An attacker must be detected if they subvert control flow to existing code (e.g. return-to-libc) Subverting control-flow to external existing code could enable an attacker to perform functions not permitted through normal usage of the application.

#### 1.5.3 Attacker Model

We assume that attacker may have direct access to memory but not internal registers, they cannot break cryptographic protections and that cryptographic keys can be safely stored. This level of attacker has been referred to as the Dolev-Yao attacker model [25] by [26].

## 1.6 Project Structure

This project will be broken down into three sections. Chapter 2 describes Control-Flow Integrity including construction of control-flow-graphs, the prevention of CFI corruption, the detection of CFI corruption and how CFI is attested. Chapter 3 looks into the background existing literature surrounding the subject. Chapter 4 identifies some key requirements we need and compares the

existing solutions against them. Chapter 5 will describe the theory behind the proposed solution. In chapter 6 we will perform a security evaluation on the proposed solution. Chapter 7 will provide the conclusion and a recommendation for directions for further work.

## 1.7 Chapter Summary

Control-flow is the way in which a program transitions between its instructions, being directed by programming mechanisms such as conditional statements, loops and functions. A useful method of breaking an application down is to look at sections where instructions execute sequentially from beginning to end, where there is no opportunity for execution to be diverted elsewhere within the program (for example, through a function call or switch-case statement). These sequences of instructions are called "basic blocks" (BBLs) and are separated by different kinds of branches described (with each having well-understood attacks designed to exploit them).

A control-flow graph (CFG) is a graphical representation of all of the legitimate transitions between BBLs within an application. In graph theory terms, BBLs are represented as vertices and transitions are represented as edges. A further detail to note is that CFGs are in fact digraphs, where the edges have a direction associated with them. Control-flow within an executing application is only valid when all execution follows the application's CFG, so a violation of a CFG represents a violation to the legitimate control-flow of the application, known as control-flow integrity (CFI).

Hardware and software attacks have been tailored to provide attackers with methods of violating CFI. Hardware attacks are very powerful, and represent a dangerous threat to the CFI of embedded systems. While hardware attacks are a threat, they also typically require expensive equipment, specialist technical skills and cannot be carried out en-mass. Software attacks on the other hand, while still requiring specialist technical skills, can be achieved using personal computers and scripts containing the exploit, can be repetitively used against a number of targets and can be sold on to other attackers with similar objectives. It is therefore reasonable to direct efforts of defence towards software attacks, however the threat of advanced technical attacks should not be ignored (particularly for critical devices which are situated in unsecure environments.

The problem this project aims to address is that of auditing control-flow integrity. Control-flow integrity and attestation of control-flow are well-explored in existing literature, however providing audit records would enable us to apply these principles to devices without the requirement to have a live connection with a verifier or without the introduction of computational overheads due to checks put in place to ensure run-time CFI.

# Chapter 2

# **Embedded Systems and Control Flow Integrity**

In this chapter we begin by gaining a basic understanding of embedded systems and how they are used. This knowledge is used to frame the project and anchor it towards the constraints of implementing an embedded system-based solution. Control-flow integrity (CFI) is then discussed in deeper detail than when first introduced in this project's introduction and approaches for ensuring the protection of CFI are identified and explored.

### 2.1 Introduction to Embedded Systems

In this section we will define embedded systems, their uses, understand their key properties or criteria and describe some common implementations.

#### 2.1.1 A Definition of Embedded Systems

Embedded systems are small-form, low power computer systems. A useful way of defining them is to compare an embedded system with a PC [27]. To asses them from this angle, embedded systems are:

- Dedicated to specific task (PCs are generic computing platforms) where a change of task will
  usually require redesigning the entire system.
- Supported by a wide array of processors and processor architectures.
- Usually cost sensitive.

#### They also have:

- Real-time constraints embedded devices may not have an operating system, but if they
  do it will most likely be real-time operating system (RTOS). It should be noted that with
  the introduction of IoT devices this has become less of a constraint, with standard Linux
  distributions such as Ubuntu becoming more prominent.
- Implications of software failure far more serious than desktop systems (due to their usage).
- Electrical power constrains they may be battery powered, powered other Ethernet or arranged in a bus network sharing a single power supply.

- The ability to operate in extreme conditions.
- Far fewer system resources.
- Storage of software in ROM.
- The need for specialized tools and efficient design methods.
- Dedicated debugging circuitry.

Another important point for comparison is that control-flow integrity protection is already well considered in PCs. For example, Microsoft has implemented Control Flow Guard for C/C++ in Visual Studio 2015 which can run on x86 and x64 releases of Windows 8.1 and Windows 10 for both desktop and server [28].

#### 2.1.2 Uses of Embedded Systems

Embedded systems are ideal for applications where the computer system has a single role - for example in traffic lights, where the flow of traffic needs to be monitored and the timing of the light sequence needs to be controlled. The low power consumption of embedded systems makes them ideal for use in personal medical devices (which can only have small batteries) such as insulin injection pumps, or as part of a collection of sensors which are served by a low-voltage bus, for example automotive systems.

The small-form (and corresponding low-weight) means they are a good candidate for use in aeronautics, such as sensor controllers on aircraft or flight computers in missiles.

Consumer IoT also makes use of embedded systems, exploiting their low cost, power consumption and small footprint to add smart functions to what have historically been simple devices such as kettles or fridges.

#### 2.1.3 Common Implementations of Embedded Systems

A large number of manufacturers have an interest in embedded systems. A big player is ARM with their Cortex-M Series of CPUs, one example of these being used is in the Pebble smartwatch<sup>1</sup>.

Another common base for embedded systems are field programmable gate arrays (FPGAs) which are essentially software defined circuits. These can be set up in a variety of ways, but in modern applications they often utilise soft-core processors - where FPGA code is used to define a processor (for example following the RISC-V instruction set).

#### 2.2 ARM TrustZone

#### 2.2.1 An introduction to ARM TrustZone

ARM TrustZone is a method used to separate "secure" applications from non-secure ones in two separate worlds, where memory can be designated as *secure* or *not secure*. Execution is transferred

<sup>1</sup>https://www.ifixit.com/Teardown/Pebble+Teardown/13319#s45416

from each world either through interrupts or direct function calls. ARM TrustZone is very well described by Ngabonziza et al [29].

Secure world TrustZone applications have access to normal world memory, this will enable static attestation. A secure world application would need to supply the normal world application with a nonce to make sure the response is not a replay.

### 2.3 Control-flow Integrity

Control-flow integrity (CFI) was introduced in the introduction to this project. As it is a key part of this project we shall provide an in-depth discussion of its important principles. CFI is described as a security policy which states that software execution must follow a path of a Control-Flow Graph (CFG). CFI can be provided in a number of ways including signature modelling, shadow stacks and through the enforcement of basic block transitions along a CFG.

#### 2.3.1 Control Flow Graphs

Abadi et al. [4] introduced CFI as a method to protect the secure execution of software, using static analysis of an application binary to create a Control Flow Graph (CFG). Only control flow transfers which follow the CFG are permitted.

Clerq and Verbauwhede [2] posed CFGs as part of a solution for tracking instructions causing control flow transfers, however Lee et al. [26] note that they do not focus on sequential transitions. They argue that the method used in [2] (where forward edges are described as control flow transfers caused by jumps and calls, and backward edges are described as those caused by returns) is disadvantageous as by considering all jumps and calls equally there is a loss in distinction between jumps to register-determined and instruction-determined locations. They state that when implementing a scheme, instruction-dependant transitions are simpler to process than instruction-independent transitions. CFI schemes such as SEP [26] and SOFIA [30] go one step further to provide integrity protection for each individual instruction.

Adabi et al. [4] state that CFGs can be defined by analysis-type methods or explicit policies. Examples of analysis-type methods include source-code analysis, binary analysis or execution profiling. An example of an explicit security policy method is writing as security automata as seen in [31]. What is this???

CFGs have been used to provide protection against soft faults (single-event upsets) using software based methods [32],[33],[34]. The solution put forward by Adabi et al. [4] restricts control flow through in-lined labels and checks. The CFG is embedded through a set of static intermediate bit patterns in program code. The problem with this is that they are evaluated at the destinations of all branches and jumps but not at the sources. These fail to prevent jumps into the middle of functions (e.g. ones which bypass security checks such as access control).

The method described in [4] ensures that whenever an instruction transfers control, it targets a valid destination as determined by the CFG (ahead of time). When the destination is determined at runtime this must go through a dynamic check. Dynamic checks are enabled through the the

use of static analysis and machine-code rewriting, forming an instrumentation process. Machine-code is rewritten using modern tools for binary instrumentation in order to overcome the resulting new memory addresses which are the product of the rewriting process [35],[36].

Generating a CFG from static analysis is troublesome, and often an over-approximation is used which is not fully precise [37],[38], the survey [39] assists the understanding of CFG generation methods by classifying the precision of computing CFGs using different static analysis techniques.

#### 2.3.2 Hardware-based CFI

Hardware-based CFI is provided by the addition of dedicated hardware which is either included in the execution pipeline or intercepts the instruction flow from memory to the processor. We provide a survey of prominent hardware-based CFI solutions in 4.1.

#### 2.3.3 Software-based CFI

Software-based CFI was first introduced in the seminal paper by Adabi et al. [4]. This has been the foundation for further research surveyed by Burow et al. [39], which provides a detailed insight into the technical properties of a number of software-based CFI solutions.

#### 2.3.4 Alternatives to Basic Block CFG-based CFI

#### Signature modelling

Here, if a series of executed instructions do not follow the trace of the program's CFG the controlflow integrity has been lost. Yang et al. [40] describe this method through their implementation in software. They also performed a thorough analysis of various existing solutions. The methodology of signature modelling was successfully implemented using a hardware-based method in the work carried out by Werner et al [41].

A problem with signature modelling is that the number of unique sequences of instructions (and their accompanying signatures) accumulate very quickly, requiring more storage if they are to be used as a comparison. This is a particular problem when considering embedded systems due to their inherent limitation of storage capacity. Another difficulty is the necessity to compute signatures in real-time, which would require additional processing and therefore an increase in processing overhead. Although, as we have seen in other methods [42],[26], decryption is a common method of ensuring CFI, so perhaps this is not an unreasonable expectation.

#### Verification on transition

#### **Shadow Stacks**

Some have argued that ensuring CFI without the use of shadow stacks (SSs) [43], also known as shadow call stacks (SCSs) is an impossible task and that "the use of a shadow stack is mandatory for any practical CFI deployment". A shadow stack consists separate stack, stored in memory (protected or unprotected, depending on the solution), which contains just the return addresses. This solves the problem of ROP, especially when working with commonly called functions or system functions, as the implementation of the shadow stack ensures the calling function also has

to be the return function (at least until longjmp is used, which adds a further complication). There are some flaws with shadow stacks which include:

- Storage of shadow stacks can be cumbersome especially if they are to be secure (which they would have to be if memory access is an assumed capability of an attacker).
- Maintaining a shadow stack in multi-threaded systems will be troublesome searching through the SS for a process ID will add additional time overhead to any processing.
- Recursive functions can add multiple entries of the same return address to the SS, and this is an unnecessary addition so is reduced down to a single bit flag (or counter) by some solutions [43]. This can raise the problem of manipulating the number of recursions by an attacker, however it is argued by some that this is a very limited attack. Ref for number of iterations not being bad?
- Instructions such as longjmp will skip back through multiple return addresses, so this needs to be taken into account either by removing the instruction from the ISA or another method such as iterating through the SS until the return address is identified (with the above addresses then removed from the SS to maintain a proper representation of the stack).
- It has been found that shadow stacks can introduce an overhead of up to 13% [44], which when compared to the overhead values of 5-10% described in [45] as the limits for adoption proves to be problematic.

#### Other alternatives

Branch limitation is an alternative to CFG [46] [47]. Another alternative is Code Pointer Integrity described in [48] and implemented in [49],[50] and [45].

Generalised path signature analysis is described by [51] while [41] implemented it using an ARM Cortex-M3 microprocessor.

## 2.4 Chapter Summary

Embedded systems are a particular type of computer system which provide dedicated resources for specialist applications. Embedded systems often have small form factors, limited resources (such as less memory and slower processors providing only basic features) and are usually manufactured on a low budget. Due to these limitations they may not have fully functional operating systems, or may run specialist real-time operating systems. These properties mean that providing control-flow integrity (CFI) is not as easy at it is with general purpose computers, and due to the nature of the use of embedded systems (for example, personal medical equipment, sensors in critical systems and controllers for cyber-physical systems) the protection of CFI is extremely important.

Control-flow integrity (CFI) can be provided by a number of methods. One method is to closely bind the execution of an application with its control-flow graph (CFG). In order to do this a CFG needs to generated for an application and the execution of the application is controlled in a manner where it is compared against the generated CFG, if a violation is detected pre-determined

actions are carries out. Another method is to build up a path of basic block transitions, where the signatures of each block is added to a function which creates a signature for the entire path taken. The resultant signature is then compared against a collection of valid pre-calculated signatures (created during analysis). Shadow stacks are presented as a method of protecting against attacks on the return addresses stored on the application's stack, which if successful would violate CFI.

# **Chapter 3**

# **Background Literature Review**

This chapter analyses and summarises contributing and related academic work applicable to this project. In the first section we will discuss works which describe the problems to be addressed and existing solutions to said problems, this section also includes a subsection on FPGA security which makes for useful reading as many embedded systems are FPGA-based. The second section contains a brief look at other physical attacks not addressed in the first section. We then give a deeper analysis of a handful of existing solutions, some of which directly address binding of software and hardware and some of which focus on the related subject of secure software execution. The fourth section provides a brief introduction into some of the founding principles used in many of the solutions already described and should be useful knowledge to have with respect to this project.

## 3.1 Subject-matter Surveys

Many surveys on solutions which increase security for firmware/software in embedded systems have been completed. One such survey [52] focusses on existing mature solutions, while others [53], [54] and [55] provide a look at broader principles. All of these surveys also paint a picture of the attacks and threats which embedded systems face. Other surveys exist on the technologies described in this project, one such survey is [56] which focuses on FPGA security.

These subject-matter surveys will be discussed in 3.1.1 and 3.1.2 and a deeper analysis of some of the solutions presented will be discussed in 3.3.1, 3.3.2 and 4.2.

#### 3.1.1 Surveys on Existing Solutions for IP Protection and Secure Execution

A survey in to technologies designed to ascertain trust for embedded systems is provided in [52]. In this, the authors compare various technologies, some of which are mature and some in their infancy. Studied solutions include: Trusted Platform Module (TPM), Secure Elements(SE), hypervisors and virtualisation (e.g. Java Card and Intel's Trusted eXecution technology), Trusted Execution Environments (TEEs), Host Card Emulation (HCE) and Encryption Execution Environments (E3 - which has also been directly discussed in [57]). The paper's authors set out a series of criteria which solutions are tested against, including such criteria as "Centralised Control', where the trust technology is under the control of the issuer or the maintainer, and "Remote Attestation"

where the trust technology provides assurance to remote verifiers that the system is running as expected. The paper goes on to describe each technology in a small amount of detail and populates a matrix of technologies vs. criteria.

In a survey of anti-tamper technologies [53], a series of *cracking* threats and software and hardware protection mechanisms are described, many of which apply to embedded systems. Such threats include:

- Reverse engineering, achieved through a variety of methods including gaining an understanding of software or simply *code lifting* where sections of code are re-used without understanding of their functionality;
- Violating code integrity, where code is injected into a running program to make it carry out illegal actions outside of the desired control-flow of the program.

Hardware solutions described include: using a trusted processor used to secure the boot of the system, using hardware to decrypt encrypted software from the hard-drive and RAM, using a hardware *token* which is required to be present for the software to run.

The advantages of using hardware solutions include: using a complex CPU which is difficult to defeat while not redirecting resource from the processor used for standard operation, it is more costly to repeat attacks on hardware than it is for software (physical access is required each time) and secure hardware can also control which peripherals can be connected to the system and which software (signatures) can be allowed to run. There are some disadvantages of using hardware solutions which need to be considered, including:

- Secure data traversing the secure to non-secure boundary needs to be encrypted (which creates an additional overhead for the main processor)
- Hardware solutions tend to be inflexible and less secure than commonly assumed
- Additional components can add to the cost of manufacture, which is a high priority for embedded systems design.

#### Software solutions described include:

- Encryption wrappers, where all or just the critical portions of software are stored in a ciphertext form and dynamically decrypted. The value of this is that the attacker will not see all of the source program at the same time, however they can piece it together through snapshots or simply learn the encryption key/s. This paper does not cite any references for the subject of encryption wrappers, which could suggest that encryption wrappers are not widely researched;
- Code obfuscation, where the look of the code is adjusted to make it not easily readable or understandable by the attacker but performs in the same manner;
- Software watermarking and fingerprinting, which can be used for proof of ownership or authorship and for finding the source of leak of the software;

3.2. Attacks 19

Guarding, which is the act of adding code purely to perform anti-tamper functionality. An
example of guarding is comparing checksums of running code to expected value and performing certain actions if they do not match. It is recommended that guarding is implemented automatically rather than manually as providing sufficient coverage is a complex
task. It is also noted that a guard should not react immediately so as to not reveal the point
in the code which triggered it.

The paper also describes a series of steps to take when using anti-tamper technology as put forward by the "Defence Acquisition Guidebook" created by the Defence Acquisition University [58].

A similar survey [54] covers three types of attacks: reverse engineering, software piracy and tampering, which it describes as "malicious host attacks". To defend against such attacks the paper states three corresponding defences: code obfuscation (as well as anti-disassembly and anti-debugging measures), watermarking and tamper-proofing. The authors note that they could not find a wealth of information on tamper-proofing at the time of writing (2002) but they do draw an interesting parallel with the anti-tamper mechanisms used in computer viruses.

#### 3.1.2 Defence against fault injection

A series of high-coverage tests for security protections against fault injection attacks were run and described in [55]. It describes 17 different countermeasures, including: countermeasures protecting the data layer, combinations of data protection methods, countermeasures protecting control flow layer, combinations of control flow protection methods and combinations of data and control flow protection. To test these methods the authors produced a high number of simulated fault injections on a simulator of an ARM-Cortex-M3 processor running a benchmark application representing a bank card.

The experiments found that a combination of redundant condition checks (such as data duplication) and source and destination IDs reached the best coverage with moderate performance overhead. They also found that simple ID-based inter-block control checking were able to outperform more sophisticated (and complex) methods such as Control-Flow Checking by Software Signatures (CFCSS) as seen in [41] and Assertions for Control-Flow Checking (ACFC) seen in [59].

#### 3.1.3 FPGA Security

An excellent high-coverage survey on FPGA security is provided in [56]. Its contents include the background of FPGAs, attacks associated with FPGAs, defences for protecting FPGA implementations (existing at the time and ongoing research) and many more.

#### 3.2 Attacks

The following are some examples of analysis of threats, all of which are aimed towards disrupting the flow of software, the likes of which are the focus of secure software execution solutions.

Attacks which can be used to break instruction-level countermeasures are described in [60]. This paper discusses various attack countermeasures and how these are circumvented. The only countermeasures addressed in this paper are algorithm-level and instruction-level (both of which are mostly redundancy-based). This paper suggests that a purely software-based countermeasure could be a futile defence.

Findings that physical faults can be injected in a non-random manner and in a low cost environment are presented in [61]. This contradicts assumptions made in many of the examined solutions that physical attacks are too costly. It finds that instruction-skipping attacks create a vulnerability to skipped-instruction errors (which, it could be argued, drives the motivation behind control-flow monitoring right down to the intra-block level).

Further details on side-channel attacks, as well as a brief description of the security concerns associated with FPGAs are provided in [62].

#### 3.3 Solutions

A myriad of creative technical solutions have been put forward which address the problems already discussed. They can be placed in to one of two categories - binding hardware 3.3.1 ([57], [63], [64] and [65]) and software or secure software execution 3.3.2 ([41], [66], [67] and [68]). Hybrids of the two approaches are presented in [69] and [70].

#### 3.3.1 Binding Hardware and Software

Hardware software binding is a technique where hardware and software a co-designed in such a way that software needs to be tailored to run on an individual instance of hardware. The same principle works the other way in that an individual piece of hardware will not execute software unless is it specifically tailored to it.

The first piece of work we consider is [57]. The problem the paper aims to address is device counterfeiting. An example of the requirement for binding of hardware and software is for Graphics Processing Units (GPUs), where GPUs are fabricated and then tested on their operating performance and subsequently graded. Once graded, the GPUs are loaded with firmware which controls their voltage and clockspeed. The paper states that firmware aimed towards the superior graded GPUs could be installed on lesser graded devices, which would then be rebadged and sold on as superior GPUs.

The attacker described in [57] is one which has several special attributes: they have physical access the the device, access to the device storage where they can read and copy the entire contents of memory, they are able to use hardware which has been built to the exact specifications as the original hardware and they can "read and copy any data which is loaded onto any of the buses which make up the embedded system". The attacker's aim is to either create a counterfeit platform which performs and functions in the same manner as the original or to install software retrieved from the legitimate product onto different (counterfeit) hardware.

The method presented in [57] uses a function applied to either the previous contents of memory or a randomly generated number to produce a mask which is applied to the program instructions

3.3. Solutions 21

residing in memory. The intention is that the CPU unmasks the contents as part of the execution process prior to actually carrying out the operation. The paper discusses the options for the mask-creating function, suggesting the use of hash-functions, PUFs, or block ciphers before finally selecting PUFs due to their intrinsic nature. The act of masking the software has been undecided in this paper, which suggests that either the software is masked prior to loading or is masked during the loading process. The paper's author describes the provisioning process in a further paper [71].

The second piece of work we consider is [63] where the goal is to "protect against intellectual property (IP) extraction or modification on embedded devices without dedicated security mechanisms". In this paper the attacker is aiming to extract IP (in the form of software or secrets) stored on the device. The attacker may use this information in any of the following ways: they may implement the extracted information on counterfeit devices, they may modify the software or data to remove licensing restrictions or unlock premium features, they may downgrade to earlier firmware versions in order exploit previous vulnerabilities, they may wish to alter firmware to capture valuable data such as password, change output data such as readings on smart meters or reveal secrets such as cryptographic keys.

## although how does this help with this? I suppose the earlier firmware would have to have been taken from the same device.

In [63] the attacker is assumed to have physical access to the device, can read the contents of external memory and can inspect and modify on-chip memory values. The assumed limitations placed on the attacker by the paper are that the attacker cannot change the code of the boot-loader as it is stored in a masked read-only memory (ROM), they cannot replace the ROM chip with one with a boot-loader under the attacker's control (as the ROM chip would be heavily integrated on a system-on-a-chip (SoC) so would require skill levels outside of those expected of the attacker) and finally the attacker cannot read the start-up values of the on-chip SRAM during start-up which are protected by the boot-loader and are erased once read by the boot-loader.

#### How are the start-up values on the chip protected?

The method described in [63] heavily utilises PUFs created using the SRAM start-up values to derive a key used to decrypt the firmware. The firmware is decrypted by the the boot-loader before being loaded and executed. The system was implemented on a SoC platform using a two-stage bootloader (u-boot). The paper's authors provide an extensive review of SRAM PUFs for ARM Cortex-M and Pandaboard's IMAP and includes a description of Fuzzy Extractor design used by the solution.

#### are the where are the plaintext instructions now stored?

The third piece of work [69] has not been published in a well-established journal however the authors have been invited to present their findings in [72]. Here the problem of injection of malicious code is also addressed, as well as prevention of code reverse-engineering. This paper uses secure execution to bind hardware to software.

The attacker identified in [69] has physical access to the processor, peripheral connections and they can read out contents of memory or registers. They are also assumed to be able to place

arbitrary data into the main memory of the processor (either locally or remotely). Attacks comprising denial-of-service (DoS)achieved by, for example, injection of random invalid instructions and hardware side-channel attacks have not been addressed.

The method described has been labelled "Secure Execution PUF-based Processor" or SEPP. The operating principle of SEPP is the encryption of basic blocks (which have exactly one entry point and one exit point) which make up programs. The blocks are encrypted using a symmetric cipher in CTR mode with the parameters set in relation to instruction location within a block and the block's location within memory. The key used for this encryption is set by the user. SEPP utilises a ring-operator (RO) PUF to create a new key used to encrypt the user's key. The decryption module is included in the instruction fetch stage of the processor's pipeline and makes use of first-in, first-out (FIFO) buffer to store encryption pads before they are needed by the processor (therefore making use of spare time provided by instructions which take more than one processor cycle). This system also implements u-boot as a bootloader which has been modified to provide the functions of the security kernel. It appears that due to the nature of this method (the device tailoring the software to itself), it does not prevent malicious uploading of a new program to the device which it then processes.

Where us Ku (the user key) stored? As it is used to decrypt it is surely readable by the attacker? If so the programmer could be extracted and decrypted.

The fourth method identified in [70] has identified illegitimate reproduction as a problem that requires a solution. It also identifies modification of software to bypass the need for purchasing a license for particular features as another attack scenario. Here, the attacker has the ability to read and modify the content of external memory such as flash memory or RAM. They can also do the same with internal memory including software with hard-coded secrets and cryptographic keys. The method consists of four basic mechanisms: two check functions and two response functions. The first check function hashes the native program code and compares this to the current running code. The second check function uses a SRAM-derived PUF to measure the authenticity of the device. If these functions indicate that either the software is not in its intended state or is running on the incorrect device, the first response function adjusts the flow of the program to move in a random manner and the second response corrupts the program's execution stack. Both response functions are designed to cause a malfunction in the program. One has to question the safety of having a program jump to a random block.

The fifth method described in [64] is developed to protect against IP theft or reverse engineering. This paper does not describe the attacker but makes the assumption that they will not be able to access the PUF-based key used for encryption as it is internal to the FPGA. This method uses an obfuscated secure ROM to start the boot process, checking and running the integrity kernel which decrypts and runs the software using the PUF-based key. In my opinion, the problem with this solution is the reliance on an obfuscated ROM. This is because once there is an understanding of a ROM it could be possible for malicious software to be written in a manner that is accepted by the boot program in ROM.

So is is the obfuscated ROM the same on each chip and will it be able to be understood in order to create malicious integrity and security kernels or just the software? Also once decrypted where

3.3. Solutions 23

#### are the plain text instructions stored?

An honourable mention should be made for [65] which was published in 2006 and led the way in using PUFs to secure software and also clearly describes the enrolment process with defined message exchanges.

Actually why have I ranked this one so low? If it's just because of its age I should re-review.

#### 3.3.2 Secure execution

Secure software execution (or control-flow security/integrity) has the goal of preventing the desired results of attacks against program control flow, which aim to use physical attacks to make the execution of running programs jump to blocks which should not be running at that particular time (e.g. an administration function).

The first solution, [41] raises the point that most research on fault-attacks has been aimed towards cryptographic functions which result in gaining knowledge of the secret key. This paper takes this further by considering the modification of games consoles to make them skip the function which checks the validity of loaded software. The paper focuses on securing against fault-attacks.

The method mainly utilises control-flow integrity to solve the stated problem. The basic principle behind control-flow integrity is the understanding of the basic blocks of a making up a program. The blocks will transition into one another creating control-flow. This flow can be described as the control-flow graph (CFG) and a correctly functioning program will abide by this graph. The signature of the program flow is created and compared against the expected value according to the CFG. The solution provides assistance to C programmers in that it automatically inserts signature updates, although programmers can also insert them manually for critical sections of the program. This functionality has been provided via the editing of LLVM compiler. If using assembly code the programmer must manually insert signature updates whenever branches, loops and function calls are encountered. The control flow signatures are calculated through a recursive disassembling approach. In order to check the running program's integrity a "derived signature" is calculated on the running code's path, this can then be compared to the corresponding derived signature of the intended route of the CFG. Important principles introduced in this paper (along the same lines as CFG) are generalized path signature analysis (GPSA) and continuous-signature monitoring (CSM). This paper does require modifications to be made to Cortex-M3 architecture.

#### Should I directly address GPSA and CSM?

#### How hard is this/ how is this done? Perhaps need more info on processor architecture

The second paper [66] (ConFirm) states that "given the critical role of firmware, implementation of effective security controls against firmware malicious actions is essential", having read the various prior examples seen we can safely agree with this.

The attacker is assumed to have the ability to inject and execute malicious code, or call existing functions not abiding by the control-flow graph. These attacks are assumed to be possible either on-line or off-line (which would require a device to reboot after uploading of a malicious firmware

image) and depending on the design of the device the firmware alterations could be achieved locally or remotely.

The method employed revolves around making use of hardware performance counters (HPCs) which count various types of events. The HPCs are utilized in conjunction with a bootloader (which sets checkpoints, initialises an HPC handler and contains a database of valid HPC-based signatures). While the program is run, HPC values are checked once checkpoints are reached (checkpoints are placed at the beginning and end of each basic block, as well as one randomly inserted between). The checkpoints actually redirect the control flow to the ConFirm core module to compare the HPC value with those stored in the database containing valid values. If the check fails ConFirm will report a deviation, which could be used to run a fault sequence, such as "rebooting the system, generating an alarm and disabling the device".

#### If the database is stored in RAM how is it updated when new FW is released?.

The third paper [67] approaches secure execution from a slightly different direction: remote attestation. It aims to provide remote attestation of an application's control flow path during operation. The paper excludes physical attacks and instead focusses on execution path attacks. They assume that the subject device features data execution prevention (DEP) such as read  $\oplus$  write and a secure trust anchor that provides an isolated measurement engine and can generate the fresh authenticated attestation report.

The method builds a hash of the path taken from node to node which is then reported to the verifier. Loops are dealt with in a novel manner to work around the issue posed due to the infinite hash available when the number of iterations of a loop is set dynamically.

#### Read more into this Could this be a good project basis?

The fourth paper [68] lists various attacks, ranging from buffer overflow attacks to physical attacks. Their method measures inter-procedural control flow, intra-procedural control flow and instruction stream integrity. Control flow monitoring is provided by an additional hardware element which tracks instruction addresses and compares them to known acceptable values stored in lookup tables. Instruction steam integrity monitoring utilises the lookup tables in addition to corresponding hash values of the basic clock. If a violation is discovered it is reported to the processor which should then terminate execution of the current program. Details of the violation are included in the report to the processor to enable a finer-grained view of the violation.

#### 3.4 Primitives

### 3.4.1 Control-flow Graphs

The use of control flow checking for accidental program flow changes is considered in [59], and explains the basic principle well. It describes basic blocks, control-flow between blocks, how these make up program graphs and finally how these graphs can be used to indicate control-flow error. The paper presents two existing error detection methods but finds faults in both so presents a novel solution addressing the previous solutions' shortcomings.

Chapter 9 of [73] contains a wealth of information on data-flow and will provide a good basis for understanding both the essence of data(control)-flow and how compilers use them for code optimisation. This chapter should be referenced in order to gain a meaningful understanding of control-flow.

#### 3.4.2 Physical Unclonable Functions (PUFs)

A huge amount of prior research has been undertaken into PUFs and their application towards security in embedded systems. One very good overview is the PhD thesis [74], which provides a thorough examination into most aspects of PUFs including the types, analysis of each type in terms of uniqueness and reproducibility and uses including entity-authentication and key generation.

Much of the literature ([57], [63], [69], [70], [64] and [65]) already described explain the use of PUFs and their reasoning behind their choice in PUFs.

### 3.5 Chapter Summary

In this literature review we have seen the reasons why the security of firmware of embedded devices is an important matter which needs to be addressed. We then saw reviews of existing solutions and introductions to primitives used. After an introduction to potential physical attacks we then provided an in depth review of solutions which enabled the binding of hardware and software and solutions which provide secure software and attestation of code. Finally we looked at two primitives which were prominent in many of the solutions examined.

## Chapter 4

## **Comparison of Solutions**

This chapter is focussed on carrying out comparisons of various solutions related to the project subject matter, this is to assist us in understanding which approaches will be most useful for producing the proposed solution. The first set of solutions to be compared are ones which provide control-flow integrity and control-flow auditing. They will be assessed against a set of predetermined requirements, and we also compare key properties of the solutions. The second set of solutions are ones which provide static attestation. These will also be compared against a predetermined set of requirements and properties.

# 4.1 Comparison of solutions providing Control-Flow Integrity and Attestation

#### 4.1.1 Established Criteria

We will consider each solution described in 4.1 against a set of requirements closely resembling those defined in 1.5. These requirements have been decided based on their relevance to this project and as a method to different each solution from one another.

#### Requirements

The requirements included as established criteria are:

- (1) Works with compiled binaries: software does not need to be recompiled to be compatible with the solution.
- (2) Works with external libraries: libraries can be used without the need to access their source code
- (3) Can be used to bind software and hardware: would allow for future functionality of binding software to hardware.
- (4) Works with embedded systems
- (5) Immediate identification: whether the solution can identify a breach in CFI as soon as it occurs.
- (6) Not reliant on TPM: Embedded systems are resource-constrained and therefore may not have TPMs.

#### **Properties**

The properties of each solution which are of particular interest are:

- (1) Hardware based: The solution is implemented through hardware.
- (2) Software based: The solution is implemented through software.
- (3) Source code modification required: Source code needs to be changed for implementation.
- (4) Granularity: How granular the control-flow is examined, e.g. individual instructions or basic blocks.
- (5) Provisioning method: How software is updated.
- (6) How it is secured?: What is providing the security.
- (7) CPU Overhead
- (8) Storage overhead
- (9) Memory overhead
- (10) Execution time overhead
- (11) Compatible architectures
- (12) Action after identification of a CFI violation
- (13) Prevention/Detection/Attestation
- (14) CFG or other: Whether the solution makes use of CFGs

#### 4.1.2 Solutions Presented

The following solutions have been selected for comparison due to their prominence in research literature and their relevance to the subject of this project. We will provide a brief description of each solution prior to presenting them in a table against the requirements and properties defined in 4.1.1.

#### **C-FLAT**

C-FLAT uses ARM TrustZone to facilitate control-flow monitoring and attestation [67]. Binaries are re-factored to enable normal-world programs to log control-flow changes with a measurement engine operating within the "secure world" (via trampolines set up in the "normal world"). Control-flow edges are hashed together to form a hash of the complete control flow. Loops are handled as their own sub-program which require separate meta data to be gathered and included in the attestation report. This solution requires code instrumentation but also requires programs to not use LR as a general purpose register, where the use of the -ffixed-lr compilation option in GCC¹ is recommended, for example.

#### **LO-FAT**

LO-FAT implements a hardware-based solution which monitors control-flow instructions by collecting the program counter and instruction executed for each clock cycle, then filtering out branch, jump and return instructions [5]. LO-FAT follows a similar method as C-FLAT where a hash is built up of each control-flow operation, along with special meta data for loops. It uses additional hardware components (designed onto an FPGA - Virtex-7 XC7Z020) to operate alongside the main

 $<sup>^{1}</sup> https://gcc.gnu.org/onlinedocs/gcc-4.6.1/gcc/Global-Reg-Vars.html \\$ 

processing unit. Through the use of these components (almost co-processors) the solution is able to run alongside normal operations, therefore removing the burden of additional instruction executions and the requirement for software instrumentation (a process of changing the contents of software to meet the requirements of the solution).

#### **Secure-Execution Processor (SEP)**

SEP uses encryption of each instruction which takes the previously executed instruction as an input to the decryption algorithm [26]. Decryption is performed within the processor pipeline which prevents the malicious diversion of control-flow, if an attempt is made to alter the control-flow the processor will attempt to execute a garbage instruction, the result of which will be to hit the 'kill switch'. The solution goes into great detail on how to deal with particularly troublesome instructions. Unfortunately due to the large memory and execution overhead (235%), the limited instruction set and the use of a slow encryption mechanism, this solution still has a long way to go before it can be properly considered, though the principal and elegance of the solution is promising. This solution requires code instrumentation in order to deterministically encrypt each instruction.

#### **CCFI-Cache**

CCFI-Cache implements a hardware-based solution where control-flow metadata (including the number of instructions in the BBL, the valid destination addresses for the current BBL and a hash value of the instructions of the contained within the BBL)is fetched by the cache (CCFI-cache) and checked by the checker (CCFI-checker) [75]. The metadata and BBLs are padded out to ensure that their length matches (empty regions for the metadata and NOPs for the BBL), this enables the checker to know if either the metadata or BBL has been modified in a manner which affects the length. The checker checks that the destination of a BBL matches the pre-computed metadata and that the hashed instructions within the BBL match the stored hash. It also utilises a shadow stack to ensure the correctness of return addresses. If a violation is detected an interrupt on the CPU will be triggered. In this author's opinion this solution provides the best coverage for protecting control-flow integrity. This solution requires code instrumentation.

#### **HCFI**

HCFI implements a shadow-stack on additional hardware [75]. The paper does not describe how it ensures the integrity of forward edges but it does provide a thorough analysis of backward-edge protection through the use of a shadow stack. It is not clear if this solution requires code instrumentation or not.

#### **HAFIX**

HAFIX (like HCFI [75]) focuses on backward-edge protection through their implementation of a shadow stack [42]. HAFIX and HCFI have different approaches with regards to handling recursive functions and loops. This solution requires code instrumentation.

| Scheme                     |                                 |                   |           |                          | Requirements                                                   |
|----------------------------|---------------------------------|-------------------|-----------|--------------------------|----------------------------------------------------------------|
| (1) Works with complied by | (A) Works Can be the translites | with entry for by | hedded sy | (5) Humacaliste decembra | © Not think on Trys                                            |
| C-FLAT [67]                | •                               | •                 | 0         | ARM Cortex A             | 0 0                                                            |
| LO-FAT [5]                 | •                               | •                 | 0         | •                        | 0                                                              |
| SEP-LEE [26]               | 0                               | 0                 | •         | •                        | On jump or return                                              |
| CCFI-Cache [75]            | 0                               | 0                 | 0         | •                        | <ul> <li>End of BBL or number of executions reached</li> </ul> |
| HCFI [43]                  | 0                               | 0                 | 0         | •                        | •                                                              |
| HAFIX [42]                 | 0                               | 0                 | 0         | •                        | •                                                              |
| SOFIA [30]                 | 0                               | 0                 | •         | •                        | •                                                              |
| Sullivan [76]              | 0                               | •                 | 0         | •                        | •                                                              |

TABLE 4.1: Requirement Comparison of Control-flow Integrity and Control-flow Attestation

ullet = meets requirement; ullet = partially meets requirement;  $\bigcirc$  = does not meet; - = not enough information

#### **SOFIA**

SOFIA works in a similar manner to SEP [26], where instructions are decrypted using program counters of previously executed instructions [42]. SOFIA handles instructions with multiple callers by creating a multiplexor block, which allows two predecessors, so multiple predecessors can be used by creating layers of multiplexor blocks. The fast expansion of multiplexor blocks could prove problematic in terms of size and operating time of applications. The solution requires code instrumentation (for creating the multiplexor blocks and encryption of instructions).

#### Strategy without tactics (Sullivan)

In Strategy without tactics [42], the author uses trampolines to deal with multiple callers, where a single destination is replaced with a trampoline. Through adding a trampoline the solution is able to transform a call source/destination pair into a unique call source/trampoline pair which solves the problem of basic blocks with a number of possible predecessors. From the trampoline, a direct jump is issued to the original destination. A label state stack records backward-edges and a label state register records forward-edges.

#### 4.1.3 Discussion of findings

#### Comparison against requirements

Table 4.1 shows how (or whether) each solution presented meets the requirements defined in 4.1.1. It can be seen that all solutions are compatible with embedded systems and most provide immediate identification of violation of CFI. Only two solutions could be used for binding hardware and software, while the mechanisms of operations of the other solutions would not facilitate software/hardware binding.

#### Comparison of properties

Tables 4.2 and 4.3 show how the solutions compare against each other on the basic of some key properties. The majority of solutions use hardware to implement their schemes, and the single

Scheme Properties 1-5 C-FLAT [67] **O**Star Control flow instructions Basic Block TPM and Digital Signatures re-written to go via (for report) trampolines Basic Blocks LO-FAT Memory is protected LO-FAT [5] PRINCE
Meta-data in ROM,
Hardware Security for
controller SEP-LEE [26] CCFI-Cache [75] O Reassembly Sequential or BBLs • Sequential (Only number or hash of instructions) HCFI [43] BBLs HAFIX [42] Backwards edge SOFIA [30] Sequential instructions or Encrypt+MAC (RECTANGLE-80) Sullivan [76] BBLsAttacker cannot modify code

TABLE 4.2: Comparison of Control-flow Integrity and Control-flow Attestation schemes properties 1-5

 ${\it TABLE~4.3: Comparison~of~Control-flow~Integrity~and~Control-flow~Attestation~schemes~properties~6-14}$ 

| Scheme            |                                                                     |                     |                                   |                                   | Properties 6                                                        | 5-14                           |                                |                                                          |                                                                   |
|-------------------|---------------------------------------------------------------------|---------------------|-----------------------------------|-----------------------------------|---------------------------------------------------------------------|--------------------------------|--------------------------------|----------------------------------------------------------|-------------------------------------------------------------------|
| િ <u>ત્</u> યું જ | (1) EPCA are                                                        | (B) Memory overlead | (S) Time over                     | (10) Compatible active            | (I) Pric (I) Action on identifie                                    | rication of Adecision of Alles | (13) Vises Che or another 111. | (J.A. Sziece Constituted                                 |                                                                   |
| C-FLAT [67]       | the ad                                                              | inead .             | ineach                            | 0.03 - 0.13%                      | 32-bit RISC                                                         | Adoj                           | Attestation                    | CFG                                                      | tak                                                               |
| LO-FAT [5]        | 0%                                                                  | 20%                 | -                                 | 0%                                | PULPINO RISC-<br>V                                                  | -                              | Attestation                    | CFG                                                      | -                                                                 |
| SEP-LEE [26]      | -                                                                   | -                   | 235% (160<br>vs 68<br>operations) | 235% (160<br>vs 68<br>operations) | SEP (based on<br>Picoblaze but<br>reduced from 18<br>bit to 16 bit) | Kill switch                    | Prevention<br>and<br>detection | Sequential or BBL                                        | -                                                                 |
| CCFI-Cache [75]   | -                                                                   | 10%                 | x2 + 9-30%<br>for nops            | 2-63%                             | PicoRV<br>(Implementation<br>on RISC-V ISA)                         | Interrupt                      | Detection                      | CFG + No of<br>instructions +<br>hash of<br>instructions | Small<br>number of<br>ROP and<br>JOP attack<br>will still<br>work |
| HCFI [43]         | -                                                                   | 2.5%                | -                                 | 1-6%                              | Leon3/SPARC<br>V8                                                   | Interrupt                      | Detection                      | CFG and<br>Shadow Stack                                  | -                                                                 |
| HAFIX [42]        | -                                                                   | 2-8%                | -                                 | 2%                                | Intel Siskiyou<br>Peak, SPARC                                       | -                              | Detection                      | CFG                                                      | 80%                                                               |
| SOFIA [30]        | 13.7%<br>Cycle<br>overhead,<br>84.6%<br>Clock<br>speed<br>reduction | 28.2%               | -                                 | 110%                              | Leon3/SPARC<br>V8                                                   | Processor<br>reset             | Prevention<br>and<br>detection | Sequential and<br>BBLs                                   | -                                                                 |
| Sullivan [76]     | -                                                                   | 1.78%               | -                                 | 1.75%                             | Leon3/SPARC<br>V8                                                   | Termination of process         | Detection                      | CFG                                                      | Dependan<br>on CFG<br>policy<br>(assumed<br>100%)                 |

 $<sup>\</sup>bullet = \text{has property; } \bullet = \text{partially has property; } \bigcirc = \text{does not have property; } - = \text{not enough information}$ 

ullet = has property; ullet = partially has property; ullet = does not have property; - = not enough information; star = makes use of hardware features not present in all embedded systems.

one which does not need additional hardware (C-FLAT [67]) makes use of additional security functionality provided by ARM TrustZone. Most solutions require the alteration of software, be it instrumentation or encryption of instructions. In terms of granularity, half of the solutions operate at a basic block level, while others offer an insight into the actual instructions executing (this functionality is offered thanks to hardware modifications which intercept executing instructions). It is challenging to compare each solution on operating overheads as they have not been tested against the same benchmarks while using the same equipment. FGPA area increase should also be a good measurement however, as noted by [2], overheads claimed in solutions tend to be referenced against the existing soft-core processor implemented which varies greatly in FGPA area.

## 4.2 Comparison of solutions providing Static Attestation

#### 4.2.1 Established Criteria

We will compare each solution described in 4.2 using a set of defined properties. These properties are built using those described in 4.1 as a template and refined to suite the solutions for static attestation presented. The result of this comparison will be used to help define the static attestation phase of the proposed solution, and may also provide inspiration for the overall proposed solution.

#### **Properties**

The properties which will be used for comparison are:

- (1) Hardware-based: modification of hardware or additional hardware is required for the solution.
- (2) Software-based: the solution is created through the use of additional software.
- (3) Successfully implemented: is the solution has been successfully implemented, this gives an indication on the legitimacy of the solution.
- (4) Testing results: was the solution successful when defending against defined attacks.
- (5) Instruction set architecture: what ISA the solution was initially designed for.
- (6) Architecture-independent: will the solution be applicable to other architectures, as well as the architecture it was implemented and tested on.

#### 4.2.2 Solutions Presented

The following solutions have been presented for comparison through a combination of them being prominent work or by being referenced in control-flow attestations schemes which we have already analysed. We will provide a brief description of their methods and focus prior to presenting the results of a comparison of solutions in table 4.4.

#### SMART: Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust

SMART provides a simple method of attesting the state of a user application through slight hardware alterations [77]. As an input from the verifier it takes a nonce, start memory address and end

memory address (as well as additional parameters for an optional start position of user application). The prover replies with a SHA-1 HMAC of the requested code space.

Important capabilities required by SMART are:

- Secure HMAC key storage this has not been directly addressed here however options are
  presented such as the key being hard-coded at production time (and never changed again)
  or by implementing a secure means of modifying by an authorized party, but not reading
  (i.e. the key can only be read by SMART).
- Secure HMAC key access only SMART code on ROM can access the HMAC key. This is
  provided by registers only allowing access to the HMAC key while the program counter is
  located within SMART application space.
- It is not possible to enter or exit SMART instructions other than in the beginning or end. For example, if the program counter (pc) is outside of SMART its previous location must also be outside of SMART (or the last instruction), and if the pc is inside SMART its previous location must be at the start or also within SMART.
- Smart code is not editable as it is stored on ROM.

SMART was implemented on low-end microcontroller units (MCUs) such as MSP430 or AVR. After implementation it was realised that only the memory access controller needed to be modified, therefore making the solution potentially compatible with "black box" processors such as low-end ARM cores.

A criticism of the method would be that it uses SHA1 which is now outdated. It may also succumb to cold-boot attacks however the authors state that due to the typical MCU design (where the processor and memory are a single package) memory could not be accessed directly so therefore is not vulnerable to this attack.

#### VIPER: Verifying the Integrity of PERipherals' Firmware

VIPER is a software only solution designed to provide attestation for peripherals' firmware, where the host CPU queries peripherals [78]. It uses combinations of checksums, hashes and time-frame based checks to ensure peripheral firmware is correct. The method consists of two parties: the verifier (host CPU) and the prover (peripheral). The verifier will have access to a "checksum simulator" which contains copies of correct firmware for each peripheral and is able to generate random numbers. The checksum simulator is first invoked, generating challenges (nonces) and the expected correct response from the prover by simulating the verification procedure on the correct peripheral firmware. This process is used to gain confidence that the verification/hash code is correct on the peripheral. The verifier then starts the process with the peripheral, requesting that the peripheral resets itself to a known-good state. Then the verifier starts a timer and sends the challenges, the peripheral then calculates the checksum over its checksum and hashing code before returning the result to the verifier. Finally the peripheral will compute the hash over the full contents of its memory, which is then sent to the verifier program for validation.

A significant proportion of this solution is focused on how latency needs to be taken into account for a live attestation protocol as the timing of the checksum calculations need to be precise enough

to prevent the use of a proxy device to generate valid responses. This is also an important consideration when dealing with peripherals with different processing capabilities (consider a keyboard vs. a graphics card) as the response time will be significantly different. As this solution carries out attestation on multiple devices it is stated that it will attest high powered peripherals first, with slower peripherals subject to attestation in the later stages of the process. Additional methods are used to ensure use of a proxy is detectable such as increasing the proxy communications overhead and implementing continuous checksum computation. As much as the solution aims to address the latency and proxy system issue, time/delay-based protocols are still vulnerable to exploitation [79], though it must be noted that the solution presented in [78] presents some promising protections against such attacks.

The paper [78] also provides an excellent description of the principles of designing a checksum function for the prover. These principles include using all available registers as part of the checksum calculation, the checksum should follow a pseudo-random pattern when reading from memory (preventing predictability for any attacker) and that the program counter (pc) should be included in the calculation (if accessible).

## Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems

Pioneer is a software-only solution which works in a similar way to VIPER but is designed to attest remote legacy systems [80]. A checksum is calculated throughout the execution of the verifying (testing mechanism) code, the resulting execution time is compared to an expected execution time known to the verifier. This proves that the testing mechanism is correct. The testing mechanism then builds a hash of the target code.

This solution makes some major assumptions in order to ensure security. Some of these assumptions are easily attainable such as the verifier knowing the exact hardware configuration of the prover and platform having only a single CPU. While other assumptions seem to be less feasible such as the adversary not being able to generate a System Management Interrupt (SMI) on the prover, or assuming that the prover can only communicate with the attester during the attestation process (therefore preventing proxy attacks) through the use of a direct network connection or dedicated network configuration.

The paper provides a solid description of the design of the checksum and verification mechanisms, including design decisions based around stack layouts on the target architectures and how the pc can be utilised.

#### SWATT: SoftWare-based ATTestation for Embedded Devices

SWATT is a software-based solution which uses a random number generator (for example RC4 for 8-bit architectures, Helix for 32-bit architectures [81], or using bits from the output of a multi-word T-function for 16 and 32-bit architectures [82]) to generate random memory addresses which are attested [83]. This means an attacker cannot predict which regions they need to leave intact. It is notable that the verification function is not the target of a separate checksum, but as the entire contents of memory are covered by the check it will be checked, just not to the same granularity as

other solutions such as VIPER [78] or Pioneer [80]. Like other static attestation methods, SWATT also uses time measurement to ensure an attacker is not manipulating the results. We question whether time-based checking is a reliable component, especially when attestation is taking place remotely, for example, over a network. This paper also references solutions which use secure coprocessors which are used during system initialisation to bootstrap trust. Examples of these are TCG (Trusted Computing Group, formerly known as TCPA) and Next-Generation Secure Computing Base (NGSCB, formerly Palladium) which may be of interest at a later point as we will be able to see if they produce a useful output after start-up has occurred.

This paper notes that "without secure hardware, a (potentially) compromised device cannot be trusted to verify itself correctly" and therefore an external verifier is required. It also states that the solution described in [84] requires the use of a virtual memory subsystem and therefore will not work with many embedded systems as they have no support for virtual memory.

This solution requires that an attacker will not increase the size of memory on the prover device.

#### Software-Based Remote Code Attestation in Wireless Sensor Network

AbuHMed at al. [85] present a software-based solution which focuses on filling empty memory with predictable contents either prior to deployment or post-deployment in an attempt to prevent an attacker from utilizing free space for malicious instructions. An example method of filling empty memory is using generated ciphertext, utilising a key shared with the verifier as the seed. The verification of the memory is then performed in a similar pseudo-random manner as SWATT [83], but upgrading the pseudo-random number generating algorithm to RC5 (with the possibility of further upgrade to MISTY1, Rijndael or Skipjack). As the solution is not based around the timing of algorithms the authors find that it will be most useful in scenarios where multiple hops are required. They state that, through the use of pseudo-random memory traversal, proxy-based attacks are not possible. The use of predetermined noise to fill empty memory aids in this, however we observe that if a good device and its memory can be cloned, the original device could be vulnerable to a proxy-based attack.

#### 4.2.3 Discussion of Findings

Table 4.4 shows how the solutions compare when taking some key properties into account. Most solutions are created only using software, this aids in ease of implementation and reducing cost. A large amount of the focus of the software-only mechanisms centres on proving the integrity of the verification software, which is a legitimate concern. Using a hardware-based mechanism assists in reducing this concern as it is assumed it cannot be modified. As can be seen, the choice of ISA is not important when performing static attestation, this is due to instructions not being the main focus (unlike control-flow attestation).

One notable assumption presumed by static-attestation solutions is that CPU clockspeed cannot be increased, or that CPU has not been changed. They tend to use optimised algorithms for computing checksums in order to make it easier to detect additional time added by attackers' attempts to circumvent the procedure.

| Scheme         |                      |                    |                                                              | Properties                                               |                                                          |
|----------------|----------------------|--------------------|--------------------------------------------------------------|----------------------------------------------------------|----------------------------------------------------------|
| (1) Handawater | (3) Succession based | Atully implemented | (5) Instruction est archive                                  | 6 Artentirecture 1.                                      | ·degendent                                               |
| SMART [77]     | • •                  | • On ASIC          | •                                                            | 16-bit von Neumann (MSP430), RISC 8-bit<br>Harvard (AVR) | •                                                        |
| VIPER [78]     | 0                    | •                  | • with CPU executing in tight loop with interrupts disabled  | x86                                                      | •                                                        |
| Pioneer [80]   | 0                    | •                  | • fails if rootkit can uninstall itself prior to attestation | x86                                                      | •                                                        |
| SWATT [83]     | 0                    | •                  | •                                                            | RISC - 8-bit Harvard Architecture                        | ●Can be<br>extended to 16<br>and 32-bit<br>architectures |
| AbuHmed [85]   | 0                    | ● Simulated        | •                                                            | RISC - 8-bit Harvard Architecture                        | -                                                        |

This paper [79] finds that software-based attestation is a problematic solution. They attack SWATT [83] by adding a hook into the attestation code which swaps out malicious code to data memory, and as a result they recommend covering all memory in attestation processes (which, they note, would not be easy in embedded systems). They find that the time overhead relied upon by SWATT [83] is imprecise and that their attacks fit within the tolerance. The paper also attacks solutions which fill empty memory with noise, as they found they could compress legitimate applications

= has property; € = partially has property requirement; ○ = does not have property; - = not enough information

## 4.3 Chapter Summary

to make room for malicious ones.

Control-flow integrity and attestation schemes differ greatly in their construction. Some monitor transitions by making changes to the instructions contained within an application, where the new instructions call the monitoring code whenever a branch occurs. Some encrypt instructions to be executed, with them only being successful decrypted if the previously executing instructions were the ones expected. Other solutions make use of shadow stacks to ensure that the destination of backwards edge transitions (e.g. function returns) match the locations where they were called from.

Using comparison tables 4.1, 4.2 and 4.3, it can be identified that all of the solutions are compatible with embedded systems (in some form), and the solutions which implement additional hardware do not require the additional of a trusted platform module (TPM), although some require secure storage of cryptographic keys. Comparing the overhead of each solution is not a good comparison factor, as each solution has been implemented on different equipment. With that being said it does make for some interesting reading, as the range of overhead varies dramatically. LO-FAT [5] achieves an impressively low 0% execution time overhead (thanks to offloading the attestation mechanism to additional hardware), while SEP [26] incurs an overhead of 235% (due to the padding of instructions and slow implementation of its decryption function). With these extremes

37

discussed most of the other schemes incur up to 5% overhead, which makes them within the range of adoption (according to [45]).

Static attestation schemes follow much more of a pattern (in comparison to CFI attestation), where a hash is produced by taking samples of the entire memory space or samples of application code stored in memory. The approaches differ in that some also carry out a self-attestation stage on the instructions which carries out the attestation process, with the results of this being time critical to ensure the initial check has not been run through a proxy.

The comparison table 4.4 containing static attestation shows just how similar each scheme is with one another, with only SMART [77] differing significantly due to its requirement for hardware modification.

## **Chapter 5**

## **Proposed Solution**

In this chapter we first aim to provide the theoretical information required to implement a solution which enables audit of control-flow integrity. Initially we discuss the methods for constructing of CFGs. We then examine how to trace the control-flow at run time, including how a chain of transitions would be created. We also consider the problematic areas of control-flow tracking/monitoring, using prior work discussed throughout this project as guidance. Finally, additional contents of audit files such as concurrent processes or important variables, are detailed.

### 5.1 Building CFGs

#### The problem behind generating CFGs

Control-flow graphs (CFGs) are the cornerstone of control-flow integrity, and while several solutions already examined (for example, SEP [26], HAFIX [42] and HCFI [75]) do not require their construction, a CFG will be required when we consider audit as it provides a static reference point. Efficiently computing a generic program's CFG, and accompanying exploration of all possible execution paths is an open problem [67]. However applications for embedded systems tend to be far smaller than those operating on a general purpose computer, this means it is foreseeable that generation of a CFG for embedded systems applications should be possible.

#### 5.1.1 Tools for generating CFGs

A number of tools have been used in CFI solutions already examined. These tools usually have a different primary function such as compilation or reverse-engineering, but offer CFG generation as a bi-product of the process required to provide their primary function. The following is a selection of tools already used by other CFI solutions.

#### **LLVM**

LLVM [86] consists of a collection of tools which have the primary function of compilation. It provides various methods of building CFGs, using different parts of some of the many toolchains. Unfortunately building CFGs in LLVM is not as simple task, as this functionality is not a main feature. Some of the CFG methods included in LLVM create a the CFG in the "dot" format, which is widely used in representing CFGs (The "Jakstab" tool also outputs generated CFGs in "dot" format [87]). If LLVM were to be used for generating CFGs, source code of an application would

be required. This could prove problematic when adding the proposed solution to legacy systems. However due to the prominence of LLVM, the CFG production functionality may be added into the compilation tool-chain, removing the need for extra steps to be undertaken by the software developer.

#### Vulcan

Vulcan [35] is a far reaching project, designed to enable binary code modification, analysis and optimisation. It was used by [88] and the seminal work [4]. It has since been taken out of production by Microsoft and is currently unavailable for further use or evaluation.

#### **Jakstab**

Jakstab [87],[89], like LLVM can be used to create a dot file containing the CFG. It is currently designed for use on x86 executables, so may need enhancement to support instruction set architectures (ISAs) commonly used in embedded systems such as ARMv8-M or RISC-V. It was successfully used in [90] to construct CFGs for x86 Complex Instruction Set Computer (CISC) instructions. The last development activity on this was 31st March 2017. The tool's author has been trying to improve on the tool with the aim of creating under-approximated CFGs rather than over-approximated ones (which can lead to vulnerabilities in resultant implementations) [38].

#### 'angr' Framework

LiteHAX [91] uses the 'angr' [92] framework to generate the CFG outputting a networkx [93] Di-Graph. 'angr' is primarily a reverse engineering tool, with the additional functionality of creating CFGs for target applications. It is notable that the framework is still under active development, meaning additional enhancements in the area of CFG generation may be added. 'angr' offers two types of computation methods: CFGFast (a static CFG generation method) and CFGEmulated (a dynamic CFG generation method), which provide different levels of coverage for the resulting CFG.

During assessment of angr, utilising networkx utilities, we have found that only single edges are identified, as shown in a sample of the output file at listing 5.1. While this is useful for checking single transitions, the aim of the proposed solution is to track the entire path taken during execution, therefore we would require a list of valid paths rather than single edges.

LISTING 5.1: Example of results from angr CFG analysis of fauxware in form of .edgelist output from networkx utilities

#### **Alternative Tools**

IDA Pro <sup>1</sup> is a popular tool for reverse-engineering which is known to be able to create CFGs, however due to its high licence cost we have been unable to evaluate its suitability. The high cost also prohibits its utilisation as part of the tool chain.

The recently released (March 2019) Ghidra <sup>2</sup> leverages CFGs to assist in carry out its core function as a reverse-engineering tool, and while we have not found a method of extracting the CFGs created, this may be possible in the future as development is ongoing.

### 5.2 Tracing Control-Flow

#### 5.2.1 Using existing hardware

Recording of every executed instruction is infeasible as the overhead added would be too large if no additional hardware is included, as each instruction processed would require a corresponding context switch and further processing. If each instruction is hashed in real time the computational overhead would increase or if each instruction is recorded in storage prior to processing the memory/storage/IO capacity would see a significant overhead increase. The use of basic blocks allows us to deal with multiple instructions at a time, and therefore reduce the potential overhead dramatically.

CFG granularity can be broken down into three levels [67]:

- 1. Entire functions
- 2. Basic Blocks ending in a direct branch (this would cover most ROP attacks)
- 3. Basic Blocks ending in any branch instruction, this would provide the highest level of detail

To achieve the best coverage for the solution level 3 (Basic Blocks ending in any branch instruction) would be the optimum granularity to aim for.

We can build up a hash of the flow by taking the ID of the source node and hashing that with the previous hash. At the start ( $ID_1$ ) the previous hash would be replaced with zero or a nonce. With the resulting chain appearing as:  $H_1 = H(ID_1, 0)$  (or  $H_1 = H(ID_1, nonce)$ ),  $H_2 = H(ID_2, H_1)$  ...  $H_n = H(ID_n, H_{n-1})$ .

The solution would implement a dedicated method in the secure world where a save is triggered. This will enable software authors an opportunity to save at key points - for example after a key decision is made. Hashes could also be stored along with variables used if we are able to implement that.

BLAKE-2 [94] has been suggested as a lightweight hash function, however this is only one such potential candidate.

<sup>1</sup>https://www.hex-rays.com/products/ida/

<sup>&</sup>lt;sup>2</sup>https://ghidra-sre.org

#### Challenges of CFG tracking

Loops are a considerable issue when it comes to tracking control flow, as the number of possible paths could be overwhelming, especially if the loops contain branch instructions or function calls.

To overcome the problems presented by loops, C-FLAT [67] begins with treating loops as subprograms. Where each run of a loop has a hash derived from it, and the total number of each time that hash was calculated is stored (therefore storing the number of times that exact sequence occurs). The result of this is the growth of the stored audit (as each loop will need to be referenced separately), when tested by C-FLAT was 1527 bytes for a path containing 16 loop invocations and 18 unique loop paths (this could probably be calculated at compile time, with a warning presented to the developer). Another path containing 12 loop invocations and 14 unique paths resulted in a 1179 byte result. Another second study (which is not as well documented by the paper) produced a maximum result of 490 bytes. The previous hash is also included to show where the was called from.

Return call matching is used where call and return edges are indexed during static analysis, so only valid routes are authorised. Break statements need to be dealt with in a special manner as they are an additional place where a loop can exit. Section 4.2 of C-FLAT [67] describes this in detail.

#### Instrumentation

Branches are identified, with direct jump addresses stored in a branch table then replaced with the address of the trampoline assembly code which, when executing, triggers the measurement engine to be add the source address and destination address to the hash chain before redirecting the program counter to the corresponding entry on the branch table.

#### **Trampolines**

A trampoline enables redirecting execution to a single piece of simple and secure code without needing to add too many instructions during instrumentation. A trampoline can carry out a number of functions but in C-FLAT [67] it manages the return address register as well as the register holding the destination address in indirect branches.

#### Hardware-assisted

A co-processor designed specifically for the purpose of providing audit of control-flow would offload the heavy lifting and therefore have a negligible impact on normal operation. Examples of designs which could be tailored to provide auditing are provided in [2]. A hardware-assisted solution could keep track of instructions executed (in the form of a hash), to add further granularity.

#### 5.3 Contents of audit files

#### 5.3.1 Other running processes

When implemented on an OS, the save will query the running processes from the OS and add them to the control-flow manifest. Query process IDs will be a different process between operating systems, so we will evaluate which OS will potentially be used prior to finalising the process. While there has been some work done in regards to enabling CFG to work with operating systems it will need investigating prior to any further planning.

#### **Variables**

The solution will implement a function where the software can assert (send data to secure world) variables currently in use, either when saving or as an additional instruction through the solution's API. External data or internal data will be tracked using asserts.

#### Previous hash

A hash chain will be built to prove the control-flow was tied to the previous control flow and the static attestation report.

#### Security

The resulting audit files will either be signed or have an HMAC created for them, they will be encrypted depending on requirements. A chain of files may be built up by including hashes of the previous file in each audit file, with the first also containing the initial attestation report.

## 5.4 Provisioning

#### 5.4.1 Instrumentation

The existing binary will be instrumented either prior to loading or during the loading (bootloading process).

#### 5.4.2 Initial attestation

All software will be scrutinised with an initial attestation upon initial commissioning.

#### 5.4.3 Secure world

Secure world applications need to be signed before they are loaded as per the design of ARM TrustZone

### 5.5 Chapter Summary

Building a control-flow graph (CFG) is has been an open problem in academia. There are a handful of software packages which aim to offer this functionality (usually as a bi-product of other functionality such as compilation or reverse engineering). The most promising solution, angr [92], showed promise, however it only produced single BBL (basic clock) to BBL edges, rather than complete paths. This could be symptom of using CFGs a basis for control-flow integrity (CFI) protection, whereas perhaps generating a collection of all valid paths would provide a superior basis for ensuring secure execution. Based on evaluations taken place, 'angr' framework would most likely be the tool used in the proposed solution.

To trace control-flow it is has been suggested that existing binaries should be go through an instrumentation process, where instructions which trigger transitions between BBLs are replaced with code which jumps execution to a trampoline (provided by the solution). This trampoline then sends the control-flow information to an application existing in the "secure world" which records said information. Execution is then transferred back to the original destination.

Additional details can be added to attestation reports via an api provided by the solution. This additional information may be important variables (which the developer of the application may which to keep track of) or environment information such as other processes running on the device. Allowing these additions represents an increase in functionality compared to standard attestation, as important information can be bound to a record of the prior control-flow.

## Chapter 6

## **Security Analysis**

### 6.1 Security Analysis

The solution presented fits with the security requirements in the following ways:

- 1. **Works with compiled binaries**: The solution works with compiled binaries, where the binaries go through an instrumentation process.
- 2. **Works with external binaries**: As with compiled binaries, external binaries will have to undergo instrumentation.
- 3. **Works with embedded systems**: ARM TrustZone has been implemented on Cortex M processors which are widely used in embedded systems. Key storage and external storage will need to be in place for an embedded system to make use of this solution.
- 4. **Granularity**: The solution provides granularity down to a basic block (BBL) level.

Obvious vulnerabilities in the solution are the breach of the 'secure world' where the measurement engine is manipulated to create 'good' attestation files, deletion of files and resulting loss of audit capabilities (a backup method would somewhat alleviate this problem) and cloning of audit files. Cloning of audit files represents a significant problem due to the fact that this is an offline process, so a method will need to be used to ensure freshness of files, for example a tamper-proof date-time stamp.

Proxy-based attacks (as described in [80] and [78]) as well as replay or cloning attacks are a threat to a simple implementation of the solution. The inclusion of an anti-tamper real time clock (similar to the one provided by the Java iButton described in [95]) for use in signing or date-stamping the audit records would mitigate against this vulnerability.

Key management has been an open problem in the field of embedded systems, where the use of a TPM is not a given. The secure storage of a cryptographic key is vital for providing audit capabilities, as the signing of or applying a MAC to an audit record is vital from proving its origin.

Granularity to an instruction level can only be provided by a hardware solution which intercepts each instruction.

#### 6.1.1 Hardware Implementation

Using a hardware solution it would be possible to address further criteria which the software-based solution was unable to address, much like the improvements LO-FAT[5] made on C-FLAT [67]. By moving monitoring and auditing capabilities to additional hardware such as a co-processor, or dedicated circuitry it would be possible to remove the majority of the overhead introduced when monitoring control-flow. Dedicated hardware with the ability to intercept instructions as they flow through the processing pipeline would enable monitoring of control-flow to a deeper granularity, where individual instructions of a basic block could be tracked in the form of a hash and number of instructions present within the basic block, this would be provided in a similar fashion as CCFI-Cache [75].

## Chapter 7

## Conclusion

The objective of this project was to investigate secure software execution in embedded systems and apply this knowledge towards a proposed method of providing audit records of control-flow.

In order to achieve these objectives, it was first important to understand the principles of control-flow: how instructions within an application transition into one another, how we can model these transitions using control-flow graphs (CFG) and how that if the instruction execution diverts away from following the CFG for a particular application this represents a violation of control-flow integrity (CFI), an important principal when considering secure software execution. Attacks on secure software execution were identified and examined as were the elements of execution flow which are vulnerable to manipulation. A literature review was carried out on the subject of secure software execution as well as software-hardware binding, as the two concepts meet in that they require close control/monitoring of software execution, and that by utilising dedicated cryptographic keys in ensuring secure software execution it is possible to leverage the mechanisms to provide software-hardware binding. Leading solutions providing static attestation and CFI attestation/protection were analysed and assessed against a set of defined requirements. Finally a proposed solution, with the goal of providing audit records of control-flow, was described.

The solution presented was defined after the introduction and literature review and inspired by the solutions identified in the comparison chapter. It was decided that the solution would be software-based and leverage the security features provided by TrustZone functionality of the ARMv8-M architecture to removed the requirement for additional hardware. The solution consists of several phases: performing analysis on the compiled binary to produce a CFG (for use as a comparison when audit records are referred to a later point), undertaking an instrumentation phase where instructions within the binary are replaced with ones facilitating control-flow monitoring, provisioning the binary to the device, performing an initial static attestation report on the "normal-world" and "secure-world" memory, before sampling the control-flow history of the application and storing it along with important operating variables in signed and hash-chained files.

A security analysis of the proposed solution found that while a software-based method leveraging ARM TrustZone met several of the objectives set at the start of the project, and advanced existing CFI solutions in a manner which allows offline auditing. The analysis also found that a hardware-based solution would offer many more advantages, such as removing execution overhead from the primary processor and enabling the monitoring at an individual instruction level granularity.

The analysis also found that the use of offline methods for monitoring control-flow were vulnerable to several attacks such as replay and proxy-based attacks, however this could be mitigated against through the combined use of tamper resistant real time clocks and digital signatures.

Further work could include implementing the proposed solution, testing the overhead introduced by the solution and implementing a similar solution using hardware (for example using an FPGA with a softcore processor). We would predict that control flow integrity will eventually become part of the hardware offering for secure embedded systems, much like how TPMs have grown in prominence over recent years. The hurdles to overcome include efficient generation of full-coverage CFGs (or removing the requirement for generation) and reducing the requirement for binary instrumentation (or making it a seamless part of the provisioning process).

- [1] W. Wang, Non-Stack Buffer Overflow and Pointer Subterfuge The Memory Layout of Process in Linux, 2016. [Online]. Available: http://www.cs.virginia.edu/~ww6r/CS4630/lectures/Non\_stack\_Buffer\_Overflow\_Pointer\_Subterfuge.pdf (visited on Aug. 18, 2019).
- [2] R. de Clercq and I. Verbauwhede, "A survey of Hardware-based Control Flow Integrity (CFI)", vol. 1, pp. 1–27, 2017. arXiv: 1706.07257. [Online]. Available: http://arxiv.org/abs/1706.07257.
- [3] M. Kayaalp, M. Ozsoy, N. A. Ghazaleh, and D. Ponomarev, "Efficiently securing systems from code reuse attacks", *IEEE Transactions on Computers*, vol. 63, no. 5, pp. 1144–1156, 2014.
- [4] M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti, "Control-flow integrity", in *Proceedings* of the 12th ACM conference on Computer and communications security CCS '05, New York, New York, USA: ACM Press, 2005, p. 340. [Online]. Available: http://portal.acm.org/citation.cfm?doid=1102120.1102165.
- [5] G. Dessouky, S. Zeitouni, T. Nyman, A. Paverd, L. Davi, P. Koeberl, N. Asokan, and A.-R. Sadeghi, "LO-FAT", in *Proceedings of the 54th Annual Design Automation Conference 2017 on DAC '17*, New York, New York, USA: ACM Press, 2017, pp. 1–6. arXiv: 1706.03754. [Online]. Available: http://dl.acm.org/citation.cfm?doid=3061639.3062276.
- [6] K. E. Mayes and K. Markantonakis, *Smart Cards, Tokens, Security and Applications*. Boston, MA: Springer US, 2008.
- [7] R. Anderson and M. Kuhn, "Tamper Resistance: A Cautionary Note", in *Proceedings of the 2Nd Conference on Proceedings of the Second USENIX Workshop on Electronic Commerce Volume 2*, ser. WOEC'96, Berkeley, CA, USA: USENIX Association, 1996, p. 1. [Online]. Available: http://dl.acm.org/citation.cfm?id=1267167.1267168.
- [8] O. Kömmerling and M. G. Kuhn, "Design Principles for Tamper-Resistant Smartcard Processors", *USENIX Workshop on Smartcard Technology*, pp. 9–20, 1999.
- [9] K. Gandolfi, C. Mourtel, and F. Olivier, "Electromagnetic Analysis: Concrete Results", in *Cryptographic Hardware and Embedded Systems CHES 2001*, Ç. K. Koç, D. Naccache, and C. Paar, Eds., Berlin, Heidelberg: Springer Berlin Heidelberg, 2001, pp. 251–261.
- [10] J.-J. Quisquater and D. Samyde, "ElectroMagnetic Analysis (EMA): Measures and Counter-measures for Smart Cards", in ACM Transactions on Embedded Computing Systems, 3, vol. 18, Apr. 2001, pp. 200–210. [Online]. Available: http://link.springer.com/10.1007/3-540-45418-7\_17.
- [11] H. Bar-el and H. Choukri, "The Sorcerer's Apprenctice's Guide to Fault Attacks", *Proceedings of the IEEE*, vol. 94, no. 2, pp. 370–382, 2006. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/1580506/.

[12] S. P. Skorobogatov and R. J. Anderson, "Optical Fault Induction Attacks", in *Cryptographic Hardware and Embedded Systems - CHES* 2002, B. S. Kaliski, ç. K. Koç, and C. Paar, Eds., Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 2–12.

- [13] S. P. Skorobogatov, "Semi-invasive attacks-a new approach to hardware security analysis", Technical report, University of Cambridge, Computer Laboratory, no. 630, p. 144, 2005. [Online]. Available: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.228.2204&rep=rep1&type=pdf.
- [14] J. Blömer and J.-P. Seifert, "Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)", in *Financial Cryptography*, R. N. Wright, Ed., Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 162–181.
- [15] R. Anderson and M. Kuhn, "Low cost attacks on tamper resistant devices", in *Security Protocols*, B. Christianson, B. Crispo, M. Lomas, and M. Roe, Eds., Berlin, Heidelberg: Springer Berlin Heidelberg, 1998, pp. 125–136.
- [16] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the Importance of Eliminating Errors in Cryptographic Computations", *Journal of Cryptology*, vol. 14, no. 2, pp. 101–119, Mar. 2001. [Online]. Available: http://link.springer.com/10.1007/s001450010016.
- [17] S. Govindavajhala and A. W. Appel, "Using memory errors to attack a virtual machine", *Proceedings IEEE Symposium on Security and Privacy*, vol. 2003-Janua, pp. 154–165, 2003.
- [18] D. H. Habing, "The use of lasers to simulate radiation-induced transients in semiconductor devices and circuits", *IEEE Transactions on Nuclear Science*, vol. 12, no. 5, pp. 91–100, 1965.
- [19] D. Samyde, S. Skorobogatov, R. Anderson, and J. J. Quisquater, "On a new way to read data from memory", *Proceedings 1st International IEEE Security in Storage Workshop, SISW 2002*, pp. 65–69, 2003.
- [20] U. Maurer, "Differential Power Analysis", *Advances in Cryptology CRYPTO'* 99, vol. 1666, p. 785, 1999. [Online]. Available: http://www.springerlink.com/content/cdp6u8xpenkkx08m.
- [21] S. Mangard, Power analysis attacks: revealing the secrets of smart cards. New York: Springer, 2007
- [22] H. Shacham, "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)", CCS '07 Proceedings of the 14th ACM conference on Computer and communications security, pp. 552–561, 2007.
- [23] M. Castro, M. Costa, and T. Harris, "Securing software by enforcing data-flow integrity", OSDI '06: 7th USENIX Symposium on Operating Systems Design and Implementation, pp. 147–160, 2006. [Online]. Available: https://dl.acm.org/citation.cfm?id=1298470.
- [24] L. Davi, A.-R. Sadeghi, and M. Winandy, "Dynamic integrity measurement and attestation", in *Proceedings of the 2009 ACM workshop on Scalable trusted computing STC '09*, New York, New York, USA: ACM Press, 2009, p. 49. [Online]. Available: http://portal.acm.org/citation.cfm?doid=1655108.1655117.
- [25] D. Dolev and A. C. Yao, "On the security of public key protocols", in 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981), IEEE, Oct. 1981, pp. 350–357. [Online]. Available: http://ieeexplore.ieee.org/document/4568353/.

[26] R. P. Lee, K. Markantonakis, and R. N. Akram, "Ensuring Secure Application Execution and Platform-Specific Execution in Embedded Devices", *ACM Transactions on Embedded Computing Systems*, vol. 18, no. 3, pp. 1–21, Apr. 2019. [Online]. Available: http://dl.acm.org/citation.cfm?doid=3323876.3284361.

- [27] A. Berger, *Embedded systems design : an introduction to processes, tools, and techniques.* Lawrence, Kan. : Berkeley, CA : CMP Books ; 2002.
- [28] Microsoft Corporation, Control Flow Guard, 2018. [Online]. Available: https://docs.microsoft.com/en-gb/windows/win32/secbp/control-flow-guard (visited on Aug. 19, 2019).
- [29] B. Ngabonziza, D. Martin, A. Bailey, H. Cho, and S. Martin, "TrustZone explained: Architectural features and use cases", *Proceedings 2016 IEEE 2nd International Conference on Collaboration and Internet Computing, IEEE CIC 2016*, vol. 7, pp. 445–451, 2017.
- [30] R. de Clercq, J. Götzfried, D. Übler, P. Maene, and I. Verbauwhede, "SOFIA: Software and control flow integrity architecture", *Computers and Security*, vol. 68, no. 2, pp. 16–35, 2017.
- [31] Ú. Erlingsson and F. B. Schneider, "SASI enforcement of security policies", in *Proceedings of the 1999 workshop on New security paradigms NSPW '99*, New York, New York, USA: ACM Press, 2000, pp. 87–95. [Online]. Available: http://portal.acm.org/citation.cfm?doid= 335169.335201.
- [32] N. Oh, P. P. Shirvani, and E. J. McCluskey, "Control-flow checking by software signatures", *IEEE Transactions on Reliability*, vol. 51, no. 1, pp. 111–122, 2002.
- [33] G. Reis, J. Chang, N. Vachharajani, R. Rangan, and D. August, "SWIFT: Software Implemented Fault Tolerance", in *International Symposium on Code Generation and Optimization*, IEEE, 2012, pp. 243–254. [Online]. Available: http://ieeexplore.ieee.org/document/1402092/.
- [34] R. Venkatasubramanian, J. P. Hayes, and B. T. Murray, "Low-cost on-line fault detection using control flow assertions", *Proceedings 9th IEEE International On-Line Testing Symposium, IOLTS 2003*, pp. 137–143, 2003.
- [35] A. Srivastava, A. Edwards, and H. Vo, "Vulcan: Binary Transformation in a Distributed Environment", in MSR TechReport, Microsoft Research, 2001. [Online]. Available: https://www.microsoft.com/en-us/research/publication/vulcan-binary-transformation-in-a-distributed-environment/.
- [36] A. Srivastava and A. Eustace, "ATOM: a system for building customized program analysis tools", WRL Research Report (ACM SIGPLAN Notices), vol. 29, no. 6, pp. 196–205, 1994. [Online]. Available: http://dl.acm.org/citation.cfm?id=773473.178260.
- [37] N. Carlini, A. Barresi, M. Payer, D. Wagner, and T. R. Gross, "Control-Flow Bending: On the Effectiveness of Control-Flow Integrity", in 24th {USENIX} Security Symposium ({USENIX} Security 15), Washington, D.C.: {USENIX} Association, Aug. 2015, pp. 161–176. [Online]. Available: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/carlini.
- [38] J. Kinder and D. Kravchenko, "Alternating Control Flow Reconstruction", in *Verification, Model Checking, and Abstract Interpretation*, 2012, pp. 267–282. [Online]. Available: http://link.springer.com/10.1007/978-3-642-27940-9\_18.

[39] N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer, "Control-Flow Integrity", *ACM Computing Surveys*, vol. 50, no. 1, pp. 1–33, Apr. 2017. [Online]. Available: http://dl.acm.org/citation.cfm?doid=3058791.3054924.

- [40] M. Yang, H. Wang, Y. Zheng, and Z. Jin, "Graph-tree-based software control flow checking for COTS processors on pico-satellites", *Chinese Journal of Aeronautics*, vol. 26, no. 2, pp. 413–422, 2013. [Online]. Available: http://dx.doi.org/10.1016/j.cja.2013.02.019.
- [41] M. Werner, E. Wenger, and S. Mangard, "Protecting the Control Flow of Embedded Processors against Fault Attacks", in *Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics*), vol. 9514, 2016, pp. 161–176. arXiv: 9780201398298. [Online]. Available: http://link.springer.com/10.1007/978-3-319-31271-2\_10.
- [42] L. Davi, M. Hanreich, D. Paul, A.-R. Sadeghi, P. Koeberl, D. Sullivan, O. Arias, and Y. Jin, "Hafix", 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6, 2015.
- [43] N. Christoulakis, G. Christou, E. Athanasopoulos, and S. Ioannidis, "HCFI", in *Proceedings* of the Sixth ACM on Conference on Data and Application Security and Privacy CODASPY '16, New York, New York, USA: ACM Press, 2016, pp. 38–49. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2857705.2857722.
- [44] T. H. Y. Dang and D. Wagner, "The Performance Cost of Shadow Stacks and Stack Canaries Time of Check to Time of Use", *Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security*, pp. 555–566, 2015.
- [45] L. Szekeres, M. Payer, T. Wei, and D. Song, "SoK: Eternal war in memory", *Proceedings IEEE Symposium on Security and Privacy*, pp. 48–62, 2013.
- [46] W. He, S. Das, W. Zhang, and Y. Liu, "No-Jump-into-Basic-Block: Enforce Basic Block CFI on the Fly for Real-world Binaries", *Proceedings Design Automation Conference*, vol. Part 12828, pp. 1–6, 2017.
- [47] I. Corporation, "Control-flow Enforcement Technology Preview", Intel Specifications, no. June, pp. 1–136, 2017. [Online]. Available: https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf.
- [48] Qualcomm Security, "Pointer Authentication on ARMv8.3", Tech. Rep. January, 2017. [Online]. Available: https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf.
- [49] V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song, "Code-Pointer Integrity", Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, pp. 147–163, 2014. [Online]. Available: https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-kuznetsov.pdf.
- [50] A. J. Mashtizadeh, A. Bittau, D. Boneh, and D. Mazières, "CCFI: Cryptographically enforced control flow integrity", in *Proceedings of the ACM Conference on Computer and Communications Security*, vol. 2015-Octob, New York, New York, USA: ACM Press, 2015, pp. 941–951. arXiv: 1408 . 1451. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2810103 . 2813676.
- [51] A. Mahmood and E. J. Mccluskey, "Concurrent Error Detection Using Watchdog Processors—A Survey", *IEEE Transactions on Computers*, vol. 37, no. 2, pp. 160–174, 1988.

[52] C. Shepherd, G. Arfaoui, I. Gurulian, R. P. Lee, K. Markantonakis, R. N. Akram, D. Sauveron, and E. Conchon, "Secure and Trusted Execution: Past, Present, and Future - A Critical Review in the Context of the Internet of Things and Cyber-Physical Systems", in 2016 IEEE Trustcom/BigDataSE/ISPA, IEEE, Aug. 2016, pp. 168–177. [Online]. Available: http://ieeexplore.ieee.org/document/7846943/.

- [53] E. D. Bryant, M. J. Atallah, M. R. Stytz, M. J. Atallah, E. D. Bryant, and M. R. Stytz, "A Survey of Anti-Tamper Technologies", *The Journal of Defense Software Engineering*, no. November, pp. 12–16, 2004.
- [54] C. S. Collberg and C. Thomborson, "Watermarking, tamper-proofing, and obfuscation Tools for software protection", *IEEE Transactions on Software Engineering*, vol. 28, no. 8, pp. 735–746, 2002.
- [55] N. Theissing, D. Merli, M. Smola, F. Stumpf, and G. Sigl, "Comprehensive Analysis of Software Countermeasures against Fault Attacks", *Design, Automation & Test in Europe Conference & Exhibition (DATE)*, 2013, pp. 404–409, 2013. [Online]. Available: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6513538.
- [56] S. Drimer, "Volatile FPGA design security a survey", PhD thesis, University of Cambridge, 2008, pp. 1–51. [Online]. Available: http://www.cl.cam.ac.uk/~sd410/papers/fpga\_security.pdf.
- [57] R. P. Lee, K. Markantonakis, and R. N. Akram, "Binding Hardware and Software to Prevent Firmware Modification and Device Counterfeiting", *Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security CPSS '16*, pp. 70–81, 2016. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2899015.2899029.
- [58] DAU, "Defense Acquisition Guidebook", pp. 1–969, 2011. [Online]. Available: https://www.dau.mil/tools/dag.
- [59] O. Goloubeva, M. Rebaudengo, M. Sonza Reorda, and M. Violante, "Soft-error detection using control flow assertions", in *Proceedings*. 16th IEEE Symposium on Computer Arithmetic, vol. 16, IEEE Comput. Soc, Nov. 2003, pp. 581–588. [Online]. Available: http://ieeexplore.ieee.org/document/1250158/.
- [60] B. Yuce, N. F. Ghalaty, H. Santapuri, C. Deshpande, C. Patrick, and P. Schaumont, "Software Fault Resistance is Futile: Effective Single-Glitch Attacks", *Proceedings 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2016*, pp. 47–58, 2016.
- [61] M. S. Kelly, K. Mayes, and J. F. Walker, "Characterising a CPU fault attack model via runtime data analysis", in 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), IEEE, May 2017, pp. 79–84. [Online]. Available: http://ieeexplore.ieee.org/document/7951802/.
- [62] C. H. Gebotys, *Security in Embedded Devices*, ser. Embedded systems. New York ; London: Springer, 2010.
- [63] A. Schaller, T. Arul, V. Van Der Leest, and S. Katzenbeisser, "Lightweight anti-counterfeiting solution for low-end commodity hardware using inherent PUFs", *Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics*), vol. 8564 LNCS, pp. 83–100, 2014.
- [64] M. A. Gora, A. Maiti, and P. Schaumont, "A flexible design flow for software IP binding in FPGA", IEEE Transactions on Industrial Informatics, vol. 6, no. 4, pp. 719–728, 2010.

[65] E. Simpson and P. Schaumont, "Offline HW / SW Authentication for Reconfigurable Platforms", *Cryptographic Hardware and Embedded Systems (CHES)*, pp. 1–13, 2006.

- [66] X. Wang, C. Konstantinou, M. Maniatakos, and R. Karri, "ConFirm: Detecting firmware modifications in embedded systems using Hardware Performance Counters", 2015 IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015, pp. 544–551, 2016.
- [67] T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, A.-R. Sadeghi, and G. Tsudik, "C-FLAT: Control-Flow Attestation for Embedded Systems Software", in *Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security CCS'16*, New York, New York, USA: ACM Press, 2016, pp. 743–754. arXiv: 1605.07763. [Online]. Available: http://arxiv.org/abs/1605.07763.
- [68] D. Arora, S. Ravi, A. Raghunathan, and N. K. Jha, "Hardware-Assisted Run-Time Monitoring for Secure Program Execution on Embedded Processors", *IEEE Transactions on Very Large Scale Integration (VLSI) Systems*, vol. 14, no. 12, pp. 1295–1308, Dec. 2006. [Online]. Available: http://ieeexplore.ieee.org/document/4052340/.
- [69] S. Kleber, F. Unterstein, M. Matousek, F. Kargl, F. Slomka, and M. Hiller, "Secure Execution Architecture based on PUF-driven Instruction Level Code Encryption", *Cryptology ePrint Archive*, *Report 2015/651*, 2015.
- [70] F. Kohnhäuser, A. Schaller, and S. Katzenbeisser, "PUF-Based Software Protection for Low-End Embedded Devices", in *Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)*, vol. 9229, 2015, pp. 3–21. arXiv: arXiv: 1506.07739v2. [Online]. Available: http://link.springer.com/10.1007/978-3-319-22846-4\_1.
- [71] R. P. Lee, K. Markantonakis, and R. N. Akram, "Provisioning Software with Hardware-Software Binding", in *Proceedings of the 12th International Conference on Availability, Reliability and Security ARES '17*, New York, New York, USA: ACM Press, 2017, pp. 1–9. [Online]. Available: http://dl.acm.org/citation.cfm?doid=3098954.3103158.
- [72] S. Kleber, F. Unterstein, M. Matousek, F. Kargl, F. Slomka, and M. Hiller, "Design of the Secure Execution PUF-based Processor (SEPP)", Workshop on Trustworthy Manufacturing and Utilization of Secure Devices, TRUDEVICE 2015, no. 2, pp. 1–5, 2015.
- [73] A. V. Aho, *Compilers : principles, techniques, and tools*. Second edi. Pearson custom library, 2014.
- [74] R. Maes, "Physically Unclonable Functions: Constructions, Properties and Applications (Fysisch onkloonbare functies: constructies, eigenschappen en toepassingen)", PhD thesis, Katholieke Universiteit Leuven, 2012. [Online]. Available: https://lirias.kuleuven.be/handle/123456789/353455.
- [75] J. L. Danger, A. Facon, S. Guilley, K. Heydemann, U. Kuhne, A. Si Merabet, and M. Timbert, "CCFI-Cache: A transparent and flexible hardware protection for code and control-flow integrity", *Proceedings 21st Euromicro Conference on Digital System Design*, DSD 2018, pp. 529–536, 2018.
- [76] D. Sullivan, O. Arias, L. Davi, P. Larsen, A.-R. Sadeghi, and Y. Jin, "Strategy without tactics", 2016 53nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1–6, 2016.

[77] K. E. Defrawy, D. Perito, G. Tsudik, and E. al., "SMART: Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust", in *Processings of the 19th Annual Network and Distributed System Security Symposium*, pp. 5–8.

- [78] Y. Li, J. M. Mccune, and A. Perrig, "VIPER: Verifying the Integrity of PERipherals' Firmware", *Proceedings of the ACM Conference on Computer and Communications Security* (CCS), vol. 22, no. October, pp. 3–16, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?id=2046711.
- [79] C. Castelluccia, A. Francillon, D. Perito, and C. Soriente, "On the difficulty of software-based attestation of embedded devices", in *Proceedings of the 16th ACM conference on Computer and communications security CCS '09*, New York, New York, USA: ACM Press, 2009, p. 400. [Online]. Available: http://portal.acm.org/citation.cfm?doid=1653662.1653711.
- [80] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. Van Doorn, and P. Khosla, "Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems", *Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005*, pp. 1–16, 2005.
- [81] N. Ferguson, D. Whiting, B. Schneier, J. Kelsey, S. Lucks, and T. Kohno, "Helix: Fast encryption and authentication in a single cryptographic primitive", *Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics*), vol. 2887, pp. 330–346, 2003.
- [82] A. Klimov and A. Shamir, "New cryptographic primitives based on multiword T-functions", Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3017, pp. 1–15, 2004.
- [83] A. Seshadri, A. Perrig, L. Van Doom, and P. Khosla, "SWATT: SoftWare-based ATTestation for embedded devices", *Proceedings IEEE Symposium on Security and Privacy*, vol. 2004, pp. 272–282, 2004.
- [84] R. Kennell and L. H. Jamieson, "Establishing the Genuinity of Remote Computer Systems", Proceedings of the 12th USENIX Security Symposium, vol. 52, no. 3, pp. 608–616, 2003. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0360131508001668.
- [85] T. AbuHmed, N. Nyamaa, and D. H. Nyang, "Software-based remote code attestation in wireless sensor network", *GLOBECOM IEEE Global Telecommunications Conference*, pp. 1–8, 2009.
- [86] C. Lattner and V. Adve, "{LLVM}: A Compilation Framework for Lifelong Program Analysis and Transformation", San Jose, CA, USA, Mar. 2004, pp. 75–88.
- [87] J. Kinder and H. Veith, "Jakstab: A static analysis platform for binaries Tool paper", Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5123 LNCS, pp. 423–427, 2008.
- [88] L. Davi, A. Dmitrienko, M. Egele, F. Thomas, T. Holz, R. Hund, S. Nurnberger, and A.-R. Sadeghi, "MoCFI: A framework to mitigate control-flow attacks on smartphones", Symposium on Network and Distributed System Security, 2012. [Online]. Available: https://pdfs.semanticscholar.org/fb43/699356089cca6bcf063af6841228afaa0f3e.pdf.
- [89] D.-I. J. Kinder, "Static Analysis of x86 Executables", PhD thesis, Technische Universitat Darmstadt, 2010. [Online]. Available: https://infoscience.epfl.ch/record/167546/files/thesis.pdf.

[90] M. H. Nguyen, T. B. Nguyen, T. T. Quan, and M. Ogawa, "A hybrid approach for control flow graph construction from binary code", *Proceedings - Asia-Pacific Software Engineering Conference, APSEC*, vol. 2, no. 2, pp. 159–164, 2013.

- [91] G. Dessouky, T. Abera, A. Ibrahim, and A.-R. Sadeghi, "LiteHAX", 2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1–8, 2018.
- [92] Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna, "SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis", in 2016 IEEE Symposium on Security and Privacy (SP), IEEE, May 2016, pp. 138–157. [Online]. Available: http://ieeexplore.ieee.org/document/7546500/.
- [93] A. A. Hagberg, D. A. Schult, and P. J. Swart, "Exploring network structure, dynamics, and function using NetworkX", 7th Python in Science Conference (SciPy 2008), no. SciPy, pp. 11–15, 2008.
- [94] J. P. Aumasson, S. Neves, Z. Wilcox-O'Hearn, and C. Winnerlein, "BLAKE2: Simpler, smaller, fast as MD5", Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7954 LNCS, pp. 119–135, 2013.
- [95] C. N. Chong, Z. Peng, and P. H. Hartel, "Secure Audit Logging with Tamper-Resistant Hardware", in *Security and Privacy in the Age of Uncertainty*, D. Gritzalis, S. Capitani di Vimercati, P. Samarati, and S. Katsikas, Eds., vol. 122, Boston, MA: Springer US, 2003, pp. 73–84. [Online]. Available: http://link.springer.com/10.1007/978-0-387-35691-4\_7.