Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

TitanCFI: Toward Enforcing Control-Flow Integrity in the Root-of-Trust

Emanuele Parisi, Alberto Musa, Simone Manoni, Maicol Ciani, Davide Rossi, Francesco Barchi, Andrea Bartolini, Andrea Acquaviva

TL;DR

TitanCFI tackles enforcing Control-Flow Integrity on RoT-enabled RISC-V systems by streaming retired control-flow instructions from the host to the OpenTitan RoT and executing a policy in RoT firmware. The approach reuses existing hardware, avoids custom IPs or toolchain changes, and leverages the RoT's tamper-proof memory and cryptographic accelerators to secure CFI metadata, with area overhead under $<1\%$ and runtime overhead competitive with state-of-the-art solutions. Empirical results on an OpenTitan-based platform show a shadow-stack CfI policy incurs measurable but modest costs, with runtime slowdown typically below $10\%$ for most benchmarks and hardware overhead under $6\%$ for the host core. Overall, TitanCFI demonstrates that CFI can be robustly enforced inside the RoT while maintaining compatibility with standard toolchains and preserving hardware efficiency, enabling scalable, policy-driven security for RoT-centric IoT and automotive systems.

Abstract

Modern RISC-V platforms control and monitor security-critical systems such as industrial controllers and autonomous vehicles. While these platforms feature a Root-of-Trust (RoT) to store authentication secrets and enable secure boot technologies, they often lack Control-Flow Integrity (CFI) enforcement and are vulnerable to cyber-attacks which divert the control flow of an application to trigger malicious behaviours. Recent techniques to enforce CFI in RISC-V systems include ISA modifications or custom hardware IPs, all requiring ad-hoc binary toolchains or design of CFI primitives in hardware. This paper proposes TitanCFI, a novel approach to enforce CFI in the RoT. TitanCFI modifies the commit stage of the protected core to stream control flow instructions to the RoT and it integrates the CFI enforcement policy in the RoT firmware. Our approach enables maximum reuse of the hardware resource present in the System-on-Chip (SoC), and it avoids the design of custom IPs and the modification of the compilation toolchain, while exploiting the RoT tamper-proof storage and cryptographic accelerators to secure CFI metadata. We implemented the proposed architecture on a modern RISC-V SoC along with a return address protection policy in the RoT, and benchmarked area and runtime overhead. Experimental results show that TitanCFI achieves overhead comparable to SoA hardware CFI solutions for most benchmarks, with lower area overhead, resulting in 1% of additional area occupation.

TitanCFI: Toward Enforcing Control-Flow Integrity in the Root-of-Trust

TL;DR

TitanCFI tackles enforcing Control-Flow Integrity on RoT-enabled RISC-V systems by streaming retired control-flow instructions from the host to the OpenTitan RoT and executing a policy in RoT firmware. The approach reuses existing hardware, avoids custom IPs or toolchain changes, and leverages the RoT's tamper-proof memory and cryptographic accelerators to secure CFI metadata, with area overhead under and runtime overhead competitive with state-of-the-art solutions. Empirical results on an OpenTitan-based platform show a shadow-stack CfI policy incurs measurable but modest costs, with runtime slowdown typically below for most benchmarks and hardware overhead under for the host core. Overall, TitanCFI demonstrates that CFI can be robustly enforced inside the RoT while maintaining compatibility with standard toolchains and preserving hardware efficiency, enabling scalable, policy-driven security for RoT-centric IoT and automotive systems.

Abstract

Modern RISC-V platforms control and monitor security-critical systems such as industrial controllers and autonomous vehicles. While these platforms feature a Root-of-Trust (RoT) to store authentication secrets and enable secure boot technologies, they often lack Control-Flow Integrity (CFI) enforcement and are vulnerable to cyber-attacks which divert the control flow of an application to trigger malicious behaviours. Recent techniques to enforce CFI in RISC-V systems include ISA modifications or custom hardware IPs, all requiring ad-hoc binary toolchains or design of CFI primitives in hardware. This paper proposes TitanCFI, a novel approach to enforce CFI in the RoT. TitanCFI modifies the commit stage of the protected core to stream control flow instructions to the RoT and it integrates the CFI enforcement policy in the RoT firmware. Our approach enables maximum reuse of the hardware resource present in the System-on-Chip (SoC), and it avoids the design of custom IPs and the modification of the compilation toolchain, while exploiting the RoT tamper-proof storage and cryptographic accelerators to secure CFI metadata. We implemented the proposed architecture on a modern RISC-V SoC along with a return address protection policy in the RoT, and benchmarked area and runtime overhead. Experimental results show that TitanCFI achieves overhead comparable to SoA hardware CFI solutions for most benchmarks, with lower area overhead, resulting in 1% of additional area occupation.
Paper Structure (19 sections, 1 figure, 4 tables)

This paper contains 19 sections, 1 figure, 4 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. SoC Architecture
  4. Host Domain Architecture
  5. OpenTitan Root-of-Trust Architecture
  6. CFI Extensions and OpenTitan Firmware
  7. SoC Modifications --- CFI Mailbox
  8. Host Core Modifications
  9. CFI Filters
  10. CFI Queue and Queue Controller
  11. CFI Log Writer
  12. OpenTitan Firmware Design
  13. Experimental Results
  14. Experimental environment
  15. OpenTitan firmware analysis
  16. ...and 4 more sections

Figures (1)

  • Figure 1: Architecture of TitanCFI. The diagram highlights the proposed architectural modification to the SoC (left) and CVA6 core (right)