One for All and All for One: GNN-based Control-Flow Attestation for Embedded Devices

TL;DR

RAGE, a novel, lightweight CFA approach with minimal requirements, is introduced, which efficiently extracts features from one execution trace and leverages Unsupervised Graph Neural Networks (GNNs) to identify deviations from benign executions.

Abstract

Control-Flow Attestation (CFA) is a security service that allows an entity (verifier) to verify the integrity of code execution on a remote computer system (prover). Existing CFA schemes suffer from impractical assumptions, such as requiring access to the prover's internal state (e.g., memory or code), the complete Control-Flow Graph (CFG) of the prover's software, large sets of measurements, or tailor-made hardware. Moreover, current CFA schemes are inadequate for attesting embedded systems due to their high computational overhead and resource usage. In this paper, we overcome the limitations of existing CFA schemes for embedded devices by introducing RAGE, a novel, lightweight CFA approach with minimal requirements. RAGE can detect Code Reuse Attacks (CRA), including control- and non-control-data attacks. It efficiently extracts features from one execution trace and leverages Unsupervised Graph Neural Networks (GNNs) to identify deviations from benign executions. The core intuition behind RAGE is to exploit the correspondence between execution trace, execution graph, and execution embeddings to eliminate the unrealistic requirement of having access to a complete CFG. We evaluate RAGE on embedded benchmarks and demonstrate that (i) it detects 40 real-world attacks on embedded software; (ii) Further, we stress our scheme with synthetic return-oriented programming (ROP) and data-oriented programming (DOP) attacks on the real-world embedded software benchmark Embench, achieving 98.03% (ROP) and 91.01% (DOP) F1-Score while maintaining a low False Positive Rate of 3.19%; (iii) Additionally, we evaluate RAGE on OpenSSL, used by millions of devices and achieve 97.49% and 84.42% F1-Score for ROP and DOP attack detection, with an FPR of 5.47%.

Figures (7)

• Figure 1: Correspondence between the recorded execution trace, the processed execution graph, and the execution embeddings produced by RAGE's model. The preserved mapping between basic blocks, graph nodes and embedding is highlighted in red.
• Figure 2: Overview of RAGE, including both the Training pipeline (carried out by the verifier) and the Inference stage (when attestation occurs).
• Figure 3: (a) Graphical representation of the Variational Graph AutoEncoders (VGAEs) structure. In the figure, the graph structure (i.e., graph connectivity in coordinate format - COO) is denoted as $A$, the features of each node are $X$, and $Z$ represents the latent variables. The operator $*$ represents the matrix product and $\phi(\cdot, \cdot)$ is the activation function. (b) Representation of the encoder designed for the Variational Graph Autoencoder (VGAE) utilized in RAGE. The decoder is not represented (i.e., the standard inner product decoder kipf2016variational). The overall number of parameters for the entire model is $8,128$.
• Figure 4: Evaluation of ROP attacks. In the label "ROP $x$", $x$ indicates the length of the ROP attack in the trace. Each data point represents the mean of 50 evaluated ROP traces of the same kind. For better readability, the presented data points are capped at 15, as higher data points are naturally detected as malicious.
• Figure 5: Evaluation of DOP attacks. For each software, 100 different DOP attack traces have been generated, except for AES, where we generated 53 attacks.