R5Detect: Detecting Control-Flow Attacks from Standard RISC-V Enclaves
Davide Bove, Lukas Panzer
TL;DR
R5Detect addresses the security challenges of resource-constrained IoT and embedded devices by combining a software-based control-flow integrity (CFI) monitor built around a shadow stack with an anomaly detector based on hardware performance counters (HPCs). Implemented on standard RISC-V hardware within a MultiZone TEE framework (OpenMZ), it operates with minimal hardware support, achieving overheads under 5% on common benchmarks and supporting zone-level isolation. The work details two complementary defenses, CFI via binary instrumentation and a shadow stack, plus per-zone HPC profiling with offline signatures, and analyzes security guarantees, performance tradeoffs, and limitations such as counter availability and intervention costs. Together, these approaches demonstrate a feasible security framework for low-power IoT devices that can defend against runtime control-flow manipulations while leveraging existing RISC-V primitives and TEEs.
Abstract
Embedded and Internet-of-Things (IoT) devices are ubiquitous today, and the rise of several botnets based on them (e.g., Mirai, Ripple20) raises concerns about the security of such devices. Low-power devices in particular often lack support for modern system security measures, such as stack integrity, Non-eXecutable bits or strong cryptography. In this work, we present R5Detect, a security monitoring software that detects and prevents control-flow attacks on unmodified standard RISC-V architectures. Through a novel combination of different protection techniques, it can run on embedded and low-power IoT devices that may lack proper security features. R5Detect implements a memory-protected shadow stack to prevent runtime modifications, as well as heuristic detection based on Hardware Performance Counters to detect control-flow integrity violations. Our results indicate that regular software can be protected against different degrees of control-flow manipulations with an average performance overhead of below 5 %. We implement and evaluate R5Detect on standard low-power RISC-V devices and show that such security features can be effectively used with minimal hardware support.
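A minimal model of the shadow-stack check the abstract refers to, added here as an illustration and not taken from R5Detect's own code: the monitor keeps a private copy of every saved return address and flags a return that uses a different address. The event format, the addresses and the function names in the traces are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SHADOW_DEPTH 64

/* Events a binary-instrumented program would report to the monitor:
 * a CALL carries the return address being saved on the regular stack,
 * a RET carries the return address the program is about to jump to. */
typedef enum { EV_CALL, EV_RET } ev_kind;
typedef struct { ev_kind kind; uint32_t ret_addr; } event;

/* Shadow stack: a private copy of every saved return address. In R5Detect
 * this copy lives in memory the monitored code cannot write; here it is
 * a plain array because only the check logic is being demonstrated. */
typedef struct { uint32_t slots[SHADOW_DEPTH]; size_t top; } shadow_stack;

/* Replays a trace against the shadow stack. Returns the index of the first
 * event that violates control-flow integrity, or -1 if the trace is clean. */
int check_trace(const event *trace, size_t n) {
    shadow_stack ss = { .top = 0 };
    for (size_t i = 0; i < n; i++) {
        if (trace[i].kind == EV_CALL) {
            if (ss.top == SHADOW_DEPTH) return (int)i;   /* depth exceeded: refuse */
            ss.slots[ss.top++] = trace[i].ret_addr;
        } else {
            if (ss.top == 0) return (int)i;              /* RET without a CALL */
            if (ss.slots[--ss.top] != trace[i].ret_addr) return (int)i; /* mismatch */
        }
    }
    return -1;
}

/* Constructed trace: main -> f -> g and back; the addresses are made up. */
int demo_clean(void) {
    const event t[] = { {EV_CALL, 0x80000104}, {EV_CALL, 0x80000210},
                        {EV_RET, 0x80000210}, {EV_RET, 0x80000104} };
    return check_trace(t, sizeof t / sizeof t[0]);
}

/* Same trace, but g's saved return address was overwritten on the regular
 * stack (e.g. by a stack buffer overflow), so its RET diverges from the copy. */
int demo_corrupted(void) {
    const event t[] = { {EV_CALL, 0x80000104}, {EV_CALL, 0x80000210},
                        {EV_RET, 0x80004000}, {EV_RET, 0x80000104} };
    return check_trace(t, sizeof t / sizeof t[0]);
}

int main(void) {
    printf("clean trace: %d\n", demo_clean());                               /* -1 */
    printf("corrupted trace: violation at event %d\n", demo_corrupted());   /* 2 */
    return 0;
}
```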
