CVA6-CFI: A First Glance at RISC-V Control-Flow Integrity Extensions

Simone Manoni, Emanuele Parisi, Riccardo Tedeschi, Davide Rossi, Andrea Acquaviva, Andrea Bartolini

TL;DR

This paper addresses the problem of protecting RISC-V embedded cores from control-flow hijacking by evaluating the standard RISC-V CFI extensions Zicfiss (shadow stack) and Zicfilp (landing pads) in the CVA6 core. It presents two hardware modules—the Shadow Stack Unit and the Landing Pad Unit—integrated into CVA6-CFI, along with CSR and pipeline modifications to enforce backward- and forward-edge protections. The authors report approximately 1.0% area overhead and up to 15.6% performance overhead on the MiBench automotive subset, and they release the full implementation as open-source, demonstrating practical, low-overhead hardware-assisted CFI for security-critical embedded workloads. The work validates the feasibility of RISC-V CFI in an application-class core and sets the stage for further silicon prototyping, power analysis, and study of these extensions in more complex, multi-threaded architectures.

Abstract

This work presents the first design, integration, and evaluation of the standard RISC-V extensions for Control-Flow Integrity (CFI). The Zicfiss and Zicfilp extensions aim to protect the execution of a vulnerable program from control-flow hijacking attacks through security mechanisms based on shadow stack and landing pad primitives. We introduce two independent and configurable hardware units implementing forward-edge and backward-edge control-flow protection, fully integrated into the open-source CVA6 core. Our design incurs only 1.0% area overhead when synthesized in 22 nm FDX technology, and up to 15.6% performance overhead in an evaluation with the MiBench automotive benchmark subset. We release the complete implementation as open source.
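As an added illustration, not code from the paper or the CVA6-CFI release, the following Python model shows the two checks the abstract describes: a shadow stack that rejects a return whose address no longer matches the hardware copy (backward edge), and a landing-pad requirement on the target of an indirect call (forward edge). The opcodes, the 4-byte instruction size and the `corrupt` pseudo-op (standing in for a memory-safety bug that overwrites a saved return address) are constructed assumptions.

```python
# Added toy model, not CVA6-CFI RTL: the opcodes, the 4-byte instruction size and
# the "corrupt" pseudo-op (a memory bug overwriting a saved return address) are constructed.
from dataclasses import dataclass, field

class CFIViolation(Exception): pass

@dataclass
class Core:
    program: dict                               # addr -> (op, arg)
    pc: int = 0
    stack: list = field(default_factory=list)   # architectural return addresses (corruptible)
    shadow: list = field(default_factory=list)  # hardware shadow stack (not software-writable)
    expect_lpad: bool = False                   # set after an indirect call
    trace: list = field(default_factory=list)   # executed addresses, for inspection

    def step(self) -> bool:
        op, arg = self.program[self.pc]
        if self.expect_lpad and op != "lpad":   # forward edge: target must be a landing pad
            raise CFIViolation(f"forward-edge: {self.pc:#x} is not a landing pad")
        self.expect_lpad = False
        self.trace.append(self.pc)
        nxt = self.pc + 4                       # lpad and nop simply fall through
        if op in ("call", "icall"):             # push the return address on both stacks
            self.stack.append(nxt)
            self.shadow.append(nxt)
            nxt, self.expect_lpad = arg, op == "icall"
        elif op == "ret":                       # backward edge: RA must match the shadow copy
            ra = self.stack.pop()
            if ra != self.shadow.pop():
                raise CFIViolation(f"backward-edge: return to {ra:#x} rejected")
            nxt = ra
        elif op == "corrupt":                   # constructed bug: overwrite the saved RA
            self.stack[-1] = arg
        elif op == "halt":
            return False
        self.pc = nxt
        return True

def run(program: dict):
    """Execute until halt; return ("ok", trace) or ("violation", reason)."""
    core = Core(program)
    try:
        while core.step(): pass
    except CFIViolation as e:
        return "violation", str(e)
    return "ok", core.trace

# Constructed programs: a benign call, a corrupted return address, and an indirect call into code without a landing pad.
BENIGN = {0x0: ("call", 0x20), 0x4: ("halt", None), 0x20: ("lpad", None), 0x24: ("ret", None)}
CORRUPTED_RA = {0x0: ("call", 0x20), 0x4: ("halt", None), 0x20: ("corrupt", 0x40), 0x24: ("ret", None)}
BAD_ICALL = {0x0: ("icall", 0x30), 0x4: ("halt", None), 0x30: ("nop", None), 0x34: ("ret", None)}
```

Running `run(BENIGN)` completes normally, while the other two programs stop at the first check that fails, which is the behaviour a hardware trap on a CFI violation would model.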

Paper Structure (12 sections, 3 figures, 1 table)

Figures (3)

  • Figure 1: CVA6-CFI microarchitecture.
  • Figure 2: CVA6-CFI area overhead comparison.
  • Figure 3: CVA6-CFI software characterization.