Modern RISC-V platforms control and monitor security-critical systems such as industrial controllers and autonomous vehicles. While these platforms feature a Root-of-Trust (RoT) to store authentication secrets and enable secure boot, they often lack Control-Flow Integrity (CFI) enforcement and are vulnerable to attacks that divert the control flow of an application to trigger malicious behaviours. Recent techniques to enforce CFI in RISC-V systems rely on ISA modifications or custom hardware IPs, all of which require ad-hoc binary toolchains or the design of CFI primitives in hardware. This paper proposes TitanCFI, a novel approach that enforces CFI in the RoT. TitanCFI modifies the commit stage of the protected core to stream control-flow instructions to the RoT, and it integrates the CFI enforcement policy in the RoT firmware. This approach maximises reuse of the hardware resources already present in the System-on-Chip (SoC) and avoids both the design of custom IPs and modification of the compilation toolchain, while exploiting the tamper-proof storage and cryptographic accelerators of the RoT to secure CFI metadata. We implemented the proposed architecture on a modern RISC-V SoC together with a return-address protection policy in the RoT, and benchmarked area and runtime overhead. Experimental results show that TitanCFI achieves runtime overhead comparable to state-of-the-art hardware CFI solutions for most benchmarks, with lower area overhead: 1% additional area occupation.
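The abstract says the RoT firmware consumes a stream of committed control-flow instructions and applies a return-address protection policy to it, but does not show what that policy looks like. The following is an added illustration, not code from the TitanCFI paper or its SoC: a shadow-stack policy written in C as a model of what RoT firmware could run over such a stream. The event format (`struct cf_event`), the field names, the stack depth and the sample traces are all assumptions chosen for the example; the real interface between the commit stage and the RoT is not described on this page. The shadow stack stands in for the RoT's tamper-proof storage, so a memory-corruption bug in the protected core cannot reach it, which is the property that makes the return-address check meaningful.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical event format streamed from the core's commit stage (assumption,
   not the paper's actual interface). One event per committed call or return. */
enum cf_kind { CF_CALL, CF_RET };

struct cf_event {
    enum cf_kind kind;
    uint32_t pc;       /* address of the committed call/return instruction */
    uint32_t target;   /* address the control transfer actually went to */
    uint8_t  insn_len; /* 4 for a 32-bit instruction, 2 for a compressed (RVC) one */
};

enum cfi_status { CFI_OK, CFI_RET_MISMATCH, CFI_STACK_UNDERFLOW, CFI_STACK_OVERFLOW };

/* Shadow stack kept inside the RoT: the protected core has no path to it. */
#define SHADOW_DEPTH 64

struct shadow_stack {
    uint32_t addr[SHADOW_DEPTH];
    size_t   top;
};

static void shadow_init(struct shadow_stack *s) { s->top = 0; }

/* Policy: a call pushes the address of the instruction following it (pc + length);
   a return must target exactly the address on top of the shadow stack. */
static enum cfi_status cfi_check(struct shadow_stack *s, const struct cf_event *e)
{
    switch (e->kind) {
    case CF_CALL:
        if (s->top >= SHADOW_DEPTH) return CFI_STACK_OVERFLOW;
        s->addr[s->top++] = e->pc + e->insn_len;
        return CFI_OK;
    case CF_RET:
        if (s->top == 0) return CFI_STACK_UNDERFLOW;  /* return with no matching call */
        s->top--;
        return (s->addr[s->top] == e->target) ? CFI_OK : CFI_RET_MISMATCH;
    }
    return CFI_OK;
}

/* Run a whole event trace through the policy. Stops at the first violation and
   reports its status; *at receives the index of the offending event (n if none). */
enum cfi_status cfi_run_trace(const struct cf_event *ev, size_t n, size_t *at)
{
    struct shadow_stack s;
    shadow_init(&s);
    for (size_t i = 0; i < n; i++) {
        enum cfi_status st = cfi_check(&s, &ev[i]);
        if (st != CFI_OK) { if (at) *at = i; return st; }
    }
    if (at) *at = n;
    return CFI_OK;
}

/* Constructed sample trace (addresses invented for the example): main calls f,
   f calls g through a compressed c.jalr, then both return to their call sites. */
static const struct cf_event benign_trace[] = {
    { CF_CALL, 0x80000010, 0x80000100, 4 },  /* return address will be 0x80000014 */
    { CF_CALL, 0x80000120, 0x80000200, 2 },  /* return address will be 0x80000122 */
    { CF_RET,  0x80000230, 0x80000122, 4 },  /* g returns into f */
    { CF_RET,  0x80000140, 0x80000014, 4 },  /* f returns into main */
};

/* Same trace, but the saved return address of f has been overwritten (e.g. by a
   stack buffer overflow), so the final return lands somewhere else. */
static const struct cf_event hijacked_trace[] = {
    { CF_CALL, 0x80000010, 0x80000100, 4 },
    { CF_CALL, 0x80000120, 0x80000200, 2 },
    { CF_RET,  0x80000230, 0x80000122, 4 },
    { CF_RET,  0x80000140, 0x80000ABC, 4 },  /* expected 0x80000014: violation */
};

enum cfi_status check_benign(size_t *at)
{
    return cfi_run_trace(benign_trace, sizeof benign_trace / sizeof benign_trace[0], at);
}

enum cfi_status check_hijacked(size_t *at)
{
    return cfi_run_trace(hijacked_trace, sizeof hijacked_trace / sizeof hijacked_trace[0], at);
}

int main(void)
{
    size_t at;
    printf("benign trace:   status %d\n", check_benign(&at));
    printf("hijacked trace: status %d at event %zu\n", check_hijacked(&at), at);
    return 0;
}
```

Two points a practitioner would check before trusting such a policy in real firmware: the instruction length must come from the commit stage (a compressed `c.jalr` pushes `pc + 2`, not `pc + 4`, and getting this wrong makes every return from that call site a false positive), and legitimate non-LIFO control transfers such as `longjmp`, exception unwinding or context switches need an explicit rule, since a plain shadow stack reports them as mismatches or underflows.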