Embedded devices are increasingly present in our everyday life. They often process critical information and hence rely on cryptographic protocols to achieve security. However, embedded devices remain vulnerable to attackers who seek to hijack their operation and extract sensitive information by exploiting code reuse and side channels. Code-Reuse Attacks (CRAs) steer the execution of a program to malicious outcomes by repurposing the code already on board, without injecting new code or directly accessing the device memory. Side-Channel Attacks (SCAs) may reveal secret information to the attacker through mere observation of the device, for example its timing or power consumption. Thwarting CRAs and SCAs on embedded devices is challenging because these devices are often resource constrained. Fine-grained code diversification hinders CRAs by making the binary code unpredictable, so that gadget addresses found in one variant do not hold in another; software mitigations such as constant-time code can thwart timing or power SCAs. Resilience to either attack may come at the price of overall efficiency, and the two mitigations interact: a diversifying transformation that is unaware of the side-channel constraints can silently undo them. A unified approach that preserves mitigations against both CRAs and SCAs is not available. In this paper, we propose a novel Secure Diversity by Construction (SecDivCon) approach that tackles this challenge. SecDivCon is a combinatorial compiler-based approach that combines software diversification against CRAs with software mitigations against SCAs. SecDivCon bounds the performance overhead of the generated code and hence offers a secure-by-design approach that gives control over the performance-security trade-off. Our experiments on 16 benchmark programs show that SCA-aware diversification is effective against CRAs while preserving the SCA mitigation properties at a low, controllable overhead. Given the combinatorial nature of our approach, SecDivCon is suitable for small, performance-critical functions that are sensitive to SCAs.
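The following toy model, added here as an illustration and not code from the SecDivCon paper or its implementation, shows the interaction the abstract describes. A diversifier enumerates semantically equivalent variants of a small constant-time 4-word comparison (every dependency-preserving instruction schedule of the block, plus a hand-written early-exit encoding of the same function, standing in for a larger combinatorial search space); an SCA-unaware diversifier accepts every equivalent variant, whereas an SCA-aware filter additionally demands an operand-independent execution trace and rejects the early-exit variant. The register machine, its opcodes, the register names and the test vectors are assumptions made up for this example.

```python
"""Toy model of SCA-aware code diversification (added example, not SecDivCon code).

A program is a list of (op, a, b, c) tuples over a 32-bit register machine.
ALU ops are (op, dst, src1, src2) where a source is a register name or an
integer immediate; control flow is ('brnz', reg, target, None) and
('jmp', target, None, None).  Everything below is an assumption for the example.
"""
import random

WORD = 0xFFFFFFFF
ALU = {
    'xor': lambda x, y: x ^ y,
    'or':  lambda x, y: x | y,
    'shr': lambda x, y: x >> y,
    'neg': lambda x, _: (-x) & WORD,
    'mov': lambda x, _: x,
}

# Constant-time 4-word equality: r = 1 iff a0..a3 == b0..b3, no branches.
CT_EQ4 = [
    ('xor', 't0', 'a0', 'b0'), ('xor', 't1', 'a1', 'b1'),
    ('xor', 't2', 'a2', 'b2'), ('xor', 't3', 'a3', 'b3'),
    ('or', 'u0', 't0', 't1'), ('or', 'u1', 'u0', 't2'),
    ('or', 'u2', 'u1', 't3'),        # u2 == 0 iff all words are equal
    ('neg', 'n', 'u2', None),
    ('or', 'm', 'u2', 'n'),          # top bit of m is set iff u2 != 0
    ('shr', 's', 'm', 31),
    ('xor', 'r', 's', 1),
]

# Same function with early exit: correct result, but the trace depends on
# the first differing word, i.e. a classic timing side channel.
LEAKY_EQ4 = [
    ('xor', 't0', 'a0', 'b0'), ('brnz', 't0', 10, None),
    ('xor', 't1', 'a1', 'b1'), ('brnz', 't1', 10, None),
    ('xor', 't2', 'a2', 'b2'), ('brnz', 't2', 10, None),
    ('xor', 't3', 'a3', 'b3'), ('brnz', 't3', 10, None),
    ('mov', 'r', 1, None), ('jmp', 11, None, None),
    ('mov', 'r', 0, None),
]


def run(prog, inputs):
    """Execute prog on a register file seeded with inputs.

    Returns (value of r, tuple of executed instruction indices).  The index
    trace is the leakage model: an attacker timing the device sees it."""
    regs = dict(inputs)
    val = lambda x: x if isinstance(x, int) or x is None else regs[x]
    pc, trace = 0, []
    while pc < len(prog):
        op, a, b, c = prog[pc]
        trace.append(pc)
        if op == 'brnz':
            pc = b if val(a) != 0 else pc + 1
        elif op == 'jmp':
            pc = a
        else:
            regs[a] = ALU[op](val(b), val(c)) & WORD
            pc += 1
    return regs['r'], tuple(trace)


def deps(block):
    """For a straight-line block: RAW, WAR and WAW predecessors of each insn."""
    out = []
    for j, (_, dst, s1, s2) in enumerate(block):
        reads = {s for s in (s1, s2) if isinstance(s, str)}
        pred = set()
        for i in range(j):
            _, dst_i, a_i, b_i = block[i]
            reads_i = {s for s in (a_i, b_i) if isinstance(s, str)}
            if dst_i in reads or dst in reads_i or dst == dst_i:
                pred.add(i)
        out.append(pred)
    return out


def schedules(block):
    """Enumerate every instruction order that respects the dependences."""
    d, n = deps(block), len(block)

    def rec(done, order):
        if len(order) == n:
            yield [block[i] for i in order]
            return
        for i in range(n):
            if i not in done and d[i] <= done:
                yield from rec(done | {i}, order + [i])
    yield from rec(frozenset(), [])


def equivalent(prog, ref, tests):
    return all(run(prog, t)[0] == run(ref, t)[0] for t in tests)


def constant_trace(prog, tests):
    """True iff the executed-address trace is the same for every input."""
    return len({run(prog, t)[1] for t in tests}) == 1


def diversify(block, tests):
    """Return (SCA-unaware variants, SCA-aware variants) of block."""
    candidates = list(schedules(block)) + [LEAKY_EQ4]
    unaware = [p for p in candidates if equivalent(p, block, tests)]
    aware = [p for p in unaware if constant_trace(p, tests)]
    return unaware, aware


def test_vectors(seed=1):
    """Constructed inputs: equal, differing in exactly one word, random."""
    rng = random.Random(seed)
    a = [1, 2, 3, 0x80000000]
    vecs = [a + a]
    for i in range(4):
        b = list(a)
        b[i] ^= 1
        vecs.append(a + b)
    vecs += [[rng.getrandbits(32) for _ in range(8)] for _ in range(8)]
    names = ['a0', 'a1', 'a2', 'a3', 'b0', 'b1', 'b2', 'b3']
    return [dict(zip(names, v)) for v in vecs]


if __name__ == '__main__':
    tv = test_vectors()
    unaware, aware = diversify(CT_EQ4, tv)
    print(f"{len(unaware)} equivalent variants; {len(aware)} keep a constant trace")
```

Every one of the 48 legal schedules of the straight-line block passes both filters, so the SCA-aware diversifier still has 48 distinct binary layouts to hand out against CRAs; the early-exit variant is functionally equivalent and is accepted by the SCA-unaware filter only. A real compiler-based approach also diversifies register allocation and instruction selection and models power leakage, which this toy does not.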