# SHERLOC: Secure and Holistic Control-Flow Violation Detection on Embedded Systems (Accepted at ACM CCS 2023)

Xi Tan and Ziming Zhao

CactiLab, Department of Computer Science and Engineering, University at Buffalo {xitan, zimingzh}@buffalo.edu

## 1 Introduction

Microcontroller-based embedded systems are often programmed in low-level languages and are vulnerable to control-flow hijacking. But inlined control-flow integrity (CFI) enforcement solutions increase the binary size and change the memory layout. Trace-based control-flow violation detection (CFVD) offers an alternative, but existing solutions are **application-oriented**, requiring kernel modifications to store and analyze the trace, limiting their use to monitor privileged codes.

### **4** Design Overview



#### **2** System-oriented CFVD

Monitor control-flow transfers both within and among privileged and unprivileged components.

#### Interrupt-aware

 Interrupts and exceptions occur asynchronously and cannot be anticipated through static analysis or dynamic training. E.g., <*C*<sub>7</sub>, *t*<sub>1</sub>>

#### Scheduling-aware

 Scheduler may resume any running tasks' execution. E.g., both (s<sub>2</sub>, b<sub>5</sub>) and (s<sub>2</sub>, c<sub>7</sub>) are legitimate control-flow transfers.

#### •Secure hardware tracing

• Prevent

privileged but potentially compromised system to disable tracing

#### •Secure trace storage and analysis

• Secure trace from the protected system



Offline Analysis

— Runtime Detection

Figure 2: SHERLOC comprises offline analysis and runtime configuration and enforcement modules. The unmodified protected system program runs in the non-secure state, whereas SHERLOC runtime modules execute in the secure state.

## **5 Runtime Detection Policy**

The approach that SHERLOC takes for handling each type of dereferenced instruction in the trace.  $\langle s, d \rangle$ : a standard trace record. ( $\langle s_1, d_1 \rangle$ ,  $\langle s_2, d_2 \rangle$ ): a pair of interrupt or exception return trace records. IBT: Indirect branch table. VT: non-secure state vector table. RCS: the current task- or kernel-specific reconstructed call stack.  $Y_T$ : task entry and re-entry address list.

|                | Туре                                    | Instruction(s)                              | Ins. Size | How to Identify the Type?                                                                                           | Sherloc Actions                                                                                                                                                                                                                                            |  |
|----------------|-----------------------------------------|---------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| and RTOS Cases | Direct branch (§4.4.1)                  | B{cond} #imm                                | 2/4       | The dereferenced instruction                                                                                        | Skip the record                                                                                                                                                                                                                                            |  |
|                | Direct call (§4.4.1)                    | BL{cond} #imm                               | 4         | The dereferenced instruction                                                                                        | RCS.push(s + 4)                                                                                                                                                                                                                                            |  |
|                | Indirect branch (§4.4.1)                | BX{cond} Rx                                 | 2         | The dereferenced instruction                                                                                        | <i>if</i> $\langle s, d \rangle \notin IBT$ , reset                                                                                                                                                                                                        |  |
|                |                                         | TBB/TBH {PC,}                               | 4         |                                                                                                                     |                                                                                                                                                                                                                                                            |  |
|                | Indirect call (§4.4.1)                  | BLX Rx                                      | 2         | The dereferenced instruction                                                                                        | <i>if</i> $\langle s, d \rangle \notin IBT$ , reset; <i>else</i> RCS.push( $s + 2$ )                                                                                                                                                                       |  |
|                | Function return (§4.4.2)                | <pre>BX LR POP {, PC} LDM SP!, {, PC}</pre> | 2/4       | The dereferenced instruction                                                                                        | <i>if</i> $d \neq \text{RCS.pop}()$ , reset                                                                                                                                                                                                                |  |
| System         | Sync. exception (§4.4.3)                | SVC #imm                                    | 2         | s[A-bit]                                                                                                            | <i>if</i> $d \notin VT$ , reset; <i>else if</i> $d \neq PendSV$ , RCS.push( <i>s</i> )                                                                                                                                                                     |  |
| Bare-metal     | Non-PendSV async.<br>interrupt (§4.4.3) | N/A                                         | N/A       | s[A-bit]                                                                                                            | <i>if</i> $d \notin VT$ , reset; <i>else if</i> $d \neq PendSV$ , RCS.push( <i>s</i> )                                                                                                                                                                     |  |
|                | Non-PendSV ISR<br>return (§4.4.4)       | <pre>BX LR POP {, PC} LDM SP!, {, PC}</pre> | 2/4       | The dereferenced instruction and<br>( $d_1 == \text{EXC}_{\text{RETURN}} \land s_2 == \text{EXC}_{\text{RETURN}}$ ) | $if \text{ bare-metal and } d_2 \neq \text{RCS.top(), reset;}$<br>$else \ if \text{ bare-metal and } d_2 == \text{RCS.top(), RCS.pop();}$<br>$else \ \text{go to PendSV ISR return handling}$                                                              |  |
| )S-only Case   | PendSV async.<br>interrupt (§4.4.5)     | N/A                                         | N/A       | s[A-bit]                                                                                                            | $if \ d == \text{PendSV},$<br>$Y_{\mathcal{T}}.\text{add}(s) \text{ and } Y_{\mathcal{T}}.\text{add}(\text{RCS.pop}())$                                                                                                                                    |  |
|                | PendSV ISR<br>return (§4.4.6)           | BX LR<br>POP {, PC}<br>LDM SP!, {, PC}      | 2/4       | The dereferenced instruction and<br>( $d_1 == \text{EXC}_{\text{RETURN}} \land s_2 == \text{EXC}_{\text{RETURN}}$ ) | $\begin{array}{l} \label{eq:constraint} if \ d_2 \notin Y_{\mathcal{T}}, \mbox{ reset}; \\ \ if \ d_2 \ \mbox{is in a shared library,} \\ \mbox{and assuming the next trace record is } \langle s_n, d_n \rangle, \\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ $ |  |



**SCFVD** verifies each indirect control-flow transfer must match an edge in the interprocedural CFG ( $G_{s}$ ) or the destination must match an address in the interrupt ISR address list ( $I_{K}$ ) or the set of task entry or re-entry list ( $Y_{T}$ )

**System-oriented CFVD (SCFVD)**. Given the trace  $R_{\mathcal{S}} = (r_0, r_1, \ldots, r_n)$  of a system  $\mathcal{S}$  including a kernel  $\mathcal{K}$  and tasks  $\mathcal{T}$ , SCFVD verifies that  $r_i \in E_{\mathcal{S}} \bigvee r_i . d \in I_{\mathcal{K}} \bigcup Y_{\mathcal{T}}, \forall i \in \{0, 1, \ldots, n\}$ .

### **3** System and Threat Model

- The system features a hardware trace unit. Filtering capabilities are not required.
- The system supports TEE and secure boot for code

## **6 Running Example on FreeRTOS**

[] represents RCS with the top on the right-hand side. Black [] represents the active RCS, and gray [] represents an inactive RCS.

| Trace Buffer                                      | Runtime Enforcement                                                                    | RCS for Task A            | RCS for Task B   | $Y_{\mathcal{T}}$                                |
|---------------------------------------------------|----------------------------------------------------------------------------------------|---------------------------|------------------|--------------------------------------------------|
| $\langle a_3, a_4 \rangle$                        | Direct branch: skip                                                                    | $[a_1+4]$                 | []               | $\{b_4+4, l_2,\}$                                |
| $\langle a_1, a_2 \rangle$                        | Direct call: RCS.push( $a_1 + 4$ )                                                     | $[a_1+4]$                 | []               | $\{b_4+4, l_2,\}$                                |
| $\langle a_5, a_6 \rangle$                        | Function return: $a_6 == \text{RCS.pop}()$                                             | [], #++4                  | []               | $\{b_4+4, l_2,\}$                                |
| $\langle l_3, a_8 \rangle$                        | Function return: $a_8 is in Y_T(a_8 == a_7 + 4)$                                       | $[a_1+4]$                 | []               | $\{b_4+4, l_2, \ldots\}, \frac{a_7+4}{a_7+4}$    |
| $\langle \text{EXC}_{\text{RETURN}}, l_2 \rangle$ | PendSV ISR return: $l_2$ is in $Y_T$                                                   | $[a_1 + 4]$               |                  | $\{b_4+4, l_2, a_7+4, \ldots\}, \frac{l_2}{l_2}$ |
| $\langle S_2, \text{EXC}_{\text{RETURN}} \rangle$ |                                                                                        |                           |                  |                                                  |
| $\langle l_2, s_1 \rangle$                        | $S_1$ is PendSV ISR address: $Y_{\tau}$ .add( $l_2$ ) and $Y_{\tau}$ .add( $b_4 + 4$ ) | $[a_1+4]$                 | [], <b>b</b> ++4 | { $l_2, b_4 + 4, l_2, a_7 + 4, \ldots$ }         |
| $\langle b_4, l_1 \rangle$                        | Direct call: RCS.push( $b_4 + 4$ )                                                     | $[a_1+4]$                 | $[, b_4 + 4]$    | $\{l_2, a_7+4, \ldots\}$                         |
| $\langle \text{EXC}_{\text{RETURN}}, b_s \rangle$ | PendSV ISR return: $b_5$ is in $Y_T$                                                   | $\left[ a_{1}+4\right]$   | []               | $\{l_2, a_7 + 4,\}, b_{-5}$                      |
| $\langle S_2, EXC\_RETURN \rangle$                |                                                                                        |                           |                  | (,,,,,,,,,,,,,,,,,,,                             |
|                                                   | •••                                                                                    | $[a_1+4]$                 | []               | $\{b_5, l_2, a_7 + 4, \ldots\}$                  |
| $\langle l_2, s_1 \rangle$                        | $S_1$ is PendSV ISR address: $Y_{\tau}$ .add( $l_2$ ) and $Y_{\tau}$ .add( $a_7 + 4$ ) | $[a_1+4], \mathbf{a}_7+4$ | []               | $\{b_5, l_2, a_7 + 4,\}$                         |
| $\langle a_7, l_1 \rangle$                        | Direct call: RCS.push( $a_7 + 4$ )                                                     | $[a_1+4, a_7+4]$          | []               | $\{b_{5},\}$                                     |



## Attackers can exploit privileged code bugs of the protected system via memory corruptions.



## **University at Buffalo** The State University of New York

