Hardware Control Flow Protection for Cyber-Physical Systems

Stanley Bak
University of Illinois at Urbana-Champaign
(Some slides from Joel Van Der Woude)

Problem
• Cyber-physical systems are vulnerable to cyber attack.
• Attacks on critical infrastructure bring physical consequences.

Typical Attacks
• Remote code execution
  – Buffer overflows
  – Return into libc
  – Format string vulnerabilities
  – Code injection
• Network attacks
  – Denial of service
  – MITM
• Social Engineering

Secure System Simplex Architecture (S3A)

What Side Channels?
• Timing of Multiple Task Executions
• Statistical Timing of Blocks of Code
• I/O Access
• Memory Access Patterns
• Program Control Flow

Control Flow Monitoring
• Control flow: the possible paths a program may take as it executes
• Enumerates jumps/calls/branches to create a “map” of possible “routes” through a program
• Does not guarantee that the proper instructions were executed, only that blocks were executed in a plausible order

Our Approach
• Detect unexpected changes in control flow
  – Implement secure coprocessor to limit overhead
  – Create tool to generate a control flow graph that can be read by the co-processor
  – Fail safely using a trusted Simplex controller
  – Restore complex controller and return control

CFG Info
• We watch for changes in “blocks”
• Each block represents a set of instructions
  – Address of block
  – Number of instructions
  – Taken block
  – Not taken block

Detection
• If PC is outside the “block”
  – Is it the address of taken?
  – Is it the address of not taken?
• If not, we have detected a problem
• Could be caused by an attacker overwriting a return address

Current Issues
• Large code
• Multiple processes
  – Operating system (do we trust?)
• Polymorphic code
• More general purpose computing
  – How do we ensure that each program has a control flow graph?

Conclusion
• CPS Security
• Hardware Control Flow Protection
• Currently Implementing
• Questions?
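
A software model of the check on the "CFG Info" and "Detection" slides, added here as an example and not code from the presentation: each block record holds the four listed fields, and the monitor flags the first PC that leaves the current block for an address that is neither its taken nor its not-taken successor. The names (cfg_block, check_trace), the fixed 4-byte instruction width, the sample CFG and both PC traces are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define INSTR_BYTES 4u /* assumption: fixed-width 4-byte instructions */

/* One CFG entry with the four fields listed on the "CFG Info" slide. */
typedef struct {
    uint32_t addr;      /* address of block */
    uint32_t n_instr;   /* number of instructions */
    uint32_t taken;     /* address of the taken successor block */
    uint32_t not_taken; /* address of the not-taken successor block */
} cfg_block;

/* Constructed sample CFG: a small control loop of four blocks. */
static const cfg_block SAMPLE_CFG[] = {
    {0x1000, 4, 0x1020, 0x1010},
    {0x1010, 4, 0x1020, 0x1020},
    {0x1020, 2, 0x1000, 0x1028},
    {0x1028, 3, 0x1000, 0x1000},
};
/* Constructed PC traces: one legal, one diverted to an address off the map. */
static const uint32_t GOOD[] = {0x1000, 0x1004, 0x1008, 0x100c, 0x1010, 0x1014,
                                0x1018, 0x101c, 0x1020, 0x1024, 0x1000};
static const uint32_t BAD[] = {0x1000, 0x1004, 0x1008, 0x100c, 0x1020, 0x1024, 0x4000};

static const cfg_block *find_block(const cfg_block *cfg, size_t n, uint32_t pc) {
    for (size_t i = 0; i < n; i++)
        if (cfg[i].addr == pc) return &cfg[i];
    return NULL;
}

/* Returns the index of the first PC that violates the CFG, or -1 if none. */
long check_trace(const cfg_block *cfg, size_t n, const uint32_t *trace, size_t len) {
    const cfg_block *cur = len ? find_block(cfg, n, trace[0]) : NULL;
    if (len && !cur) return 0; /* execution must start at a block address */
    for (size_t i = 1; i < len; i++) {
        uint32_t pc = trace[i];
        if (pc >= cur->addr && pc < cur->addr + cur->n_instr * INSTR_BYTES)
            continue; /* PC still inside the current block */
        if (pc != cur->taken && pc != cur->not_taken)
            return (long)i; /* left the block to an address off the map */
        if (!(cur = find_block(cfg, n, pc))) return (long)i;
    }
    return -1;
}

int main(void) {
    printf("good: %ld\n", check_trace(SAMPLE_CFG, 4, GOOD, sizeof GOOD / sizeof *GOOD));
    printf("bad:  %ld\n", check_trace(SAMPLE_CFG, 4, BAD, sizeof BAD / sizeof *BAD));
}
```

A jump into the middle of a valid block is also flagged, because only block start addresses can match a successor; anything executed inside a block is not checked, which is the limitation the "Control Flow Monitoring" slide states.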