Hardware Assisted Buffer Protection Mechanisms for Embedded RISC-V

TLDR: A physically unclonable function (PUF)-based randomized canary generation technique is employed that removes the need to store the sensitive canary words in memory or CPU registers, thereby being more secure, while incurring low overheads.

Abstract: RISC-V is a promising open-source architecture that targets low-power embedded devices and system-on-chips (SoCs). However, there is a dearth of practical and low-overhead security solutions in the RISC-V architecture. Programs compiled using RISC-V toolchains are still vulnerable to code injection and code reuse attacks, such as buffer overflow and return-oriented programming (ROP). In this article, we propose two hardware-implemented security extensions to RISC-V that provides a defense mechanism against such attacks. We first employ a physically unclonable function (PUF)-based randomized canary generation technique that removes the need to store the sensitive canary words in memory or CPU registers, thereby being more secure, while incurring low overheads. We implement the proposed Canary Engine in RISC-V RocketChip with rocket custom coprocessor (RoCC). The simulation results show 2.2% average execution overhead with a single buffer protection, while a $10\times $ increase in buffer count only increases the overhead by $1.5\times $ when protection is extended to all buffers. We further improve upon this with a dedicated security coprocessor flow integrity extensions for embedded RISC-V (FIXER), implemented on the RoCC. FIXER enforces fine-grained control-flow integrity (CFI) of running programs on backward edges (returns) and forward edges (calls) without requiring any architectural modifications to the processor core. Compared to software-based solutions, FIXER reduces energy overhead by 60% at minimal execution time (1.5%) and area (2.9%) overheads.