Strengthening Return Address Stack of Rocket Core Against Buffer Overflow Attacks

Strengthening Return Address Stack of Rocket Core Against Buffer Overflow Attacks

연구 분야: Verification

학회: International Conference on Information Technology and Communications Security

The existing Return Address Stack (RAS) structure in RISC-V-based processor cores, such as the Rocket or Boom, is fixed during the design phase and provides limited performance benefits by predicting the Return Address (‘ra’) for branch predictor. In literature, RAS is used to avoid Stack-based Buffer Overflow (SBFO) attacks. However, overflow and underflow conditions of existing RAS pose a security risk because it is not always possible to predict and verify the ‘ra’. As a result, the current RAS structure cannot be used for ‘ra’ verification, and SBFO attacks could easily compromise the overall system’s Control Flow Integrity (CFI). This paper evaluates and optimizes the current RAS structure to meet specific requirements, resulting in a 0.1% resource overhead and a timing overhead of less than 4% for most embedded applications. This paper proposes a design that modifies the current RAS to provide sufficient storage for embedded applications while holding the RAS hidden from the Instruction Set Architecture (ISA). The proposed design has been evaluated on the Artix 7 FPGA using the Chipyard framework, which is built on the Chisel programming language and offers high-level abstractions, functional programming capabilities, expressive code, and faster development times.