CCFI-Cache: A Transparent and Flexible Hardware Protection for Code and Control-Flow Integrity

In this paper we present a hardware based solution to verify simultaneously Code and Control-Flow Integrity (CCFI), aiming at protecting microcontrollers against both cyber-and physical attacks. This solution is non-intrusive as it does not require any modification of the CPU core. It relies on two additional hardware blocks external to the CPU: The first one – called CCFI-cache – acts as a dedicated cache for the storage of information to check the code and control-flow integrity, and the second one – CCFI-checker – performs control-flow and code integrity verification. Based on a RISC-V platform implementation, we show that the proposed scheme is able to perform online CCFI validation at the price of a small hardware area overhead and doubling the size of the. text section. In most cases, the impact on the run-time performance is on average 32 percent, offering for the first time a generic and practical hardware-enabled cyber-security solution.