CVA6-CFI: A First Glance at RISC-V Control-Flow Integrity Extensions

By Simone Manoni ¹, Emanuele Parisi ², Riccardo Tedeschi ¹, Davide Rossi ^1,3, Andrea Acquaviva ¹, Andrea Bartolini ^1
1 Department of Electrical, Electronic, and Information Engineering - University of Bologna, Italy
² High Performance Domain-Specific Architectures Group - Barcelona Supercomputing Center, Spain
³ Department of Digital Design and Open Hardware - Chips-IT, Italy

Abstract

This work presents the first design, integration, and evaluation of the standard RISC-V extensions for Control-Flow Integrity (CFI). The Zicfiss and Zicfilp extensions aim at protecting the execution of a vulnerable program from control-flow hijacking attacks through the implementation of security mechanisms based on shadow stack and landing pad primitives. We introduce two independent and configurable hardware units implementing forward-edge and backward-edge control-flow protection, fully integrated into the open-source CVA6 core. Our design incurs in only 1.0% area overhead when synthesized in 22 nm FDX technology, and up to 15.6% performance overhead based on evaluation with the MiBench automotive benchmark subset. We release the complete implementation as open source.

Index Terms — Control-Flow Integrity, Shadow Stack, Landing Pad, RISC-V

To read the full article, click here