CFICore

Abstract

As the mobile market continues to grow and applications that require high performance are developed, recent mobile processors are attempting to improve performance by increasing the number of cores. In addition, powerful debugging capabilities are built into the processor for application developers. However, recent studies have shown that the number of cores used by mobile applications is less than two. A typical ARM debugging feature is the Coresight module, which can extract core execution instructions in real time, in addition to traditional breakpoints. In Coresight, it is worth noting that one core can control the execution flow of another core or extract executed instructions. Using the above two facts, this paper proposes a detection methodology for Code Reuse Attack. The methodology executes the CFI detection module on a different core than the monitored application, extracts CPU instructions executed by the application through ARM Coresight, and detects whether there are instructions that violate the CFI policy. It also provides a way to isolate CPU cores and memory resources via TrustZone to block attacks against CFI modules from attackers. The methodology of this paper has an advantage that it is easy to apply to existing mobile devices because it does not require any modifications to the target application and the kernel and does not require hardware modification. The methodology presented in this thesis is implemented in ARM 64bit hardware and security evaluation is performed. We confirmed that the actual kernel area JOP attack was detected through the experiment. In addition, we confirm that the proposed methodology can be applied sufficiently in actual mobile environment through the performance benchmark which assumes mobile environment.