SN Computer Science (2022) 3:48
https://doi.org/10.1007/s42979-021-00915-y
ORIGINAL RESEARCH
Performance Counters and DWT Enabled Control Flow Integrity
Ananda Biswas¹ · Zelong Li² · Akhilesh Tyagi¹
Received: 30 May 2021 / Accepted: 30 September 2021
© The Author(s), under exclusive licence to Springer Nature Singapore Pte Ltd 2021
Abstract
Control flow integrity (CFI) attacks resulting from buffer overflow and return-oriented programming are common. The
problem is particularly acute for legacy systems and IoT devices. Legacy industrial control systems are not supported with
periodic security patches, leaving them susceptible to attack vectors published over the system life span. IoT devices, on the
other hand, are thin devices with limited resources. This rules out many of the traditional heavy-duty software
countermeasures for the IoT world. In this research, we deploy hardware/software solutions to detect CFI attacks. Many IoT devices are
based on Raspberry Pi boards. These boards include ARM Cortex A-53 (Pi 3) or Cortex A-73 (Pi 4) processors. These ARM
Cortex processors contain hardware counters that can be programmed to count microarchitecture-level events such as branch
mispredictions. Since control flow anomalies resulting from buffer overflow or return oriented programming (ROP) modify
the program execution, the microarchitecture-level event counts diverge. For instance, the number of instructions issued per
cycle could differ due to different instruction-level parallelism. Hence, a vector of the most discriminating hardware counters can
flag control flow anomalies. This paper focuses on embedded programs. Embedded program behavior is dominated by the
main event loops and task/event handlers, which can be measured with performance counters. Lighter weight IoT devices,
based on ARM Cortex M4 or M7, include a DWT (Debug, Watch and Trace) module, but not performance counters. DWT
contains a much more limited set of counters. We show that DWT counters can also detect CFI anomalies with somewhat
lower accuracy. For legacy software, we insert the performance counter instrumentation hooks with direct binary editing
of ELF files. The proposed anomaly detection mechanism is evaluated on ArduPilot Team (2016)—a popular autopilot
software on a Raspberry Pi 3 with PMU and DWT. A self-navigation program is evaluated on an iCreate Roomba platform
with an ARM Cortex M4 processor which contains a DWT but not performance counters. We are able to achieve 97–99%+
accuracy with 1–10 μs time overhead per control flow anomaly check.
Keywords Control flow integrity · Performance monitoring unit · Debug and watch timer · Machine learning · Buffer
overflow · Return oriented programming · Support vector machine
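
The detection idea in the abstract, as an added example that is not code from the paper: a baseline is learned from counter vectors of benign runs of one event handler, and a later run is flagged when its vector diverges. The keywords name a support vector machine; this example swaps in a simpler per-counter z-score baseline, and the counter names and all values are constructed assumptions.

```python
import math
import random

# Illustrative PMU event names (assumed); every value below is constructed.
COUNTERS = ("branch_mispredicts", "instructions", "cycles", "l1d_misses")


def fit_baseline(samples):
    """Per-counter mean and standard deviation over benign handler runs."""
    n = len(samples)
    columns = list(zip(*samples))
    means = [sum(col) / n for col in columns]
    stds = []
    for col, m in zip(columns, means):
        var = sum((x - m) ** 2 for x in col) / (n - 1)
        stds.append(max(math.sqrt(var), 1e-9))  # guard against zero spread
    return means, stds


def score(vector, baseline):
    """Root-mean-square z-score of one counter vector against the baseline."""
    means, stds = baseline
    z2 = [((x - m) / s) ** 2 for x, m, s in zip(vector, means, stds)]
    return math.sqrt(sum(z2) / len(z2))


def is_anomalous(vector, baseline, threshold=4.0):
    """Flag a handler run whose counters sit far outside the benign profile."""
    return score(vector, baseline) > threshold


def constructed_benign_runs(n=200, seed=7):
    """Constructed training data: 2% Gaussian jitter around one handler profile."""
    rng = random.Random(seed)
    centre = (120, 48_000, 61_000, 310)
    return [tuple(rng.gauss(c, 0.02 * c) for c in centre) for _ in range(n)]


if __name__ == "__main__":
    baseline = fit_baseline(constructed_benign_runs())
    normal_run = (122, 48_300, 60_500, 305)      # constructed benign sample
    diverted_run = (171, 49_900, 66_800, 352)    # constructed: extra mispredicts
    for name, run in (("normal", normal_run), ("diverted", diverted_run)):
        print(name, round(score(run, baseline), 2), is_anomalous(run, baseline))
```

On a real target the vectors would come from the PMU or DWT registers sampled at handler entry and exit rather than from a generator.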
Introduction
Smart cities, communities, and environments are enabled
by the Internet of Things (IoTs) that sense and control our
environment. IoT devices are networked computing devices that
typically deploy embedded software. In addition to the
traditional network mounted attacks such as buffer overflow,
code injection, and return oriented programming (ROP),
IoT devices are also vulnerable to physical access attacks.
Eventually, most of these attacks intend either to gain root
privilege through a shell spawned through a buffer overflow or
ROP attack, or to exfiltrate secret crypto keys to gain access to
secret data, communication, or functionality. In this paper,
we focus on the first type of attack.
This article is part of the topical collection “Technologies
and Components for Smart Cities” guest edited by Himanshu
Thapliyal, Saraju P. Mohanty, Srinivas Katkoori and Kailash
Chandra Ray.
* Ananda Biswas
biswas@iastate.edu
Zelong Li
zelongl@iastate.edu
Akhilesh Tyagi
tyagi@iastate.edu
¹ Electrical and Computer Engineering, Iowa State University, Ames, IA, USA
² Computer Science, Iowa State University, Ames, IA, USA