DocumentCode :
3564898
Title :
Control-flow checking for intrusion detection via a real-time debug interface
Author :
Zonglin Guo ; Bhakta, Ram ; Harris, Ian G.
Author_Institution :
Dept. of Comput. Sci., Univ. of California Irvine, Irvine, CA, USA
fYear :
2014
Firstpage :
87
Lastpage :
92
Abstract :
We propose a hardware-based intrusion detection approach called CONtrol-flow VERification SystEm (CONVERSE), which ensures control-flow integrity by verifying the destination of control-flow branches at runtime. Many techniques exist for an attacker to alter control flow to trigger malicious behavior, such as stack and heap overflows which overwrite a return address or function pointer. Control-flow modification is used to enable a range of attacks, including return-oriented programming attacks. By verifying branch target addresses at runtime, security exploits can be detected as illegal control flow. Our approach uses the real-time hardware debug interface of the processor to extract branch target addresses at runtime with no performance overhead and no area overhead on-chip. Our approach is compatible with the IEEE-ISTO Nexus 5001 standard debugging interface, which is open source and is implemented in a wide range of processors. By using an existing debug interface, our approach can be implemented at low cost using a commercial off-the-shelf (COTS) design strategy.
Keywords :
formal verification; program debugging; real-time systems; security of data; CONVERSE; COTS design strategy; IEEE-ISTO Nexus 5001 standard; commercial off-the-shelf; control-flow checking; control-flow verification system; hardware-based intrusion detection; real-time debug interface; return-oriented programming attacks; Data mining; Hardware; Malware; Radio frequency; Real-time systems; Receivers; Runtime;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Smart Computing Workshops (SMARTCOMP Workshops), 2014 International Conference on
Type :
conf
DOI :
10.1109/SMARTCOMP-W.2014.7046672
Filename :
7046672