TitanCFI: Toward Enforcing Control-Flow Integrity in the Root-of-Trust
Abstract
TitanCFI is a novel architecture designed to enforce Control-Flow Integrity (CFI) within the Root-of-Trust (RoT) on modern RISC-V platforms, mitigating attacks that divert control flow. This approach modifies the protected core's commit stage to stream control flow instructions to the RoT firmware, where the CFI policy is enforced using tamper-proof storage. TitanCFI avoids custom hardware IPs or toolchain modifications, achieving runtime overhead comparable to state-of-the-art solutions while adding only 1% additional area occupation.
Report
Key Highlights
- Target Vulnerability: Addresses the absence of Control-Flow Integrity (CFI) enforcement on RISC-V platforms that already integrate a Root-of-Trust (RoT); without CFI, the application core remains exposed to control-flow hijacking attacks such as return-address overwrites.
- Architectural Novelty: Proposes TitanCFI, which enforces CFI by integrating the policy into the RoT firmware rather than relying on custom ISA extensions or dedicated hardware IPs.
- Integration Method: CFI enforcement is achieved by modifying the core's commit stage to stream control flow instructions directly to the RoT.
- Efficiency: Achieves runtime overhead comparable to existing hardware CFI solutions with a considerably smaller silicon footprint; the reported experiments measure about 1% additional area occupation.
- Compatibility: The design avoids the need for ad-hoc binary toolchains or the modification of the core compilation process.
Technical Details
- Enforcement Location: CFI policy enforcement is executed within the RoT firmware.
- Data Security: The RoT's native tamper-proof storage and cryptographic accelerators are reused to hold and protect the CFI metadata (for the evaluated policy, the saved return addresses), so the metadata is out of reach of the protected core.
- Core Modification: The protected RISC-V core requires modification only at the commit stage to facilitate instruction streaming to the RoT.
- Policy Implementation: The architecture was implemented on a modern RISC-V SoC and benchmarked with a return-address protection policy (a backward-edge CFI check).
- Resource Reuse: TitanCFI maximizes the reuse of existing hardware resources present in the System-on-Chip (SoC), minimizing design complexity and overhead.
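The following is an added illustration, not TitanCFI's code or any artifact of the paper: it models the RoT-firmware side of the return-address protection policy described above, consuming a stream of commit-stage control-flow events and checking returns against a shadow stack kept in what stands in for the RoT's tamper-proof storage. The event structure, field names, fault codes, fixed 4-byte instruction length (no compressed instructions) and the two traces are all assumptions constructed for the example.

```c
/* Added example: RoT-firmware-side return-address protection fed by a
 * stream of commit-stage control-flow events. All names and formats here
 * are assumptions for illustration, not TitanCFI's interface. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

typedef enum { EV_CALL, EV_RET, EV_BRANCH } ev_kind_t;

/* One control-flow instruction as streamed at commit (assumed layout). */
typedef struct {
    ev_kind_t kind;
    uint64_t  pc;      /* address of the committed control-flow instruction */
    uint64_t  target;  /* resolved transfer target */
} cf_event_t;

#define SHADOW_DEPTH 64
#define TRACE_LEN(t) (sizeof(t) / sizeof((t)[0]))

/* Stands in for the RoT's tamper-proof storage: the protected core has no
 * path to read or write it, only the RoT firmware does. */
typedef struct {
    uint64_t ret[SHADOW_DEPTH];
    size_t   top;
} shadow_stack_t;

typedef enum { CFI_OK = 0, CFI_RET_MISMATCH, CFI_UNDERFLOW, CFI_OVERFLOW } cfi_verdict_t;

/* Apply the policy to one event. Calls push the expected return address,
 * returns pop it and compare against the committed target. Forward-edge
 * transfers (EV_BRANCH) are not covered by this policy and pass through. */
static cfi_verdict_t cfi_step(shadow_stack_t *s, const cf_event_t *e)
{
    switch (e->kind) {
    case EV_CALL:
        if (s->top == SHADOW_DEPTH) return CFI_OVERFLOW;
        s->ret[s->top++] = e->pc + 4;  /* assumes 4-byte jal/jalr, no RVC */
        return CFI_OK;
    case EV_RET:
        if (s->top == 0) return CFI_UNDERFLOW;  /* more returns than calls */
        s->top--;
        return (e->target == s->ret[s->top]) ? CFI_OK : CFI_RET_MISMATCH;
    default:
        return CFI_OK;
    }
}

/* Check a whole trace. Returns the first violation (or CFI_OK); if 'at' is
 * non-NULL it receives the index of the offending event, or n if none. */
cfi_verdict_t cfi_check_trace(const cf_event_t *trace, size_t n, size_t *at)
{
    shadow_stack_t s = { .top = 0 };
    for (size_t i = 0; i < n; i++) {
        cfi_verdict_t v = cfi_step(&s, &trace[i]);
        if (v != CFI_OK) { if (at) *at = i; return v; }
    }
    if (at) *at = n;
    return CFI_OK;
}

/* Constructed traces, not captured from hardware. */
const cf_event_t benign_trace[] = {
    { EV_CALL,   0x80000100, 0x80000400 },  /* main -> f */
    { EV_BRANCH, 0x80000408, 0x80000410 },
    { EV_CALL,   0x80000410, 0x80000800 },  /* f -> g */
    { EV_RET,    0x80000840, 0x80000414 },  /* g returns to f */
    { EV_RET,    0x80000430, 0x80000104 },  /* f returns to main */
};

const cf_event_t hijacked_trace[] = {
    { EV_CALL, 0x80000100, 0x80000400 },
    { EV_RET,  0x80000430, 0x80000c00 },    /* overwritten return address */
};

const cf_event_t unbalanced_trace[] = {
    { EV_RET,  0x80000430, 0x80000104 },    /* return with nothing pushed */
};

int main(void)
{
    size_t at;
    cfi_verdict_t v = cfi_check_trace(hijacked_trace, TRACE_LEN(hijacked_trace), &at);
    printf("hijacked trace: verdict %d at event %zu (pc 0x%" PRIx64 ")\n",
           (int)v, at, hijacked_trace[at].pc);
    return v == CFI_RET_MISMATCH ? 0 : 1;
}
```

The check runs entirely on the RoT side; the protected core only emits events, which is what lets the policy change with a firmware update while the core's only modification stays at the commit stage.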
Implications
- Leveraging the Root-of-Trust: By placing CFI enforcement in the RoT, which already provides the platform's tamper-proof storage, TitanCFI extends the trust anchor's protection to the control flow of the application core, improving the security posture of critical RISC-V systems such as industrial controllers and autonomous vehicles.
- Accelerated Adoption: Since the solution avoids complex ISA modifications or mandatory toolchain changes, it presents a low-friction path for RISC-V ecosystem partners to implement robust hardware-assisted CFI.
- Viability in Resource-Constrained Environments: The roughly 1% area overhead makes TitanCFI a practical option for deeply embedded and IoT devices, where die area and power budgets are tight.
- Firmware-Defined Security: Implementing the policy in RoT firmware means it can be refined or replaced through the RoT's own authenticated update path, which is more flexible than a policy hardwired into a custom hardware block; the firmware update mechanism then becomes part of the CFI trust boundary.