Memory-corruption-based return address hijacking, such as Return-oriented Programming (ROP), is a prevalent attack technique that compromises the program's control flow integrity. So far, software-based defenses against these attacks either introduce heavy performance overhead or trade off security for performance. Meanwhile, some hardware-assisted defense mechanisms are not practical for large-scale deployment due to additional requirements of hardware features and flaws caused by complicated design. In this paper, we present RetTag, a hardware-assisted and crypto-based defense scheme on RISC-V architecture that leverages a Pointer Authentication Code (PAC) embedded into the unused bits of the function return address to ensure return address integrity. We extend the RISC-V ISA with Return Address Authentication (RAA) instructions to generate the PAC efficiently. We integrate RetTag into the mainstream compilers GCC and LLVM to help developers transparently employ the defense, and implement a prototype of RetTag on the Rocket emulator and an FPGA development board to demonstrate its effectiveness by detecting various ROP attacks. Moreover, the performance evaluation shows that RetTag only introduces 0.11% performance overhead on NBench and 7.69% on CoreMark.
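The following C sketch is an added illustration of the general idea in the abstract (a keyed tag stored in the unused upper bits of a saved return address and checked before returning); it is not code from the paper or from RetTag. The 39-bit address width, the use of the stack pointer as context, the mixing function and all names and values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: Sv39 user-space addresses, so bits 63..39 are zero and can hold a tag. */
#define VA_BITS   39
#define ADDR_MASK ((1ULL << VA_BITS) - 1)

/* Stand-in 64-bit mixer (splitmix64 finalizer). NOT a cryptographic MAC;
 * it only makes the tag depend on every input bit for this illustration. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* 25-bit tag over (address, context, key). Using the stack pointer as the
 * context value is an assumption of this sketch. */
static uint64_t pac_compute(uint64_t addr, uint64_t sp, uint64_t key) {
    return mix(mix(addr ^ key) ^ sp) >> VA_BITS;
}

/* Function entry: put the tag in the unused upper bits before the address is spilled. */
static uint64_t ra_sign(uint64_t ra, uint64_t sp, uint64_t key) {
    uint64_t addr = ra & ADDR_MASK;
    return addr | (pac_compute(addr, sp, key) << VA_BITS);
}

/* Function exit: recompute the tag and compare. Returns the stripped address,
 * or 0 on mismatch (this sketch's way of reporting a failed check). */
static uint64_t ra_auth(uint64_t stored, uint64_t sp, uint64_t key) {
    uint64_t addr = stored & ADDR_MASK;
    if ((stored >> VA_BITS) != pac_compute(addr, sp, key)) return 0;
    return addr;
}

int main(void) {
    const uint64_t key = 0x0123456789abcdefULL;  /* constructed key */
    const uint64_t sp  = 0x3ffffff000ULL;        /* constructed stack pointer */
    const uint64_t ra  = 0x80001234ULL;          /* constructed return address */
    uint64_t slot = ra_sign(ra, sp, key);        /* value saved in the stack frame */

    printf("intact slot      -> %#llx\n", (unsigned long long)ra_auth(slot, sp, key));
    slot = 0x80005678ULL;                        /* slot corrupted with an untagged address */
    printf("overwritten slot -> %#llx\n", (unsigned long long)ra_auth(slot, sp, key));
    return 0;
}
```

With a 25-bit tag, a value written without knowledge of the key passes the check with probability about 2^-25 per attempt, which is why the strength of the tag function and the secrecy of the key carry the security of such a scheme.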
CITATION STYLE
Wang, Y., Wu, J., Yue, T., Ning, Z., & Zhang, F. (2022). RetTag: Hardware-Assisted Return Address Integrity on RISC-V. In EuroSec 2022 - Proceedings of the 15th European Workshop on Systems Security (pp. 50–56). Association for Computing Machinery, Inc. https://doi.org/10.1145/3517208.3523758