International Association for Cryptologic Research


CryptoDB

Call Rewinding: Efficient Backward Edge Protection

Authors:
Téo Biton
Olivier Gilles
Daniel Gracia Pérez
Nikolai Kosmatov
Sébastien Pillement
DOI: 10.46586/tches.v2025.i1.227-250
URL: https://tches.iacr.org/index.php/TCHES/article/view/11928
Abstract: The prevalence of memory-unsafe software prompts significant efforts by the research community to mitigate memory corruption bugs. This endeavor is crucial for safeguarding critical systems against security threats. In particular, there is a focus on protecting against code-reuse attacks by enforcing control-flow integrity (CFI). This paper introduces call rewinding, a novel microarchitecture-level mechanism for the protection of return addresses. It is based on a property of the calling convention that is common to major architectures such as x86, ARM and RISC-V: every return instruction transfers control to a valid call site, i.e. to the instruction immediately following a call. Call rewinding consists of stepping back, for each return instruction, to the instruction preceding the return target and checking whether the instruction at that address is a call. On systems equipped with return address prediction, a commonly employed optimization, the security check is performed only on mispredicted return addresses. The proposed protection mechanism demonstrates negligible impact on both area and performance. We implement call rewinding on the CV64A6, a RISC-V CPU with substantial branch prediction support. Our evaluation validates the effectiveness of call rewinding, both on bare metal and in a Linux operating system (OS) environment. It triggers no false positives on bare metal and is functional under the OS once the OS is extended with a custom exception handler. Furthermore, our findings indicate that call rewinding successfully detects unauthorized return addresses, highlighting its potential as a reliable and efficient security mechanism.
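The check the abstract describes (rewind from the return target to the preceding instruction and ask whether it is a call) can be modelled in software to see what it accepts and rejects. The C program below is an added example written for this page; it is not the authors' hardware implementation and is not code from the paper. It assumes an RV64GC target, a hypothetical code image `IMG` loaded at a made-up base address `IMG_BASE`, and treats only `jal`/`jalr`/`c.jalr` with link register `x1` (`ra`) as calls (the alternate link register `x5` is not considered). Because RV64GC mixes 2- and 4-byte instructions, the model tries both a 4-byte window at `target-4` and a 2-byte window at `target-2`; how the real design disambiguates instruction boundaries is not stated in the abstract, so that part is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical load address of the constructed code image (assumption). */
#define IMG_BASE 0x80000000ull

/* Constructed RV64GC code image, little-endian bytes. Not from the paper. */
static const uint8_t IMG[] = {
    0x13, 0x01, 0x01, 0xff, /* 0x00: addi sp,sp,-16                                  */
    0xef, 0x00, 0x00, 0x01, /* 0x04: jal  ra,+16        -> valid return target 0x08 */
    0x13, 0x00, 0x00, 0x00, /* 0x08: nop                                            */
    0xe7, 0x80, 0x07, 0x00, /* 0x0c: jalr ra,0(a5)      -> valid return target 0x10 */
    0x82, 0x97,             /* 0x10: c.jalr a5          -> valid return target 0x12 */
    0x01, 0x00,             /* 0x12: c.nop                                          */
    0x67, 0x80, 0x00, 0x00, /* 0x14: ret (jalr x0,0(ra)) -> a return, not a call    */
};

/* Bounds-checked fetch of n bytes from the image; false if out of range. */
static bool fetch(uint64_t addr, size_t n, uint8_t *out) {
    if (addr < IMG_BASE || addr - IMG_BASE + n > sizeof IMG) return false;
    for (size_t i = 0; i < n; i++) out[i] = IMG[addr - IMG_BASE + i];
    return true;
}

static bool fetch32(uint64_t addr, uint32_t *out) {
    uint8_t b[4];
    if (!fetch(addr, 4, b)) return false;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return true;
}

static bool fetch16(uint64_t addr, uint16_t *out) {
    uint8_t b[2];
    if (!fetch(addr, 2, b)) return false;
    *out = (uint16_t)(b[0] | b[1] << 8);
    return true;
}

/* 32-bit call: jal or jalr whose destination register is ra (x1).
 * A plain `ret` is jalr with rd = x0, so rd is what separates call from return. */
static bool is_call32(uint32_t insn) {
    uint32_t opcode = insn & 0x7f;
    uint32_t rd = (insn >> 7) & 0x1f;
    uint32_t funct3 = (insn >> 12) & 0x7;
    if (rd != 1) return false;
    if (opcode == 0x6f) return true;                  /* jal  ra, imm      */
    if (opcode == 0x67 && funct3 == 0) return true;   /* jalr ra, imm(rs1) */
    return false;
}

/* 16-bit call: c.jalr rs1 encodes as 100 1 rs1 00000 10 with rs1 != 0
 * (rs1 == 0 is c.ebreak); it implicitly links through ra. */
static bool is_call16(uint16_t insn) {
    return (insn & 0xf07f) == 0x9002 && ((insn >> 7) & 0x1f) != 0;
}

/* The call-rewinding check: is the instruction preceding ret_target a call? */
bool rewind_check(uint64_t ret_target) {
    uint32_t w;
    uint16_t h;
    if (fetch32(ret_target - 4, &w) && (w & 0x3) == 0x3 && is_call32(w)) return true;
    if (fetch16(ret_target - 2, &h) && (h & 0x3) != 0x3 && is_call16(h)) return true;
    return false;
}

/* With a return address predictor, the check only runs on a misprediction:
 * a correctly predicted return is accepted without consulting memory. */
bool return_allowed(uint64_t predicted, uint64_t actual) {
    return predicted == actual || rewind_check(actual);
}

int main(void) {
    const uint64_t targets[] = {0x04, 0x08, 0x0c, 0x10, 0x12, 0x14, 0x18};
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint64_t t = IMG_BASE + targets[i];
        printf("return to 0x%llx: %s\n", (unsigned long long)t,
               rewind_check(t) ? "valid call site" : "REJECTED");
    }
    return 0;
}
```

The model makes the limits of the property visible as well: a corrupted return address that lands right after any call in the program passes the check, so call rewinding (like other call-site-based backward-edge checks) constrains the attacker to call-preceded targets rather than to the one legitimate return address, and it cannot tell a jump over data bytes that happen to decode as a call from a real call site.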
BibTeX
@article{tches-2024-34870,
  title={Call Rewinding: Efficient Backward Edge Protection},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2025},
  pages={227-250},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11928},
  doi={10.46586/tches.v2025.i1.227-250},
  author={Téo Biton and Olivier Gilles and Daniel Gracia Pérez and Nikolai Kosmatov and Sébastien Pillement},
  year=2024
}