An Efficient Hardware Support for Control Data Validation

Software-based, fine-grain control flow integrity (CFI) validation technique has been proposed to enforce control flow integrity of program execution. By validating every indirect branch instruction, it can prevent various control flow attacks, but at the cost of non-trivial overhead: up to 50% and on average 21% as reported in a case study. We propose a new hardware mechanism to accelerate the CFI validation. It utilizes the branch prediction unit of modern processors to reduce the frequency of necessary validation, and proposes to use a small hardware structure called indirect branch filter cache (IBF cache) to further reduce the frequency of validation. The small IBF cache buffers and reuses previous validation results, which dramatically reduces the frequency of validation for all workloads we have studied. We collect the trace of indirect branch of various workloads on an Intel P4 computer and conduct trace-based simulation to estimate the performance overhead. Our results show that the overhead is negligible for all SPEC CPU2000int, SPEC CPU2006intprograms, TPC-C, WebStone and FTP server benchmarks.