Control-Flow Integrity (CFI) is an effective defense technique against a variety of memory-based cyber attacks. CFI is usually enforced through software methods, which entail considerable performance overhead. Hardware-based CFI techniques can largely avoid performance overhead, but typically rely on code instrumentation, forming a non-trivial hurdle to the application of CFI. Taking advantage of the tradeoff between computing efficiency and flexibility of FPGA, we develop FastCFI, an FPGA-based CFI system that can perform fine-grained and stateful checking without code instrumentation. We also propose an automated Verilog generation technique that facilitates fast deployment of FastCFI, and a compression algorithm for reducing the hardware expense. Experiments on popular benchmarks confirm that FastCFI can detect fine-grained CFI violations over unmodified binaries. When using FastCFI on prevalent benchmarks, we demonstrate its capability to detect fine-grained CFI violations in unmodified binaries, while incurring an average of 0.36% overhead and a maximum of 2.93% overhead.

中文翻译：

---

FastCFI：使用 FPGA 的实时控制流完整性，无需代码检测

控制流完整性 (CFI) 是针对各种基于内存的网络攻击的有效防御技术。CFI 通常通过软件方法强制执行，这需要相当大的性能开销。基于硬件的 CFI 技术可以在很大程度上避免性能开销，但通常依赖于代码检测，这对 CFI 的应用构成了不小的障碍。利用 FPGA 的计算效率和灵活性之间的权衡，我们开发了 FastCFI，这是一个基于 FPGA 的 CFI 系统，可以在没有代码检测的情况下执行细粒度和状态检查。我们还提出了一种有助于快速部署 FastCFI 的自动 Verilog 生成技术，以及一种用于降低硬件费用的压缩算法。流行基准的实验证实，FastCFI 可以检测未修改二进制文件的细粒度 CFI 违规。在流行的基准测试中使用 FastCFI 时，我们展示了它在未修改的二进制文件中检测细粒度 CFI 违规的能力，同时产生平均 0.36% 的开销和最大 2.93% 的开销。