TUM Logo

Backward-Edge Protection against Code Reuse Attacks on Embedded MIPS Devices

Backward-Edge Protection against Code Reuse Attacks on Embedded MIPS Devices

Supervisor(s): Philipp Zieris
Status: finished
Topic: Monitoring (VMI etc.)
Author: Fuchs Franz Anton
Submission: 2018-07-16
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching



A vast majority of todays security-relevant vulnerabilities arise from the broad use of unsafe program- ming languages, such as C and C++. These languages omit the enforcement of strong type safety and memory safety in favor of efficiency and flexibility, rendering them ideal for software development, especially in the field of low-level embedded systems. However, the lack of such type safety and me- mory safety features frequently causes programming errors to result in vulnerable code pointers that can be corrupted at run-time. Code reuse attacks, such as the Return-Oriented Programming (ROP) attack, exploit these vulnerable code pointers in order to divert a program’s control-flow and induce malicious behaviour.

To circumvent code reuse attacks, programs can be equipped with Control-Flow Integrity (CFI) me- chanisms that detect deviations from the program’s intended Control-Flow Graph (CFG). As ROP targets backward-edges within a CFG, appropriate CFI mechanisms have to protect the program’s return addresses form being maliciously altered.

A simple solution to protect return addresses are compiler extensions that insert dual stacks into protected programs. Dual stack schemes separate the return addresses from other data on the regular stack, effectively preventing a ROP attack to reach and possibly overwrite any return address.

Task Description

In previous work, the LLVM compiler framework has been adapted to build dual stacks for the AMD64, ARM, and AArch64 architectures. In this work, we want to evaluate the feasibility of this dual stack scheme on different embedded architectures and implement the necessary changes in the LLVM ba- ckend to produce machine code with dual stack protection. Finally, we evaluate the effectiveness and performance overhead of our solution by running web servers and embedded benchmarks compiled with our LLVM compiler. Possible architectures include PowerPC, Sparc, and MIPS.


  • Ability to work independently and accurately
  • Good C/C++ programming skills
  • Interest in embedded architectures
  • Interest in compiler backends and assembly



Philipp Zieris

Telefon: +4989322-9986-183
Fraunhofer Institute for Applied and Integrated Security (AISEC) Parkring 4, 85748 Garching (near Munich), Germany http://www.aisec.fraunhofer.de