Code Encryption with Intel TME-MK for Control-Flow Enforcement
摘要
Memory safety errors enable an adversary to corrupt code pointers, diverting the program’s control flow. Recent CPU features, such as Intel CET/IBT, harden software systems against exploitation attempts that maliciously redirect control flow operations. While IBT limits valid indirect branch targets, forward-edge transfers can still be redirected to any IBT-marked function. Thus, IBT cannot provide fine-grained protection against forward-edge control-flow attacks. This paper presents code encryption with Intel TME-MK, a novel approach for control-flow enforcement against software exploitation on off-the-shelf x86 machines. We repurpose the Intel TME-MK runtime encryption to achieve function-level code encryption. Encrypted functions are only accessible through function pointers associated with the correct key, thereby enforcing fine-grained restrictions for control-flow transfers. We demonstrate two new encryption-based techniques for software hardening in practice: forward-edge control-flow integrity and library encryption. We implement a security-hardened toolchain that combines compiler instrumentation and a loader extension to ensure the validity of the program’s execution flow through efficient hardware-backed encryption. Our prototype shows a geomean performance overhead of 7.8 % for forward-edge control-flow integrity and 2.2 % for library encryption evaluated with the SPEC CPU2017 benchmark suite.