Kangmin Kim,Jeong‐Nyeo Kim,Seungkwang Lee

DOI: https://doi.org/10.1049/ell2.13310

2024-10-08

Electronics Letters

Abstract:The existing method of canary‐based stack protection can be bypassed by several buffer overflow attacks. This paper improves on the canary‐based protection without having to recompile the binary. This paper introduces a novel software‐based approach to enhancing stack smashing protection in C/C++ applications, specifically targeting return‐oriented programming attacks, which remain a significant threat to firmware and software security. Traditional canary‐based protections are vulnerable to brute‐force and format string attacks. Additionally, many stack protection mechanisms require access to the source code or recompilation, complicating the security of existing binaries. This paper proposes a new method, aptly named StackGuard+ , that modifies the canary‐based protection mechanism by altering the code responsible for canary insertion and verification. This change ensures the integrity of the return address while maintaining the original code size, allowing for seamless interoperability without the need for recompilation or additional hardware. The approach can be automated using a Python script, which modifies existing canary‐based binaries with only 26 bytes of machine code on the × 86‐64 platform. Moreover, this approach can be easily adapted to other platforms, including × 86 and ARM64.

engineering, electrical & electronic

Jiadong Sun,Xia Zhou,Wenbo Shen,Yajin Zhou,Kui Ren

DOI: https://doi.org/10.1145/3374664.3375734

2020-01-01

Abstract:Stack canary is the most widely deployed defense technique against stack buffer overflow attacks. However, since its proposition, the design of stack canary has very few improvements during the past 20 years, making it vulnerable to new and sophisticated attacks. For example, the ARM64 Linux kernel is still adopting the same design with StackGuard, using one global canary for the whole kernel. The x86_64 Linux kernel leverages a better design by using a per-task canary for different threads. Unfortunately, both of them are vulnerable to kernel memory leaks. Using the memory leak bugs or hardware side-channel attacks, e.g., Meltdown or Spectre, attackers can easily peek the kernel stack canary value, thus bypassing the protection. To address this issue, we proposed a fine-grained design of the kernel stack canary named PESC, standing for Per-System-Call Canary, which changes the kernel canary value on the system call basis. With PESC, attackers cannot accumulate any knowledge of prior canary across multiple system calls. In other words, PESC is resilient to memory leaks. Our key observation is that before serving a system call, the kernel stack is empty and there are no residual canary values on the stack. As a result, we can directly change the canary value on system call entry without the burden of tracking and updating old canary values on the kernel stack. Moreover, to balance the performance as well as the security, we proposed two PESC designs: one relies on the performance monitor counter register, termed as PESC-PMC, while the other one uses the kernel random number generator, denoted as PESC-RNG. We implemented both PESC-PMC and PESC-RNG on the real-world hardware, using HiKey960 board for ARM64 and Intel i7-7700 for x86_64. The synthetic benchmark and SPEC CPU2006 experimental results show that the performance overhead introduced by PESC-PMC and PESC-RNG on the whole system is less than 1%.

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Jun Zhu,Weiping Zhou,Zhilong Wang,Dongliang Mu,Bing Mao

DOI: https://doi.org/10.1007/978-3-319-78813-5_39

2018-01-01

Abstract:Memory Corruption attacks have monopolized the headlines in the security research community for the past two decades. NX/XD, ASLR, and canary-based protections have been introduced to defend effectively against memory corruption attacks. Most of these techniques rely on keeping secret in some key information needed by the attackers to build the exploit. Unfortunately, due to the inherent limitations of these defenses, it is relatively difficult to restrain trained attackers to find those secrets and create effective exploits. Through an information disclosure vulnerability, attackers could leak stack data of the runtime process and scan out canary word without crashing the program. We present DiffGuard, a modification of the canary based protections which eliminates stack sweep attacks against the canary and proposes a more robust countermeasures against the byte-by-byte discovery of stack canaries in forking programs. We have implemented a compiler-based DiffGuard which consists of a plugin for the GCC and a PIC dynamic shared library that gets linked with the running application via LD PRELOAD. DiffGuard incurs an average runtime overhead of 3.2%, meanwhile, ensures application correctness and seamless integration with third-party software.

Ziyao Zhang,Wenlong Zheng,Baojian Hua,Qiliang Fan,Zhizhong Pan

DOI: https://doi.org/10.1109/QRS60937.2023.00070

2023-01-01

Abstract:WebAssembly is an emerging secure programming language and portable instruction set architecture, and has been deployed in diverse security-critical scenarios due to its safety advantages. However, WebAssembly’s linear memory is still vulnerable to buffer overflows due to the lack of effective protection mechanism, defeating its security guarantees. In this paper, we present VMCanary, the first framework for effective WebAssembly memory protection, by leveraging a canary approach but with the aid from WebAssembly virtual machines (VMs). Our key idea is that, due to the fact that WebAssembly is a managed programming language to be executed by underlying WebAssembly VMs, the VMs must understand any protection mechanisms already enforced in programs. With this key idea, we first propose the concept of canary in code, which is like a traditional canary in data but whose semantics is understandable by underlying WebAssembly VMs. To realize this kind of canary, we introduced two novel WebAssembly instructions by defining their semantics. Furthermore, we designed an instrumentation for WebAssembly binaries to instrument these two instructions automatically, hence no sources and compiler toolchain modifications are required. We have implemented a software prototype for VMCanary, and have conducted extensive experiment to evaluate it on micro benchmarks and 59 real-world CWEs. Experimental results demonstrated that VMCanary is effective in protecting Wasm memory with negligible overhead (3% on average).

YongGang Li,Yeh-Ching Chung,Yu Bao,Yi Lu,ShanQing Guo,GuoYuan Lin

DOI: https://doi.org/10.1016/j.cose.2022.102781

2022-09-01

Abstract:Affected by vulnerabilities, the control data on the stack is easily destroyed, which provides the most convenient conditions for code reuse attacks (CRAs). The operating system (OS) does not impose strict restrictions on the control flow paths. It allows instructions to jump to any location in the same address space. The OS will prevent code execution if and only if an execution error occurs. However, attackers can use stack overflow to accurately tamper with the control data on the stack and avoid execution errors. Although canary technology has been widely adopted, it turns out that this method can be bypassed. The traditional shadow stack technology can only protect the backward control flow and is invalid for the forward control flow. In contrast, the defense effect of the control flow integrity methods is better. Unfortunately, they either cannot get rid of the source code dependence on the protected objects, or cannot provide high-precision instruction boundaries. All these problems make it difficult to eliminate the CRAs based on stack overflow. Faced with these problems, this paper proposes a new security method KPointer. It filters the vulnerable data by tracking the overwriting operation to the stack data. Next, these data will be tracked to locate the jump instructions related to them. Finally, we use new security strategies to determine whether the current instruction is illegal. Experiments and analysis show that KPointer has a good protection effect on the CRAs based on stack overflow. It does not depend on the source code of the protected objects and only introduces 2.7% performance overhead to the CPU.

computer science, information systems

Haoqi Shan,Dean Sullivan,Orlando Arias

DOI: https://doi.org/10.1109/AsianHOST59942.2023.10409308

2023-12-21

Abstract:In recent years we have seen an explosion in the usage of low-cost, low-power microcontrollers (MCUs) in embedded devices around us due to the popularity of Internet of Things (IoT) devices. Although this is good from an economics perspective, it has also been detrimental for security as microcontroller-based systems are now a viable attack target. In response, researchers have developed various protection mechanisms dedicated to improve security in these resource-constrained embedded systems. We demonstrate in this paper these defenses fall short when we leverage benign memory mapped design-for-debug (DfD) structures added by MCU vendors in their products. In particular, we utilize the Flash Patch and Breakpoint (FPB) unit present in the ARM Cortex-M family to build new attack primitives which can be used to bypass common defenses for embedded devices. Our work serves as a warning and a call in balancing security and debug structures in modern microcontrollers.

Cryptography and Security

Xi Tan,Zheyuan Ma,Sandro Pinto,Le Guan,Ning Zhang,Jun Xu,Zhiqiang Lin,Hongxin Hu,Ziming Zhao

2024-05-14

Abstract:Arm Cortex-M processors are the most widely used 32-bit microcontrollers among embedded and Internet-of-Things devices. Despite the widespread usage, there has been little effort in summarizing their hardware security features, characterizing the limitations and vulnerabilities of their hardware and software stack, and systematizing the research on securing these systems. The goals and contributions of this paper are multi-fold. First, we analyze the hardware security limitations and issues of Cortex-M systems. Second, we conducted a deep study of the software stack designed for Cortex-M and revealed its limitations, which is accompanied by an empirical analysis of 1,797 real-world firmware. Third, we categorize the reported bugs in Cortex-M software systems. Finally, we systematize the efforts that aim at securing Cortex-M systems and evaluate them in terms of the protections they offer, runtime performance, required hardware features, etc. Based on the insights, we develop a set of recommendations for the research community and MCU software developers.

Cryptography and Security,Hardware Architecture

Cristiano Pegoraro Chenet,Ziteng Zhang,Alessandro Savino,Stefano Di Carlo

2024-06-12

Abstract:This work evaluates how well hardware-based approaches detect stack buffer overflow (SBO) attacks in RISC-V systems. We conducted simulations on the PULP platform and examined micro-architecture events using semi-supervised anomaly detection techniques. The findings showed the challenge of detection performance. Thus, a potential solution combines software and hardware-based detectors concurrently, with hardware as the primary defense. The hardware-based approaches present compelling benefits that could enhance RISC-V-based architectures.

Cryptography and Security

Zhenliang An,Weike Wang,Wenxin Li,Senyang Li,Dexue Zhang

DOI: https://doi.org/10.3390/mi14081525

IF: 3.4

2023-07-30

Micromachines

Abstract:The growing prevalence of embedded systems in various applications has raised concerns about their vulnerability to malicious code reuse attacks. Current software-based and hardware-assisted security techniques struggle to detect or block these attacks with minor performance and implementation overhead. To address this issue, this paper presents a lightweight hardware-assisted scheme to enhance the security of embedded systems against code reuse attacks. We develop an on-chip lightweight hardware shadow stack to validate target addresses at runtime for backward-edge control flow integrity, which backs up valid return addresses during function calls and automatically verifies actual return addresses during the return phase. Additionally, we propose a lightweight stream cipher circuit that encrypts and decrypts critical stack data related to control flow manipulation, preventing attackers from analyzing or tampering with them. When designing and implementing the security mechanism for embedded systems, we fully consider the constraints of limited system resources and performance, optimizing both the architecture design and implementation of the proposed hardware. Finally, we integrate both the proposed lightweight hardware shadow stack and the runtime data encryption hardware into the OR1200 processor. We have verified the system security function on the Terasic DE1-SoC FPGA platform and evaluated the system performance as well as implementation overhead. The results show that the proposed lightweight hardware-assisted scheme can provide a dedicated defense capability against code reuse attacks for embedded systems, with an average system performance overhead of 0.39% and an area footprint of 0.316 mm2.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Johannes Obermaier,Marc Schink,Kosma Moczek

DOI: https://doi.org/10.48550/arXiv.2008.09710

2020-08-21

Cryptography and Security

Abstract:With the increasing complexity of embedded systems, the firmware has become a valuable asset. At the same time, pressure for cost reductions in hardware is imminent. These two aspects are united at the heart of the system, i.e., the microcontroller. It runs and protects its firmware, but simultaneously has to prevail against cheaper alternatives. For the very popular STM32F1 microcontroller series, this has caused the emergence of many competitors in the last few years who offer drop-in replacements or even sell counterfeit devices at a fraction of the original price. Thus, the question emerges whether the replacements are silicon-level clones and, if not, whether they provide better, equal, or less security. In this paper, we analyze a total of six devices by four manufacturers, including the original device, in depth. Via a low-level analysis, we identify all of them as being individually developed devices. We further put the focus on debug and hardware security, discovering several novel vulnerabilities in all devices, causing the exposure of the entire firmware. All of the presented vulnerabilities, including invasive ones, are on a Do it Yourself (DiY) level without the demand for a sophisticated lab -- thereby underlining the urgency for hardware fixes. To facilitate further research, reproduction, and testing of other devices, we provide a comprehensive description of all vulnerabilities in this paper and code for proofs-of-concepts online.

Shijia Wei,Aydin Aysu,Michael Orshansky,Andreas Gerstlauer,Mohit Tiwari

DOI: https://doi.org/10.1109/hst.2019.8740838

2019-05-01

Abstract:High-assurance embedded systems are deployed for decades and expensive to re-certify – hence, each new attack is an unpatchable problem that can only be detected by monitoring out-of-band channels such as the system’s power trace or electromagnetic emissions. Micro-Architectural attacks, for example, have recently come to prominence since they break all existing software-isolation based security – for example, by hammering memory rows to gain root privileges or by abusing speculative execution and shared hardware to leak secret data. This work is the first to use anomalies in an embedded system’s power trace to detect evasive micro-architectural attacks. To this end, we introduce power-mimicking micro-architectural attacks – including DRAM-rowhammer attacks, side/covert-channel and speculation-driven attacks – to study their evasiveness. We then quantify the operating range of the power-anomalies detector using the Odroid XU3 board – showing that rowhammer attacks cannot evade detection while covert channel and speculation-driven attacks can evade detection but are forced to operate at a 36 × and 7 × lower bandwidth . Our power-anomaly detector is efficient and can be embedded-of-band into (e.g.,) programmable batteries. While rowhammer, side-channel, and speculation-driven attack defenses require invasive code- and hardware-changes in general-purpose systems, we show that power-anomalies are a simple and effective defense for embedded systems. Power-anomalies can help future-proof embedded systems against vulnerabilities that are likely to emerge as new hardware like phase-change memories and accelerators become mainstream.

Andrea Mambretti,Alexandra Sandulescu,Alessandro Sorniotti,William Robertson,Engin Kirda,Anil Kurmus

DOI: https://doi.org/10.48550/arXiv.2003.05503

2021-04-19

Abstract:The prevalence of memory corruption bugs in the past decades resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory safe languages. These defenses can prevent entire classes of vulnerabilities, and help increase the security posture of a program. In this paper, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, in a speculative return-oriented programming attack. We discuss and implement software mitigations, showing moderate performance impact.

Cryptography and Security

Konrad Hohentanner,Philipp Zieris,Julian Horsch

DOI: https://doi.org/10.1145/3555776.3577635

2023-05-11

Abstract:Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity (CFI). But since its operations are generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose CryptSan, a memory safety approach based on ARM Pointer Authentication. CryptSan uses pointer signatures to retrofit memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its interoperability with uninstrumented libraries and cryptographic protection against attacks on metadata, makes CryptSan a viable solution for retrofitting memory safety to C/C++ programs.

Cryptography and Security,Programming Languages,Software Engineering

Liam Tyler,Ivan De Oliveira Nunes

DOI: https://doi.org/10.1109/tcad.2024.3444691

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Micro-controller units (MCUs) implement the de facto interface between the physical and digital worlds. As a consequence, they appear in a variety of sensing/actuation applications from smart personal spaces to complex industrial control systems and safety-critical medical equipment. While many of these devices perform safety- and time-critical tasks, they often lack support for security features compatible with their importance to overall system functions. This lack of architectural support leaves them vulnerable to run-time attacks that can remotely alter their intended behavior, with potentially catastrophic consequences. In particular, we note that, MCU software often includes untrusted third-party libraries (some of them closed-source) that are blindly used within MCU programs, without proper isolation from the rest of the system. In turn, a single vulnerability (or intentional backdoor) in one such third-party software can often compromise the entire MCU software state. In this article, we tackle this problem by proposing, demonstrating security, and formally verifying the implementation of UCCA: an Untrusted Code Compartment Architecture. UCCA provides flexible hardware-enforced isolation of untrusted code sections (e.g., third-party software modules) in resource-constrained and time-critical MCUs. To demonstrate UCCA's practicality, we implement an open-source version of the design on a real resource-constrained MCU: the well-known TI MSP430. Our evaluation shows that UCCA incurs little overhead and is affordable even to lowest-end MCUs, requiring significantly less overhead and assumptions than the prior related work.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Lan Luo,Yue Zhang,Cliff C. Zou,Xinhui Shao,Zhen Ling,Xinwen Fu

DOI: https://doi.org/10.48550/arXiv.2007.05876

2020-07-12

Abstract:Internet of Things (IoT) devices have been increasingly integrated into our daily life. However, such smart devices suffer a broad attack surface. Particularly, attacks targeting the device software at runtime are challenging to defend against if IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension for MCUs, is an emerging security technique fortifying MCU based IoT devices. This paper presents the first security analysis of potential software security issues in TrustZone-M enabled MCUs. We explore the stack-based buffer overflow (BOF) attack for code injection, return-oriented programming (ROP) attack, heap-based BOF attack, format string attack, and attacks against Non-secure Callable (NSC) functions in the context of TrustZone-M. We validate these attacks using the TrustZone-M enabled SAM L11 MCU. Strategies to mitigate these software attacks are also discussed.

Cryptography and Security

Xiaoguang Wang,Yong Qi,Chi Zhang,Saiyu Qi,Peijian Wang

DOI: https://doi.org/10.1109/COMPSAC.2017.206

2017-01-01

Abstract:Software memory disclosure attacks, such as buffer over-read, often work quietly and would cause secret data leakage. The well-known OpenSSL Heartbleed vulnerability leaked out millions of servers' private keys, which caused most of the Internet services insecure at that time. Existing solutions are either hard to apply to large code bases (e.g., through formal verification [20] or symbolic execution [8] on program code), or too heavyweight (e.g., by involving a hypervisor software [23], [24] or a modified operating system kernel [17]). In this paper, we propose SecretSafe, a lightweight and easy-to-use system which leverages the traditional x86 segmentation mechanism to isolate the application secrets from the remaining data. Software developers could prevent the secrets from being leaked out by simply declaring the secret variables with SECURE keyword. Our customized compiler will automatically separate the secrets from the remaining non-secret data with an isolated memory segment. Any legal instructions that have to access the secrets will be automatically instrumented to enable accesses to the isolated segment. We have implemented a SecretSafe prototype with the open source LLVM compiler framework. The evaluation shows that SecretSafe is both secure and efficient.

Laszlo Szekeres,Mathias Payer,Tao Wei,Dawn Song

DOI: https://doi.org/10.1109/sp.2013.13

2013-01-01

Abstract:Memory corruption bugs in software written in low-level languages like C or C++ are one of the oldest problems in computer security. The lack of safety in these languages allows attackers to alter the program's behavior or take full control over it by hijacking its control flow. This problem has existed for more than 30 years and a vast number of potential solutions have been proposed, yet memory corruption attacks continue to pose a serious threat. Real world exploits show that all currently deployed protections can be defeated. This paper sheds light on the primary reasons for this by describing attacks that succeed on today's systems. We systematize the current knowledge about various protection techniques by setting up a general model for memory corruption attacks. Using this model we show what policies can stop which attacks. The model identifies weaknesses of currently deployed techniques, as well as other proposed protections enforcing stricter policies. We analyze the reasons why protection mechanisms implementing stricter polices are not deployed. To achieve wide adoption, protection mechanisms must support a multitude of features and must satisfy a host of requirements. Especially important is performance, as experience shows that only solutions whose overhead is in reasonable bounds get deployed. A comparison of different enforceable policies helps designers of new protection mechanisms in finding the balance between effectiveness (security) and efficiency. We identify some open research problems, and provide suggestions on improving the adoption of newer techniques.

Yujie Wang,Cailani Lemieux Mack,Xi Tan,Ning Zhang,Ziming Zhao,Sanjoy Baruah,Bryan C. Ward

DOI: https://doi.org/10.1109/rtas61025.2024.00036

2023-01-01

Abstract:Real-time and embedded systems are predominantly written in C, a language that is notoriously not memory safe. This has led to widespread memory-corruption vulnerabilities in real-time embedded cyber-physical systems (CPS). This is concerning, as such devices are becoming increasingly networked with the Internet of Things (IoT) and other communication technologies (e.g., 5G), rendering them vulnerable to remote attacks. Attackers have demonstrated how memory-corruption vulnerabilities can be used to hijack program control flow to implement arbitrary attacker-controlled logic. One class of defenses that has been developed to prevent such attacks is called control-flow integrity (CFI), which applies checks at control-flow transitions to ensure the target is valid. Unfortunately, attackers have shown how to divert control flow to seemingly valid targets in an invalid and malicious sequence. This paper presents InsectACIDE, the first holistic CFI for embedded and real-time systems that does not require binary instrumentation and that is context sensitive, i.e., it checks that the sequence of control-flow transitions taken is valid, not just individual transitions, thereby detecting such attacks. InsectACIDE is implemented on an embedded Cortex-M processor using the TrustZone trusted execution environment, and holistic context-sensitive CFI is enforced for both applications and the kernel. InsectACIDE uses hardware debugging features on the Cortex-M processor and therefore does not require any kernel or application binary modification. Experimental results show that InsectACIDE incurs significantly less runtime overhead compared to the state-of-the-art holistic CFI solution. Real-time schedulability analysis is presented, along with a schedulability evaluation, to demonstrate the tradeoff between stronger protection and real-time schedulability.

Xiayang Wang,Fuqian Huang,Haibo Chen

DOI: https://doi.org/10.1109/tc.2019.2946770

IF: 3.183

2020-01-01

IEEE Transactions on Computers

Abstract:Attackers often exploit memory corruption vulnerabilities to overwrite control data and further gain control over victim applications. Despite progress in advanced defensive techniques, such attacks still remain a major security threat. In this article, we present Niffler, a new technique that provides lightweight and practical defense against such attacks. Niffler eliminates the threat of memory corruption over control data by cloaking all control data in registers along its execution and only spilling them into a dedicated read-only area in memory upon a shortage of registers. As an attacker cannot directly overwrite any register or read-only memory pages, no direct memory corruption on control data is feasible. Niffler is made efficient by compactly encoding return address, balancing register allocation, dynamically determining register spilling and leveraging the recent Intel Memory Protection Extensions (MPX) for control data lookup during register restoring. We implement Niffler based on LLVM and conduct a set of evaluations on SPECCPU 2006 and real-world applications. Performance evaluation shows that Niffler introduces an average of only 6.3 percent overhead on SPECCPU 2006 C programs and an average of 28.2 percent overhead on C++ programs.