Off-campus UMass Amherst users: To download campus access dissertations, please use the following link to log into our proxy server with your UMass Amherst user name and password.

Non-UMass Amherst users: Please talk to your librarian about requesting this dissertation through interlibrary loan.

Dissertations that have an embargo placed on them will not be available to anyone until the embargo expires.


yuhe zhaoFollow


Access Type

Open Access Thesis

Document Type


Degree Program

Electrical & Computer Engineering

Degree Type

Master of Science in Electrical and Computer Engineering (M.S.E.C.E.)

Year Degree Awarded


Month Degree Awarded



Embedded systems based on lightweight microprocessors are becoming more prevalent in various applications. However, the security of them remains a significant challenge due to the limited resources and exposure to external threats. Especially, some of these devices store sensitive data and control critical devices, making them high-value targets for attackers. Software security is particularly important because attackers can easily access these devices on the internet and obtain control of them by injecting malware.

Return address (RA) hijacking is a common software attack technique used to compromise control flow integrity (CFI) by manipulating memory, such as return-to-libc attacks. Several methods have been proposed to protect CFI, including RA authentication, stack canaries, and shadow stack. However, these hardware and software defense mechanisms introduce significant memory overhead and resource consumption, making them unsuitable for IoT devices with limited memory.

This thesis investigates the security of embedded systems by focusing on the control flow integrity of the return address for RISC-V. This project asserts the Pointer Authentication Code (PAC) in the return address to protect the CFI by custom instructions. Compared to the previous work, this project introduces a faster cipher to improve the performance of the system. Also, a prediction mechanism is embedded into the system to reduce the latency of the authentication. This project also integrates the PAC generator into the GCC compiler to support automatic PAC generation. The overhead of this project is 4.19\% on TACleBench and 3.25\% on Coremark with the Rocket chip on the Nexys A7 board.

First Advisor

Wayne Burelson

Second Advisor

Tilman Wolf

Third Advisor

Yadi Eslami