Fault Attacks on Embedded Software: Threats, Design, and Mitigation

Size: px

Start display at page:

Download "Fault Attacks on Embedded Software: Threats, Design, and Mitigation"

Dora Anthony
5 years ago
Views:

1 Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team Supported through National Science Foundation Semiconductor Research Corporation 1

2 Objective The black box model Fault Injection input (Secure) SW???? output correct behavior output faulty behavior Fault Analysis 2

3 Objective The black box model Fault Injection input The grey box model (Secure) SW???? output correct behavior output faulty behavior Fault Analysis 3

4 Objective The black box model Fault Injection input (Secure) SW The grey box model (Secure) SW Fault Injection Microprocessor Manifestation Propagation output output Mem Hierarchy Observation Exploitation correct behavior faulty behavior Fault Analysis 4

5 Objective The black box model Fault Injection input (Secure) SW The grey box model (Secure) SW Fault Injection Microprocessor Manifestation Propagation output correct behavior Fault Analysis output faulty behavior Mem Hierarchy Observation Exploitation Make a systematic review of the fault attack process on embedded software 5

6 Outline 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors 6

7 Attacks on Embedded Software I/O MEM CPU Embedded Software assumes execution is correct (This presentation) Incorrect execution as starting point for attack Privilege Escalation Information Leakage 7

8 Privilege Escalation & Information Leakage Privilege Escalation = Adversarial Control of Critical Decisions if (! access_allowed ) abort( ); Information Leakage = Disclosure of Secret Data & Dependencies r1 if (key_bit) out = f(r1); else out = f(r0); key_bit leaks through out 8

Image Lack of Mem Isolation Hardware Attacker Instruction Opcode Modification Instruction

9 Triggering Incorrect Execution I/O MEM CPU Attacker Attack Target Security Failure Input/Output Attacker Input/Output Data Software Bugs Memory Attacker Application/Task Image Lack of Mem Isolation Hardware Attacker Instruction Opcode Modification Instruction Execution Micro-Architecture Circuit Timing, Threshold Levels Environment Operating Conditions this talk 9

10 Outline 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors 10

11 Anatomy of a Fault Attack 1. Fault Attack Design Fault Target and Fault Model Fault Injection Method Fault Exploitation Method 2. Fault Attack Implementation Fault Injection Fault Manifestation Fault Propagation Fault Observation Fault Exploitation Defined by Security (Attack) Objective Constrained by Implementation 11

12 Anatomy of a Fault Attack electrical transient Physical Level Fault Injection 12

13 Anatomy of a Fault Attack faulty bits Circuit Level Fault Manifestation electrical transient Physical Level Fault Injection 13

14 Anatomy of a Fault Attack Hardware faulty micro op Micro Architecture Level I Fetch Decode Control Instruction Memory Boot ROM D Fetch Execute Datapath Status Regs Register File Data Mem Store Fault Propagation faulty bits Circuit Level Fault Manifestation electrical transient Physical Level Fault Injection 14

15 Anatomy of a Fault Attack Application OS Firmware int verify(s,p){ int r; if (S = P) r = 1; else r = 0; return r } P S 1 S,P r 5 r Faulty Control Flow and/or Data Flow Fault Observation Software Hardware faulty instruction Instruction Set Architecture faulty micro op Micro Architecture Level I Fetch Decode Control Instruction Memory Boot ROM D Fetch Execute Datapath Status Regs Register File Data Mem Store Fault Propagation faulty bits Circuit Level Fault Manifestation electrical transient Physical Level Fault Injection 15

Anatomy of a Fault Attack Application OS Firmware 1 2 3 4 5 int verify(s,p){ int r; if (S = P) r = 1; else r = 0; return r } P S 1 S,P 2 3 4

Architecture faulty micro op Micro Architecture Level I Fetch Decode Control Instruction Memory Boot ROM D Fetch Execute Datapath Status

16 Anatomy of a Fault Attack Application OS Firmware int verify(s,p){ int r; if (S = P) r = 1; else r = 0; return r } P S 1 S,P r 5 r Faulty Control Flow and/or Data Flow Fault Exploitation Fault Observation Software Hardware faulty instruction Instruction Set Architecture faulty micro op Micro Architecture Level I Fetch Decode Control Instruction Memory Boot ROM D Fetch Execute Datapath Status Regs Register File Data Mem Store Fault Propagation faulty bits Circuit Level Fault Manifestation electrical transient Physical Level Fault Injection 16

17 Outline 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors 17

18 Fault injection Control Hardware controlled Fault Injection Software controlled Fault Injection Fault Injection Hardware Software Tasks Fault Control Injector CTL/Injection Victim Timing Physical Stress Physical Stress I/O MEM CPU I/O MEM CPU 18

19 Timing Vdd Temp logic clk nominal clock period critical path + slack 19

20 Artificial Timing Faults Vdd Temp logic clk Overclocking Clock Glitching shortened clock period critical path Timing Violation Underfeeding Voltage Glitching Overheating slack nominal clock period increased critical path slack 20

21 Noise Injection EMFI clk Area A logic E Faraday s Law E = A. db dt Field B di dt 21

22 Noise Injection EMFI clk Area A logic E Faraday s Law E = A. db dt Field B di dt 22

23 Noise Injection Laser Faults Glitches Single Event Upset on Vdd Laser Beam 0 1 off Vss Photocurrent Flip Laser Beam 23

24 Software Controlled Faults DVFS Interface (CLKSCREW) Programming Interface PLL PMIC f1 f2 V1 V2 Core1 Core2 software controlled timing violation by modified (V2,f2) Memory Disturbance software controlled leak repeated word access row 0 row 1 row 2 word bit row buffer 24

25 Fault Injection Portfolio Fault Injection Spatial Precision Temporal Precision Cost Intensity Overclocking Low Low Low Clock f Clock Glitching Low High Low Glitch Width Underfeeding Low Low Low Voltage Voltage Glitching Low High Low Glitch V/W Overheating Low Low Low Temperature Light Pulse Medium Medium Low Pulse W/Enrgy Laser Pulse High High High Pulse W/Enrgy EM Pulse Medium High High Probe Current DVFS Interface Low Medium Zero V/f Memory Disturbance High Medium Zero Disturbance f 25

26 Outline 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors 26

27 Processor Micro architecture Programmer s Model Instruction Semantics & Syntax Memory Model Interrupt/Exception Interface Instruction Set Architecture Micro Architecture Instruction Memory Control Fetch Store Decode Datapath Load Data Mem RegFile Flags 27

28 Processor Micro architecture Faults Programmer s Model Instruction Semantics & Syntax Memory Model Interrupt/Exception Interface Instruction Set Architecture Faulty Instruction Propagation Micro Architecture Store Instruction Memory Fetch Control Decode Datapath Load Data Mem RegFile Flags Manifestation Fault Location Fault Effect Fault Duration Fault Size 28

29 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Operand fetch Execute Store Data memory Register File Status Flags 29

30 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Function Different instruction Operand Different source/dest Immediate Different value Operand fetch Execute Store Data memory Register File Status Flags 30

31 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Function Different instruction Operand Different source/dest Immediate Different value Operand fetch Execute Store Data memory Register File Status Flags Assume a one bit fault on ld [%i1 + 4], %g1 Resulting fault space includes 21 ld variants with different load address 6 ld variants with a different target 1 add variant 1 store variant 1 call variant 2 unknown variants (trap) 31

32 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Function Different instruction Operand Different source/dest Immediate Different value Operand fetch Execute Store Data memory Register File Status Flags Assume a one bit fault on add %l2, %l7, %g2 Resulting fault space includes 12 add variants with a different source 9 unknown variants (trap) 5 add variants with a different target 3 arithmetic variants (sub, addx, addcc) 2 logical variants (or, and) 1 ld variant 32

33 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Function Different instruction Operand Different source/dest Immediate Different value Operand fetch Execute Store Data memory Register File Status Flags Assume a one bit fault on be 0x Resulting fault space includes 23 be variants with a different target 5 branch targets with different condition 2 unknown variants (trap) 1 call variant 1 add variant 33

34 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Modifies the PC, can modify control flow Operand fetch Execute Store Data memory Register File Status Flags 34

35 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Operand fetch Execute Store Data memory Register File Status Flags Modifies the value of the source operands ld [r1 + r2], r3 faulty r3 cmp r1, r2 faulty flags be dest no effect 35

36 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Operand fetch Execute Store Data memory Register File Status Flags Modifies the value of the computation ld [r1 + r2], r3 faulty r3 cmp r1, r2 faulty flags be dest faulty jump address 36

37 Processor Micro architecture Faults Micro architecture Element Instruction memory Instruction fetch Instruction decode Operand fetch Execute Store Data memory Register File Status Flags Fault effects on a microarchitecture are highly nonlinear + For a given fault effect, analysis is possible 37

38 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors Intermezzo: Fault Exploitation Outline Cryptanalysis Fault Aided SCA Fault Enabled Logical Attacks DFA Biased Fault Analysis Safe Error Analysis 38

39 Bit flip Attack on AES Last round of the Advanced Encryption Standard Secret state v 9 th round SubBytes S S S S S S S S S S S S S S S S ShiftRows AddRoundKey Ciphertext C

40 Bit flip Attack on AES Fault Model: Bit flip on a secret state bit SubBytes S S S S S S S S S S S S S S S S ShiftRows AddRoundKey A bit flip results in a faulty ciphertext byte

41 Bit flip Attack on AES Fault Differential c = sbox(v) k c' = sbox(v') k Hence = c c' = sbox(v) sbox(v') Fault Analysis Reconstruct v by analyzing Once we know v, we find the last round key as: k = sbox(v) c c c' v, v' S 32 bit flip faults in round 10 disclose entire key

42 Classic Differential Fault Analysis Cryptographic Algorithm Fault Model Random Byte Random Bit Chosen Bit DFA C, C, C,.. K [TM 2010] Single random byte fault at 8 th round of AES-128: Key [SL+ 2012] Two seq. byte fault at 9 th, 10 th round of AES-192: Key Current DFA methods are optimal IF the fault model can be realized 42

43 Implementations and Actual Faults Cryptographic Algorithm Fault Model Random Byte Random Bit Chosen Bit DFA C, C, C,.. K Implementation Fault Injection Cryptographic Architecture Fault 43

44 Biased Fault Attacks Cryptographic Algorithm Fault Model Random Byte Random Bit Chosen Bit DFA C, C, C,.. K Implementation Fault Injection Variable Fault Intensity Cryptographic Architecture Fault Fault Bias 1-bit, 2-bit,.. FSA [2010] NUEVA [2012] NUFVA [2013] DFIA [2014] DERA [2015]... 44

45 Biased Faults as a Side Channel S Biased Fault Injection 8 SBOX correct S faulty S (8-dimensional space) RK C C 45

46 Biased Faults as a Side Channel S Biased Fault Injection 8 Under Correct Key Hypothesis correct S faulty S Under Wrong Key Hypothesis 4 SBOX RK SBOX -1 (C RK hyp ) SBOX -1 (C RK hyp ) C C C 46

47 Differential Fault Intensity Analysis RK S Biased Fault Injection 8 SBOX Differential Fault Intensity Analysis 1. Inject Faults at different Fault Intensities HW(S S ) < 2. Collect Fault Ciphertext C 3. For all Key hypothesis RK hyp compute S i,rk = SBOX 1 (C RK hyp ) 4. Select RK for which RK = ArgMin( i j HD(S i,rk, S j,rk )) C 47

48 DFIA versus DFA DFA DFIA makes a precise assumption on the injected fault needs a system of equations to resolve key guess makes an approximate model of the injected fault uses max likelihood testing to resolve key guess DFIA relaxes the fault model requirements and is more suitable when fault injection is hard to control 48

49 Outline 1. Introducing the Fault Attack 2. Anatomy of a Fault Attack 3. Fault Injection Techniques 4. Manifestation and Propagation in the ISA 5. FAME A Mitigation Technique for Microprocessors 49

50 Mitigating Fault Attacks on Embedded SW Redundant Execution in SW Sensors and Checkpoint 50

51 Mitigating Fault Attacks on Embedded SW Detection Strategy 1: Redundant Execution in SW Verify redundant copies Strategy 2: HW Sensors and Checkpoint Dedicated HW sensor (Timing, EM, Voltage,..) Response Correct fault using redundancy Recover from checkpoint Overhead Redundant execution Checkpoint storage Risk Redundant Fault False pos/neg on sensor

52 Mitigating Fault Attacks on Embedded SW Detection Strategy 1: Redundant Execution in SW Verify redundant copies FAME Fault attack Aware Microprocessor Extension Strategy 2: HW Sensors and Checkpoint Dedicated HW sensor (Timing, EM, Voltage,..) Response Correct fault using redundancy Recover from checkpoint Overhead Redundant execution Checkpoint storage Risk Redundant Fault False pos/neg on sensor

53 FAME Operation [HASP 16] Protected Software Application Software 3. transfer the control to the trap handler Secure Trap Handler (STH) 1. fault injection 4. access and restore fault free checkpoint Vdd clk Fault Detection Unit (FDU) 2. alarm Fault Control Unit (FCU) 3. fault recovery info Fault Response Registers (FRR) Baseline Processor FAME Processor Fault attack Aware Microprocessor Extensions 53

54 All digital Fault Sensors in FAME Glitch Timing Sensor configurable delay stage (20x) c[i] T flop q d D flop q clk clk alarm d D flop q In situ EM Sensor clk 54

55 Single cycle Checkpointing Hardware Fault Response Registers (FRR) for critical processor state, including PC, PSR and last two pipeline stages 55

56 FAME Chip 1 Block Diagram FAME Core Functionality FAME ASIC I$ (1KB) D$ (2KB) FAME Core APB AHB LEON3 Core (w FRR) Reset Management Sensor (FDU) Recovery (FCU) 56

57 FAME Chip 1 Block Diagram Download and Debug Software debugger FAME ASIC I$ (1KB) D$ (2KB) FAME Core Debug Support Unit APB AHB Debug UART2 LEON3 Core (w FRR) Debug UART1 Reset Management Sensor (FDU) Recovery (FCU) SRAM 64KB ROM 1KB 57

58 FAME Chip 1 Block Diagram User Applications debugger user I/O FAME ASIC I$ (1KB) D$ (2KB) FAME Core Debug Support Unit APB AHB Debug UART2 GPIO LEON3 Core (w FRR) Debug UART1 User UART Reset Management Sensor (FDU) Recovery (FCU) SRAM 64KB Interrupt Controller ROM 1KB 58

59 FAME Chip 1 Block Diagram fault injection controller Fault Injection and Fault Diagnosis debugger user I/O FAME ASIC I$ (1KB) D$ (2KB) FAME Core Debug Support Unit APB AHB Debug UART2 GPIO Fault injector (FPGA) Reset Management Observe Trigger Sensor (FDU) LEON3 Core (w FRR) Recovery (FCU) Debug UART1 SRAM 64KB User UART Interrupt Controller ROM 1KB 59

60 FAME Chip 1 Block Diagram fault injection controller debugger user I/O FAME ASIC I$ (1KB) D$ (2KB) FAME Core Debug Support Unit APB AHB Debug UART2 GPIO Fault injector (FPGA) Reset Management Observe Trigger Sensor (FDU) LEON3 Core (w FRR) Recovery (FCU) Debug UART1 SRAM 64KB User UART Interrupt Controller ROM 1KB 60

FAME Chip 1 Micrograph 180nm 6LM TSMC 25 mm2 die area Active area LEON3: 6.217mm2 w FAME: 6.301 mm2 w FAME+Diag: 6.364 mm2 FAME extensions overhead 1.

61 FAME Chip 1 Micrograph 180nm 6LM TSMC 25 mm2 die area Active area LEON3: 6.217mm2 w FAME: mm2 w FAME+Diag: mm2 FAME extensions overhead 1.35% (of active area) 80 MHz clock 54 I/O Clock, reset 8 I/O, 16 Core Power 3x UART 4 GPIO 4 Trigger Sensor alarm monitor Scan and test pins 108-pin PGA package 61

62 FAME Chip 1 Test PCB Debug/User USB-UART Power Measurement Power/ Clock Glitcher FPGA Interface: GPIO, Trigger, Scan, Alarm SAKURA-G FPGA w glitch generator 62

63 FAME Chip 1 Test Setup FAME Application Monitor Glitch Control Software 63

64 FAME Chip 1 Fault Sensor configurable delay stage (20x) c[i] T flop q d D flop q clk clk alarm d D flop q clk 64

65 Secure Trap Handler Development ptc--; falls through 65

66 Traditional Redundancy Based Design int ptc = 3; int ptc = 3; //Pin Try Counter char devicepin[5] = ; Algorithm-level redundancy Instruction-level redundancy int VerifyPin(userPIN) { ptc--; if (ptc > 0) if (ptc > 0) if (Cmp(userPIN,devicePIN)) if (Cmp(userPIN,devicePIN)) result = 1; ptc++; else result = 0; else result = 0; else result = 0; else result = 0; return result; } hardened if 66

67 Traditional Redundancy Based Design int ptc = 3; int ptc = 3; //Pin Try Counter char devicepin[5] = ; Algorithm-level redundancy Instruction-level redundancy int VerifyPin(userPIN) { ptc--; if (ptc > 0) if (ptc > 0) if (Cmp(userPIN,devicePIN)) if (Cmp(userPIN,devicePIN)) result = 1; ptc++; } else result = 0; else result = 0; else result = 0; else result = 0; return result; Disadvantage - performance overhead - Fails under redundant fault injection 67

68 FAME Based Design int ptc = 3; //Pin Try Counter char devicepin[5] = ; int nofault = 1; int VerifyPin(userPIN) { if (ptc > 0) if (Cmp(userPIN,devicePIN)) result = nofault; else result = 0; ptc--; else result = 0; return result; } SecureTrapHandler() { if (ptc > 0) ptc--; nofault = 0; } No redundancy needed: FAME FRR Hardware Checkpoint prevents fault propagation No overhead without fault Secure trap handler enables user-defined fault response 68

69 EMFI on FAME Clock Tree Leaves Clock Tree Root FAME Flip flop [DAC2018] 69

70 EMFI on FAME Global Effect of EMFI Injection at clock tree root Local Effect of EMFI Injection at clock tree leaves 146 Faulty Flip Flop 24 Faulty Flip Flop [DAC2018] 70

71 References 1. B. Yuce, M. Witteman, P. Schaumont, Fault Attacks on Secure Embedded Software: Threats, Design and Evaluation, Journal of Hardware and Systems Security, (preprint). 2. B. Yuce, C. Deshpande, M. Ghodrati, A. Bendre, L. Nazhandali, P. Schaumont, "A Secure Exception Mode for Fault Attack Resistant Processing" IEEE Transactions on Dependable and Secure Computing, (preprint). 3. M. Ghodrati, B. Yuce, S. Gujar, C. Deshpande, L. Nazhandali, P. Schaumont, Inducing Local Timing Fault through EM Injection, DAC FAME Fault Awareness using Microprocessor Enhancements. 71

72 Thank You! Questions? Patrick Schaumont 72

Electromagnetic Transient Fault Injection on AES

Electromagnetic Transient Fault Injection on AES Amine DEHBAOUI ¹, Jean-Max DUTERTRE ², Bruno ROBISSON ¹, Assia TRIA ¹ Fault Diagnosis and Tolerance in Cryptography Leuven, Belgium Sunday, September 9,