8 research outputs found
SCRAMBLE-CFI: Mitigating Fault-Induced Control-Flow Attacks on OpenTitan
Secure elements physically exposed to adversaries are frequently targeted by
fault attacks. These attacks can be utilized to hijack the control-flow of
software allowing the attacker to bypass security measures, extract sensitive
data, or gain full code execution. In this paper, we systematically analyze the
threat vector of fault-induced control-flow manipulations on the open-source
OpenTitan secure element. Our thorough analysis reveals that current
countermeasures of this chip either induce large area overheads or still cannot
prevent the attacker from exploiting the identified threats. In this context,
we introduce SCRAMBLE-CFI, an encryption-based control-flow integrity scheme
utilizing existing hardware features of OpenTitan. SCRAMBLE-CFI confines, with
minimal hardware overhead, the impact of fault-induced control-flow attacks by
encrypting each function with a different encryption tweak at load-time. At
runtime, code only can be successfully decrypted when the correct decryption
tweak is active. We open-source our hardware changes and release our LLVM
toolchain automatically protecting programs. Our analysis shows that
SCRAMBLE-CFI complementarily enhances security guarantees of OpenTitan with a
negligible hardware overhead of less than 3.97 % and a runtime overhead of 7.02
% for the Embench-IoT benchmarks.Comment: Accepted at GLSVLSI'2
SCFI: State Machine Control-Flow Hardening Against Fault Attacks
Fault injection (FI) is a powerful attack methodology allowing an adversary
to entirely break the security of a target device. As finite-state machines
(FSMs) are fundamental hardware building blocks responsible for controlling
systems, inducing faults into these controllers enables an adversary to hijack
the execution of the integrated circuit. A common defense strategy mitigating
these attacks is to manually instantiate FSMs multiple times and detect faults
using a majority voting logic. However, as each additional FSM instance only
provides security against one additional induced fault, this approach scales
poorly in a multi-fault attack scenario.
In this paper, we present SCFI: a strong, probabilistic FSM protection
mechanism ensuring that control-flow deviations from the intended control-flow
are detected even in the presence of multiple faults. At its core, SCFI
consists of a hardened next-state function absorbing the execution history as
well as the FSM's control signals to derive the next state. When either the
absorbed inputs, the state registers, or the function itself are affected by
faults, SCFI triggers an error with no detection latency. We integrate SCFI
into a synthesis tool capable of automatically hardening arbitrary unprotected
FSMs without user interaction and open-source the tool. Our evaluation shows
that SCFI provides strong protection guarantees with a better area-time product
than FSMs protected using classical redundancy-based approaches. Finally, we
formally verify the resilience of the protected state machines using a
pre-silicon fault analysis tool
SYNFI: Pre-Silicon Fault Analysis of an Open-Source Secure Element
Fault attacks are active, physical attacks that an adversary can leverage to alter the control-flow of embedded devices to gain access to sensitive information or bypass protection mechanisms. Due to the severity of these attacks, manufacturers deploy hardware-based fault defenses into security-critical systems, such as secure elements. The development of these countermeasures is a challenging task due to the complex interplay of circuit components and because contemporary design automation tools tend to optimize inserted structures away, thereby defeating their purpose. Hence, it is critical that such countermeasures are rigorously verified post-synthesis. Since classical functional verification techniques fall short of assessing the effectiveness of countermeasures (due to the circuit being analyzed when no faults are present), developers have to resort to methods capable of injecting faults in a simulation testbench or into a physical chip sample. However, developing test sequences to inject faults in simulation is an error-prone task and performing fault attacks on a chip requires specialized equipment and is incredibly time-consuming. Moreover, identifying the fault-vulnerable circuit is hard in both approaches, and fixing potential design flaws post-silicon is usually infeasible since that would require another tape-out. To that end, this paper introduces SYNFI, a formal pre-silicon fault verification framework that operates on synthesized netlists. SYNFI can be used to analyze the general effect of faults on the input-output relationship in a circuit and its fault countermeasures, and thus enables hardware designers to assess and verify the effectiveness of embedded countermeasures in a systematic and semi-automatic way. The framework automatically extracts sensitive parts of the circuit, induces faults into the extracted subcircuit, and analyzes the faults’ effects using formal methods. To demonstrate that SYNFI is capable of handling unmodified, industry-grade netlists synthesized with commercial and open tools, we analyze OpenTitan, the first opensource secure element. In our analysis, we identified critical security weaknesses in the unprotected AES block, developed targeted countermeasures, reassessed their security, and contributed these countermeasures back to the OpenTitan project. For other fault-hardened IP, such as the life cycle controller, we used SYNFI to confirm that existing countermeasures provide adequate protection
SYNFI: Pre-Silicon Fault Analysis of an Open-Source Secure Element
Fault attacks are active, physical attacks that an adversary can leverage to alter the control-flow of embedded devices to gain access to sensitive information or bypass protection mechanisms. Due to the severity of these attacks, manufacturers deploy hardware-based fault defenses into security-critical systems, such as secure elements. The development of these countermeasures is a challenging task due to the complex interplay of circuit components and because contemporary design automation tools tend to optimize inserted structures away, thereby defeating their purpose. Hence, it is critical that such countermeasures are rigorously verified post-synthesis. Since classical functional verification techniques fall short of assessing the effectiveness of countermeasures (due to the circuit being analyzed when no faults are present), developers have to resort to methods capable of injecting faults in a simulation testbench or into a physical chip sample. However, developing test sequences to inject faults in simulation is an error-prone task and performing fault attacks on a chip requires specialized equipment and is incredibly time-consuming. Moreover, identifying the fault-vulnerable circuit is hard in both approaches, and fixing potential design flaws post-silicon is usually infeasible since that would require another tape-out. To that end, this paper introduces SYNFI, a formal pre-silicon fault verification framework that operates on synthesized netlists. SYNFI can be used to analyze the general effect of faults on the input-output relationship in a circuit and its fault countermeasures, and thus enables hardware designers to assess and verify the effectiveness of embedded countermeasures in a systematic and semi-automatic way. The framework automatically extracts sensitive parts of the circuit, induces faults into the extracted subcircuit, and analyzes the faults’ effects using formal methods. To demonstrate that SYNFI is capable of handling unmodified, industry-grade netlists synthesized with commercial and open tools, we analyze OpenTitan, the first opensource secure element. In our analysis, we identified critical security weaknesses in the unprotected AES block, developed targeted countermeasures, reassessed their security, and contributed these countermeasures back to the OpenTitan project. For other fault-hardened IP, such as the life cycle controller, we used SYNFI to confirm that existing countermeasures provide adequate protection
SYNFI: Pre-Silicon Fault Analysis of an Open-Source Secure Element
Fault attacks are active, physical attacks that an adversary can leverage to
alter the control-flow of embedded devices to gain access to sensitive
information or bypass protection mechanisms. Due to the severity of these
attacks, manufacturers deploy hardware-based fault defenses into
security-critical systems, such as secure elements. The development of these
countermeasures is a challenging task due to the complex interplay of circuit
components and because contemporary design automation tools tend to optimize
inserted structures away, thereby defeating their purpose. Hence, it is
critical that such countermeasures are rigorously verified post-synthesis. As
classical functional verification techniques fall short of assessing the
effectiveness of countermeasures, developers have to resort to methods capable
of injecting faults in a simulation testbench or into a physical chip. However,
developing test sequences to inject faults in simulation is an error-prone task
and performing fault attacks on a chip requires specialized equipment and is
incredibly time-consuming. To that end, this paper introduces SYNFI, a formal
pre-silicon fault verification framework that operates on synthesized netlists.
SYNFI can be used to analyze the general effect of faults on the input-output
relationship in a circuit and its fault countermeasures, and thus enables
hardware designers to assess and verify the effectiveness of embedded
countermeasures in a systematic and semi-automatic way. To demonstrate that
SYNFI is capable of handling unmodified, industry-grade netlists synthesized
with commercial and open tools, we analyze OpenTitan, the first open-source
secure element. In our analysis, we identified critical security weaknesses in
the unprotected AES block, developed targeted countermeasures, reassessed their
security, and contributed these countermeasures back to the OpenTitan
repository