HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement

Widespread use of memory unsafe programming languages (e.g., C and C++) leaves many systems vulnerable to memory corruption attacks. A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) randomization or Control Flow Integrity. However, recent work on data-oriented programming (DOP) demonstrated highly expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses. Although multiple real-world DOP attacks have been demonstrated, no efficient defenses are yet available. We propose run-time scope enforcement (RSE), a novel approach designed to efficiently mitigate all currently known DOP attacks by enforcing compile-time memory safety constraints (e.g., variable visibility rules) at run-time. We present HardScope, a proof-of-concept implementation of hardware-assisted RSE for the new RISC-V open instruction set architecture. We discuss our systematic empirical evaluation of HardScope which demonstrates that it can mitigate all currently known DOP attacks, and has a real-world performance overhead of 3.2% in embedded benchmarks

LO-FAT: Low-Overhead Control Flow ATtestation in Hardware

Attacks targeting software on embedded systems are becoming increasingly prevalent. Remote attestation is a mechanism that allows establishing trust in embedded devices. However, existing attestation schemes are either static and cannot detect control-flow attacks, or require instrumentation of software incurring high performance overheads. To overcome these limitations, we present LO-FAT, the first practical hardware-based approach to control-flow attestation. By leveraging existing processor hardware features and commonly-used IP blocks, our approach enables efficient control-flow attestation without requiring software instrumentation. We show that our proof-of-concept implementation based on a RISC-V SoC incurs no processor stalls and requires reasonable area overhead.Comment: Authors' pre-print version to appear in DAC 2017 proceeding

Hardware entangled security primitives: attacks and defenses

Hardware-assisted security aims at protecting computing systems against software-based attacks that can affect the different software layers. This is attained by leveraging hardware components or modules to enforce strict security measures and thus providing stronger security guarantees compared to software-only solutions. The trusted hardware components form together the so-called trust anchor, which comprises various primitives to support different security protocols and services such as authentication, platform integrity, runtime protection, trusted execution and trusted configuration, to name some. This thesis consists of two parts: i) an offensive part, where we present our findings based on attacks we conducted on hardware-based security primitives that can be deployed in trust anchors for platform authentication and cryptographic key generation, and ii) a defensive part, where we present our novel hardware-assisted defenses/architectures for platform integrity at runtime and trusted configuration that are based on trust anchors of our design. The contributions are organized in three pivots based on the security service provided by the trust anchor. Platform Authentication. Physically Unclonable Functions (PUFs) are hardware security primitives that leverage the innate characteristics of hardware due to its manufacturing process for the generation of device-specific identifiers or cryptographic keys. Therefore, PUFs have been considered as a promising cost-effective primitive/component in trust anchors for constrained embedded devices. In this part of the thesis we evaluate the security of several PUF primitives. We demonstrate a noninvasive fault injection attack on SRAM PUFs that is conducted by controlling the voltage supply to the PUF under attack for the recovery of the secret PUF response [1]. Then, we present remote software-based fault injection attack on Rowhammer PUFs and modeling attacks on Rowhammer PUFs and memristor-based PUFs that require no physical access to the PUF under attack [2, 3]. This pivot is based on the following publications: [1] Shaza Zeitouni, Yossef Oren, Christian Wachsmann, Patrick Koeberl, Ahmad-Reza Sadeghi. “Remanence Decay Side-Channel: The PUF Case”. In IEEE Transactions on Information Forensics and Security (TIFS), Vol. 11, 2015. [2] Shaza Zeitouni, David Gens, Ahmad-Reza Sadeghi. “It’s Hammer Time: How to Attack (Rowhammer-based) DRAM-PUFs”. In Proceedings of the 55th ACM/IEEE Design Automation Conference (DAC’18), 2018. [3] Shaza Zeitouni, Emmanuel Stapf, Hossein Fereidooni, Ahmad-Reza Sadeghi. “On the Security of Strong Memristor-based Physically Unclonable Functions”. In Proceedings of the 57th ACM/IEEE Design Automation Conference (DAC’20), 2020. Runtime Protection. Memory corruption attacks aim at diverting the execution of software at runtime without violating its integrity at rest. While static attestation is a well established approach to verify the trustworthiness/integrity of software components and detect malware attacks, it cannot detect runtime attacks. In this part of the thesis, we present our runtime defenses for embedded systems under different deployment and adversary models and their underlying hardware-based trust anchors that we design and implement. We present i) LO-FAT, the first hardware-based control-flow attestation scheme to mitigate runtime control-flow attacks [4], ii) ATRIUM, the first runtime attestation scheme to capture executed instructions/binaries and control-flow behavior simultaneously to mitigate runtime control-flow as well as Time of Check Time of Use attacks [5], iii) CHASE, a flexible runtime attestation scheme suitable for real-time constrained devices [6] and iv) HardScope, a runtime context-specific memory isolation scheme to efficiently mitigate currently-known runtime data-oriented attacks [7]. This pivot is based on the following publications: [4] Ghada Dessouky, Shaza Zeitouni, Thomas Nyman, Andrew Paverd, Lucas Davi, Patrick Koeberl, N. Asokan, Ahmad-Reza Sadeghi. “LO-FAT: Low-Overhead Control Flow ATtestation in Hardware”. In Proceedings of the 54th ACM/IEEE Design Automation Conference (DAC’17), 2017. [5] Shaza Zeitouni, Ghada Dessouky, Orlando Arias, Dean Sullivan, Ahmad Ibrahim, Yier Jin, Ahmad-Reza Sadeghi. “ATRIUM: Runtime Attestation Resilient Under Memory Attacks”. In Proceedings of the 36th ACM/IEEE International Conference on Computer Aided Design (ICCAD’17), 2017. [6] Ghada Dessouky, Shaza Zeitouni, Ahmad Ibrahim, Lucas Davi, Ahmad-Reza Sadeghi. “CHASE: Configurable Hardware-Assisted Security Extension for Real-Time Systems”. In Proceedings of the 38th ACM/IEEE International Conference on Computer Aided Design (ICCAD’19), 2019. [7] Thomas Nyman, Ghada Dessouky, Shaza Zeitouni, Aaro Lehikoinen, Andrew Paverd, N. Asokan, Ahmad-Reza Sadeghi. “HardScope: Hardening Embedded Systems Against Data-Oriented Attacks”. In Proceedings of the 56th ACM/IEEE Design Automation Conference (DAC’19), 2019. Trusted Configuration. Due to their flexibility and high performance-to-power ratio, Field Programmable Gate Arrays (FPGAs) have found their way into data centers. Major Cloud Service Providers (CSPs) offer their clients FPGA-accelerated compute instances and allow them to freely configure the FPGAs. However, this deployment model engenders a new type of physical attacks that can be launched remotely by clients using only malicious FPGA configurations. In this part of the thesis, we systematize the research work on cloud FPGAs and spot the light on fundamental security concerns and challenges [8]. Among them, the mutual trust problem of FPGA configuration: clients aim to protect their proprietary designs by encrypting FPGA configurations, while CSPs do not support the use of encrypted configurations and require access to FPGA configurations to inspect for malicious primitives, e.g. voltage sensors. To tackle this open challenge, we present a security protocol between the involved parties and its underlying hardware-based trust anchor that we design and implement for trusted configuration on cloud FPGAs [9]. This pivot is based on the following publications: [8] Ghada Dessouky, Ahmad-Reza Sadeghi, Shaza Zeitouni. “SoK: Secure FPGA Multi-Tenancy in the Cloud: Challenges and Opportunities”. In Proceedings of the 6th IEEE European Symposium on Security and Privacy (EuroS&P’21), 2021. [9] Shaza Zeitouni, Jo Vliegen, Tommaso Frassetto, Dirk Koch, Ahmad-Reza Sadeghi, Nele Mentens. “Trusted Configuration in Cloud FPGAs”. In Proceedings of the 29th IEEE International Symposium On Field-Programmable Custom Computing Machines (FCCM’21), 2021

SeED: Secure Non-Interactive Attestation for Embedded Devices

Remote attestation is a security service that is typically realized by an interactive challenge-response protocol that allows a trusted verifier to capture the state of a potentially untrusted remote device. However, existing attestation schemes are vulnerable to Denial of Service (DoS) attacks, which can be carried out by swamping the targeted device with fake attestation requests. In this paper, we propose SeED, the first non-interactive attestation protocol that mitigates DoS attacks and is highly efficient. Designing such a protocol is not straightforward, since it relies on a potentially malicious prover to trigger the attestation process. We investigate the related challenges and subtleties and describe how to address them with minimal assumptions. As evaluation results show, our non-interactive attestation protocol is particularly suitable for resource-constrained embedded devices, since it is highly efficient in terms of power consumption and communication

It’s Hammer Time: How to Attack (Rowhammer-based) DRAM-PUFs

Physically Unclonable Functions (PUFs) are still considered promising technology as building blocks in cryptographic protocols. While most PUFs require dedicated circuitry, recent research leverages DRAM hardware for PUFs due to its intrinsic properties and wide deployment. Recently, a new memory-based PUF was proposed that utilizes the infamous Rowhammer effect in DRAM. In this paper, we show two remote attacks on DRAM-based PUFs. First, a DoS attack that exploits the Rowhammer effect to manipulate PUF responses. Second, a modeling attack that predicts PUF responses by observing few challenge-response pairs. Our results indicate that DRAM may not be suitable for PUFs

Atrium: Runtime Attestation Resilient Under Memory Attacks

Remote attestation is an important security service that allows a trusted party (verifier) to verify the integrity of a software running on a remote and potentially compromised device (prover). The security of existing remote attestation schemes relies on the assumption that attacks are software-only and that the prover\u27s code cannot be modified at runtime. However, in practice, these schemes can be bypassed in a stronger and more realistic adversary model that is hereby capable of controlling and modifying code memory to attest benign code but execute malicious code instead - leaving the underlying system vulnerable to Time of Check Time of Use (TOCTOU) attacks. In this work, we first demonstrate TOCTOU attacks on recently proposed attestation schemes by exploiting physical access to prover\u27s memory. Then we present the design and proof-of-concept implementation of ATRIUM, a runtime remote attestation system that securely attests both the code\u27s binary and its execution behavior under memory attacks. ATRIUM provides resilience against both software- and hardware-based TOCTOU attacks, while incurring minimal area and performance overhead