SlideShare a Scribd company logo

Controlling PC on ARM using Fault Injection

Riscure
Riscure

The slides from the presentation by Riscure's Niek Timmers, Albert Spruyt and Marc Whitteman. The paper describes an ARM specific fault injection attack strategy for exploiting embedded systems where externally controlled data is loaded in the program counter (PC) register of the processor.

Related slideshows

Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
 
1 of 86
Download to read offline
Public 1 Controlling PC on ARM using Fault Injection Niek Timmers timmers@riscure.com Albert Spruyt spruyt@riscure.com Marc Witteman witteman@riscure.com August 16, 2016
Public 2 Table of contents 1 Attack strategy 2 Practical attack scenario 3 Simulation 4 Experimentation 5 Countermeasures 6 Conclusion
Public 3 Fault injection techniques clock voltage electromagnetic laser
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 14 Experimentation - Test setup
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 16 Experimentation - Characterization
Public 17 Experimentation - Test application (LDR) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldr r0, [r1];" // 9 <repeat x1000> // GLITCH HERE 10 "ldr r0, [r1]" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: ""
Public 18 Experimentation - LDR - 10k
Public 19 Experimentation - Test application (LDMIA) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldmia r0!, r4-r7;" // 9 <repeat x1000> // GLITCH HERE 10 "ldmia r0!, r4-r7" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: "" ]
Public 20 Experimentation - LDMIA - 10k
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com
Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com

More Related Content

Controlling PC on ARM using Fault Injection

  • 1. Public 1 Controlling PC on ARM using Fault Injection Niek Timmers timmers@riscure.com Albert Spruyt spruyt@riscure.com Marc Witteman witteman@riscure.com August 16, 2016
  • 2. Public 2 Table of contents 1 Attack strategy 2 Practical attack scenario 3 Simulation 4 Experimentation 5 Countermeasures 6 Conclusion
  • 3. Public 3 Fault injection techniques clock voltage electromagnetic laser
  • 4. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 5. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 6. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 7. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 8. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 9. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 10. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 11. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 12. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 13. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 14. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 15. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 16. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 17. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 18. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 19. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 20. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 21. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 22. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 23. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 24. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 25. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 26. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 27. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 28. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 29. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 30. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 31. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 32. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 33. Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
  • 34. Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
  • 35. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 36. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 37. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 38. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 39. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 40. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 41. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 42. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 43. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 44. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 45. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 46. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 47. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 48. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 49. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 50. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 51. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 52. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 53. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 54. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 55. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 56. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 58. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 59. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 60. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 62. Public 17 Experimentation - Test application (LDR) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldr r0, [r1];" // 9 <repeat x1000> // GLITCH HERE 10 "ldr r0, [r1]" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: ""
  • 64. Public 19 Experimentation - Test application (LDMIA) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldmia r0!, r4-r7;" // 9 <repeat x1000> // GLITCH HERE 10 "ldmia r0!, r4-r7" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: "" ]
  • 66. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 67. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 68. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 69. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 70. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 71. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 72. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 73. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 74. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 75. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 76. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 77. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 78. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 79. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 80. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 81. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 82. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 83. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 84. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 85. Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com
  • 86. Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com