When a Patch is Not Enough - HardFails: Software-Exploitable Hardware Bugs

Modern computer systems are becoming faster, more efficient, and increasingly interconnected with each generation. Consequently, these platforms also grow more complex, and each new feature introduces the possibility of new bugs. The semiconductor industry therefore employs a combination of verification techniques to ensure the security of System-on-Chip (SoC) designs throughout the development life cycle. However, a growing number of increasingly sophisticated attacks leverage cross-layer bugs by exploiting subtle interactions between hardware and software, as recently demonstrated by a series of real-world exploits with significant security impact that affected all major hardware vendors. Such bugs are software-exploitable but rooted in the hardware itself, and a software patch alone is often not enough to mitigate them.
