Buffer overflow attack with multiple fault injection and a proven countermeasure

In this paper, we present a hardware/software co-attack that hijacks the program flow of a microcontroller. The basic idea is to skip a few instructions by multiple fault injection into the microcontroller, in cooperation with a software attack. We focus on buffer overflow (BOF) attacks combined with such multiple fault injection. The proposed attack applies to program code that carries a typical software countermeasure against BOF attacks: it manipulates the program control flow by skipping the specific instructions that implement the countermeasure, so that the subsequent BOF attack code executes successfully on the microcontroller. We show the effectiveness of the proposed attack through experiments on an 8-bit AVR ATmega163 microcontroller and a 32-bit ARM Cortex-M0+ microcontroller, where the target software was equipped with a countermeasure limiting the size of user input against BOF attacks. The results show that our attack can overwrite a return address stored on the stack and call an arbitrary malicious function. We also propose a software countermeasure against our attack and prove its validity by examining all possible instruction skips.
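As an added illustration (not code from the paper), the following Python model enumerates every combination of skipped instructions against a toy length-checked copy, in the spirit of the exhaustive skip examination the abstract describes. The mini-ISA, both programs, and the clamping countermeasure are constructed for this example and are assumptions, not the paper's own attack or countermeasure.

```python
"""Instruction-skip robustness harness for a length-checked buffer copy (constructed model)."""
from itertools import combinations

BUF_MAX = 16  # capacity of the destination buffer in the model

# Hypothetical AVR/ARM-flavoured toy ISA used only for this simulation:
#   ("cmp", r, imm)  flag = R[r] > imm
#   ("brgt", t)      if flag: pc = t
#   ("min", r, imm)  R[r] = min(R[r], imm)      (clamp the copy length)
#   ("copy", r)      copy R[r] bytes into the BUF_MAX-byte buffer
#   ("ret",)         stop


def run(program, length, skipped=frozenset()):
    """Execute `program` with user-input length `length`, treating every index in
    `skipped` as a no-op (a glitch that makes the core drop a fetched instruction).
    Returns the number of bytes the copy step wrote into the buffer."""
    regs, flag, pc, copied = {"r0": length}, False, 0, 0
    while pc < len(program):
        ins, cur = program[pc], pc
        pc += 1
        if cur in skipped:
            continue
        op = ins[0]
        if op == "cmp":
            flag = regs[ins[1]] > ins[2]
        elif op == "brgt" and flag:
            pc = ins[1]
        elif op == "min":
            regs[ins[1]] = min(regs[ins[1]], ins[2])
        elif op == "copy":
            copied = regs[ins[1]]
        elif op == "ret":
            break
    return copied


# Typical guard: one compare-and-branch in front of the copy.
NAIVE = [("cmp", "r0", BUF_MAX), ("brgt", 3), ("copy", "r0"), ("ret",)]
# Constructed countermeasure: duplicated check plus a clamp right before the copy.
HARDENED = [("cmp", "r0", BUF_MAX), ("brgt", 6), ("cmp", "r0", BUF_MAX),
            ("brgt", 6), ("min", "r0", BUF_MAX), ("copy", "r0"), ("ret",)]


def min_skips_to_overflow(program, length=BUF_MAX + 8):
    """Smallest number of simultaneously skipped instructions that lets the copy
    exceed BUF_MAX, found by exhaustive enumeration; None if no combination does."""
    n = len(program)
    for k in range(1, n + 1):
        for combo in combinations(range(n), k):
            if run(program, length, frozenset(combo)) > BUF_MAX:
                return k
    return None
```

The harness reports that a single skipped instruction defeats the one-check guard, while the duplicated check with a clamp needs three simultaneous skips, which is the kind of bound a designer can compare against the fault model of the target core.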
