Pointing in the Right Direction - Securing Memory Accesses in a Faulty World

Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, the assumption that the hardware performs its memory operations as instructed no longer holds. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multiresidue error detection code. The redundancy information is stored in the unused upper bits of the pointer, with zero storage overhead. Second, load and store instructions are extended to link the data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value, allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure in a RISC-V processor, tested it on an FPGA development board, and measured the induced overhead. Furthermore, an LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10 % in code size and 7 % in runtime, which makes it suitable for practical adoption.
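The two building blocks described in the abstract, as a toy software model added here for illustration. This is not the paper's hardware design, its compiler, or its exact code parameters: the 48-bit address layout, the moduli 2^8-1 and 2^7-1 placed in bits 48..62, the AN code on data words, the additive link operation, and the simulated memory with a faultable address path are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Toy model, written for this page, of multiresidue-encoded pointers plus
 * address/data linking.  Layout, moduli and the link operation are assumptions
 * chosen for illustration, not the paper's actual hardware or compiler. */
#define ADDR_BITS 48                        /* usable address bits (assumption) */
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)
#define M1 255u                             /* 2^8 - 1, residue stored in bits 48..55 */
#define M2 127u                             /* 2^7 - 1, residue stored in bits 56..62 */
#define AN_A 58659ULL                       /* AN-code constant protecting data words (assumption) */

/* Residues of an address, positioned in the otherwise unused upper 16 bits. */
static uint64_t residue_field(uint64_t addr) {
    return ((addr % M1) << 48) | ((addr % M2) << 56);
}

uint64_t ptr_encode(uint64_t addr) {
    addr &= ADDR_MASK;
    return addr | residue_field(addr);
}

/* Valid iff the stored residues match the address bits.  With moduli of the
 * form 2^k - 1 every single-bit error, in the address or in a residue, changes
 * at least one residue, so it is always caught. */
bool ptr_check(uint64_t p) {
    return (p & ~ADDR_MASK) == residue_field(p & ADDR_MASK);
}

/* Encoded pointer arithmetic: address and residues are advanced independently,
 * so the redundancy is carried through rather than stripped and recomputed.
 * Assumes addr + off stays below 2^ADDR_BITS. */
uint64_t ptr_add(uint64_t p, uint64_t off) {
    uint64_t addr = ((p & ADDR_MASK) + off) & ADDR_MASK;
    uint64_t r1 = (((p >> 48) & 0xFF) + off % M1) % M1;
    uint64_t r2 = (((p >> 56) & 0x7F) + off % M2) % M2;
    return addr | (r1 << 48) | (r2 << 56);
}

/* Data words carry their own code so that an infected word is detectable. */
uint64_t data_encode(uint64_t v) { return v * AN_A; }
bool     data_check(uint64_t w)  { return w % AN_A == 0; }
uint64_t data_decode(uint64_t w) { return w / AN_A; }

/* A small memory whose address path can be faulted: addr_fault holds the bits
 * the memory unit flips in the address it actually uses. */
#define MEM_BASE  0x10000ULL
#define MEM_WORDS 64
typedef struct { uint64_t words[MEM_WORDS]; uint64_t addr_fault; } mem_t;

static uint64_t *mem_slot(mem_t *m, uint64_t addr) {
    uint64_t effective = (addr ^ m->addr_fault) & ADDR_MASK;
    return &m->words[((effective - MEM_BASE) >> 3) % MEM_WORDS];
}

/* Linked store/load: the residue field of the encoded pointer is added to the
 * word on store and subtracted on load.  A word that reaches the wrong address
 * is later unlinked with a different residue field and comes out infected. */
void store_linked(mem_t *m, uint64_t p, uint64_t w) {
    *mem_slot(m, p & ADDR_MASK) = w + (p >> 48);
}
uint64_t load_linked(mem_t *m, uint64_t p) {
    return *mem_slot(m, p & ADDR_MASK) - (p >> 48);
}

/* Every single-bit flip of an encoded pointer is rejected by ptr_check. */
bool all_single_flips_detected(uint64_t addr) {
    uint64_t p = ptr_encode(addr);
    for (unsigned i = 0; i < 64; i++)
        if (ptr_check(p ^ (1ULL << i))) return false;
    return ptr_check(p);
}

/* Fault-free path: store and load through the same encoded pointer round-trip. */
uint64_t roundtrip(uint64_t value) {
    mem_t m = {0};
    uint64_t p = ptr_encode(MEM_BASE + 0x40);
    store_linked(&m, p, data_encode(value));
    uint64_t w = load_linked(&m, p);
    return data_check(w) ? data_decode(w) : UINT64_MAX;
}

/* Faulted store: the word meant for address A lands at A ^ (1 << flipped_bit).
 * A later, correct load from that address unlinks with the wrong residue field,
 * and the data check fails.  Returns true if the fault is detected. */
bool faulted_store_detected(unsigned flipped_bit) {
    mem_t m = {0};
    uint64_t a  = MEM_BASE + 0x40;
    uint64_t pa = ptr_encode(a);
    uint64_t pb = ptr_encode(a ^ (1ULL << flipped_bit));
    m.addr_fault = 1ULL << flipped_bit;     /* fault active during the store */
    store_linked(&m, pa, data_encode(0xC0FFEEULL));
    m.addr_fault = 0;                       /* fault-free load via the address really written */
    return !data_check(load_linked(&m, pb));
}
```

Two properties of the toy model carry over to the real scheme. Because the moduli are of the form 2^k - 1, a single flipped bit anywhere in the encoded pointer changes at least one residue, so `ptr_check` never accepts it; and because the link tag is derived from the residues rather than the raw address, a word written to a wrong address is unlinked later with a different tag, so the fault shows up in the data rather than vanishing silently. The data-side AN code is what turns "infected" into "detected"; without some code on the data, the load would simply return a wrong value.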
