Perturbation attack on modern CPUs, from the fault model to the - - PowerPoint PPT Presentation

Perturbation attack on modern CPUs, from the fault model to the exploitation

Thomas TROUCHKINE1, Guillaume BOUFFARD1,2, Jessy CLÉDIÈRE3

1 National Cybersecurity Agency of France (ANSSI) 2 Information Security Group, École Normale Supérieure 3 CEA, LETI, MINATEC September, 24th 2020

My thesis

Evaluation of hardware attacks against System-On-Chip Jessy Clédière (Director) Guillaume Bouffard (Supervisor) Focus on the perturbation of modern CPUs

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 1 / 19

Modern CPU ?

Exynos 9820 SoC (Samsung)

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 2 / 19

Modern CPU ?

Exynos 9820 SoC (Samsung) Exynos M4 core

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 2 / 19

Targets

BCM2837

(Raspberry Pi 3 model B)

Intel Core i3-6100T

(Custom motherboard)

BMC2711b0

(Raspberry Pi 4)

Linux based OS (Raspbian Buster/Debian 9)

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 3 / 19

Fault injection mediums

Device EMFI LFI BCM2837 (RPi3)

• X

Intel Core i3

• X

BCM2711b0 (RPi4)

• Perturbation on CPUs

Thomas TROUCHKINE (ANSSI) September, 24th 2020 4 / 19

Characterization method

Tested program trigger_up();

• rr r5, r5;

... # several times

• rr r5, r5;

trigger_down(); Analysis paths

Faulted program Faulted data Registers Faulted instruction Pipeline Decode Execute Memory Fetch Bus Cache MMU

Initial values Register Value r0 0xfffe0001 r1 0xfffd0002 r2 0xfffb0004 r3 0xfff70008 r4 0xffef0010 r5 0xffdf0020 r6 0xffbf0040 r7 0xff7f0080 r8 0xfeff0100 r9 0xfdff0200

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 5 / 19

Characterization (BCM2837)

14 13 12 11 10 9 8 7 6 5 4 3 2 1 X position (mm) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Y position (mm) 1 2 3 4

Number of faults per positions

Positions of the probe over the chip leading to faults. Fault models Register corruption

Bit reset Instruction dependent value

Instruction corruption

Operands corruption Opcode corruption

Hypothesis

Fault targets cache

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 6 / 19

Characterization (Intel Core i3)

2 4 6 8 10 12 14 16 18 20 22 24 26 28 Position (mm) 2 4 6 8 10 12 14 16 18 20 22 24 26 28 Position (mm) 1

Number of faults per positions

Positions of the probe over the die leading to faults. Fault models Register corruption

Bit reset System values

Instruction corruption

Operands corruption Opcode corruption

Hypothesis

Fault targets cache

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 7 / 19

Characterization (Intel Core i3)

2 4 6 8 10 12 14 16 18 20 22 24 26 28 Position (mm) 2 4 6 8 10 12 14 16 18 20 22 24 26 28 Position (mm) 1 2 3 4 5

Number of reboots per positions

Positions of the probe over the die leading to reboots. Fault models Register corruption

Bit reset System values

Instruction corruption

Operands corruption Opcode corruption

Hypothesis

Fault targets cache

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 7 / 19

Characterization (BCM2711b0)

1 2 3 4 5 6 7 X position (mm) 1 2 3 4 5 6 Y position (mm) 1

Number of faults per position

Positions of the laser spot over the die leading to faults. Fault models Register corruption

Bit set Bit reset

Instruction corruption

Operands corruption Opcode corruption

Not an hypothesis

We mainly target the cache

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 8 / 19

Fault model exploitability

Component Injection medium Fault model Secrets Source/Binary Attack path Exploitation Characterization Analysis Exploitation

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 9 / 19

Exploitation

DFA on AES (BCM2837) target MixColumns 9th round entry 1 useful cipher every 294 injection (0.34%) 1 useful cipher every 10 minutes 2 to 8 ciphers needed for the attack Up to 3 hours of fault injections Forced authentication (On going) target password verification functions from PAM library use-case with sudo program 2 library dynamic loads and 12 functions involved in total

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 10 / 19

Exploitation - OpenSSL AES

Fault probability regarding the delay of injection

2 2.5 3 3.5 4 4.5 5 5.5 6

·10−7

1 2 3 4 5 Delays (s) Fault Probability (%)

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 11 / 19

Exploitation - OpenSSL AES

Number of faulted ciphers with a specific number of faulted diagonals regarding the delay of injection

2 2.5 3 3.5 4 4.5 5 5.5 6

·10−7

5 10 15 Delay (s) Number of faulted ciphers Number of faulted diagonals: 1 2 3 4

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 12 / 19

Exploitation - OpenSSL AES

Number of faulted ciphers with a specific number of faulted diagonals regarding the delay of injection

2 2.5 3 3.5 4 4.5 5 5.5 6

·10−7

5 10 15 Delay (s) Number of faulted ciphers Number of faulted diagonals: 1 2 3 4

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 13 / 19

Exploitation - Forced authentication

Default sudo behavior

sudo sudoers.so libpam.so pam_unix.so dynamically load dynamically load depends on

sudoers_policy_check() sudoers_policy_main() check_user() check_user_interactive() verify_user() sudo_pam_verify() pam_authenticate() _pam_dispatch() _pam_dispatch_aux() pam_sm_authenticate() _unix_verify_password() verify_pwd_hash()

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 14 / 19

Exploitation - Forced authentication

sudo source code /* Initialize plugin... */

• k = policy_check(&policy_plugin, nargc, nargv, env_add,

&command_info, &argv_out, &user_env_out); if (ok != 1) { /* Critical if comparison */ if (ok == -2) usage(1); exit(EXIT_FAILURE); } /* Execute command as root... */

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 15 / 19

Exploitation - Forced authentication

Traces acquired on BCM2711b0 (Laser Fault Injection)

hash comparison based on strncmp() function

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 16 / 19

Exploitation - Forced authentication

Target program execution flow

Bench Send signal Wait trigger Perturb Wait response Thread 1 Wait signal Send (dummy) password Wait response Send response Thread 2 sudo ‘command’ Wait password Verify password Send response Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 17 / 19

Exploitation - Forced authentication

Target program execution flow

Bench Send signal Wait trigger Perturb Wait response Thread 1 Wait signal Send (dummy) password Wait response Send response Thread 2 sudo ‘command’ Wait password Verify password Send response Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 17 / 19

Exploitation - Forced authentication

Target program execution flow

Bench Send signal Wait trigger Perturb Wait response Thread 1 Wait signal Send (dummy) password Wait response Send response Thread 2 sudo ‘command’ Wait password Verify password Send response Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 17 / 19

Exploitation - Forced authentication

Target program execution flow

Bench Send signal Wait trigger Perturb Wait response Thread 1 Wait signal Send (dummy) password Wait response Send response Thread 2 sudo ‘command’ Wait password Verify password Send response Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 17 / 19

Exploitation - Forced authentication

Target program execution flow

Bench Send signal Wait trigger Perturb Wait response Thread 1 Wait signal Send (dummy) password Wait response Send response Thread 2 sudo ‘command’ Wait password Verify password Send response Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 17 / 19

Conclusion

Classical fault injection mediums (EMFI, Laser) are:

efficient on modern CPUs characterizable and understandable

Modern CPUs have shown sensitive to faults elements, in particular the cache memory Modern CPUs asynchronous behavior and high frequencies does not protect against timing precision demanding attacks like DFA

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 18 / 19

Future works

Achieve a forced authentication on the targets Link side-channel activity with chip activity Realize tests on in production chips (embedded in smartphones for instance) Determine how the cache is faulted and design an adapted countermeasure

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 19 / 19

Questions?

Perturbation on CPUs Thomas TROUCHKINE (ANSSI) September, 24th 2020 19 / 19