Protecting the Control Flow of Embedded Processors against Fault - - PowerPoint PPT Presentation
W I S S E N T E C H N I K L E I D E N S C H A F T Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich Wenger 2 , and Stefan Mangard 1 , 1 Graz University of Technology 2 Infineon
W I S S E N T E C H N I K L E I D E N S C H A F T www.iaik.tugraz.at
Mario Werner1, Erich Wenger2, and Stefan Mangard1,
1 Graz University of Technology 2 Infineon Technologies AG, Munich
5th November 2015, Bochum
www.iaik.tugraz.at
Embedded systems are everywhere Assets in malicious environment
System Memory Processor Crypto
Various assets Protecting cryptographic primitives is insufficient
Werner, Wenger, Mangard, 5th November 2015, Bochum 2
www.iaik.tugraz.at
unsigned pin = read_pin(); bool auth = tpm_check(pin); if( auth ) {
} else { alert_police(); } log_event(); read_pin() tpm_check(pin) check if auth == true
alert_police() log_event()
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
unsigned pin = read_pin(); bool auth = tpm_check(pin); if( auth ) {
} else { alert_police(); } log_event(); check condition perform action handle error continue
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
check_auth: // auth in R0 (1 if true) LDR R1, #1 CMP R0, R1 BNE not_authenticated authenticated: // open door // ... B next not_authenticated: // alert police next: // log event
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
check_auth: // auth in R0 (1 if true) LDR R1, #1 CMP R0, R1 BEQ not_authenticated authenticated: // open door // ... B next not_authenticated: // alert police next: // log event
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
check_auth: // auth in R0 (1 if true) LDR R1, #1 CMP R0, R0 BNE not_authenticated authenticated: // open door // ... B next not_authenticated: // alert police next: // log event
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
check_auth: // auth in R0 (1 if true) LDR R1, #1 CMP R0, R1 BNE not_authenticated authenticated: // open door // ... B next not_authenticated: // alert police next: // log event
Werner, Wenger, Mangard, 5th November 2015, Bochum 3
www.iaik.tugraz.at
Goal: Enforce control-flow integrity Results: Analysis and evaluation of signature functions Detect a faulty instruction with 99.9 % within 3 cycles (arbitrary fault) Resistant against at least 7 precise bit flips injected across two instructions HDL implementation for a Cortex-M3 clone LLVM based toolchain 6.4 % hardware overhead 2 % to 71 % runtime overhead
Werner, Wenger, Mangard, 5th November 2015, Bochum 4
www.iaik.tugraz.at
Perform only intended function calls Traverse control flow graph along programmed edges Execute basic blocks from start to end Preserve instructions and their order
main
read_pin check_pin unlock_door alert_police log_event
Werner, Wenger, Mangard, 5th November 2015, Bochum 5
www.iaik.tugraz.at
Perform only intended function calls Traverse control flow graph along programmed edges Execute basic blocks from start to end Preserve instructions and their order
check auth
alert_police() log_event()
Werner, Wenger, Mangard, 5th November 2015, Bochum 5
www.iaik.tugraz.at
Perform only intended function calls Traverse control flow graph along programmed edges Execute basic blocks from start to end Preserve instructions and their order
check auth
alert_police() log_event()
Werner, Wenger, Mangard, 5th November 2015, Bochum 5
www.iaik.tugraz.at
Perform only intended function calls Traverse control flow graph along programmed edges Execute basic blocks from start to end Preserve instructions and their order
check_auth: // auth in R0 (1 if true) LDR R1, #1 CMP R0, R0 BNE not_authenticated
Werner, Wenger, Mangard, 5th November 2015, Bochum 5
www.iaik.tugraz.at
Instruction stream integrity through derived signatures [MM88] Generalized path signature analysis (GPSA) [WS90] Optimize against fault attacks Implemented as hybrid scheme Dedicated assertions Continuous checks
Werner, Wenger, Mangard, 5th November 2015, Bochum 6
www.iaik.tugraz.at
R e s e t _ H a n d l e r x x b 5 b b 5 b : p u s h { r 4 , r 5 , r 7 , l r } x 1 6 4 b 2 a f 2 : a d d r 7 , s p , # 8 x 1 a c b f 4 8 d : l d r r , [ p c , # 5 2 ] x 1 f 5 c d 4 9 e : l d r r 1 , [ p c , # 5 6 ] x 2 3 8 5 5 4 2 8 8 : c m p r , r 1 x 3 a 6 2 d 2 d : b h s # 2 6 R e s e t _ H a n d l e r : 1 x 3 a 6 2 x 3 5 4 6 f 4 a d : l d r r 2 , [ p c , # 5 2 ] . . . R e s e t _ H a n d l e r : 2 x 3 a 6 2 x 3 5 6 6 8 4 c 6 : l d r r 4 , [ p c , # 2 4 ] . . . ???
Werner, Wenger, Mangard, 5th November 2015, Bochum 7
www.iaik.tugraz.at
% 1 ( i f ) / / . . . % 2 / / . . . / / . . . % 3 / / . . . % 4 / / . . . / / . . .
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 1 ( i f ) / / . . . % 2 / / . . . / / . . . % 3 / / . . . update(sig1) % 4 / / . . . / / . . .
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 1 ( i f ) / / . . . % 2 / / . . . / / . . . % 3 / / . . . update(sig1) % 4 / / . . . / / . . . check(sig2)
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 1 ( i f ) / / . . . % 2 / / . . . / / . . . % 3 / / . . . update(sig1) % 4 / / . . . / / . . . check(sig2)
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 2 ( w h i l e ) / / . . . % 1 / / . . . % 3 ( i f ) / / . . . % 6 / / . . . r e t u r n % 4 / / . . . % 5 / / . . . r e t u r n
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 2 ( w h i l e ) / / . . . % 1 / / . . . % 3 ( i f ) / / . . . % 6 / / . . . r e t u r n % 4 / / . . . update(sig1) % 5 / / . . . r e t u r n
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
% 2 ( w h i l e ) / / . . . % 1 / / . . . % 3 ( i f ) / / . . . % 6 update(sig2) / / . . . r e t u r n % 4 / / . . . update(sig1) % 5 / / . . . r e t u r n
Werner, Wenger, Mangard, 5th November 2015, Bochum 8
www.iaik.tugraz.at
Compression function Avoid collisions within one cycle Qualitative Requirements for GPSA: Reliability: Sj+1 ⊕ ∆Sj+1 = f(Sj, Ij ⊕ ∆Ij) Error preservation: Sj+1 ⊕ ∆Sj+1 = f(Sj ⊕ ∆Sj, Ij) Non associativity: f(f(Sj, Ij), Ik) = f(f(Sj, Ik), Ij) Invertibility: Sj = f −1(Sj+1, Ij) → single faulty instructions detectable
Werner, Wenger, Mangard, 5th November 2015, Bochum 9
www.iaik.tugraz.at
MISRs and CRCs with various polynomials How hard is it to bypass the protection? Quality function: q(j, t) = HW(∆Ij) + HW(∆Ij+t) Worst case behavior min(q) matters → CRCs are better than MISRs against faults → min(q) = 8 for CRC-32C and CRC-32Q
Werner, Wenger, Mangard, 5th November 2015, Bochum 10
www.iaik.tugraz.at
Hardware: Monitor for derived signatures Extended fetch unit Software: Compiler for ... GPSA signature updates ... assertions Post-processing tool for ... update and check constants ... continuous signature monitoring (CSM)
Werner, Wenger, Mangard, 5th November 2015, Bochum 11
www.iaik.tugraz.at
Cortex-M3 Execute Decode Fetch ALU MUL/ DIV Code Addr. CodeIn Address DataIn Register File DataOut Fetch Controller Address Generation Unit System Address Space Signature Monitor RAM Peripherals Fetched Instructions Reference Signatures for CSM Controller f u signature Werner, Wenger, Mangard, 5th November 2015, Bochum
12
www.iaik.tugraz.at
Hardware: CPU Core: 37 kGE Monitor: 1.5 kGE (4 %) Monitor + Core with CSM: 39 kGE (6.4 %) Benchmarks: Modified vs stock LLVM Coremark AES-256 Elliptic Curve Cryptography in C and with ASM
Werner, Wenger, Mangard, 5th November 2015, Bochum 13
www.iaik.tugraz.at
2.3 69 56.7 9.6 29 36.7 9 78.9 33.3 8 53.5 1.9
Werner, Wenger, Mangard, 5th November 2015, Bochum 14
www.iaik.tugraz.at
Werner, Wenger, Mangard, 5th November 2015, Bochum 15
www.iaik.tugraz.at
Analysis and evaluation of signature functions Detect a faulty instruction with 99.9 % within 3 cycles (arbitrary fault) Resistant against at least 7 precise bit flips injected across two instructions HDL implementation for a Cortex-M3 clone LLVM based toolchain 6.4 % hardware overhead 2 % to 71 % runtime overhead
Werner, Wenger, Mangard, 5th November 2015, Bochum 16
W I S S E N T E C H N I K L E I D E N S C H A F T www.iaik.tugraz.at
Mario Werner1, Erich Wenger2, and Stefan Mangard1,
1 Graz University of Technology 2 Infineon Technologies AG, Munich
5th November 2015, Bochum
www.iaik.tugraz.at
[MM88] A Mahmood and E.J. McCluskey, Concurrent error detection using watchdog processors-a survey, IEEE Transactions on Computers 37 (1988), no. 2, 160–174. [WS90] Kent D. Wilken and John Paul Shen, Continuous signature monitoring: low-cost concurrent detection of processor control errors, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 9 (1990), no. 6, 629–641.
Werner, Wenger, Mangard, 5th November 2015, Bochum 18