Pengfei Qiu,Dongsheng Wang,Yongqiang Lyu,Gang Qu

DOI: https://doi.org/10.1109/asp-dac52403.2022.9712588

2022-01-01

Abstract:Dynamic Voltage and Frequency Scaling (DVFS) is a widely deployed low-power technology in modern systems. In this paper, we discover a vulnerability in the implementation of the DVFS technology that allows us to measure the processor's frequency in the userspace. By exploiting this vulnerability, we successfully implement a covert channel on the commercial Intel platform and demonstrate that the covert channel can reach a throughput of 28.41bps with an error rate of 0.53%. This work indicates that the processor's hardware information that is unintentionally leaked to the userspace by the privileged kernel modules may cause security risks.

Pengfei Qui,Dongsheng Wang,Yongqiang Lyu,Gang Qu

DOI: https://doi.org/10.1145/3427384.3427394

2020-01-01

Abstract:AbstractBased on the concept of hardware separation, ARM introduced TrustZone to build a trusted execution environment for applications. It has been quite successful in defending against various software attacks and forcing attackers to explore vulnerabilities in interface designs and side channels. In this article, we propose an innovative software-controlled hardware fault-based attack, VoltJockey, on multi-core processors that adopt dynamic voltage and frequency scaling (DVFS) techniques for energy efficiency. We deliberately manipulate the processor voltage via DVFS to induce hardware faults into the victim cores, and therefore breaking TrustZone. The entire attack process is based on software without any involvement of hardware, which makes VoltJockey stealthy and hard to prevent.

Pengfei Qiu,Dongsheng Wang,Yongqiang Lyu,Gang Qu

DOI: https://doi.org/10.1145/3319535.3354201

2019-01-01

Abstract:ARM TrustZone builds a trusted execution environment based on the concept of hardware separation. It has been quite successful in defending against various software attacks and forcing attackers to explore vulnerabilities in interface designs and side channels. The recently reported CLKscrew attack breaks TrustZone through software by overclocking CPU to generate hardware faults. However, overclocking makes the processor run at a very high frequency, which is relatively easy to detect and prevent, for example by hardware frequency locking. In this paper, we propose an innovative software-controlled hardware fault-based attack, VoltJockey, on multi-core processors that adopt dynamic voltage and frequency scaling (DVFS) techniques for energy efficiency. Unlike CLKscrew, we manipulate the voltages rather than the frequencies via DVFS unit to generate hardware faults on the victim cores, which makes VoltJockey stealthier and harder to prevent than CLKscrew. We deliberately control the fault generation to facilitate differential fault analysis to break TrustZone. The entire attack process is based on software without any involvement of hardware. We implement VoltJockey on an ARM-based Krait processor from a commodity Android phone and demonstrate how to reveal the AES key from TrustZone and how to breach the RSA-based TrustZone authentication. These results suggest that VoltJockey has a comparable efficiency to side channels in obtaining TrustZone-guarded credentials, as well as the potential of bypassing the RSA-based verification to load untrusted applications into TrustZone. We also discuss both hardware-based and software-based countermeasures and their limitations.

Cheng Zhuo,Shaoheng Luo,Houle Gan,Jiang Hu,Zhiguo Shi

DOI: https://doi.org/10.1109/TCAD.2019.2917844

IF: 2.9

2020-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Low power system-on-chips (SoCs) are now at the heart of Internet-of-Things (IoT) devices, which are well-known for their bursty workloads and limited energy storage-usually in the form of tiny batteries. To ensure battery lifetime, dynamic voltage frequency scaling (DVFS) has become an essential technique in such SoC chips. With continuously decreasing supply level, noise margins in these devices...

Junge Xu,Fan Zhang,Wenguang Jin,Kun Yang,Zeke Wang,Weixiong Jiang,Yajun Ha

DOI: https://doi.org/10.1109/tcad.2024.3426364

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With increasing computation of various applications, dynamic voltage and frequency scaling (DVFS) is gradually deployed on FPGAs to improve performance and save energy. However, its reliability and security have not been sufficiently evaluated, which incurs quite many concerns. In this paper, we propose an evaluation framework for deep investigation of stealthy DVFS fault injection attacks on the state-of-the-art deep neural networks (DNNs) deployed on modern FPGAs. The evaluation framework mainly consists of a DVFS attack striker and a time-to-digital converter (TDC) based hardware profiler. Two modes of evaluation are derived, and their effectiveness is demonstrated on a platform composed of a SkyNet accelerator and three ImageNet models built on a Xilinx deep learning processor unit (DPU). Experimental results show that more than 99% detection accuracy loss can be measured targeting at all tested DNN models under prospective operation mode but without any performance degradation in frame per second (FPS). In our investigation of sensitive layer mode, more than 93% average accuracy loss with 84.7% fault probability can be measured on a single bundle of the SkyNet. We characterize the vulnerabilities of different DNN layers subject to DVFS attacks through leveraging the TDC-based hardware profiler to precisely control the timing of fault injection.

Pengfei Qiu,Dongsheng Wang,Yongqiang Lyu,Gang Qu

DOI: https://doi.org/10.1109/AsianHOST47458.2019.9006701

2019-01-01

Abstract:Intel software-guard extensions (SGX) allows applications to run in a trusted space (enclave), which provides a highly secure primitive for the running codes and data. Most state-of-the-art attacks on SGX either exploit software vulnerabilities in the enclave or utilize side channels. In this study, we propose the first fault injection attack to break SGX by using voltage-induced hardware faults. This attack is completely controlled by software. It does not require the availability of any software vulnerability. Our proposed attack targets multi-core processors where dynamic voltage and frequency scaling (DVFS) is equipped, which covers most of the commercial processors including those by Intel and ARM. We follow the basic principle for frequency and voltage based fault injection attacks which adjust the frequency or voltage levels deliberately to create hardware faults. We have demonstrated that the software-controlled voltage glitches are effective to fault ARM processors in the previous work. However, to the best of our knowledge, this is the first realization of such attacks on SGX. More specifically, we develop a kernel module to schedule frequency and voltage for Intel processors through their model-specific registers (MSR). We firstly utilize the module to furnish the processor a transient low voltage with controlled timing to inject a temporal fault into the target location of the program running on SGX. Then we perform differential fault analysis on the outputs before and after the injection of faults. This allows us to obtain the SGX-protected confidential data such as encryption keys, with which we can access program and data in the enclave or run any application in the enclave. For demonstration, we successfully deploy the proposed attack to extract the key of an AES executed in the SGX enclave.

Cheng Zhuo,Di Gao,Yuan Cao,Tianhao Shen,Li Zhang,Jinfang Zhou,Xunzhao Yin

DOI: https://doi.org/10.1109/mdat.2021.3119279

2021-01-01

IEEE Design and Test

Abstract:Dynamic voltage and frequency scaling (DVFS) is an essential approach to optimize the performance and energy tradeoff. In this article, learning models predict the workload and then estimate the corresponding power and thermal dissipation. The proposed framework utilizes a deep reinforcement learning (DRL)-based controller. —Ulf Schlichtmann, Technical University of Munich

Marvin Saß,Richard Mitev,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.2302.06932

2023-03-01

Abstract:Voltage Fault Injection (VFI), also known as power glitching, has proven to be a severe threat to real-world systems. In VFI attacks, the adversary disturbs the power-supply of the target-device forcing the device to illegitimate behavior. Various countermeasures have been proposed to address different types of fault injection attacks at different abstraction layers, either requiring to modify the underlying hardware or software/firmware at the machine instruction level. Moreover, only recently, individual chip manufacturers have started to respond to this threat by integrating countermeasures in their products. Generally, these countermeasures aim at protecting against single fault injection (SFI) attacks, since Multiple Fault Injection (MFI) is believed to be challenging and sometimes even impractical. In this paper, we present {\mu}-Glitch, the first Voltage Fault Injection (VFI) platform which is capable of injecting multiple, coordinated voltage faults into a target device, requiring only a single trigger signal. We provide a novel flow for Multiple Voltage Fault Injection (MVFI) attacks to significantly reduce the search complexity for fault parameters, as the search space increases exponentially with each additional fault injection. We evaluate and showcase the effectiveness and practicality of our attack platform on four real-world chips, featuring TrustZone-M: The first two have interdependent backchecking mechanisms, while the second two have additionally integrated countermeasures against fault injection. Our evaluation revealed that {\mu}-Glitch can successfully inject four consecutive faults within an average time of one day. Finally, we discuss potential countermeasures to mitigate VFI attacks and additionally propose two novel attack scenarios for MVFI.

Cryptography and Security

Bin Lin,Arindam Mallik,Peter A. Dinda,Gokhan Memik,Robert P. Dick

DOI: https://doi.org/10.1145/1269899.1254931

2007-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Dynamic Voltage and Frequency Scaling (DVFS) is one of the most commonly used power reduction techniques in high-performance processors. DVFS varies the frequency and voltage of a microprocessor in real-time according to processing needs. Although there are different versions of DVFS, at its core DVFS adapts power consumption and performance to the current workload of the CPU. Specifically, existing DVFS techniques in high-performance processors select an operating point (CPU frequency and voltage) based on the utilization of the processor. This approach integrates OS-level control, but such control is pessimistic. Existing DVFS techniques are pessimistic about the user. Indeed, they ignore the user, assuming that CPU utilization or the OS events prompting it are sufficient proxies. A high CPU utilization simply leads to a high frequency and high voltage, regardless of the user’s satisfaction or expectation of performance. Existing DVFS techniques are pessimistic about the CPU. They assume worst-case manufacturing process variation and operating temperature by basing their policies on loose worstcase bounds given by the processor manufacturer. A voltage level for a given frequency is set such that even the worst shipped processor of a given generation will be stable at the highest specified temperature. In response to these observations, we have developed, implemented, and evaluated the following two new power management techniques that can be readily employed independently or together. We elaborate on these techniques in detail elsewhere [4].

Debopriya Roy Dipta,Berk Gulmezoglu

DOI: https://doi.org/10.48550/arXiv.2206.13660

2022-08-09

Abstract:The arm race between hardware security engineers and side-channel researchers has become more competitive with more sophisticated attacks and defenses in the last decade. While modern hardware features improve the system performance significantly, they may create new attack surfaces for malicious people to extract sensitive information about users without physical access to the victim device. Although many previously exploited hardware and OS features were patched by OS developers and chip vendors, any feature that is accessible from userspace applications can be exploited to perform software-based side-channel attacks. In this paper, we present DF-SCA, which is a software-based dynamic frequency side-channel attack on Linux and Android OS devices. We exploit unprivileged access to cpufreq interface that exposes real-time CPU core frequency values directly correlated with the system utilization, creating a reliable side-channel for attackers. We show that Dynamic Voltage and Frequency Scaling (DVFS) feature in modern systems can be utilized to perform website fingerprinting attacks for Google Chrome and Tor browsers on modern Intel, AMD, and ARM architectures. We further extend our analysis to a wide selection of scaling governors on Intel and AMD CPUs, verifying that all scaling governors provide enough information on the visited web page. Moreover, we extract properties of keystroke patterns on frequency readings, that leads to 95% accuracy to distinguish the keystrokes from other activities on Android phones. We leverage inter-keystroke timings of a user by training a k-th nearest neighbor model, which achieves 88% password recovery rate in the first guess on Bank of America application. Finally, we propose several countermeasures to mask the user activity to mitigate DF-SCA on Linux-based systems.

Cryptography and Security

Arup Kumar Sarker,Md Khairul Islam,Yuan Tian

DOI: https://doi.org/10.48550/arXiv.2301.04591

2023-01-12

Abstract:With the significant development of the Internet of Things and low-cost cloud services, the sensory and data processing requirements of IoT systems are continually going up. TrustZone is a hardware-protected Trusted Execution Environment (TEE) for ARM processors specifically designed for IoT handheld systems. It provides memory isolation techniques to protect trusted application data from being exploited by malicious entities. In this work, we focus on identifying different vulnerabilities of the TrustZone extension of ARM Cortex-M processors. Then design and implement a threat model to execute those attacks. We have found that TrustZone is vulnerable to buffer overflow-based attacks. We have used this to create an attack called MOFlow and successfully leaked the data of another trusted app. This is done by intentionally overflowing the memory of one app to access the encrypted memory of other apps inside the secure world. We have also found that, by not validating the input parameters in the entry function, TrustZone has exposed a security weakness. We call this Achilles heel and present an attack model showing how to exploit this weakness too. Our proposed novel attacks are implemented and successfully tested on two recent ARM Cortex-M processors available on the market (M23 and M33).

Cryptography and Security

Jeferson González-Gómez,Mohammed Bakr Sikal,Heba Khdr,Lars Bauer,Jörg Henkel

DOI: https://doi.org/10.1109/tcad.2024.3438999

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:As the digital landscape continues to evolve, the security of computing systems has become a critical concern. Power-based covert channels (e.g., thermal covert channel s (TCCs)), a form of communication that exploits the system resources to transmit information in a hidden or unintended manner, have been recently studied as an effective mechanism to leak information between malicious entities via the modulation of CPU power. To this end, dynamic voltage and frequency scaling (DVFS) has been widely used as a countermeasure to mitigate TCCs by directly affecting the communication between the actors. Although this technique has proven effective in neutralizing such attacks, it introduces significant performance and energy penalties, that are particularly detrimental to energy-constrained embedded systems. In this article, we propose different system-informed countermeasures to power-based covert channels from the heuristic and machine learning (ML) domains. Our proposed techniques leverage task migration and DVFS to jointly mitigate the channels and maximize energy efficiency. Our extensive experimental evaluation on two commercial platforms: 1) the NVIDIA Jetson TX2 and 2) Jetson Orin shows that our approach significantly improves the overall energy efficiency of the system compared to the state-of-the-art solution while nullifying the attack at all times.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Somdip Dey,Amit Kumar Singh,Xiaohang Wang,Klaus Dieter McDonald-Maier

DOI: https://doi.org/10.48550/arXiv.2007.01377

2020-07-03

Abstract:Given the constant rise in utilizing embedded devices in daily life, side channels remain a challenge to information flow control and security in such systems. One such important security flaw could be exploited through temperature side-channel attacks, where heat dissipation and propagation from the processing elements are observed over time in order to deduce security flaws. In our proposed methodology, DATE: Defense Against TEmperature side-channel attacks, we propose a novel approach of reducing spatial and temporal thermal gradient, which makes the system more secure against temperature side-channel attacks, and at the same time increases the reliability of the device in terms of lifespan. In this paper, we have also introduced a new metric, Thermal-Security-in-Multi-Processors (TSMP), which is capable of quantifying the security against temperature side-channel attacks on computing systems, and DATE is evaluated to be 139.24% more secure at the most for certain applications than the state-of-the-art, while reducing thermal cycle by 67.42% at the most.

Cryptography and Security,Hardware Architecture,Computer Vision and Pattern Recognition,Machine Learning

Otto Bittner,Thilo Krachenfels,Andreas Galauner,Jean-Pierre Seifert

DOI: https://doi.org/10.48550/arXiv.2108.06131

2021-08-16

Abstract:Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as self-driving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI is known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation.

Cryptography and Security

Pengfei Qiu,Dongsheng Wang,Yongqiang Lyu,Ruidong Tian,Chunlu Wang,Gang Qu

DOI: https://doi.org/10.1109/TCAD.2020.3024853

IF: 2.9

2021-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Intel software guard extensions (SGX) increase the security of applications by enabling them to be performed in a highly trusted space (called enclave). Most state-of-the-art attacks on SGX focus on either mining the software vulnerabilities in the enclave or speculating the secret data with side channels. In this study, we report our recent work on breaking SGX by inducing voltage-oriented hardwa...

Dina G. Mahmoud,Beatrice Shokry,Vincent Lenders,Wei Hu,Mirjana Stojilović

DOI: https://doi.org/10.1109/access.2024.3353134

IF: 3.9

2024-01-01

IEEE Access

Abstract:Cloud computing environments increasingly provision field-programmable gate arrays (FPGAs) for their programmability and hardware-level parallelism. While FPGAs are typically used by one tenant at a time, multitenant schemes supporting spatial sharing of cloud FPGA resources have been proposed in the literature. However, the spatial multitenancy of FPGAs opens up new attack surfaces. Investigating potential security threats to multitenant FPGAs is thus essential for better understanding and eventually mitigating the security risks. This work makes a notable step forward by systematically analyzing the combined threat of FPGA power wasters and satisfiability don’t-care hardware Trojans in shared cloud FPGAs. We demonstrate a successful remote undervolting attack that activates a hardware Trojan concealed within a victim FPGA design and exploits the payload. The attack is carried out entirely remotely, assuming two spatially colocated FPGA users isolated from one another. The victim user’s circuit is infected with a Trojan, triggered by a pair of don’t-care signals that never reach the combined trigger condition during regular operation. The adversary, targeting the exploitation of the Trojan, deploys power waster circuits to lower the supply voltage of the FPGA. The assumption is that, under the effect of the lowered voltage, don’t-care signals may reach the particular state that triggers the Trojan. We name this exploit X-Attack and demonstrate its feasibility on an embedded FPGA and real-world cloud FPGA instances. Additionally, we study the effects of various attack tuning parameters on the exploit’s success. Finally, we discuss potential countermeasures against this security threat and present a lightweight self-calibrating countermeasure. To the best of our knowledge, this is the first work on undervolting-based fault-injection attacks in multitenant FPGAs to demonstrate the attack on commercially available cloud FPGA instances.

computer science, information systems,telecommunications,engineering, electrical & electronic

Robert Buhren,Hans-Niklas Jacob,Thilo Krachenfels,Jean-Pierre Seifert

DOI: https://doi.org/10.1145/3460120.3484779

2021-11-12

Abstract:AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms for virtual machines in untrusted environments through memory and register encryption. To separate security-sensitive operations from software executing on the main x86 cores, SEV leverages the AMD Secure Processor (AMD-SP). This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD-SP. We present a voltage glitching attack that allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3). The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory. Furthermore, using our approach, we can extract endorsement keys of SEV-enabled CPUs, which allows us to fake attestation reports or to pose as a valid target for VM migration without requiring physical access to the target host. Moreover, we reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware version of TCB components relevant for SEV. Building on the ability to extract the endorsement keys, we show how to derive valid VCEKs for arbitrary firmware versions. With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rogue administrators, on currently available CPUs.

Yifan Lu

DOI: https://doi.org/10.48550/arXiv.1903.08102

2019-02-14

Abstract:We show how voltage glitching can cause timing violations in CMOS behavior. Then we attack a real, security hardened, consumer device to gain code execution and dump the secure boot ROM.

Cryptography and Security

J. Longo,E. De Mulder,D. Page,M. Tunstall

DOI: https://doi.org/10.1007/978-3-662-48324-4_31

2015-01-01

Abstract:Increased complexity in modern embedded systems has presented various important challenges with regard to side-channel attacks. In particular, it is common to deploy SoC-based target devices with high clock frequencies in security-critical scenarios; understanding how such features align with techniques more often deployed against simpler devices is vital from both destructive (i.e., attack) and constructive (i.e., evaluation and/or countermeasure) perspectives. In this paper, we investigate electromagnetic-based leakage from three different means of executing cryptographic workloads (including the general purpose ARM core, an on-chip co-processor, and the NEON core) on the AM335x SoC. Our conclusion is that addressing challenges of the type above is feasible, and that key recovery attacks can be conducted with modest resources.

Lan Luo,Yue Zhang,Cliff C. Zou,Xinhui Shao,Zhen Ling,Xinwen Fu

DOI: https://doi.org/10.48550/arXiv.2007.05876

2020-07-12

Abstract:Internet of Things (IoT) devices have been increasingly integrated into our daily life. However, such smart devices suffer a broad attack surface. Particularly, attacks targeting the device software at runtime are challenging to defend against if IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension for MCUs, is an emerging security technique fortifying MCU based IoT devices. This paper presents the first security analysis of potential software security issues in TrustZone-M enabled MCUs. We explore the stack-based buffer overflow (BOF) attack for code injection, return-oriented programming (ROP) attack, heap-based BOF attack, format string attack, and attacks against Non-secure Callable (NSC) functions in the context of TrustZone-M. We validate these attacks using the TrustZone-M enabled SAM L11 MCU. Strategies to mitigate these software attacks are also discussed.

Cryptography and Security