Xiang Wang,Zhun Zhang,Qiang Hao,Dongdong Xu,Jiqing Wang,Haoyu Jia,Zhiyu Zhou

DOI: https://doi.org/10.3390/mi12121450

2021-11-26

Abstract:The hardware security of embedded systems is raising more and more concerns in numerous safety-critical applications, such as in the automotive, aerospace, avionic, and railway systems. Embedded systems are gaining popularity in these safety-sensitive sectors with high performance, low power, and great reliability, which are ideal control platforms for executing instruction operation and data processing. However, modern embedded systems are still exposing many potential hardware vulnerabilities to malicious attacks, including software-level and hardware-level attacks; these can cause program execution failure and confidential data leakage. For this reason, this paper presents a novel embedded system by integrating a hardware-assisted security monitoring unit (SMU), for achieving a reinforced system-on-chip (SoC) on ensuring program execution and data processing security. This architecture design was implemented and evaluated on a Xilinx Virtex-5 FPGA development board. Based on the evaluation of the SMU hardware implementation in terms of performance overhead, security capability, and resource consumption, the experimental results indicate that the SMU does not lead to a significant speed degradation to processor while executing different benchmarks, and its average performance overhead reduces to 2.18% on typical 8-KB I/D-Caches. Security capability evaluation confirms the monitoring effectiveness of SMU against both instruction and data tampering attacks. Meanwhile, the SoC satisfies a good balance between high-security and resource overhead.

Zhenliang An,Weike Wang,Wenxin Li,Senyang Li,Dexue Zhang

DOI: https://doi.org/10.3390/mi14081525

IF: 3.4

2023-07-30

Micromachines

Abstract:The growing prevalence of embedded systems in various applications has raised concerns about their vulnerability to malicious code reuse attacks. Current software-based and hardware-assisted security techniques struggle to detect or block these attacks with minor performance and implementation overhead. To address this issue, this paper presents a lightweight hardware-assisted scheme to enhance the security of embedded systems against code reuse attacks. We develop an on-chip lightweight hardware shadow stack to validate target addresses at runtime for backward-edge control flow integrity, which backs up valid return addresses during function calls and automatically verifies actual return addresses during the return phase. Additionally, we propose a lightweight stream cipher circuit that encrypts and decrypts critical stack data related to control flow manipulation, preventing attackers from analyzing or tampering with them. When designing and implementing the security mechanism for embedded systems, we fully consider the constraints of limited system resources and performance, optimizing both the architecture design and implementation of the proposed hardware. Finally, we integrate both the proposed lightweight hardware shadow stack and the runtime data encryption hardware into the OR1200 processor. We have verified the system security function on the Terasic DE1-SoC FPGA platform and evaluated the system performance as well as implementation overhead. The results show that the proposed lightweight hardware-assisted scheme can provide a dedicated defense capability against code reuse attacks for embedded systems, with an average system performance overhead of 0.39% and an area footprint of 0.316 mm2.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

Zili Shao,Chun Jason Xue,Qingfeng Zhuge,Edwin H.‐M. Sha,Bin Xiao

DOI: https://doi.org/10.1109/itcc.2004.1286489

2004-01-01

Abstract:With more embedded systems networked, it becomes an important research problem to effectively defend embedded systems against buffer overflow attacks and efficiently check if systems have been protected. In this paper, we propose the HSDefender (hardware/software Defender) technique that considers the protection and checking together to solve this problem. Our basic idea is to design a secure instruction set and require third-party software developers to use secure instructions to call functions. Then the security checking can be easily performed by system integrators even without the knowledge of the source code. We first classify buffer overflow attacks into two categories, stack smashing attacks and function pointer attacks, and then provide two corresponding defending strategies. We analyze the HSDefender technique in respect of hardware cost, security, and performance, and experiment with it on the SimpleScalar/ARM simulator using benchmarks from MiBench. The results show that HSDefender can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.

Jian Wang,Ying Li

DOI: https://doi.org/10.3390/info12040169

2021-01-01

Information

Abstract:Ensuring the security of IoT devices and chips at runtime has become an urgent task as they have been widely used in human life. Embedded memories are vital components of SoC (System on Chip) in these devices. If they are attacked or incur faults at runtime, it will bring huge losses. In this paper, we propose a run-time detection architecture for memory security (RDAMS) to detect memory threats (fault and Hardware Trojans attack). The architecture consists of a Security Detection Core (SDC) that controls and enforces the detection procedure as a “security brain”, and a memory wrapper (MEM_wrapper) which interacts with memory to assist the detection. We also design a low latency response mechanism to solve the SoC performance degradation caused by run-time detection. A block-based multi-granularity detection approach is proposed to render the design flexible and reduce the cost in implementation using the FPGA’s dynamic partial reconfigurable (DPR) technology, which enables online detection mode reconfiguration according to the requirements. Experimental results show that RDAMS can correctly detect and identify 10 modeled memory faults and two types of Hardware Trojans (HTs) attacks without leading a great performance degradation to the system.

Ying Li,Lan Chen,Jian Wang,Guanfei Gong

DOI: https://doi.org/10.1109/host54066.2022.9840090

2022-01-01

Abstract:Embedded memory are important components in system-on-chip, which may be crippled by aging and wear faults or Hardware Trojan attacks to compromise run-time security. The current built-in self-test and pre-silicon verification lack efficiency and flexibility to solve this problem. To this end, we address such vulnerabilities by proposing a run-time memory security detecting framework in this paper. The solution builds mainly upon a centralized security detection controller for partially reconfigurable inspection content, and a static memory wrapper to handle access conflicts and buffering testing cells. We show that a field programmable gate array prototype of the proposed framework can pursue 16 memory faults and 3 types Hardware Trojans detection with one reconfigurable partition, whereas saves 12.7% area and 2.9% power overhead compared to a static implementation. This architecture has more scalable capability with little impact on the memory accessing throughput of the original chip system in run-time detection.

Zhaojie Dong,Lan Chen,Ying Li

DOI: https://doi.org/10.1587/elex.19.20220167

2022-01-01

IEICE Electronics Express

Abstract:Existing functional validation approaches and post-manufacturing tests are inadequate to detect all hardware bugs and hardware Trojans in third-party intellectual property blocks (3PIPs). Especially for cryptographic IPs, a well-designed framework is needed for detecting and mitigating hardware security risks even after chip deployment. In this paper, we present an innovative multi-level architecture providing runtime hardware security detection and response. The proposed architecture consists of a controller and a security wrapper, enabling the collaborative operation of three different types of detection and three levels of response according to the potential malicious impact. We show that a field programmable gate array prototype of the proposed architecture can pursue 4 hardware bug and 6 hardware Trojan detection towards an AES IP, and make appropriate protective responses.

Shijia Wei,Aydin Aysu,Michael Orshansky,Andreas Gerstlauer,Mohit Tiwari

DOI: https://doi.org/10.1109/hst.2019.8740838

2019-05-01

Abstract:High-assurance embedded systems are deployed for decades and expensive to re-certify – hence, each new attack is an unpatchable problem that can only be detected by monitoring out-of-band channels such as the system’s power trace or electromagnetic emissions. Micro-Architectural attacks, for example, have recently come to prominence since they break all existing software-isolation based security – for example, by hammering memory rows to gain root privileges or by abusing speculative execution and shared hardware to leak secret data. This work is the first to use anomalies in an embedded system’s power trace to detect evasive micro-architectural attacks. To this end, we introduce power-mimicking micro-architectural attacks – including DRAM-rowhammer attacks, side/covert-channel and speculation-driven attacks – to study their evasiveness. We then quantify the operating range of the power-anomalies detector using the Odroid XU3 board – showing that rowhammer attacks cannot evade detection while covert channel and speculation-driven attacks can evade detection but are forced to operate at a 36 × and 7 × lower bandwidth . Our power-anomaly detector is efficient and can be embedded-of-band into (e.g.,) programmable batteries. While rowhammer, side-channel, and speculation-driven attack defenses require invasive code- and hardware-changes in general-purpose systems, we show that power-anomalies are a simple and effective defense for embedded systems. Power-anomalies can help future-proof embedded systems against vulnerabilities that are likely to emerge as new hardware like phase-change memories and accelerators become mainstream.

Zili Shao,Chun Xue,Qingfeng Zhuge,Meikang Qiu,Bin Xiao,Edwin H. -M. Sha

DOI: https://doi.org/10.1109/TC.2006.59

IF: 3.183

2006-01-01

IEEE Transactions on Computers

Abstract:With more embedded systems networked, it becomes an important problem to effectively defend embedded systems against buffer overflow attacks. Due to the increasing complexity and strict requirements, off-the-shelf software components are widely used in embedded systems, especially for military and other critical applications. Therefore, in addition to effective protection, we also need to provide an approach for system integrators to efficiently check whether software components have been protected. In this paper, we propose the HSDefender (Hardware/Software Defender) technique to perform protection and checking together. Our basic idea is to design secure call instructions so systems can be secured and checking can be easily performed. In the paper, we classify buffer overflow attacks into two categories and provide two corresponding defending strategies. We analyze the HSDefender technique with respect to hardware cost, security, and performance. We experiment with our HSDefender technique on the simplescalar/ARM simulator with benchmarks from MiBench, an embedded benchmark suite. The results show that our HSDefender technique can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.

Ronny Chevalier,Maugan Villatel,David Plaquin,Guillaume Hiet

DOI: https://doi.org/10.1145/3134600.3134622

2018-03-07

Abstract:Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 $\mu$s threshold defined by Intel).

Cryptography and Security

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.

Baleegh Ahmad,Wei-Kai Liu,Luca Collini,Hammond Pearce,Jason M. Fung,Jonathan Valamehr,Mohammad Bidmeshki,Piotr Sapiecha,Steve Brown,Krishnendu Chakrabarty,Ramesh Karri,Benjamin Tan

DOI: https://doi.org/10.1145/3508352.3549369

2022-09-03

Abstract:To help prevent hardware security vulnerabilities from propagating to later design stages where fixes are costly, it is crucial to identify security concerns as early as possible, such as in RTL designs. In this work, we investigate the practical implications and feasibility of producing a set of security-specific scanners that operate on Verilog source files. The scanners indicate parts of code that might contain one of a set of MITRE's common weakness enumerations (CWEs). We explore the CWE database to characterize the scope and attributes of the CWEs and identify those that are amenable to static analysis. We prototype scanners and evaluate them on 11 open source designs - 4 system-on-chips (SoC) and 7 processor cores - and explore the nature of identified weaknesses. Our analysis reported 53 potential weaknesses in the OpenPiton SoC used in Hack@DAC-21, 11 of which we confirmed as security concerns.

Cryptography and Security

Zhijiao Zhang,Yashuai Lü,Yu Chen,Yongqiang Lu,Yuanchun Shi

DOI: https://doi.org/10.1007/978-3-319-18467-8_29

2015-01-01

Abstract:Recently, code-reuse attack (CRA) is becoming the most prevalent attack vector which reuses fragments of existing code to make up malicious code. Recent studies show that CRAs especially jump-oriented programming (JOP) attacks are hard and costly to detect and protect from, especially on CISC processors. One reason for this is that the instructions of CISC architecture are of variable-length, and lots of unintended but legal instructions can be exploited by starting from in the middle of a legal instruction. This feature of CISC architectures makes the finding of so called gadgets for CRAs is much easier than that of RISC architectures. Most of previous studies for mitigating CRA on CISC processors rely on software-only means to tackle the unintended instruction problem, which makes their approaches either very costly or can only be applied under restricted conditions. In this paper, we propose two hardware supported techniques. The first, which is the main contribution of this paper, is to eliminate the execution of an unintended instruction. This technique only requires a few modifications to the processor and operating system. Furthermore, the proposed mechanism has little performance impact on the examined SPEC CPU 2006 benchmarks (-0.093% similar to 2.993%). Second, we propose using hardware control-flow locking as a complementary technique to our protection mechanism. By using the two techniques together, an attacker will have little chance to carry out CRAs on a CISC processor.

Yajin Zhou,Xiaoguang Wang,Yue Chen,Zhi Wang

DOI: https://doi.org/10.1145/2660267.2660344

2014-01-01

Abstract:Software fault isolation (SFI) is an effective mechanism to confine untrusted modules inside isolated domains to protect their host applications. Since its debut, researchers have proposed different SFI systems for many purposes such as safe execution of untrusted native browser plugins. However, most of these systems focus on the x86 architecture. In recent years, ARM has become the dominant architecture for mobile devices and gains in popularity in data centers. Hence there is a compelling need for an efficient SFI system for the ARM architecture. Unfortunately, existing systems either have prohibitively high performance overhead or place various limitations on the memory layout and instructions of untrusted modules.In this paper, we propose ARMlock, a hardware-based fault isolation for ARM. It uniquely leverages the memory domain support in ARM processors to create multiple sandboxes. Memory accesses by the untrusted module (including read, write, and execution) are strictly confined by the hardware, and instructions running inside the sandbox execute at the same speed as those outside it. ARMlock imposes virtually no structural constraints on untrusted modules. For example, they can use self-modifying code, receive exceptions, and make system calls. Moreover, system calls can be interposed by ARMlock to enforce the policies set by the host. We have implemented a prototype of ARMlock for Linux that supports the popular ARMv6 and ARMv7 sub-architecture. Our security assessment and performance measurement show that ARMlock is practical, effective, and efficient.

Jianfeng Zhu,Ao Luo,Guanhua Li,Bowei Zhang,Yong Wang,Gang Shan,Yi Li,Jianfeng Pan,Chenchen Deng,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/JSSC.2021.3058551

IF: 5.4

2021-01-01

IEEE Journal of Solid-State Circuits

Abstract:Nowadays, hardware security has become a serious concern for modern CPUs. State-of-the-art detection approaches rely heavily on trustworthy and intimate internal states, incurring significant design/operation overheads and additional risks to security and intellectual property. This article proposes an architecture called Jintide, which utilizes trusted external monitors to validate an untrusted CPU chip at runtime. This architecture records, replays, and analyzes the CPU’s IO and memory behavior with the architectural states. The Jintide simultaneously verifies whether the records are correctly replayed with the instruction set architecture and whether the records involve malicious behavior. Consequently, not only architectural but also micro-architectural threats can be detected. The Jintide adopts the states from the untrusted source because it has a built-in function to detect spurious states. The monitors comprise three types of chips (with 28-/40-nm TSMC technology): a tracer chip to record the behavior of IO ports, multiple tracer chips to record the behavior of DDR4 DIMMs, and a reconfigurable chip to verify these records with software states. As runtime external monitors, the Jintide would be especially suitable to constitute distributed large-scale clusters, which can amortize operation overheads. This scheme is effective in detecting pervasive hardware security issues, including vulnerabilities, backdoors, and hardware Trojans. The measured results show that a system composed of 300 000 Jintide CPUs containing Intel Xeon Skylake processors can detect over 99.8% of recognizable attacks at the cost of 0.98% performance loss. Hence, the Jintide is an extensible, low-cost, and effective solution to improve the hardware security of large-scale CPU clusters.

Tai Yue,Fengwei Zhang,Zhenyu Ning,Pengfei Wang,Xu Zhou,Kai Lu,Lei Zhou

DOI: https://doi.org/10.1109/tifs.2024.3372816

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Many modern processors have embedded hardware tracing techniques (e.g., Intel Processor Trace or ARM CoreSight). While these techniques are widely used due to their transparency and low overhead, they also bring serious security threats. Attackers can utilize hardware tracing to trace the trusted applications from a non-secure application. Existing protection techniques fail to effectively protect the runtime information when hardware tracing is employed. To counter these threats, in this paper, we propose a novel direction called anti-hardware tracing. Our key idea is to exploit the limitations of hardware tracing: trace buffer overflow can cause trace data loss. We build a model to analyse the overflow and outline three principles for efficient triggering overflows and achieving anti-hardware tracing: numerous branches in the program, high-speed execution of the program, and the high-water mark of the trace buffer. We develop a framework called Armor on ARM Juno R2 to realize our approach. Armor protects software against the trace unit Embedded Trace Macrocell (ETM) in CoreSight by instrumenting protection and loop functions. The protection function detects runtime environments, efficiently fills the trace buffer, and employs various protection strategies like PID (process identifier) replacement and PIE+STRIP+ASLR. Meanwhile, the loop function triggers overflows efficiently based on context-based calculations and anti-ETM loop. Our evaluation demonstrates that the overhead of Armor is 77.31% lower than that of OLLVM [1] on SPEC2006. Armor effectively hides 54.51% of basic blocks across 16 real-world applications, triggering 113× more overflows. Moreover, we showcase two practical applications of Armor. Firstly, we conduct a cryptographic and cross-world attack on GnuPG 1.4.13 RSA private keys using ETM, which can steal entire keys from a program in the Secure world with a single run. Armor successfully reduces leaked bits by 84.5%. Secondly, Armor impedes hardware-assisted fuzzing by reducing throughput by 89.71% and branch coverage by 47.99%.

computer science, theory & methods,engineering, electrical & electronic

Yuanyuan Zhang,Dawu Gu,Fangyong Hou,Mengqi Zeng,Tao Cheng

DOI: https://doi.org/10.1080/15501320802575161

IF: 1.938

2009-01-01

International Journal of Distributed Sensor Networks

Abstract:Propose a secure architecture for embedded systems by adding a secure engine to processors. This secure engine provides data confidentiality and integrity, which ensures data cannot be comprehended and modified outside CPU or SoC. Galois/Counter Mode is introduced in our secure engine, which can generate ciphertext and its message authentication code(MAC) simultaneously. Moreover, we introduce several schemes to reduce memory latency and prompt system performance. Evaluation results reveals that our scheme advances in both security and performance than former security architectures for embedded systems.

genxian liu,xi zhang,dongsheng wang,zhenyu liu,haixia wang

DOI: https://doi.org/10.1007/978-3-662-43908-1_1

2014-01-01

Abstract:Security is a crucial element of information systems. Extensive research for cryptographic algorithms that provide the sound theoretical basis of security. Among them security and integrity of memory has been a longstanding issue in trusted system design. Main memory is a critical component of all computing systems. Most of those systems are vulnerable to memory attacks, in which an attacker gains physical accesses to the unattended hardware, obtains the decryption keys from memory. We propose a method for protecting memory systems against attacks with hardware authentication and full memory encryption. The method is secure against all known type of memory attack. We have tested the method with software simulator and Field Programmable Gate Array (FPGA) platform. The results show that the method can authenticate and encrypt the contents of DRAM with 2.5 % performance penalties.

MAO Jian,ZHOU Yu-jie

DOI: https://doi.org/10.3969/j.issn.1009-2552.2006.06.009

2006-01-01

Abstract:The information security chip design has changed significantly into a world of SoC and platform modules,with a growing threat from the various types of hardware attacks.This paper introduces some representative hardware attack measures,including active/passive side-channel attacks,and gives some effective countermeasures against these attacks in a practical case.