Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure
RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack...
| Main Authors: | Shoei Nashimoto, Daisuke Suzuki, Rei Ueno, Naofumi Homma |
|---|---|
| Format: | article |
| Language: | EN |
| Published: | Ruhr-Universität Bochum, 2021 |
| Subjects: | Fault Injection; RISC-V; Memory Protection; Trusted Execution Environment |
| Online Access: | https://doaj.org/article/20acd16b715a47dcb012b21010bed659 |
| id | oai:doaj.org-article:20acd16b715a47dcb012b21010bed659 |
|---|---|
| record_format | dspace |
| spelling | oai:doaj.org-article:20acd16b715a47dcb012b21010bed659; 2021-11-19T14:36:14Z; Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure; DOI 10.46586/tches.v2022.i1.28-68; ISSN 2569-2925; https://doaj.org/article/20acd16b715a47dcb012b21010bed659; 2021-11-01T00:00:00Z; https://tches.iacr.org/index.php/TCHES/article/view/9289; https://doaj.org/toc/2569-2925; Shoei Nashimoto; Daisuke Suzuki; Rei Ueno; Naofumi Homma; Ruhr-Universität Bochum; article; Fault Injection; RISC-V; Memory Protection; Trusted Execution Environment; Computer engineering. Computer hardware; TK7885-7895; Information technology; T58.5-58.64; EN; Transactions on Cryptographic Hardware and Embedded Systems, Vol 2022, Iss 1 (2021) |
| institution | DOAJ |
| collection | DOAJ |
| language | EN |
| topic | Fault Injection; RISC-V; Memory Protection; Trusted Execution Environment; Computer engineering. Computer hardware; TK7885-7895; Information technology; T58.5-58.64 |
| spellingShingle | Fault Injection; RISC-V; Memory Protection; Trusted Execution Environment; Computer engineering. Computer hardware; TK7885-7895; Information technology; T58.5-58.64; Shoei Nashimoto; Daisuke Suzuki; Rei Ueno; Naofumi Homma; Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| description | RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under cross-device conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme were validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region. In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack. |
| format | article |
| author | Shoei Nashimoto; Daisuke Suzuki; Rei Ueno; Naofumi Homma |
| author_facet | Shoei Nashimoto; Daisuke Suzuki; Rei Ueno; Naofumi Homma |
| author_sort | Shoei Nashimoto |
| title | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| title_short | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| title_full | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| title_fullStr | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| title_full_unstemmed | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| title_sort | bypassing isolated execution on risc-v using side-channel-assisted fault-injection and its countermeasure |
| publisher | Ruhr-Universität Bochum |
| publishDate | 2021 |
| url | https://doaj.org/article/20acd16b715a47dcb012b21010bed659 |
| work_keys_str_mv | AT shoeinashimoto bypassingisolatedexecutiononriscvusingsidechannelassistedfaultinjectionanditscountermeasure AT daisukesuzuki bypassingisolatedexecutiononriscvusingsidechannelassistedfaultinjectionanditscountermeasure AT reiueno bypassingisolatedexecutiononriscvusingsidechannelassistedfaultinjectionanditscountermeasure AT naofumihomma bypassingisolatedexecutiononriscvusingsidechannelassistedfaultinjectionanditscountermeasure |
| _version_ | 1718420057764134912 |