Publication


Featured research published by Andreas Zankl.


ieee computer society annual symposium on vlsi | 2017

Exploiting Bus Communication to Improve Cache Attacks on Systems-on-Chips

Johanna Sepulveda; Mathieu Gross; Andreas Zankl; Georg Sigl

Systems-on-Chips (SoCs) are one of the key enabling technologies for the Internet-of-Things (IoT). Given the continuous distribution of IoT devices, data confidentiality and user privacy are of utmost importance. However, with the growing complexity of SoCs, the risk of malware infections and trojans introduced at design time increases significantly. A vital threat to system security are so-called side-channel attacks based on cache observations. While mainly studied on desktop and server systems, recent publications have analyzed cache attacks on mobile devices and network-on-chip platforms. In this work, we investigate cache attacks on System-on-Chips implementing bus based communication. To this end, we present two contributions. First, we demonstrate an improved Prime+Probe based cache attack on AES-128 that, for the first time, exploits the bus communication to increase its efficiency. Second, we integrate two countermeasures (Shuffling and Mini-table) and evaluate their impact on the attack. The results show that our improved attack recovers the full key twice as fast as Prime+Probe without exploiting bus communication. Moreover, we propose protection techniques that are feasible and effectively mitigate both original and improved attack.


european symposium on research in computer security | 2017

PerfWeb: How to Violate Web Privacy with Hardware Performance Events

Berk Gulmezoglu; Andreas Zankl; Thomas Eisenbarth; Berk Sunar

The browser history reveals highly sensitive information about users, such as financial status, health conditions, or political views. Private browsing modes and anonymity networks are consequently important tools to preserve the privacy not only of regular users but in particular of whistleblowers and dissidents. Yet, in this work we show how a malicious application can infer opened websites from Google Chrome in Incognito mode and from Tor Browser by exploiting hardware performance events (HPEs). In particular, we analyze the browsers’ microarchitectural footprint with the help of advanced Machine Learning techniques: k-th Nearest Neighbors, Decision Trees, Support Vector Machines, and in contrast to previous literature also Convolutional Neural Networks. We profile 40 different websites, 30 of the top Alexa sites and 10 whistleblowing portals, on two machines featuring an Intel and an ARM processor. By monitoring retired instructions, cache accesses, and bus cycles for at most 5 s we manage to classify the selected websites with a success rate of up to 86.3%. The results show that hardware performance events can clearly undermine the privacy of web users. We therefore propose mitigation strategies that impede our attacks and still allow legitimate use of HPEs.


smart card research and advanced application conference | 2016

Automated Detection of Instruction Cache Leaks in Modular Exponentiation Software

Andreas Zankl; Johann Heyszl; Georg Sigl

The shared instruction cache of modern processors is an established side-channel that allows adversaries to observe the execution flow of other applications. This has been shown to be a threat to cryptographic software whose execution flow depends on the processed secrets. Testing implementations for these dependencies, or leaks, is essential to develop protected cryptographic software. In this work, we present an automated testing methodology that allows to detect execution flow leaks in implementations of modular exponentiation, a key operation in schemes like RSA, ElGamal, and Diffie-Hellman. We propose a simple and effective leakage test that captures problematic properties of vulnerable exponentiation algorithms. The execution flow of an implementation is directly monitored during exponentiation using a dynamic binary instrumentation framework. This allows to efficiently detect leaking code with instruction-level granularity in a noiseless and controlled environment. As a practical demonstration, we test multiple RSA implementations of modern cryptographic libraries with the proposed methodology. It reliably detects leaking code in vulnerable implementations and also identifies leaks in a protected implementation that are non-trivial to spot in a code review. We present a fix for these leaks and strongly recommend to also patch the other implementations. Because instruction cache attacks have been shown to be a threat in practice, it seems advisable to integrate an automated leakage test in the software release process of cryptographic libraries.


international conference on computational science | 2017

Towards Protected MPSoC Communication for Information Protection against a Malicious NoC

Johanna Sepulveda; Andreas Zankl; Daniel Flórez; Georg Sigl

Multiprocessor System-on-Chip (MPSoC) design is based on the integration of several third-party Intellectual Property (IP) cores. Some of those IPs may include Trojans, extra hardware that can be triggered during operation time in order to perform an attack. Network-on-Chip (NoC), the communication IP of MPSoCs, can include Trojans that spy, modify and constrain the sensitive communication inside the chip. Although previous works address the malicious NoC threat, finding secure and efficient solutions is still a challenge. In this work, we propose a novel and secure network interface which implements a tunnel-based protocol that enables the secure exchange of sensitive data even in the presence of a malicious NoC. We test our technique with synthetic traffic as well as in several real application scenarios, and show that it is a secure and efficient solution.


design, automation, and test in europe | 2017

Compromising FPGA SoCs using malicious hardware blocks

Nisha Jacob; Carsten Rolfes; Andreas Zankl; Johann Heyszl; Georg Sigl

Modern FPGA System-on-Chips (SoCs) combine high performance application processors with reconfigurable hardware. This allows to enhance complex software systems with reconfigurable hardware accelerators. Unfortunately, even when state-of-the-art software security mechanisms are implemented, this combination creates new security threats. Attacks on the software are now possible through the reconfigurable hardware as these cores share resources with the processor and may contain unwanted functionality. In this paper, we discuss software protection mechanisms offered in conventional SoCs and how they can be circumvented by malicious hardware blocks. As a concrete example, we show how the malicious functionality within an IP core accesses and replaces critical memory sections. We refer to this type of attacks as hardware-assisted attacks against running software systems. We carry-out a proof-of-concept on the Xilinx Zynq device which runs a Linux OS and a software application that verifies system updates. The malicious IP core replaces the public key used to verify system updates, thus, allowing an attacker to maliciously update the FPGA SoC. Additionally, we propose a countermeasure that can be applied against such threats in the form of a security wrapper for hardware modules.


reconfigurable communication centric systems on chip | 2017

Towards trace-driven cache attacks on Systems-on-Chips — exploiting bus communication

Johanna Sepulveda; Mathieu Gross; Andreas Zankl; Georg Sigl

The growing complexity of Systems-on-Chips (SoCs) increases the risk of software attacks during runtime. A critical threat to system security are so-called side-channel attacks based on the processor cache and its usage during the execution of cryptographic algorithms. Recent publications have analyzed cache attacks on mobile devices and network-on-chip platforms. In this work, we investigate cache attacks on bus-like tile-based Multi-Processor Systems-on-Chips (MPSoCs). This work presents two contributions. First, we demonstrate a trace-driven cache attack on AES-128 based on the exploitation of bus communication. Second, we integrate two countermeasures (Shuffling and Mini-table) and evaluate their impact on the trace-based cache attack and on the performance of the system. The results illustrate that trace-driven attacks based on bus communication are a non-negligible threat in SoC environments. The results also show that the protection techniques are feasible to implement and that they are able to mitigate the attacks.


cryptographic hardware and embedded systems | 2017

How to Break Secure Boot on FPGA SoCs Through Malicious Hardware

Nisha Jacob; Johann Heyszl; Andreas Zankl; Carsten Rolfes; Georg Sigl

Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.


usenix security symposium | 2017

AutoLock: Why Cache Attacks on ARM Are Harder Than You Think.

Marc Green; Leandro Rodrigues Lima; Andreas Zankl; Gorka Irazoqui; Johann Heyszl; Thomas Eisenbarth


usenix security symposium | 2018

DATA - Differential Address Trace Analysis: Finding Address-based Side-Channels in Binaries.

Samuel Weiser; Andreas Zankl; Raphael Spreitzer; Katja Miller; Stefan Mangard; Georg Sigl


design, automation, and test in europe | 2018

Earthquake - A NoC-based optimized differential collision cache attack for MPSoCs

Cezar Reinbrecht; Bruno Forlin; Andreas Zankl; Johanna Sepulveda

Collaboration


Andreas Zankl's collaborations.

Top Co-Authors

Bruno Forlin

Universidade Federal do Rio Grande do Sul

Cezar Reinbrecht

Universidade Federal do Rio Grande do Sul

Berk Gulmezoglu

Worcester Polytechnic Institute

Gorka Irazoqui

Worcester Polytechnic Institute

Thomas Eisenbarth

Worcester Polytechnic Institute

Berk Sunar

Worcester Polytechnic Institute

Marc Green

Worcester Polytechnic Institute

Raphael Spreitzer

Graz University of Technology

Samuel Weiser

Graz University of Technology

Stefan Mangard

Graz University of Technology
