A Secure Exception Mode for Fault-Attack-Resistant Processing
Abstract: Fault attacks are a known threat to secure embedded implementations. We propose a generic technique to detect and react to fault attacks on embedded software. The countermeasure combines a micro-architecture extension in hardware with a secure trap in software. The combined extension leads to a secure exception mode to handle fault attacks. The microprocessor hardware uses a low-level hardware checkpointing mechanism to recover from fault injection. A high-level secure trap in software then enables an application-specific response. The trap is user-defined and can be co-developed with the application. The combination of hardware fault detection and recovery, with a high-level fault response policy in software leads to significantly lower overhead when compared to traditional redundancy-based techniques in hardware or software. We demonstrate a prototype implementation of the proposed secure exception mode. The prototype is based on a modified LEON3 processor and it is able to detect and respond to setup-time violation attacks. We have realized the design in a 180nm standard cell ASIC with integrated memory. Using several driver application examples, we characterize the software and hardware overhead of the proposed solution, and we compare it to the conventional redundancy-based solutions. In our understanding this is the first
proof-in-silicon processor to offer a comprehensive secure exception mode against fault-injection attacks. Existing system: The instruction- or data-faults that occur during execution of the application are the starting point of a fault analysis, which eventually enables the adversary to extract the cryptographic key. To decide on the fault injection parameters (time, location, strength), the adversary will first study the software application and decide on a desired instruction- or data-fault. The selection of fault injection parameters that yields the desired fault is often by trial and error, although the efficiency of the search can be greatly increased by building on internals of the processor pipeline structure. Very powerful fault analysis techniques have been developed using differential techniques. For example, a full 128-bit AES key can be recovered after a single well-placed fault. Proposed system: We program secure trap handlers on the resulting FAME processor for several common secure applications including PIN code checking, secure random number generation, and symmetric encryption using AES. We compare the implementation cost and performance of the proposed solution to a redundancy based solution. We demonstrate a novel and flexible strategy against fault injection attacks on embedded software with significantly lower overhead compared to traditional redundancy-based countermeasures. The technique is compatible with existing cryptographic software, and it does not require major modifications such as recoding of the algorithm. Advantages: We consider timing violation attacks, a common form of fault attack that can be implemented with a broad range of attack vectors such as clock glitches, EM pulses, power glitches or voltage starvation. We present a prototype implementation of FAME with protection against timing violation attacks, and describe the micro-architecture extensions and the secure trap handler mechanism.
We present an implementation of the proposed design in 180nm standard cell ASIC technology. We characterize the performance and area overhead for the proposed extensions. We analyze the fault sensitivity of the resulting chip using clock glitch injection. Disadvantages: To decide on the fault injection parameters (time, location, strength), the adversary will first study the software application and decide on a desired instruction- or data-fault. The selection of fault injection parameters that yields the desired fault is often by trial and error, although the efficiency of the search can be greatly increased by building on internals of the processor pipeline structure. Very powerful fault analysis techniques have been developed using differential techniques. For example, a full 128-bit AES key can be recovered after a single well-placed fault. These techniques require precise control over the nature of the fault. Modules: Attacker Model: In the main section of this paper, we assume the following attacker model. First, the attacker can observe and tamper chip input/output pins, clock pins and power/ground pins. For example, the attacker can mount clock-glitching and power-glitching attacks. These attacks affect the entire chip network, and they can be caught with a single sensor. Second, we assume that the attacker cannot mount localized fault injection, such as using directed electromagnetic pulses or laser pulses into a de-capped chip. Critical State Check pointing For fault-attack-resistant execution of the secure trap mechanism, FAME provides a hardware-level checkpointing support, the fault response registers (FRR). FRR maintain the critical system state needed to recover from the fault injection. They include the status register of the processor, the return address to the interrupted program, and the register file inputs of the writeback stage. FRR utilize doublebuffer redundancy to ensure fault-free recovery data. Using the contents of FRR,
the secure trap handler is able to restore the processor state back to the fault-free state just before the fault injection. Fault Detection FAME relies on a hardware fault detection unit (FDU), which is a set of detectors monitoring processor’s operation to detect anomalies. During the normal operation, an application runs in the nominal mode and no overhead is accrued. Upon detection of a fault, FDU asserts an alarm signal to notify the processor of a potential fault attack. The detector configuration and sensitivity level of FDU depend on the application domain and the attacker model. Based on the requirements, FDU is able to derive the fault status of the overall processor by combining different types and number of fault detectors. Fault Response To handle the fault injection, FAME first applies hardwarelevel precautions to prevent fault effects from spreading further. Then, FAME initiates a software trap handler to apply a user-defined and application-specific fault response. The hardware-level Fault Control Unit (FCU) manages the invocation and execution of the secure trap mechanism. It acknowledges the alarm signal of the FDU and takes immediate actions on the hardware level. FCU locks the fault recovery information into FRR, annuls the instructions being executed in the pipeline, and disables write operations into the register file as well as memory.