Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure
RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack...
Gespeichert in:
| Veröffentlicht in: | IACR transactions on cryptographic hardware and embedded systems Jg. 2022; H. 1; S. 28 - 68 |
|---|---|
| Hauptverfasser: | , , , |
| Format: | Journal Article |
| Sprache: | Englisch |
| Veröffentlicht: |
Ruhr-Universität Bochum
19.11.2021
|
| Schlagworte: | |
| ISSN: | 2569-2925, 2569-2925 |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| Abstract | RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under crossdevice conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme was validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack. |
|---|---|
| AbstractList | RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under crossdevice conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme was validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack. |
| Author | Homma, Naofumi Ueno, Rei Suzuki, Daisuke Nashimoto, Shoei |
| Author_xml | – sequence: 1 givenname: Shoei surname: Nashimoto fullname: Nashimoto, Shoei – sequence: 2 givenname: Daisuke surname: Suzuki fullname: Suzuki, Daisuke – sequence: 3 givenname: Rei surname: Ueno fullname: Ueno, Rei – sequence: 4 givenname: Naofumi surname: Homma fullname: Homma, Naofumi |
| BookMark | eNpNkFtLxDAQhYMoeP0JQv9A1km6SZNHLV4KguDtNUyTWc1SU2la0X_vbhURBuYwc873cA7ZbuoTMXYqYLHUyuiz0b9SXnxIkHIRxUIars0OO5BKWy6tVLv_9D47yXkNAFKBEpU9YPHi6x1zjumlaHLf4UihuPwkP42xT8Vm7puHmj8X02x5iIF4_YopUcfPN7G89V_h1I28SWvycwpTKJoxF3U_pZGGN8I8DXTM9lbYZTr53Ufs6erysb7ht3fXTX1-y720ynBjPVUCV7Y0K-vtEmQbDGCF6Cvp_eZpPOrSW0AJoIMIrdZQ2o0ktGTLI9b8cEOPa_c-xDccvlyP0c2HfnhxOIzRd-QkoA9Ct5VQuKyCb0HIVgoQ0FLQastSPyw_9DkPtPrjCXBz_W6u3831uyicNE6b8hu0b31p |
| ContentType | Journal Article |
| DBID | AAYXX CITATION DOA |
| DOI | 10.46586/tches.v2022.i1.28-68 |
| DatabaseName | CrossRef DOAJ Directory of Open Access Journals |
| DatabaseTitle | CrossRef |
| DatabaseTitleList | CrossRef |
| Database_xml | – sequence: 1 dbid: DOA name: DOAJ Directory of Open Access Journals url: https://www.doaj.org/ sourceTypes: Open Website |
| DeliveryMethod | fulltext_linktorsrc |
| EISSN | 2569-2925 |
| EndPage | 68 |
| ExternalDocumentID | oai_doaj_org_article_20acd16b715a47dcb012b21010bed659 10_46586_tches_v2022_i1_28_68 |
| GroupedDBID | AAFWJ AAYXX AFPKN ALMA_UNASSIGNED_HOLDINGS CITATION GROUPED_DOAJ M~E |
| ID | FETCH-LOGICAL-c2958-89ce71af938f9c9402bd80a7aac72ccce78ca63c90a2006d1db6603906dea9e93 |
| IEDL.DBID | DOA |
| ISSN | 2569-2925 |
| IngestDate | Tue Oct 14 19:04:30 EDT 2025 Sat Nov 29 02:10:49 EST 2025 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 1 |
| Language | English |
| License | https://creativecommons.org/licenses/by/4.0 |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-c2958-89ce71af938f9c9402bd80a7aac72ccce78ca63c90a2006d1db6603906dea9e93 |
| OpenAccessLink | https://doaj.org/article/20acd16b715a47dcb012b21010bed659 |
| PageCount | 41 |
| ParticipantIDs | doaj_primary_oai_doaj_org_article_20acd16b715a47dcb012b21010bed659 crossref_primary_10_46586_tches_v2022_i1_28_68 |
| PublicationCentury | 2000 |
| PublicationDate | 2021-11-19 |
| PublicationDateYYYYMMDD | 2021-11-19 |
| PublicationDate_xml | – month: 11 year: 2021 text: 2021-11-19 day: 19 |
| PublicationDecade | 2020 |
| PublicationTitle | IACR transactions on cryptographic hardware and embedded systems |
| PublicationYear | 2021 |
| Publisher | Ruhr-Universität Bochum |
| Publisher_xml | – name: Ruhr-Universität Bochum |
| SSID | ssj0002505179 |
| Score | 2.2660673 |
| Snippet | RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted... |
| SourceID | doaj crossref |
| SourceType | Open Website Index Database |
| StartPage | 28 |
| SubjectTerms | Fault Injection Memory Protection RISC-V Trusted Execution Environment |
| Title | Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure |
| URI | https://doaj.org/article/20acd16b715a47dcb012b21010bed659 |
| Volume | 2022 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| journalDatabaseRights | – providerCode: PRVAON databaseName: DOAJ Directory of Open Access Journals customDbUrl: eissn: 2569-2925 dateEnd: 99991231 omitProxy: false ssIdentifier: ssj0002505179 issn: 2569-2925 databaseCode: DOA dateStart: 20180101 isFulltext: true titleUrlDefault: https://www.doaj.org/ providerName: Directory of Open Access Journals – providerCode: PRVHPJ databaseName: ROAD: Directory of Open Access Scholarly Resources customDbUrl: eissn: 2569-2925 dateEnd: 99991231 omitProxy: false ssIdentifier: ssj0002505179 issn: 2569-2925 databaseCode: M~E dateStart: 20180101 isFulltext: true titleUrlDefault: https://road.issn.org providerName: ISSN International Centre |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwrV1LS8QwEA6yePAiiopvcvCatekjj6Muu7gHRXzhLSSTFCpSF_eBXvztTtJV9uZFKKW0oZRvppn5wswXQs6KPLM5eBX1tD0rpQCmvMiYdVHZRdZFIV3abELe3KjnZ327stVXrAnr5IE74JCcW_BcOMkrW0oPDmdUhzyFZy54UaXWPcx6VshUnINjYEdX61p2Soyy4jyCMO0vkOzn_QaZoWJRXnUlGK1o9qfgMtoim8uskF50X7NN1kK7Q5rLzwmmthhb6Bg9BJNCT4cfAZKrUDzuxvcD9kTnach94wOLvQJteGUIejSfpyM7f52xcfuSKq5aaltPx7Mpja3ocVLuVgh3yeNo-DC4YsudERjkulJMaQiS21oXqtagkQM6rzIrrQWZA-BDBVYUoNEQ-Ft57p0QWaHxMlgddLFHeu1bG_YJtSUoxyvnMVUs61ArCLzynIPKQuYyf0D6PxCZSSeAYZA4JExNwtQkTE3DTa6MUAfkMgL5OzjqV6cbaFWztKr5y6qH__GSI7KRxwqUWLSnj0lv9j4PJ2QdFrNm-n6aHAbP11_Db9Emx8I |
| linkProvider | Directory of Open Access Journals |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Bypassing+Isolated+Execution+on+RISC-V+using+Side-Channel-Assisted+Fault-Injection+and+Its+Countermeasure&rft.jtitle=IACR+transactions+on+cryptographic+hardware+and+embedded+systems&rft.au=Nashimoto%2C+Shoei&rft.au=Suzuki%2C+Daisuke&rft.au=Ueno%2C+Rei&rft.au=Homma%2C+Naofumi&rft.date=2021-11-19&rft.issn=2569-2925&rft.eissn=2569-2925&rft.spage=28&rft.epage=68&rft_id=info:doi/10.46586%2Ftches.v2022.i1.28-68&rft.externalDBID=n%2Fa&rft.externalDocID=10_46586_tches_v2022_i1_28_68 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2569-2925&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2569-2925&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2569-2925&client=summon |