Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure

RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:IACR transactions on cryptographic hardware and embedded systems Ročník 2022; číslo 1; s. 28 - 68
Hlavní autoři: Nashimoto, Shoei, Suzuki, Daisuke, Ueno, Rei, Homma, Naofumi
Médium: Journal Article
Jazyk:angličtina
Vydáno: Ruhr-Universität Bochum 19.11.2021
Témata:
Fault Injection
Memory Protection
RISC-V
Trusted Execution Environment
ISSN:2569-2925, 2569-2925
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under crossdevice conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme was validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack.
ISSN:2569-2925
2569-2925
DOI:10.46586/tches.v2022.i1.28-68