Abstract
RISC-V is a new, free and open Instruction Set Architecture (ISA) that has become increasingly popular in recent years. Unlike other widely used architectures such as AArch32, the RISC-V ISA does not allow the Program Counter (PC) to be accessed directly. Hence, corrupting a RISC-V instruction with fault injection so that it stores the payload address directly into the PC is not possible. In this research, we propose alternative techniques to gain code execution using fault attacks by targeting the instructions that change the control flow of a program. These include corrupting the return address register and the stack pointer register, among others. Based on the experimental results, we identify new fault models that cannot be explained using the programmer's model of the ISA but require an understanding of the underlying hardware implementation. We demonstrate the practicality of these attacks on a commercially available RISC-V SoC. These results have wide-ranging implications for the security of embedded devices against attackers with physical access to the device, most notably for secure boot.