Hackers of India

Arbitrary code execution on RISC-V using fault injection

Praveen Vadnala, Nils Wiersma

2021/03/05



Abstract

RISC-V is a new, free and open Instruction Set Architecture (ISA) that has become increasingly popular in recent years. Unlike other widely used architectures such as AArch32, the RISC-V ISA does not allow direct access to the Program Counter (PC). Hence, corrupting a RISC-V instruction with fault injection in order to store a payload address directly into the PC is not possible. In this research, we propose alternative techniques to gain code execution using fault attacks by targeting the instructions that change the control flow of a program, including corrupting the return address register and the stack pointer register, among others. Based on the experimental results, we identify new fault models that cannot be explained using the programmer's model of the ISA but require an understanding of the underlying hardware implementation. We demonstrate the practicality of these attacks on a commercially available RISC-V SoC. These results have wide-ranging implications for the security of embedded devices against attackers with physical access to the device, most notably for secure boot.

AI Generated Summary (may contain errors)

Here is a summary of the content:

The speaker discusses fault injection attacks, particularly exploitation techniques to bypass secure boot mechanisms and achieve privilege escalation on CPUs. They explain that by manipulating the program counter register, an attacker can control the flow of execution without relying on return address interactions.

The presentation covers two successful experiments:

  1. Targeting the program counter register directly: Although not exposed in the instruction set architecture, a data path exists to reach the program counter register, allowing attackers to update it with their payload.
  2. Targeting the stack pointer register: This approach is more powerful, as it also allows attacks on non-leaf functions and enables classical stack overflow exploitation.

The speaker highlights that fault injection can be used to bypass secure boot mechanisms before reaching any authentication stage. They also mention potential future research directions, such as exploring countermeasures against these types of attacks and investigating ways to circumvent those protections.

Finally, the speaker answers a question about alternative methods for extracting instructions on an actual device, concluding that side-channel attacks are currently the only viable option.