HOST 2022 | IEEE International Symposium on Hardware Oriented Security and Trust

SESSION 19: Memory Fault Injection

Session Chair: Mengmei Ye, IBM

Thursday, June 30, 2022 | Time: 09:50 - 11:10

Location: Int'l Ballroom C

  • 95. TRRScope: Understanding Target Row Refresh Mechanism for Modern DDR Protection
    Yichen Jiang, Huifeng Zhu, Haoqi Shan, Xiaolong Guo, Xuan Zhang and Yier Jin
    Abstract: Advanced DDR memories are widely used in almost all electronic devices and computing systems. Therefore, the Rowhammer attack, a hardware-based attack targeting DDR memory, severely threatens data security and privacy in modern computing systems. Among existing solutions, the leading and most effective example is the Target Row Refresh (TRR) mechanism. TRR is proposed as the standard protection mechanism by JEDEC [1] and is widely used in DDR4 memory. As a protection scheme, TRR refreshes the victim row once a Rowhammer attack is detected. However, recent work such as TRRespass [2] shows that TRR can be bypassed and a Rowhammer attack is still possible even on the latest DDR4 memory. While it is still believed that TRR-like protection mechanisms are promising solutions against the Rowhammer attack, it becomes an urgent task to improve the security of TRR mechanisms. However, TRR implementation details are proprietary to the DDR4 manufacturers. In order to better understand TRR protection mechanisms and help improve TRR implementations, in this paper we propose a novel timing side-channel based reverse engineering method to understand the underlying mechanisms of TRR. We then thoroughly analyze the different implementations integrated into DDR4 memory chips from different manufacturers. With experimental results collected from a range of DDR4 memory chips, we prove the effectiveness of the proposed TRR recovery method.

  • 17. FaultLine: Software-based Fault Injection on Memory Transfers
    Joseph Gravellier, Jean-Max Dutertre, Yannick Teglia and Philippe Loubet Moundi
    Abstract: Today's integrated memory controllers use complex hardware such as delay-lines to monitor and control signal timings during external memory transfers. Because memory chips with different timing specifications may be used, delay-line tuning registers often remain accessible and programmable from the application processor. In this paper, we introduce FaultLine and the concept of delay-line-based fault injection. First, we demonstrate that by modifying the delay-line calibration value through a simple register access, malware may induce faults in memory transfers and jeopardize the security of concurrently running assets. Then, we experimentally evaluate the fault injection on an OS-capable system-on-chip by exposing cryptographic applications to corrupted data and retrieving their secret keys. We finally discuss why delay-line-based fault injection should be systematically considered as a potential threat in modern systems where entities with different privileges share external memories.
    Index Terms: Fault Injection Attack, Software-based, External Memory, Delay-Lines, SoC, PFA, DFA

  • 20. SecWalk: Protecting Page Table Walks Against Fault Attacks
    Robert Schilling, Pascal Nasahl, Stefan Weiglhofer and Stefan Mangard
    Abstract: The correct execution of a memory load and store is essential for the flawless execution of a program. However, as soon as devices are deployed in hostile environments, fault attacks can manipulate memory operations and subsequently alter the execution of a program. While memory accesses for simple processors with direct memory access can efficiently be protected against fault attacks, larger processors with virtual addressing lack this protection. However, the number of systems with larger application-class processors is growing, leaving many applications unprotected. New countermeasures are required to efficiently protect the memory accesses of processors with virtual memory against fault attacks. In this work, we present SecWalk, a design to efficiently protect all memory accesses of a program in the virtual and physical memory domain against fault attacks. We enhance residual-based pointer protection with a hardware-based secure page table walk inside the memory management unit. The page table walk securely translates a protected virtual address to a protected physical address by exploiting the redundancy properties of encoded addresses and a linking mechanism in the memory management unit. Furthermore, we extend the protection domain for virtual addresses to the TLB to also protect fast translations. To evaluate the overhead, we integrate SecWalk into an FPGA-based open-source RISC-V core, where SecWalk extends the area of the design by 10%. The software evaluation on a set of microbenchmarks shows an average code overhead of 11.05% and a runtime overhead of 7.17%. To show the applicability to real-life applications, we port the microkernel seL4 to SecWalk, which yields a code overhead of 13.1% and a runtime overhead of 11.6%. The evaluation shows that the overhead is small considering that SecWalk automatically protects all memory accesses of arbitrary applications against faults.
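The encoded-address walk sketched in the SecWalk abstract, as an added illustration that is not SecWalk's code: addresses are protected with an AN code (the value times a constant A; 58659 is used here for the example, since the page does not give SecWalk's residue parameters), a toy single-level page table holds encoded frame numbers, and the walk composes the encoded physical address from the encoded PTE and the encoded page offset without decoding either. A bit flip on the VA, on the PTE in memory, or on the decoded index therefore leaves an invalid code word or an out-of-range offset and is rejected. The page table contents, the constant and the fault-injection hooks are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* AN-code constant (odd, so every single-bit flip changes the residue).
 * Chosen for this illustration; SecWalk's own parameters are not on the page. */
#define AN_A 58659ULL
#define PAGE_SHIFT 12
#define PAGE_SIZE (1ULL << PAGE_SHIFT)
#define NUM_PAGES 16

typedef uint64_t enc_t;   /* an AN-encoded value: A * v */

static inline enc_t    an_encode(uint64_t v) { return v * AN_A; }
static inline bool     an_valid(enc_t e)     { return e % AN_A == 0; }
static inline uint64_t an_decode(enc_t e)    { return e / AN_A; }

/* Constructed toy page table: VPN i maps to PFN 0x100 + i, stored encoded. */
#define E(pfn) ((enc_t)(pfn) * AN_A)
static enc_t pte_enc[NUM_PAGES] = {
    E(0x100), E(0x101), E(0x102), E(0x103), E(0x104), E(0x105), E(0x106), E(0x107),
    E(0x108), E(0x109), E(0x10A), E(0x10B), E(0x10C), E(0x10D), E(0x10E), E(0x10F),
};

/* Model a fault on a page-table entry sitting in memory (call twice to undo). */
void inject_pte_fault(size_t vpn, int bit) { pte_enc[vpn] ^= 1ULL << bit; }

/* Core walk from an encoded VA to an encoded PA. vpn_fault_bit >= 0 models a
 * glitch on the decoded index (-1: no index fault). Returns false on detection. */
bool walk(enc_t va_enc, int vpn_fault_bit, enc_t *pa_enc_out)
{
    if (!an_valid(va_enc)) return false;                 /* VA corrupted before the walk */

    /* The index is the only value that must be decoded; everything else stays encoded. */
    uint64_t vpn = an_decode(va_enc) >> PAGE_SHIFT;
    if (vpn_fault_bit >= 0) vpn ^= 1ULL << vpn_fault_bit;
    if (vpn >= NUM_PAGES) return false;

    /* Offset derived in the encoded domain: A*va - (A*vpn)<<12 == A*off.
     * A flipped index pushes the "offset" outside [0, PAGE_SIZE), so it is caught here. */
    enc_t off_enc = va_enc - (an_encode(vpn) << PAGE_SHIFT);
    if (!an_valid(off_enc) || an_decode(off_enc) >= PAGE_SIZE) return false;

    enc_t pfn_enc = pte_enc[vpn];
    if (!an_valid(pfn_enc)) return false;                /* PTE corrupted in memory */

    /* Encoded composition, never touching a plain PFN: (A*pfn)<<12 + A*off == A*pa. */
    enc_t pa_enc = (pfn_enc << PAGE_SHIFT) + off_enc;
    if (!an_valid(pa_enc)) return false;                 /* fault during composition */

    *pa_enc_out = pa_enc;
    return true;
}

bool secure_translate(enc_t va_enc, enc_t *pa_enc_out) { return walk(va_enc, -1, pa_enc_out); }

/* Every single-bit flip of a valid code word is rejected: A is odd, so 2^k mod A != 0. */
bool all_single_bit_flips_detected(enc_t e)
{
    for (int b = 0; b < 64; b++)
        if (an_valid(e ^ (1ULL << b))) return false;
    return true;
}

int main(void)
{
    enc_t pa = 0;
    enc_t va = an_encode(0x32A4);                        /* VPN 3, offset 0x2A4 */
    printf("clean walk: %s, pa=0x%llx\n",
           secure_translate(va, &pa) ? "ok" : "FAULT", (unsigned long long)an_decode(pa));
    printf("VA bit 5 flipped: %s\n", secure_translate(va ^ (1ULL << 5), &pa) ? "ok" : "FAULT");
    printf("index bit 0 flipped: %s\n", walk(va, 0, &pa) ? "ok" : "FAULT");
    inject_pte_fault(3, 17);
    printf("PTE bit 17 flipped: %s\n", secure_translate(va, &pa) ? "ok" : "FAULT");
    inject_pte_fault(3, 17);
    return 0;
}
```

The point of keeping the PFN and offset encoded through the composition is that a fault anywhere on the path shows up as a single residue check at the end; only the table index has to be decoded, and the offset range check covers that one plain value. Multi-bit faults are detected unless their combined effect is a multiple of A, which is the usual residual-code trade-off between constant size and detection probability.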

  • 21. Protecting Indirect Branches against Fault Attacks using ARM Pointer Authentication
    Pascal Nasahl, Robert Schilling and Stefan Mangard
    Abstract: Physically exposed embedded devices used in the IoT or automotive area are frequently targeted by fault attacks. Mitigating this threat is crucial as such attacks can be used to hijack the control-flow and bypass secure boot, gain arbitrary code execution, or retrieve sensitive information. However, control-flow integrity (CFI), which aims to be an effective countermeasure thwarting fault-induced control-flow hijacking attacks, does not protect addresses, allowing an attacker to still hijack the control-flow of indirect branches. To counteract unwanted bit flips, data encoding schemes are frequently used to add redundancy to these addresses. However, as software-based data encoding schemes yield large runtime overheads, encoding schemes typically require custom CPU changes, which are not feasible for off-the-shelf systems. Hence, software-based address redundancy schemes for commodity devices are needed to thwart fault attacks on indirect branches. In this paper, we utilize the ARM pointer authentication feature of recent ARM architectures to efficiently protect the target addresses of indirect calls. In addition to the address protection, we further enhance the state update function of existing CFI schemes to protect the link between indirect control-flow transfers. To demonstrate how these defense mechanisms improve the protection of state-of-the-art CFI countermeasures, we integrate our address encoding and linking strategy into a previously introduced CFI scheme. We further extend an LLVM-based toolchain to automatically thwart fault attacks on indirect branches without user interaction. Our analysis shows a negligible overhead of less than 2.34% on average for protecting the target addresses of indirect branches and the link between indirect branches on SPEC2017.
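A software model of the two mechanisms named in the abstract, added here and not the authors' code: it mirrors the PACIA/AUTIA semantics of ARMv8.3 pointer authentication (a keyed PAC over the 48-bit address and a modifier, stored in the unused upper bits of the pointer) with a toy keyed mix in place of the hardware cipher, uses the CFI state expected at a call site as the PAC modifier, and chains the authenticated target into the next CFI state so that a skipped or redirected transfer is caught at the following site. The key, the mix function, the state-update function, the initial state and the handler table are constructed assumptions for the example; on hardware the key is held in system registers that EL0 cannot read and the cipher is QARMA or an implementation-defined alternative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)

/* Constructed key for the model (stands in for APIAKey). */
static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;

/* Toy keyed mix standing in for the PAC cipher (assumption; not QARMA). */
static uint16_t toy_pac(uint64_t ptr, uint64_t modifier)
{
    uint64_t x = (ptr ^ pac_key) + modifier * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return (uint16_t)x;
}

/* PACIA-like: PAC over the 48-bit target under a modifier, kept in bits 48..63. */
uint64_t sign_target(uint64_t target, uint64_t modifier)
{
    target &= VA_MASK;
    return target | ((uint64_t)toy_pac(target, modifier) << VA_BITS);
}

/* AUTIA-like: recompute and compare; on mismatch no usable address is produced. */
bool auth_target(uint64_t signed_target, uint64_t modifier, uint64_t *target_out)
{
    uint64_t target = signed_target & VA_MASK;
    if ((uint16_t)(signed_target >> VA_BITS) != toy_pac(target, modifier))
        return false;
    *target_out = target;
    return true;
}

/* CFI state update that links transfers: the next state depends on the
 * authenticated target (constructed update function, illustration only). */
uint64_t cfi_next_state(uint64_t state, uint64_t target)
{
    return (state * 0x100000001B3ULL) ^ target;
}

typedef int (*handler_t)(int);
static int handler_double(int x) { return 2 * x; }
static int handler_negate(int x) { return -x; }

/* One protected indirect call. The call site knows its expected CFI state
 * statically and uses it both for the link check and as the PAC modifier. */
bool protected_call(uint64_t signed_target, int arg, uint64_t expected_state,
                    uint64_t *state, int *result)
{
    if (*state != expected_state) return false;            /* link to the previous transfer broken */
    uint64_t target;
    if (!auth_target(signed_target, expected_state, &target)) return false;  /* target faulted */
    handler_t fn = (handler_t)(uintptr_t)target;
    *result = fn(arg);
    *state = cfi_next_state(*state, target);
    return true;
}

/* Two chained indirect calls. fault_bit in [0,63] flips that bit of the first
 * signed target (a glitch on the loaded pointer); skip_first_update models a
 * fault that skips the first site's state update. Returns 0 on success,
 * 1 if the target fault is caught, 2 if the broken link is caught. */
int scenario(int fault_bit, bool skip_first_update, int *out)
{
    const uint64_t s0 = 0x1234;                             /* constructed initial CFI state */
    uint64_t t1 = (uint64_t)(uintptr_t)handler_double;
    uint64_t t2 = (uint64_t)(uintptr_t)handler_negate;
    uint64_t s1 = cfi_next_state(s0, t1 & VA_MASK);         /* state expected at site 2 */
    uint64_t table[2] = { sign_target(t1, s0), sign_target(t2, s1) };
    if (fault_bit >= 0 && fault_bit < 64) table[0] ^= 1ULL << fault_bit;

    uint64_t state = s0;
    int r1 = 0, r2 = 0;
    if (!protected_call(table[0], 21, s0, &state, &r1)) return 1;
    if (skip_first_update) state = s0;
    if (!protected_call(table[1], r1, s1, &state, &r2)) return 2;
    *out = r2;
    return 0;
}

int main(void)
{
    int out = 0;
    printf("clean: rc=%d out=%d\n", scenario(-1, false, &out), out);
    printf("PAC bit 50 flipped: rc=%d\n", scenario(50, false, &out));
    printf("state update skipped: rc=%d\n", scenario(-1, true, &out));
    return 0;
}
```

The caveat a practitioner should keep in mind: the PAC occupies only the bits the address does not use (16 here), so a flip in the PAC bits is always caught, while a flip in the low address bits escapes with probability about 2^-16 per attempt. The demonstration flips a PAC bit so the outcome is deterministic regardless of where the handlers are loaded. The link check is what catches the case where the transfer itself is correct but the state update was skipped.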