SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la sécurité des systèmes d’information Journée JAIF – PARIS – 29 Mai 2018
ANSSI? Késako? These missions concern: Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? the general public. companies and governmental entities, protection. ANSSI (French Network and Information Security Agency) has InfoSec (and no communicate on information security threats and the related means of provide reliable advice and support and services, prevent threats by supporting the development of trusted products and detect and early react to cyber attacks, Intelligence) missions: 1 / 14
From the SE to the SoC Sensitive assets are in and computed on the Secure Element (SE). Secure Element are designed to be tamper-resistant against physical and sofuware attacks. System on Chips (SoC) are everywhere: Secure Element are limited resources devices. For sensitive operations where more resources are required, SoCs are used. What about security of the SoC? SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 2 / 14 ◮ Automotive ◮ Smartphone ◮ IoT
From the SE to the SoC Sensitive assets are in and computed on the Secure Element (SE). Secure Element are designed to be tamper-resistant against physical and sofuware attacks. System on Chips (SoC) are everywhere: Secure Element are limited resources devices. For sensitive operations where more resources are required, SoCs are used. What about security of the SoC? SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 2 / 14 ◮ Automotive ◮ Smartphone ◮ IoT
What’s a System On Chip (SoC) ? Less space needed Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Package mini PCB Wirebounds BGA SoC Stacked RAM Low power consumption Why ? SoC FPGA Communication BUS Voltage regulators/PMICs ADCs/DACs I/O Timers Timing sources Memories DSPs 3 / 14 µ Controllers µ Processors No data storage → Package On Package
SoC Manufacturers G-series by AMD Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? SoC architectures distribution x86 8.3 % ARM 91.7 % Allwinner A by Allwinner AML by Amlogic MSM & APQ (Snapdragon) by OMAP by Texas Instrument Kirin by Hisilicon RK by Fuzhou RockChip Atom by Intel (x86) Tegra by Nvidia Apple A by Apple MT & Helio by MediaTek Exynos by Samsung Qualcomm 4 / 14
Sofuware-security oriented component (Source: https://developer.arm.com/technologies/trustzone ) SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 5 / 14
Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities Rich OS integrity is ensured by the secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14
Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities Rich OS integrity is ensured by the secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14
Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the
Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the ◮ Rich OS might be jailbreaked (like
Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the ◮ Rich OS might be jailbreaked (like
State-of-the-art physical attacks Pipeline Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Virtual to physical MMU Injection medium Cache Bus Register Clock RAM UV BBI EM Laser Glitch voltage Sofuware Sofuware security Sofuware target Physical target 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Project Zero attack/Drammer (2015 - 2016) [Vee+16] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Project Zero NaCl/Rowhammer on TrustZone (2015) [Car17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? ClkScrew (2017) [TSS17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Cryptography Key Instruction Return value Program counter User rights Memory partitioning Secure boot Virtual to physical Execution flow integry ? Controlling PC on ARM (2016) [TSW16] SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Attack on PS3 Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Attack on Xbox 360 (2015) [Bla15] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Laser induced fault on smartphone (2017) [Vas+17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14
Recommend
More recommend