Lightweight Countermeasures Against Original Linear Code Extraction Attacks on a RISC-V Core
Théophile Gousselot, Olivier Thomas, J. Dutertre, O. Potin, J. Rigaud
2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), May 2023
DOI: 10.1109/HOST55118.2023.10133316
Linear Code Extraction (LCE) is an invasive attack that aims to extract the entire code from a device's memory for reverse engineering. The core's instruction bus is identified and microprobed using Failure Analysis tools, while other microprobes force internal nodes of the core to the logic states that allow a full linear read-out of memory. This paper presents the first assessment of a RISC-V core's vulnerability to LCE. It evaluates the complexity of extracting the code in the right order either by freezing the instruction register or by editing the incoming instructions. It introduces three original countermeasures that detect an ongoing LCE by monitoring symptoms such as the absence of executed branch instructions. These hardware countermeasures are lightweight and adaptable to other core architectures. We develop an experimental setup based on a functional simulation framework and an FPGA-based demonstration, which made it possible to study and assess the LCE vulnerabilities of our RISC-V target and to validate the effectiveness of the proposed countermeasures. The area overhead was measured between 0.52% and 1.47% of the cv32e40p RISC-V core. Depending on the detection latency target, the clock cycle overhead on the Embench benchmarks is either zero or below 1%.
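As an added illustration, not code from the paper or the authors' RTL, the following Python model turns the symptom the abstract names, the absence of executed branch instructions, into a detector and runs it against the two extraction techniques the abstract mentions (a frozen instruction register and edited incoming instructions). It decodes only the opcode field of RV32I and RV32C instruction words; the loop, the memory image, the attacker models, the threshold and the class and function names are constructed for this example and are assumptions, not anything the paper specifies.

```python
"""Model of one LCE symptom detector: a core that has stopped executing branches.

Added illustration, not the authors' RTL. During Linear Code Extraction the
program counter is walked through memory sequentially, either because the
instruction register (IR) is frozen or because the instructions the core sees
are rewritten on the way in. Either way the core stops retiring branches and
jumps. The monitor below counts retired instructions since the last
control-flow instruction and latches an alarm once that count reaches a
threshold; the threshold is the detection latency in instructions.
"""
from typing import Iterable, List, Optional

# RV32I base opcodes (low 7 bits of a 32-bit instruction word)
OPC_BRANCH = 0b1100011  # beq/bne/blt/bge/bltu/bgeu
OPC_JAL = 0b1101111
OPC_JALR = 0b1100111


def is_control_flow(insn: int) -> bool:
    """True if the word is a branch or jump (RV32I, plus the RV32C forms)."""
    if insn & 0b11 == 0b11:                       # 32-bit encoding
        return insn & 0x7F in (OPC_BRANCH, OPC_JAL, OPC_JALR)
    # 16-bit compressed encoding: quadrant in bits [1:0], funct3 in bits [15:13]
    quadrant = insn & 0b11
    funct3 = (insn >> 13) & 0b111
    if quadrant == 0b01:
        return funct3 in (0b001, 0b101, 0b110, 0b111)  # c.jal, c.j, c.beqz, c.bnez
    if quadrant == 0b10 and funct3 == 0b100:
        rs1 = (insn >> 7) & 0x1F
        rs2 = (insn >> 2) & 0x1F
        return rs2 == 0 and rs1 != 0               # c.jr / c.jalr (c.mv, c.add have rs2 != 0)
    return False


class BranchStarvationMonitor:
    """Counts instructions retired since the last branch/jump; alarms at `threshold`."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.since_branch = 0
        self.alarm_index: Optional[int] = None   # trace index at which the alarm latched
        self._retired = 0

    def step(self, insn: int) -> bool:
        """Feed one retired instruction word; returns True once the alarm has latched."""
        if is_control_flow(insn):
            self.since_branch = 0
        else:
            self.since_branch += 1
            if self.since_branch >= self.threshold and self.alarm_index is None:
                self.alarm_index = self._retired
        self._retired += 1
        return self.alarm_index is not None


def scan(trace: Iterable[int], threshold: int) -> Optional[int]:
    """Run the monitor over a retired-instruction trace; None means no alarm."""
    mon = BranchStarvationMonitor(threshold)
    for insn in trace:
        mon.step(insn)
    return mon.alarm_index


# --- constructed sample code (assumed for this example, not from the paper) ---
ADDI_T0_3 = 0x00300293    # addi t0, zero, 3
ADDI_T0_M1 = 0xFFF28293   # addi t0, t0, -1
BNE_T0_LOOP = 0xFE029EE3  # bne  t0, zero, -4   (back to the addi above)
NOP = 0x00000013          # addi zero, zero, 0
RET = 0x00008067          # jalr zero, 0(ra)

# Memory image: a 3-iteration countdown loop followed by some straight-line filler.
MEMORY_IMAGE: List[int] = [ADDI_T0_3, ADDI_T0_M1, BNE_T0_LOOP, RET] + [NOP] * 6
# What the core retires when that loop runs normally: a branch every other instruction.
NORMAL_TRACE: List[int] = [ADDI_T0_3] + [ADDI_T0_M1, BNE_T0_LOOP] * 3 + [RET]


def edit_incoming_instructions(image: Iterable[int]) -> List[int]:
    """Attacker model: every branch/jump on the bus is rewritten to a NOP, so the
    core walks the image linearly and the real words can be read off the probes."""
    return [NOP if is_control_flow(w) else w for w in image]


def freeze_instruction_register(insn: int, cycles: int) -> List[int]:
    """Attacker model: the IR is held at one non-branching word while memory is read out."""
    return [insn] * cycles


if __name__ == "__main__":
    print("normal loop      :", scan(NORMAL_TRACE, 6))
    print("edited incoming  :", scan(edit_incoming_instructions(MEMORY_IMAGE), 6))
    print("frozen IR        :", scan(freeze_instruction_register(ADDI_T0_M1, 50), 6))
```

The threshold sets the trade-off the abstract alludes to: a low value detects an extraction after a few instructions but will also fire on legitimately long straight-line code (unrolled loops, hand-scheduled crypto kernels), a high value tolerates such code at the cost of letting more words leak before detection. A detector keyed on the decoded opcode alone, as above, has a further blind spot of my own noting: an IR frozen on a never-taken branch keeps resetting the counter while the PC still advances linearly, so a variant that resets only on a taken branch (a PC discontinuity) is stricter at the price of tracking the PC.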