SlideShare a Scribd company logo

Controlling PC on ARM using Fault Injection

Riscure
Riscure

The slides from the presentation by Riscure's Niek Timmers, Albert Spruyt and Marc Whitteman. The paper describes an ARM specific fault injection attack strategy for exploiting embedded systems where externally controlled data is loaded in the program counter (PC) register of the processor.

Technology
1 of 86
Download to read offline
Public 1 Controlling PC on ARM using Fault Injection Niek Timmers timmers@riscure.com Albert Spruyt spruyt@riscure.com Marc Witteman witteman@riscure.com August 16, 2016
Public 2 Table of contents 1 Attack strategy 2 Practical attack scenario 3 Simulation 4 Experimentation 5 Countermeasures 6 Conclusion
Public 3 Fault injection techniques clock voltage electromagnetic laser
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
Public 14 Experimentation - Test setup
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
Public 16 Experimentation - Characterization
Public 17 Experimentation - Test application (LDR) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldr r0, [r1];" // 9 <repeat x1000> // GLITCH HERE 10 "ldr r0, [r1]" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: ""
Public 18 Experimentation - LDR - 10k
Public 19 Experimentation - Test application (LDMIA) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldmia r0!, r4-r7;" // 9 <repeat x1000> // GLITCH HERE 10 "ldmia r0!, r4-r7" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: "" ]
Public 20 Experimentation - LDMIA - 10k
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com
Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com

Recommended

Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware WalletsRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 

Recommended

Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware WalletsRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
Understanding and Improving Device Access Complexity
Understanding and Improving Device Access ComplexityUnderstanding and Improving Device Access Complexity
Understanding and Improving Device Access Complexityasimkadav
 
Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsRiscure
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCERiscure
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
HKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: IntroductionHKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: IntroductionLinaro
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Arm architecture
Arm architectureArm architecture
Arm architecturePantech ProLabs India Pvt Ltd
 
ARM.ppt
ARM.pptARM.ppt
ARM.pptMostafaParvin1
 

More Related Content

What's hot

Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsRiscure
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersAleksandr Timorin
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 NetworksChris Sistrunk
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCERiscure
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAleksandr Timorin
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentestersPositive Hack Days
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersPositive Hack Days
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
HKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: IntroductionHKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: IntroductionLinaro
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 

What's hot (20)

Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Protecting Your DNP3 Networks
Protecting Your DNP3 NetworksProtecting Your DNP3 Networks
Protecting Your DNP3 Networks
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCE
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVEAttacking SCADA systems: Story Of SCADASTRANGELOVE
Attacking SCADA systems: Story Of SCADASTRANGELOVE
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
Industrial protocols for pentesters
Industrial protocols for pentestersIndustrial protocols for pentesters
Industrial protocols for pentesters
 
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentestersAlexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
Alexander Timorin, Dmitry Efanov. Industrial protocols for pentesters
 
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
 
HKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: IntroductionHKG18-212 - Trusted Firmware M: Introduction
HKG18-212 - Trusted Firmware M: Introduction
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 

Similar to Controlling PC on ARM using Fault Injection

The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecturesreea4
 
Arm teaching material
Arm teaching materialArm teaching material
Arm teaching materialJohn Williams
 
Lect05 Prog Model
Lect05 Prog ModelLect05 Prog Model
Lect05 Prog Modelanoosdomain
 
ESD_05_ARM_Instructions set for preparation
ESD_05_ARM_Instructions set for preparationESD_05_ARM_Instructions set for preparation
ESD_05_ARM_Instructions set for preparationssuser026e94
 
LPC 2148 Instructions Set.ppt
LPC 2148 Instructions Set.pptLPC 2148 Instructions Set.ppt
LPC 2148 Instructions Set.pptProfBadariNathK
 
ARM - Advance RISC Machine
ARM - Advance RISC MachineARM - Advance RISC Machine
ARM - Advance RISC MachineEdutechLearners
 
Arm instruction set
Arm instruction setArm instruction set
Arm instruction setRavi Babu
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 

Similar to Controlling PC on ARM using Fault Injection (20)

Arm architecture
Arm architectureArm architecture
Arm architecture
 
ARM.ppt
ARM.pptARM.ppt
ARM.ppt
 
The ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM ArchitectureThe ARM Architecture: ARM : ARM Architecture
The ARM Architecture: ARM : ARM Architecture
 
Arm
ArmArm
Arm
 
Arm teaching material
Arm teaching materialArm teaching material
Arm teaching material
 
Arm teaching material
Arm teaching materialArm teaching material
Arm teaching material
 
Ch2 arm-1
Ch2 arm-1Ch2 arm-1
Ch2 arm-1
 
Lect05 Prog Model
Lect05 Prog ModelLect05 Prog Model
Lect05 Prog Model
 
ch2-arm-1.ppt
ch2-arm-1.pptch2-arm-1.ppt
ch2-arm-1.ppt
 
arm-intro.ppt
arm-intro.pptarm-intro.ppt
arm-intro.ppt
 
ARM Introduction
ARM IntroductionARM Introduction
ARM Introduction
 
Arm (2)
Arm (2)Arm (2)
Arm (2)
 
Embedded system - introduction to arm7
Embedded system - introduction to arm7Embedded system - introduction to arm7
Embedded system - introduction to arm7
 
ESD_05_ARM_Instructions set for preparation
ESD_05_ARM_Instructions set for preparationESD_05_ARM_Instructions set for preparation
ESD_05_ARM_Instructions set for preparation
 
S emb t4-arch_cpu
S emb t4-arch_cpuS emb t4-arch_cpu
S emb t4-arch_cpu
 
LPC 2148 Instructions Set.ppt
LPC 2148 Instructions Set.pptLPC 2148 Instructions Set.ppt
LPC 2148 Instructions Set.ppt
 
ARM - Advance RISC Machine
ARM - Advance RISC MachineARM - Advance RISC Machine
ARM - Advance RISC Machine
 
arm
armarm
arm
 
Arm instruction set
Arm instruction setArm instruction set
Arm instruction set
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 

More from Riscure

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyRiscure
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisRiscure
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure IntroductionRiscure
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passportsRiscure
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsRiscure
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresRiscure
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Riscure
 

More from Riscure (9)

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cards
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding Countermeasures
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 

Recently uploaded

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Recently uploaded (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

Controlling PC on ARM using Fault Injection

  • 1. Public 1 Controlling PC on ARM using Fault Injection Niek Timmers timmers@riscure.com Albert Spruyt spruyt@riscure.com Marc Witteman witteman@riscure.com August 16, 2016
  • 2. Public 2 Table of contents 1 Attack strategy 2 Practical attack scenario 3 Simulation 4 Experimentation 5 Countermeasures 6 Conclusion
  • 3. Public 3 Fault injection techniques clock voltage electromagnetic laser
  • 4. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 5. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 6. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 7. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 8. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 9. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 10. Public 4 Fault injection fault model Instruction corruption MOV R0, R1 11100001101000000000000000000000 MOV R0, R2 11100001101000000000000000000010 MOV R0, R1 11100001101000000000000000000001 STR R7, [R7, #16] 11100101100010010111000000010000 Instruction skipping MOV R0, R1 11100001101000000000000000000001 MOV R1, R1 11100001101000000001000000000001 MOV R0, R1 11100001101000000000000000000001 MOV R6, R6 11100001101000000110000000000110
  • 11. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 12. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 13. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 14. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 15. Public 5 Why ARM? • ARM is everywhere • The PC register is directly accessible in ARM (AArch32)
  • 16. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 17. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 18. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 19. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 20. Public 6 All systems copy data from A to B! Single word copy using LDR / STR 1 WordCopy: 2 LDR r3, [r1], #4 3 STR r3, [r0], #4 4 SUBS r2, r2, #4 5 BGE WordCopy Multi-word copy using LDMIA / STMIA 1 MultiWorldCopy: 2 LDMIA r1!, {r3 - r10} 3 STMIA r0!, {r3 - r10} 4 SUBS r2, r2, #32 5 BGE MultiWorldCopy
  • 21. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 22. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 23. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 24. Public 7 Why are copy operations interesting? • They operate on attacker controlled data • They are executed multiple times consecutively • They are typically not protected
  • 25. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 26. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 27. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 28. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 29. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 30. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 31. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 32. Public 8 Corrupting load instructions to control PC Controlling PC using LDR LDR r3, [r1], #4 11100100100100010011000000000100 LDR PC, [r1], #4 11100100100100011111000000000100 Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 Important: The destination register(s) is encoded differently!
  • 33. Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
  • 34. Public 9 Practical attack: Secure Boot http://infocenter.arm.com/help/index.jsp?topic= /com.arm.doc.prd29-genc-009492c/ch05s02s01.html
  • 35. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 36. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 37. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 38. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 39. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 40. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 41. Public 10 Boot time attack - Possible approach 1) Destination must be known for the pointer value 2) Original contents in flash must be modified 3) Fault is injected while the pointers are copied 4) Target is compromised when the pointer is loaded into PC
  • 42. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 43. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 44. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 45. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 46. Public 11 Simulation - LDR Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldr r3, [r0];" // target instruction 7 ) 8 } Results ldr r3, [r0] 00000000001100001001000011100101 ldr pc, [r0] 00000000111100001001000011100101 ldrle pc, [r0] 00000000111100001001000011010101 ldr pc, [r0, #4] 00000100111100001001000011100101 ldrne pc, [r0], #8 00001000111100001001000000010100
  • 47. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 48. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 49. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 50. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 51. Public 12 Simulation - LDMIA Test code 1 void print_string (void) { printf("success"); } 2 void main(void) { 3 unsigned int buffer = { &print_string, ... } 4 asm volatile ( 5 "ldr r0, &buffer;" 6 "ldmia r0!, {r4-r7};" // target instruction 7 ) 8 } Results ldmia r0!,{r4-r7} 11110000000000001011000011101000 ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000 ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000 ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000 ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
  • 52. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 53. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 54. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 55. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 56. Public 13 Experimentation - Target modification • Power cut • Removal of capacitors • Reset • Trigger
  • 58. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 59. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 60. Public 15 Experimentation - Characterization 1 void main(void) { 2 volatile unsigned int counter = 0; 3 set_trigger(1); 4 asm volatile ( 5 "add r0, r0, #1;" // 6 <repeat x1000> // GLITCH HERE 7 "add r0, r0, #1;" // 8 ); 9 set_trigger(0); 10 printf("%08xn", counter); 11 } Output 1: "00001000" Output 2: "00000fff" Output 3: ""
  • 62. Public 17 Experimentation - Test application (LDR) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldr r0, [r1];" // 9 <repeat x1000> // GLITCH HERE 10 "ldr r0, [r1]" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: ""
  • 64. Public 19 Experimentation - Test application (LDMIA) 1 void print_string (void) { printf("success"); } 2 unsigned int buffer[8] = { &print_string, ...} 3 4 void main(void) { 5 set_trigger(1); 6 asm volatile ( 7 "ldr r1, =buffer;" 8 "ldmia r0!, r4-r7;" // 9 <repeat x1000> // GLITCH HERE 10 "ldmia r0!, r4-r7" // 11 ); 12 set_trigger(0); 13 printf("no!"); 14 } Output 1: "success" Output 2: "no!" Output 3: "" ]
  • 66. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 67. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 68. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 69. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 70. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 71. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 72. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 73. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 74. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 75. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 76. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 77. Public 21 Countermeasures • Dedicated hardware countermeasures • Fault injection detectors/sensors • Integrity checks (e.g. instruction parity) • Dedicated software countermeasures • Deflect (e.g. random delays) • Detect (e.g. double check) • React (e.g. reset) • Software exploitation mitigations • Only enable execution from memory when needed • Randomize copy destination You can lower the probability but you cannot rule it out!
  • 78. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 79. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 80. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 81. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 82. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 83. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 84. Public 22 Conclusion • The target is vulnerable to voltage FI • The PC register on ARM is controllable using FI • Combining fault injection and software exploitation is effective • Success rate is different for ldr and ldmia • The instruction encoding matters • Software FI countermeasures may not be effective • Software exploitation mitigations may complicate attack • Other instructions and code constructions may be vulnerable • Other architectures may be vulnerable using specific code constructions
  • 85. Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com
  • 86. Contact: Niek Timmers Senior Security Analyst timmers@riscure.com We are hiring! inforequest@riscure.com