Abstract
In this paper, we present a hardware/software co-attack that hijacks program flow on microcontrollers. The basic idea is to skip a few instructions by multiple fault injection, in cooperation with a software attack. We focus on buffer overflow (BOF) attacks combined with such multiple fault injection. The proposed attack applies to program code protected by a typical software countermeasure against BOF attacks: it manipulates control flow by skipping specific instructions of the countermeasure, so that the subsequent BOF attack payload executes successfully on the microcontroller. We show the effectiveness of the attack through experiments on an 8-bit AVR ATmega163 microcontroller and a 32-bit ARM Cortex-M0+ microcontroller, where the target software was equipped with a countermeasure that limits the size of user input against BOF attacks. The results show that our attack can overwrite a return address stored on the stack and call an arbitrary malicious function. We also propose a software countermeasure against our attack and prove its validity by examining all possible instruction skips.
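The abstract describes two things a practitioner will want to see concretely: how skipping the instructions of an input-size check turns a bounded copy into a return-address overwrite, and how a countermeasure can be validated by enumerating every possible instruction skip. The following C model is an added example written for this page; it is not code from the paper, and the hardened variant is an illustrative redundancy pattern, not the countermeasure the authors prove. It assumes a simplified stack frame (input buffer immediately followed by the saved return address), models each compare-and-branch or copy as one skippable "step", and uses constructed addresses and payload bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Modeled stack frame of the vulnerable function: the local input buffer
   followed directly by the saved return address (assumed layout; real
   AVR/Cortex-M frames differ, but the ordering is what the attack needs). */
typedef struct {
    uint8_t  buf[BUF_SIZE];
    uint32_t saved_ret;
} frame_t;

#define ORIG_RET   0x08000123u   /* constructed: legitimate return address */
#define ATTACK_RET 0x20001000u   /* constructed: address of the "malicious function" */

/* Bit i of skip_mask set => step i of the copy routine is skipped. Each step
   stands for the compare-and-branch (or copy) instructions a glitch would skip. */
#define SKIPPED(mask, step) (((mask) >> (step)) & 1u)

typedef int (*copy_fn)(frame_t *f, const uint8_t *in, size_t len, unsigned skip_mask);

/* Naive countermeasure: a single length check in front of the copy. */
enum { N_CHECK = 0, N_COPY = 1, NAIVE_STEPS = 2 };

static int naive_copy(frame_t *f, const uint8_t *in, size_t len, unsigned skip_mask)
{
    if (!SKIPPED(skip_mask, N_CHECK) && len > BUF_SIZE)
        return -1;                                        /* reject oversized input */
    if (!SKIPPED(skip_mask, N_COPY))
        memcpy(f, in, len > sizeof *f ? sizeof *f : len); /* not bounded by buf */
    return 0;
}

/* Hardened variant (illustrative pattern, not the paper's countermeasure):
   two independently coded checks plus a clamp that bounds the copy itself. */
enum { H_CHECK_A = 0, H_CHECK_B = 1, H_CLAMP = 2, H_COPY = 3, HARD_STEPS = 4 };

static int hardened_copy(frame_t *f, const uint8_t *in, size_t len, unsigned skip_mask)
{
    size_t n = len;
    if (!SKIPPED(skip_mask, H_CHECK_A) && n > BUF_SIZE)
        return -1;
    if (!SKIPPED(skip_mask, H_CHECK_B) && !(n <= BUF_SIZE))  /* same predicate, inverted form */
        return -1;
    if (!SKIPPED(skip_mask, H_CLAMP))
        n = n > BUF_SIZE ? BUF_SIZE : n;                     /* bounds the copy even if both checks are gone */
    if (!SKIPPED(skip_mask, H_COPY))
        memcpy(f, in, n > sizeof *f ? sizeof *f : n);
    return 0;
}

/* Run one copy routine under a given skip pattern with an oversized input that
   fills buf and lands ATTACK_RET on the saved return address. Returns 1 if the
   return address was hijacked. */
static int hijacked_under_mask(copy_fn fn, unsigned skip_mask)
{
    frame_t f;
    uint8_t attack[sizeof(frame_t)];
    uint32_t r = ATTACK_RET;

    memset(f.buf, 0, sizeof f.buf);
    f.saved_ret = ORIG_RET;
    memset(attack, 'A', sizeof attack);       /* constructed payload */
    memcpy(attack + BUF_SIZE, &r, sizeof r);  /* bytes that land on saved_ret */

    fn(&f, attack, sizeof attack, skip_mask);
    return f.saved_ret == ATTACK_RET;
}

static int count_bits(unsigned x)
{
    int c = 0;
    for (; x; x >>= 1) c += (int)(x & 1u);
    return c;
}

/* Exhaustively try every combination of skipped steps and return the smallest
   number of skips that hijacks the return address, or -1 if no pattern does. */
static int min_skips_to_hijack(copy_fn fn, unsigned n_steps)
{
    int best = -1;
    for (unsigned mask = 0; mask < (1u << n_steps); mask++) {
        if (hijacked_under_mask(fn, mask)) {
            int c = count_bits(mask);
            if (best < 0 || c < best) best = c;
        }
    }
    return best;
}

int main(void)
{
    printf("naive:    %d skip(s) needed\n", min_skips_to_hijack(naive_copy, NAIVE_STEPS));
    printf("hardened: %d skip(s) needed\n", min_skips_to_hijack(hardened_copy, HARD_STEPS));
    return 0;
}
```

The single-check routine falls to one skip (the length check), which is the situation the abstract describes; the redundant routine needs three simultaneous skips in this model, which is what an exhaustive skip enumeration of the kind the paper uses for its proof makes visible. Two caveats apply when carrying this over to real firmware: a glitch skips machine instructions, not C statements, so the enumeration must be done on the compiled code, and an optimizing compiler will happily fold the two identical predicates into one branch, so the redundancy has to be checked in the generated assembly rather than assumed from the source.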
Acknowledgments
This work was mainly done while Shoei Nashimoto was at Tohoku University. This work was supported by JSPS KAKENHI Grant Nos. 25240006 and 16K12436.
Cite this article
Nashimoto, S., Homma, N., Hayashi, Yi. et al. Buffer overflow attack with multiple fault injection and a proven countermeasure. J Cryptogr Eng 7, 35–46 (2017). https://doi.org/10.1007/s13389-016-0136-3