
Buffer overflow attack with multiple fault injection and a proven countermeasure

  • Special Section on Proofs 2015
  • Journal of Cryptographic Engineering

Abstract

In this paper, we present a hardware/software co-attack that hijacks program flow on microcontrollers. The basic idea is to skip a few instructions using multiple fault injection in the microcontroller, in cooperation with a software attack. We focus on buffer overflow (BOF) attacks combined with such multiple fault injection. The proposed attack can be applied to program code that carries a typical software countermeasure against BOF attacks. The attack manipulates the program control flow by skipping specific instructions belonging to the countermeasure, so that the subsequent BOF attack code is executed successfully on the microcontroller. We show the effectiveness of the proposed attack through experiments using an 8-bit AVR ATmega163 microcontroller and a 32-bit ARM Cortex-M0+ microcontroller, where the target software was equipped with a countermeasure that limits the size of user input against BOF attacks. The results show that the attack can overwrite a return address stored on the stack and call an arbitrary malicious function. We also propose a software countermeasure against the attack and prove its validity by examining all possible instruction skips.
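An added illustration, not code from the paper: a C model of the input-length check the abstract describes, where a `skip` argument stands in for a fault that skips one numbered step. The naive guard falls to a single skipped branch; the duplicated-check variant (an assumed pattern, not the paper's own countermeasure) is then examined against every single skip, which is the style of argument the abstract's proof makes. The tokens T1/T2, the step numbering and the buffer sizes are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16         /* the bound the countermeasure is supposed to enforce */
#define SCRATCH 64         /* oversized model buffer: an overflow shows up as a */
                           /* return value > BUF_LEN, never as real corruption  */
#define T1 0xA5            /* constructed tokens recorded by each passed check   */
#define T2 0x5A
#define RUN(k) (skip != (k)) /* step k executes unless the modelled fault skips it */

static uint8_t scratch[SCRATCH];
static const uint8_t src[SCRATCH] = { 'A' };   /* constructed user input */

/* Single compare-and-branch guard, the pattern the abstract attacks: skipping
   step 1 (the branch) falls straight through into the copy with n unchecked. */
size_t naive_copy(size_t n, int skip)
{
    if (RUN(1) && n > BUF_LEN) return 0;               /* step 1: the only guard */
    if (RUN(2)) { memcpy(scratch, src, n); return n; } /* step 2: copy n bytes   */
    return 0;
}

/* Duplicated-check pattern (an illustration, not the paper's own countermeasure):
   two independent checks each record a token and the copy runs only when both
   tokens are present and consistent. A skipped branch is modelled as falling
   through into the guarded assignment, i.e. that check "passes" unconditionally. */
size_t hardened_copy(size_t n, int skip)
{
    volatile uint8_t t1 = 0, t2 = 0;                         /* default: reject */
    if (!RUN(1) || n <= BUF_LEN) { if (RUN(2)) t1 = T1; }    /* steps 1-2       */
    if (!RUN(3) || n <= BUF_LEN) { if (RUN(4)) t2 = T2; }    /* steps 3-4       */
    if (RUN(5) && (uint8_t)(t1 ^ t2) != (T1 ^ T2)) return 0; /* step 5: agree?  */
    if (RUN(6) && t1 != T1) return 0;                        /* step 6: re-check */
    if (RUN(7)) { memcpy(scratch, src, n); return n; }       /* step 7: copy    */
    return 0;
}

/* Examine every single skip (0 = no fault) for every length: the hardened copy
   must never exceed BUF_LEN and must still accept valid input when unfaulted. */
bool hardened_all_skips_safe(void)
{
    for (int skip = 0; skip <= 7; skip++)
        for (size_t n = 0; n <= SCRATCH; n++) {
            size_t got = hardened_copy(n, skip);
            if (got > BUF_LEN || (skip == 0 && n <= BUF_LEN && got != n)) return false;
        }
    return true;
}
```

With a single skip the hardened variant may reject valid input (fail-safe), but no skip position lets more than BUF_LEN bytes reach the copy.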



Acknowledgments

This work was mainly done while Shoei Nashimoto was at Tohoku University. This work has been supported by JSPS KAKENHI Grant Nos. 25240006 and 16K12436.


Correspondence to Shoei Nashimoto.


Cite this article

Nashimoto, S., Homma, N., Hayashi, Yi. et al. Buffer overflow attack with multiple fault injection and a proven countermeasure. J Cryptogr Eng 7, 35–46 (2017). https://doi.org/10.1007/s13389-016-0136-3
