ABSTRACT
The recent trend of providing fast and flexible hardware platforms as-a-service, coupled with advances in hardware design tools, has significantly reduced the effort of designing new hardware. Additionally, with the advent of open-source Instruction Set Architectures (ISAs) such as OpenRISC and RISC-V, we are witnessing the rise of a wide variety of open-source and commercial processor cores and System-on-Chip (SoC) designs in a short time.
However, this development bears the risk of growing hardware security vulnerabilities. Indeed, we are witnessing new forms of sophisticated cross-layer attacks that use software to exploit hardware vulnerabilities and design flaws with fatal consequences. At the same time, the existing hardware verification techniques are unable to keep up with the increased complexity and diversity of SoC designs.
In this paper, we present our efforts and insightful findings on taking a deep dive into hardware security and cross-layer attacks. Inspired by real-world vulnerabilities and insights from our industry collaborator, we have been conducting the world's largest hardware security competitions since 2018. The main goal is to significantly advance SoC vulnerability detection methods and techniques and their automation. Throughout this competition, we have provided a representative testbed of real-world software-exploitable RTL bugs based on RISC-V SoCs. We envision our RISC-V testbed of RTL bugs offered as a cloud-based service providing a rich exploratory ground for future research in hardware security verification and contributing to the open-source hardware landscape.
Organizing The World's Largest Hardware Security Competition: Challenges, Opportunities, and Lessons Learned