controlling pc on arm using fault injection
TRANSCRIPT
![Page 1: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/1.jpg)
Public
1
Controlling PC on ARM using Fault Injection
Niek [email protected]
Albert [email protected]
Marc [email protected]
August 16, 2016
![Page 2: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/2.jpg)
Public
2
Table of contents
1 Attack strategy
2 Practical attack scenario
3 Simulation
4 Experimentation
5 Countermeasures
6 Conclusion
![Page 3: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/3.jpg)
Public
3
Fault injection techniques
clock voltage electromagnetic laser
![Page 4: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/4.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 5: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/5.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 6: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/6.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 7: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/7.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 8: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/8.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 9: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/9.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 10: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/10.jpg)
Public
4
Fault injection fault model
Instruction corruption
MOV R0, R1 11100001101000000000000000000000MOV R0, R2 11100001101000000000000000000010
MOV R0, R1 11100001101000000000000000000001STR R7, [R7, #16] 11100101100010010111000000010000
Instruction skipping
MOV R0, R1 11100001101000000000000000000001MOV R1, R1 11100001101000000001000000000001
MOV R0, R1 11100001101000000000000000000001MOV R6, R6 11100001101000000110000000000110
![Page 11: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/11.jpg)
Public
5
Why ARM?• ARM is everywhere
• The PC register is directly accessible in ARM (AArch32)
![Page 12: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/12.jpg)
Public
5
Why ARM?• ARM is everywhere
• The PC register is directly accessible in ARM (AArch32)
![Page 13: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/13.jpg)
Public
5
Why ARM?• ARM is everywhere
• The PC register is directly accessible in ARM (AArch32)
![Page 14: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/14.jpg)
Public
5
Why ARM?• ARM is everywhere
• The PC register is directly accessible in ARM (AArch32)
![Page 15: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/15.jpg)
Public
5
Why ARM?• ARM is everywhere
• The PC register is directly accessible in ARM (AArch32)
![Page 16: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/16.jpg)
Public
6
All systems copy data from A to B!
Single word copy using LDR / STR
1 WordCopy:2 LDR r3, [r1], #43 STR r3, [r0], #44 SUBS r2, r2, #45 BGE WordCopy
Multi-word copy using LDMIA / STMIA
1 MultiWorldCopy:2 LDMIA r1!, {r3 - r10}3 STMIA r0!, {r3 - r10}4 SUBS r2, r2, #325 BGE MultiWorldCopy
![Page 17: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/17.jpg)
Public
6
All systems copy data from A to B!
Single word copy using LDR / STR
1 WordCopy:2 LDR r3, [r1], #43 STR r3, [r0], #44 SUBS r2, r2, #45 BGE WordCopy
Multi-word copy using LDMIA / STMIA
1 MultiWorldCopy:2 LDMIA r1!, {r3 - r10}3 STMIA r0!, {r3 - r10}4 SUBS r2, r2, #325 BGE MultiWorldCopy
![Page 18: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/18.jpg)
Public
6
All systems copy data from A to B!
Single word copy using LDR / STR
1 WordCopy:2 LDR r3, [r1], #43 STR r3, [r0], #44 SUBS r2, r2, #45 BGE WordCopy
Multi-word copy using LDMIA / STMIA
1 MultiWorldCopy:2 LDMIA r1!, {r3 - r10}3 STMIA r0!, {r3 - r10}4 SUBS r2, r2, #325 BGE MultiWorldCopy
![Page 19: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/19.jpg)
Public
6
All systems copy data from A to B!
Single word copy using LDR / STR
1 WordCopy:2 LDR r3, [r1], #43 STR r3, [r0], #44 SUBS r2, r2, #45 BGE WordCopy
Multi-word copy using LDMIA / STMIA
1 MultiWorldCopy:2 LDMIA r1!, {r3 - r10}3 STMIA r0!, {r3 - r10}4 SUBS r2, r2, #325 BGE MultiWorldCopy
![Page 20: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/20.jpg)
Public
6
All systems copy data from A to B!
Single word copy using LDR / STR
1 WordCopy:2 LDR r3, [r1], #43 STR r3, [r0], #44 SUBS r2, r2, #45 BGE WordCopy
Multi-word copy using LDMIA / STMIA
1 MultiWorldCopy:2 LDMIA r1!, {r3 - r10}3 STMIA r0!, {r3 - r10}4 SUBS r2, r2, #325 BGE MultiWorldCopy
![Page 21: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/21.jpg)
Public
7
Why are copy operations interesting?
• They operate on attacker controlled data
• They are executed multiple times consecutively
• They are typically not protected
![Page 22: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/22.jpg)
Public
7
Why are copy operations interesting?
• They operate on attacker controlled data
• They are executed multiple times consecutively
• They are typically not protected
![Page 23: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/23.jpg)
Public
7
Why are copy operations interesting?
• They operate on attacker controlled data
• They are executed multiple times consecutively
• They are typically not protected
![Page 24: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/24.jpg)
Public
7
Why are copy operations interesting?
• They operate on attacker controlled data
• They are executed multiple times consecutively
• They are typically not protected
![Page 25: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/25.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 26: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/26.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 27: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/27.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 28: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/28.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 29: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/29.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 30: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/30.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 31: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/31.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 32: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/32.jpg)
Public
8
Corrupting load instructions to control PC
Controlling PC using LDR
LDR r3, [r1], #4 11100100100100010011000000000100
LDR PC, [r1], #4 11100100100100011111000000000100
Controlling PC using LDMIA
LDMIA r1!,{r3-r10} 11101000101100010000011111111000
LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000
Important: The destination register(s) is encoded differently!
![Page 33: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/33.jpg)
Public
9
Practical attack: Secure Boot
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/ch05s02s01.html
![Page 34: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/34.jpg)
Public
9
Practical attack: Secure Boot
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/ch05s02s01.html
![Page 35: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/35.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 36: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/36.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 37: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/37.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 38: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/38.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 39: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/39.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 40: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/40.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 41: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/41.jpg)
Public
10
Boot time attack - Possible approach
1) Destination must be known for the pointer value2) Original contents in flash must be modified3) Fault is injected while the pointers are copied
4) Target is compromised when the pointer is loaded into PC
![Page 42: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/42.jpg)
Public
11
Simulation - LDR
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldr r3, [r0];" // target instruction
7 )8 }
Results
ldr r3, [r0] 00000000001100001001000011100101ldr pc, [r0] 00000000111100001001000011100101ldrle pc, [r0] 00000000111100001001000011010101ldr pc, [r0, #4] 00000100111100001001000011100101ldrne pc, [r0], #8 00001000111100001001000000010100
![Page 43: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/43.jpg)
Public
11
Simulation - LDR
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldr r3, [r0];" // target instruction
7 )8 }
Results
ldr r3, [r0] 00000000001100001001000011100101ldr pc, [r0] 00000000111100001001000011100101ldrle pc, [r0] 00000000111100001001000011010101ldr pc, [r0, #4] 00000100111100001001000011100101ldrne pc, [r0], #8 00001000111100001001000000010100
![Page 44: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/44.jpg)
Public
11
Simulation - LDR
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldr r3, [r0];" // target instruction
7 )8 }
Results
ldr r3, [r0] 00000000001100001001000011100101ldr pc, [r0] 00000000111100001001000011100101ldrle pc, [r0] 00000000111100001001000011010101ldr pc, [r0, #4] 00000100111100001001000011100101ldrne pc, [r0], #8 00001000111100001001000000010100
![Page 45: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/45.jpg)
Public
11
Simulation - LDR
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldr r3, [r0];" // target instruction
7 )8 }
Results
ldr r3, [r0] 00000000001100001001000011100101ldr pc, [r0] 00000000111100001001000011100101ldrle pc, [r0] 00000000111100001001000011010101ldr pc, [r0, #4] 00000100111100001001000011100101ldrne pc, [r0], #8 00001000111100001001000000010100
![Page 46: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/46.jpg)
Public
11
Simulation - LDR
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldr r3, [r0];" // target instruction
7 )8 }
Results
ldr r3, [r0] 00000000001100001001000011100101ldr pc, [r0] 00000000111100001001000011100101ldrle pc, [r0] 00000000111100001001000011010101ldr pc, [r0, #4] 00000100111100001001000011100101ldrne pc, [r0], #8 00001000111100001001000000010100
![Page 47: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/47.jpg)
Public
12
Simulation - LDMIA
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldmia r0!, {r4-r7};" // target instruction
7 )8 }
Results
ldmia r0!,{r4-r7} 11110000000000001011000011101000ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
![Page 48: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/48.jpg)
Public
12
Simulation - LDMIA
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldmia r0!, {r4-r7};" // target instruction
7 )8 }
Results
ldmia r0!,{r4-r7} 11110000000000001011000011101000ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
![Page 49: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/49.jpg)
Public
12
Simulation - LDMIA
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldmia r0!, {r4-r7};" // target instruction
7 )8 }
Results
ldmia r0!,{r4-r7} 11110000000000001011000011101000ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
![Page 50: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/50.jpg)
Public
12
Simulation - LDMIA
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldmia r0!, {r4-r7};" // target instruction
7 )8 }
Results
ldmia r0!,{r4-r7} 11110000000000001011000011101000ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
![Page 51: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/51.jpg)
Public
12
Simulation - LDMIA
Test code
1 void print_string (void) { printf("success"); }2 void main(void) {3 unsigned int buffer = { &print_string, ... }4 asm volatile (5 "ldr r0, &buffer;"
6 "ldmia r0!, {r4-r7};" // target instruction
7 )8 }
Results
ldmia r0!,{r4-r7} 11110000000000001011000011101000ldmia r0!,{r4-r7,pc} 11110000100000001011000011101000ldmle r0!,{r4-r7, pc} 11110000100000001011000011011000ldmia r0!,{r0,r1,r6,r7,pc} 11000011100000001011000011101000ldmibne r0!,{r0-r3,r8-r14,pc} 00001111111111111011000000011001
![Page 52: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/52.jpg)
Public
13
Experimentation - Target modification
• Power cut• Removal of capacitors• Reset• Trigger
![Page 53: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/53.jpg)
Public
13
Experimentation - Target modification
• Power cut• Removal of capacitors• Reset• Trigger
![Page 54: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/54.jpg)
Public
13
Experimentation - Target modification
• Power cut• Removal of capacitors• Reset• Trigger
![Page 55: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/55.jpg)
Public
13
Experimentation - Target modification
• Power cut• Removal of capacitors• Reset• Trigger
![Page 56: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/56.jpg)
Public
13
Experimentation - Target modification
• Power cut• Removal of capacitors• Reset• Trigger
![Page 57: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/57.jpg)
Public
14
Experimentation - Test setup
![Page 58: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/58.jpg)
Public
15
Experimentation - Characterization
1 void main(void) {2 volatile unsigned int counter = 0;3 set_trigger(1);4 asm volatile (5 "add r0, r0, #1;" //
6 <repeat x1000> // GLITCH HERE
7 "add r0, r0, #1;" //
8 );9 set_trigger(0);
10 printf("%08x\n", counter);11 }
Output 1: "00001000"Output 2: "00000fff"Output 3: ""
![Page 59: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/59.jpg)
Public
15
Experimentation - Characterization
1 void main(void) {2 volatile unsigned int counter = 0;3 set_trigger(1);4 asm volatile (5 "add r0, r0, #1;" //
6 <repeat x1000> // GLITCH HERE
7 "add r0, r0, #1;" //
8 );9 set_trigger(0);
10 printf("%08x\n", counter);11 }
Output 1: "00001000"Output 2: "00000fff"Output 3: ""
![Page 60: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/60.jpg)
Public
15
Experimentation - Characterization
1 void main(void) {2 volatile unsigned int counter = 0;3 set_trigger(1);4 asm volatile (5 "add r0, r0, #1;" //
6 <repeat x1000> // GLITCH HERE
7 "add r0, r0, #1;" //
8 );9 set_trigger(0);
10 printf("%08x\n", counter);11 }
Output 1: "00001000"Output 2: "00000fff"Output 3: ""
![Page 61: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/61.jpg)
Public
16
Experimentation - Characterization
![Page 62: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/62.jpg)
Public
17
Experimentation - Test application (LDR)
1 void print_string (void) { printf("success"); }2 unsigned int buffer[8] = { &print_string, ...}34 void main(void) {5 set_trigger(1);6 asm volatile (7 "ldr r1, =buffer;"
8 "ldr r0, [r1];" //
9 <repeat x1000> // GLITCH HERE
10 "ldr r0, [r1]" //
11 );12 set_trigger(0);13 printf("no!");14 }
Output 1: "success"Output 2: "no!"Output 3: ""
![Page 63: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/63.jpg)
Public
18
Experimentation - LDR - 10k
![Page 64: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/64.jpg)
Public
19
Experimentation - Test application (LDMIA)
1 void print_string (void) { printf("success"); }2 unsigned int buffer[8] = { &print_string, ...}34 void main(void) {5 set_trigger(1);6 asm volatile (7 "ldr r1, =buffer;"
8 "ldmia r0!, r4-r7;" //
9 <repeat x1000> // GLITCH HERE
10 "ldmia r0!, r4-r7" //
11 );12 set_trigger(0);13 printf("no!");14 }
Output 1: "success"Output 2: "no!"Output 3: "" ]
![Page 65: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/65.jpg)
Public
20
Experimentation - LDMIA - 10k
![Page 66: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/66.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 67: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/67.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 68: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/68.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 69: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/69.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 70: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/70.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 71: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/71.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 72: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/72.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 73: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/73.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 74: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/74.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 75: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/75.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 76: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/76.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 77: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/77.jpg)
Public
21
Countermeasures
• Dedicated hardware countermeasures• Fault injection detectors/sensors• Integrity checks (e.g. instruction parity)
• Dedicated software countermeasures• Deflect (e.g. random delays)• Detect (e.g. double check)• React (e.g. reset)
• Software exploitation mitigations• Only enable execution from memory when needed• Randomize copy destination
You can lower the probability but you cannot rule it out!
![Page 78: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/78.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 79: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/79.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 80: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/80.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 81: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/81.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 82: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/82.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 83: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/83.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions
![Page 84: Controlling PC on ARM using Fault Injection](https://reader030.vdocument.in/reader030/viewer/2022032610/623a43301763bd1b4f1004ad/html5/thumbnails/84.jpg)
Public
22
Conclusion• The target is vulnerable to voltage FI
• The PC register on ARM is controllable using FI• Combining fault injection and software exploitation is effective
• Success rate is different for ldr and ldmia• The instruction encoding matters
• Software FI countermeasures may not be effective• Software exploitation mitigations may complicate attack
• Other instructions and code constructions may be vulnerable
• Other architectures may be vulnerable using specific codeconstructions