IEEE Access (Jan 2023)
Fault Attacks on Access Control in Processors: Threat, Formal Analysis and Microarchitectural Mitigation
Abstract
Process isolation is a key component of the security architecture in any hardware/software system. However, even when implemented correctly and comprehensively at the software (SW) level, process isolation may be compromised by weaknesses of the hardware (HW). Therefore, at the HW level, an exhaustive verification is desirable which provides the needed formal guarantees ensuring the confidentiality and integrity of the microarchitecture. The situation is further exacerbated if the attacker is able to inject faults, a threat requiring additional attention in formal security analysis. In this paper, we consider a threat model where the attacker is able to inject faults and, at the same time, execute user-level programs. We show that this poses a severe security threat even in systems which have been hardened against fault attacks for specific, security-critical system software. For protection against this threat, we present an exhaustive formal verification methodology that provides security guarantees for access control in processors, and demonstrate how such guarantees are sustained in the presence of fault injection. Guaranteeing correct and robust access control is crucial since it is the basis for process isolation in hardware. The proposed approach implicitly models all possible single and multiple bit flips as well as all stuck-at faults. We leverage the results of our formal analysis to augment the system with protection mechanisms that guarantee security w.r.t. the considered threat model. At the example of several open source RISC-V processors, we demonstrate both the scalability of our formal analysis and the efficiency of the generated defenses.
Keywords