Practical Mitigations Against Memory Corruption and Transient Execution Attacks

Ismail, Mohannad Adel Abdelmoniem Ahmed

31 May 2024

Memory corruption attacks have existed in C and C++ for more than 30 years, and over the years many defenses have been proposed. In addition to that, a new class of attacks, Spectre, has emerged that abuse speculative execution to leak secrets and sensitive data through micro-architectural side channels. Many defenses have been proposed to mitigate Spectre as well. However, with every new defense a new attack emerges, and then a new defense is proposed. This is an ongoing cycle between attackers and defenders. There exists many defenses for many different attack avenues. However, many suffer from either practicality or effectiveness issues, and security researchers need to balance out their compromises. Recently, many hardware vendors, such as Intel and ARM, have realized the extent of the issue of memory corruption attacks and have developed hardware security mechanisms that can be utilized to defend against these attacks. ARM, in particular, has released a mechanism called Pointer Authentication in which its main intended use is to protect the integrity of pointers by generating a Pointer Authentication Code (PAC) using a cryptographic hash function, as a Message Authentication Code (MAC), and placing it on the top unused bits of a 64-bit pointer. Placing the PAC on the top unused bits of the pointer changes its semantics and the pointer cannot be used unless it is properly authenticated. Hardware security features such as PAC are merely mechanisms not full fledged defences, and their effectiveness and practicality depends on how they are being utililzed. Naive use of these defenses doesn't alleviate the issues that exist in many state-of-the-art software defenses. The design of the defense that utilizes these hardware security features needs to have practicality and effectiveness in mind. Having both practicality and effectiveness is now a possible reality with these new hardware security features. This dissertation describes utilizing hardware security features, namely ARM PAC, to build effective and practical defense mechanisms. This dissertation first describes my past work called PACTight, a PAC based defense mechanism that defends against control-flow hijack- ing attacks. PACTight defines three security properties of a pointer such that, if achieved, prevent pointers from being tampered with. They are: 1) unforgeability: A pointer p should always point to its legitimate object; 2) non-copyability: A pointer p can only be used when it is at its specific legitimate location; 3) non-dangling: A pointer p cannot be used after it has been freed. PACTight tightly seals pointers and guarantees that a sealed pointer cannot be forged, copied, or dangling. PACTight protects all sensitive pointers, which are code pointers and pointers that point to code pointers. This completely prevents control-flow hijacking attacks, all while having low performance overhead. In addition to that, this dissertation proposes Scope-Type Integrity (STI), a new defense policy that enforces pointers to conform to the programmer's intended manner, by utilizing scope, type, and permission information. STI collects information offline about the type, scope, and permission (read/write) of every pointer in the program. This information can then be used at runtime to ensure that pointers comply with their intended purpose. This allows STI to defeat advanced pointer attacks since these attacks typically violate either the scope, type, or permission. We present Runtime Scope-Type Integrity (RSTI). RSTI leverages ARM Pointer Authentication (PA) to generate Pointer Authentication Codes (PACs), based on the information from STI, and place these PACs at the top bits of the pointer. At runtime, the PACs are then checked to ensure pointer usage complies with STI. RSTI overcomes two drawbacks that were present in PACTight: 1) PACTight relied on a large external metadata for protection, whereas RSTI uses very little metadata. 2) PACTight only protected a subset of pointers, whereas RSTI protects all pointers in a program. RSTI has large coverage with relatively low overhead. Also, this dissertation proposes sPACtre, a new and novel defense mechanism that aims to prevent Spectre control-flow attacks on existing hardware. sPACtre is an ARM-based defense mechanism that prevents Spectre control-flow attacks by relying on ARM's Pointer Authentication hardware security feature, annotations added to the program on the secrets that need to be protected from leakage and a dynamic tag-based bounds checking mechanism for arrays. We show that sPACtre can defend against these attacks. We evaluate sPACtre on a variety of cryptographic libraries with several cryptographic algorithms, as well as a synthetic benchmark, and show that it is efficient and has low performance overhead Finally, this dissertation explains a new direction for utilizing hardware security features to protect energy harvesting devices from checkpoint-recovery errors and malicious attackers. / Doctor of Philosophy / In recent years, cyber-threats against computer systems have become more and more preva- lent. In spite of many recent advancements in defenses, these attacks are becoming more threatening. However, many of these defenses are not implemented in the real-world. This is due to their high performance overhead. This limited efficiency is not acceptable in the real-world. In addition to that, many of these defenses have limited coverage and do not cover a wide variety of attacks. This makes the performance tradeoff even less convincing. Thus, there is a need for effective and practical defenses that can cover a wide variety of attacks. This dissertation first provides a comprehensive overview of the current state-of-the-art and most dangerous attacks. More specifically, three types of attacks are examined. First, control-flow hijacking attacks, which are attacks that divert the proper execution of a pro- gram to a malicious execution. Second, data oriented attacks. These are attacks that leak sensitive data in a program. Third, Spectre attacks, which are attacks that rely on sup- posedly hidden processor features to leak sensitive data. These "hidden" features are not entirely hidden. This dissertation explains these attacks in detail and the corresponding state-of-the-art defenses that have been proposed by the security research community to mitigate them. This dissertation then discusses effective and practical defense mechanisms that can mitigate these attacks. The dissertation discusses past work, PACTight, as well as its contributions, RSTI and sPACtre, presenting the full design, threat model, implementation, security eval- uation and performance evaluation of each one of these mechanisms. The dissertation relies on insights derived from the nature of the attack and compiler techniques. A compiler is a tool that transforms human-written code into machine code that is understandable by the computer. The compiler can be modified and used to make programs more secure with compiler techniques. The past work, PACTight, is a defense mechanism that defends against the first type of attacks, control-flow hijacking attacks, by preventing an attacker from abusing specific code in the program to divert the program to a malicious execution. Then, this dissertation presents RSTI, a new defense mechanism that overcomes the limitations of PACTight and extends it to cover data oriented attacks and prevent attackers from leaking sensitive data from the program. In addition to that, this dissertation presents sPACtre, a novel defesnse mechanism that defends against Spectre attacks, and prevents an attacker from abusing a processor's hidden features. Finally, this dissertation briefly discusses a possible future direction to protect a different class of devices, referred to as energy-harvesting devices, from attackers.

Hijacking

Data Oriented Attacks

Hardware Security Features

Speculative Execution

Compiler-enabled Defenses

Practical Design

System Software

Control-flow Spectre

Assuring Post Processed Telemetry Data Integrity With a Secure Data Auditing Appliance

Kalibjian, Jeff, Wierenga, Steven

10 1900

ITC/USA 2005 Conference Proceedings / The Forty-First Annual International Telemetering Conference and Technical Exhibition / October 24-27, 2005 / Riviera Hotel & Convention Center, Las Vegas, Nevada / Recent federal legislation (e.g. Sarbanes Oxley, Graham Leach Bliley) has introduced requirements for compliance including records retention and records integrity. Many industry sectors (e.g. Energy, under the North American Energy Reliability Council) are also introducing their own voluntary compliance mandates to avert possible additional federal regulation. A trusted computer appliance device dedicated to data auditing may soon be required in all corporate IT infrastructures to accommodate various compliance directives. Such an auditing device also may have application in telemetry post processing environments, as it maybe used to guarantee the integrity of post-processed telemetry data.

Compliance

Audit

Hardware Security Modules (HSM)

Common Criteria (CC)

security boundary

key management

Emerging Non-Volatile Memory Technologies for Computing and Security

Govindaraj, Rekha

31 May 2018

With CMOS technology scaling reaching its limitations rigorous research of alternate and competent technologies is paramount to push the boundaries of computing. Spintronic and resistive memories have proven to be effective alternatives in terms of area, power and performance to CMOS because of their non-volatility, ability for logic computing and easy integration with CMOS. However, deeper investigations to understand their physical phenomenon and improve their properties such as writability, stability, reliability, endurance, uniformity with minimal device-device variations is necessary for deployment as memories in commercial applications. Application of these technologies beyond memory and logic are investigated in this thesis i.e. for security of integrated circuits and systems and special purpose memories. We proposed a spintonic based special purpose memory for search applications, present design analysis and techniques to improve the performance for larger word lengths upto 256 bits. Salient characteristics of RRAM is studied and exploited in the design of widely accepted hardware security primitives such as Physically Unclonable Function (PUF) and True Random Number Generators (TRNG). Vulnerability of these circuits to adversary attacks and countermeasures are proposed. Proposed PUF can be implemented within 1T-1R conventional memory architecture which offers area advantages compared to RRAM memory and cross bar array PUFs with huge number of challenge response pairs. Potential application of proposed strong arbiter PUF in the Internet of things is proposed and performance is evaluated theoretically with valid assumptions on the maturity of RRAM technology. Proposed TRNG effectively utilizes the random telegraph noise in RRAM current to generate random bit stream. TRNG is evaluated for sufficient randomness in the random bit stream generated. Vulnerability and countermeasures to adversary attacks are also studied. Finally, in thesis we investigated and extended the application of emerging non-volatile memory technologies for search and security in integrated circuits and systems.

Content Addressable Memory

Hardware Security

Magnetic Tunnel Junction

Random Telegraph Noise

Resistive Random Access Memory

Spintronic Memory

Computer Engineering

Computer Sciences

GDPR: Securing Personal Data in Compliance with new EU-Regulations

Bitar, Hadi, Jakobsson, Björn

January 2017

New privacy regulations bring new challenges to organizations that are handling and processing personal data regarding persons within the EU. These challenges come mainly in the form of policies and procedures but also with some opportunities to use technology often used in other sectors to solve problems. In this thesis, we look at the new General Data Protection Regulation (GDPR) in the EU that comes into full effect in May of 2018, we analyze what some of the requirements of the regulation means for the industry of processing personal data, and we look at the possible solution of using hardware security modules (HSMs) to reach compliance with the regulation. We also conduct an empirical study using the Delphi method to ask security professionals what they think the most important aspects of securing personal data, and put that data in relation to the identified compliance requirements of the GDPR to see what organizations should focus on in their quest for compliance with the new regulation. We found that a successful implementation of HSMs based on industry standards and best practices address four of the 35 identified GDPR compliance requirements, mainly the aspects concerning compliance with anonymization through encryption, and access control. We also deduced that the most important aspect of securing personal data according to the experts of the Delphi study is access control followed by data inventory and classification.

GDPR

General Data Protection Regulation

Data Protection

Personal Data

EU

European Union

Encryption

Key Management

Hardware Security Module

HSM

Delphi Study

Compliance

Computer and Information Sciences

Data- och informationsvetenskap

Autenticação de circuitos integrados usando physical unclonable functions / Authentication of integrated circuits using physical unclonable functions

Santana, Marcelo Fontes, 1983-

21 August 2018

Orientadores: Guido Costa Souza de Araújo, Mario Lúcio Côrtes / Dissertação (mestrado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-21T20:47:12Z (GMT). No. of bitstreams: 1 Santana_MarceloFontes_M.pdf: 4262688 bytes, checksum: 3e2635e36cd3272eb4bd09c07b05bf63 (MD5) Previous issue date: 2012 / Resumo: O resumo, poderá ser visualizado no texto completo da tese digital / Abstract The abstract is available with the full electronic document / Mestrado / Ciência da Computação / Mestre em Ciência da Computação

Funções físicas inclonáveis

Autenticação (Circuitos integrados)

Variações do processo de fabricação

Par de desafio-resposta

Physical unclonable function

Authentication (Integrated circuits)

Manufacturing process variations

Hardware security measures

Challenge-response pairs

Data Security Architecture Considerations for Telemetry Post Processing Environments

Kalibjian, Jeff

10 1900

Telemetry data has great value, as setting up a framework to collect and gather it involve significant costs. Further, the data itself has product diagnostic significance and may also have strategic national security importance if the product is defense or intelligence related. This potentially makes telemetry data a target for acquisition by hostile third parties. To mitigate this threat, data security principles should be employed by the organization to protect telemetry data. Data security is in an important element of a layered security strategy for the enterprise. The value proposition centers on the argument that if organization perimeter/internal defenses (e.g. firewall, IDS, etc.) fail enabling hostile entities to be able to access data found on internal company networks; they will be unable to read the data because it will be encrypted. After reviewing important encryption background including accepted practices, standards, and architectural considerations regarding disk, file, database and application data protection encryption strategies; specific data security options applicable to telemetry post processing environments will be discussed providing tangible approaches to better protect organization telemetry data.

encryption

key management

data security

disk encryption

file encryption

database encryption

application encryption

Hardware Security Module

FIPS 140-2

Common Criteria

tokenization

Format Preserving Encryption (FPE)

Exploiting On-Chip Voltage Regulators as a Countermeasure Against Power Analysis Attacks

Yu, Weize

24 May 2017

Non-invasive side-channel attacks (SCA) are powerful attacks which can be used to obtain the secret key in a cryptographic circuit in feasible time without the need for expensive measurement equipment. Power analysis attacks (PAA) are a type of SCA that exploit the correlation between the leaked power consumption information and processed/stored data. Differential power analysis (DPA) and leakage power analysis (LPA) attacks are two types of PAA that exploit different characteristics of the side-channel leakage profile. DPA attacks exploit the correlation between the input data and dynamic power consumption of cryptographic circuits. Alternatively, LPA attacks utilize the correlation between the input data and leakage power dissipation of cryptographic circuits. There is a growing trend to integrate voltage regulators fully on-chip in modern integrated circuits (ICs) to reduce the power noise, improve transient response time, and increase power efficiency. Therefore, when on-chip voltage regulation is utilized as a countermeasure against power analysis attacks, the overhead is low. However, a one-to-one relationship exists between the input power and load power when a conventional on-chip voltage regulator is utilized. In order to break the one-to-one relationship between the input power and load power, two methodologies can be considered: (a) selecting multi-phase on-chip voltage regulator and using pseudo-random number generator (PRNG) to scramble the activation or deactivation pattern of the multi-phase voltage regulator in the input power profile, (b) enabling random voltage/scaling on conventional on-chip voltage regulators to insert uncertainties to the load power profile. In this dissertation, on-chip voltage regulators are utilized as lightweight countermeasures against power analysis attacks. Converter-reshuffling (CoRe) technique is proposed as a countermeasure against DPA attacks by using a PRNG to scramble the input power profile. The time-delayed CoRe technique is designed to eliminate machine learning-based DPA attacks through inserting a certain time delay. The charge-withheld CoRe technique is proposed to enhance the entropy of the input power profile against DPA attacks with two PRNGs. The security-adaptive (SA) voltage converter is designed to sense LPA attacks and activate countermeasure with low overhead. Additionally, three conventional on-chip voltage regulators: low-dropout (LDO) regulator, buck converter, and switched-capacitor converter are combined with three different kinds of voltage/frequency scaling techniques: random dynamic voltage and frequency scaling (RDVFS), random dynamic voltage scaling (RDVS), and aggressive voltage and frequency scaling (AVFS), respectively, against both DPA and LPA attacks.

Hardware security

Side-channel attacks

Differential power analysis attacks

Leakage power analysis attacks

On-chip voltage regulation

Computer Engineering

Electrical and Computer Engineering

Rétro-conception matérielle partielle appliquée à l'injection ciblée de fautes laser et à la détection efficace de Chevaux de Troie Matériels / Partial hardware reverse engineering applied to fine grained laser fault injection and efficient hardware trojans detection

Courbon, Franck

03 September 2015

Le travail décrit dans cette thèse porte sur une nouvelle méthodologie de caractérisation des circuits sécurisés basée sur une rétro-conception matérielle partielle : d’une part afin d’améliorer l’injection de fautes laser, d’autre part afin de détecter la présence de Chevaux de Troie Matériels (CTMs). Notre approche est dite partielle car elle est basée sur une seule couche matérielle du composant et car elle ne vise pas à recréer une description schématique ou fonctionnelle de l’ensemble du circuit.Une méthodologie invasive de rétro-conception partielle bas coût, rapide et efficace est proposée. Elle permet d’obtenir une image globale du circuit où seule l’implémentation des caissons des transistors est visible. La mise en œuvre de cette méthodologie est appliquée sur différents circuits sécurisés. L’image obtenue selon la méthodologie déclinée précédemment est traitée afin de localiser spatialement les portes sensibles, voire critiques en matière de sécurité. Une fois ces portes sensibles identifiées, nous caractérisons l’effet du laser sur différentes parties de ces cellules de bases et nous montrons qu’il est possible de contrôler à l’aide d’injections de fautes laser la valeur contenue dans ces portes. Cette technique est inédite car elle valide le modèle de fautes sur une porte complexe en technologie 90 nm. Pour finir une méthode de détection de CTMs est proposée avec le traitement de l’image issue de la rétro-conception partielle. Nous mettons en évidence l’ajout de portes non répertoriées avec l’application sur un couple de circuits. La méthode permet donc de détecter, à moindre coût, de manière rapide et efficace la présence de CTMs. / The work described in this thesis covers an integrated circuit characterization methodology based on a partial hardware reverse engineering. On one hand in order to improve integrated circuit security characterization, on the other hand in order to detect the presence of Hardware Trojans. Our approach is said partial as it is only based on a single hardware layer of the component and also because it does not aim to recreate a schematic or functional description of the whole circuit. A low cost, fast and efficient reverse engineering methodology is proposed. The latter enables to get a global image of the circuit where only transistor's active regions are visible. It thus allows localizing every standard cell. The implementation of this methodology is applied over different secure devices. The obtained image according to the methodology declined earlier is processed in order to spatially localize sensible standard cells, nay critical in terms of security. Once these cells identified, we characterize the laser effect over different location of these standard cells and we show the possibility with the help of laser fault injection the value they contain. The technique is novel as it validates the fault model over a complex gate in 90nm technology node.Finally, a Hardware Trojan detection method is proposed using the partial reverse engineering output. We highlight the addition of few non listed cells with the application on a couple of circuits. The method implementation therefore permits to detect, without full reverse-engineering (and so cheaply), quickly and efficiently the presence of Hardware Trojans.

Sécurité Matérielle

Rétro-conception partielle

Localisation de portes

Injection laser

Modèles de fautes

Chevaux de troie matériels

Hardware security

Partial reverse engineering

Cells localization

Laser injection

Fault model

Hardware Trojans

Système embarque de mesure de la tension pour la détection de contrefaçons et de chevaux de Troie matériels / On-chip voltage measurement system for counterfeits and hardware Trojans detection

Lecomte, Maxime

05 October 2016

Avec la mondialisation du marché des semi-conducteurs, l'intégrité des circuits intégrés (CI) est devenue préoccupante... On distingue deux menaces principales : les chevaux de Troie matériel (CTM) et les contrefaçons. La principale limite des méthodes de vérification de l’intégrité proposées jusqu'à maintenant est le biais induit par les variations des procédés de fabrication. Cette thèse a pour but de proposer une méthode de détection embarquée de détection de CTM et de contrefaçons. À cette fin, une caractérisation de l'impact des modifications malveillantes sur un réseau de capteurs embarqué a été effectuée. L'addition malicieuse de portes logiques (CTM) ou la modification de l'implémentation du circuit (contrefaçons) modifie la distribution de la tension à la l'intérieur du circuit. Une nouvelle approche est proposée afin d'éliminer l'influence des variations des procédés. Nous posons que pour des raisons de cout et de faisabilité, une infection est faite à l'échelle d'un lot de production. Un nouveau modèle de variation de performance temporelle des structures CMOS en condition de design réel est introduit. Ce modèle est utilisé pour créer des signatures de lots indépendantes des variations de procédé et utilisé pour définir une méthode permettant de détecter les CTMs et les contrefaçons.Enfin nous proposons un nouveau distingueur permettant de déterminer, avec un taux de succès de 100%, si un CI est infecté ou non. Ce distingueur permet de placer automatiquement un seuil de décision adapté à la qualité des mesures et aux variations de procédés. Les résultats ont été expérimentalement validés sur un lot de cartes de prototypage FPGA. / Due to the trend to outsourcing semiconductor manufacturing, the integrity of integrated circuits (ICs) became a hot topic. The two mains threats are hardware Trojan (HT) and counterfeits. The main limit of the integrity verification techniques proposed so far is that the bias, induced by the process variations, restricts their efficiency and practicality. In this thesis we aim to detect HTs and counterfeits in a fully embedded way. To that end we first characterize the impact of malicious insertions on a network of sensors. The measurements are done using a network of Ring oscillators. The malicious adding of logic gates (Hardware Trojan) or the modification of the implementation of a different design (counterfeits) will modify the voltage distribution within the IC.Based on these results we present an on-chip detection method for verifying the integrity of ICs. We propose a novel approach which in practice eliminates this limit of process variation bias by making the assumption that IC infection is done at a lot level. We introduce a new variation model for the performance of CMOS structures. This model is used to create signatures of lots which are independent of the process variations. A new distinguisher has been proposed to evaluate whether an IC is infected. This distinguisher allows automatically setting a decision making threshold that is adapted to the measurement quality and the process variation. The goal of this distinguisher is to reach a 100\% success rate within the set of covered HTs family. All the results have been experientially validated and characterized on a set of FPGA prototyping boards.

Chevaux de Troie matériels

Contrefaçons

Sécurité matérielle

FPGA

Oscillateurs en anneaux

Variation des procédés

Circuits intégrés

Intégrité des circuits intégrés

Hardware security

Hardware Trojan

Counterfeit

Ring Oscillator

FPGA

Attaques électromagnétiques ciblant les générateurs d'aléa / Electromagnetic attacks on true random number generators

Bayon, Pierre

31 January 2014

Aujourd'hui, nous utilisons de plus en plus d'appareils "connectés" (téléphone portable, badge d'accès ou de transport, carte bancaire NFC, ...), et cette tendance ne va pas s'inverser. Ces appareils requièrent l'utilisation de primitives cryptographiques, embarquées dans des composants électroniques, dans le but de protéger les communications. Cependant, des techniques d'attaques permettent d'extraire de l'information du composant électronique ou fauter délibérément son fonctionnement. Un nouveau médium d'attaque, exploitant les ondes électromagnétiques est en pleine expansion. Ce médium, par rapport à des techniques de fautes à base de perturbations par faisceau LASER, propose l'avantage d’être à relativement faible coût. Nous présentons dans cette thèse la résistance d'un type de bloc cryptographique, à savoir les générateurs de nombres réellement aléatoires, aux ondes électromagnétiques. Nous montrons qu'il est possible d'extraire de l'information sensible du champ électromagnétique produit par le composant électronique, et qu'il est également possible de perturber un générateur en le soumettant à un fort champ électromagnétique harmonique / Nowadays, our society is using more and more connected devices (cellphones, transport or access card NFC debit card, etc.), and this trend is not going to reverse. These devices require the use of cryptographic primitives, embedded in electronic circuits, in order to protect communications. However, some attacks can allow an attacker to extract information from the electronic circuit or to modify its behavior. A new channel of attack, using electromagnetic waves is skyrocketing. This channel, compared to attacks based on LASER beam, is relatively inexpensive. We will, in this thesis, present a new attack, using electromagnetic waves, of a certain type of cryptographic primitive: the true random number generator. We will show that it is possible to extract sensitive information from the electromagnetic radiation coming from the electronic device. We will also show that it is possible to completly modify the behavior of the true random number generator using a strong electromagnetic field

Générateur d'aléa

Attaques électromagnétiques

Cryptographie

Sécurité matérielle

Oscillateur en anneau

Attaque en faute

Random number generator

Electromagnetic attacks

Cryptography

Hardware security

Ring oscillator

Attack at fault