

# Protecting the Control Flow of Embedded Processors against Fault Attacks

Mario Werner<sup>1</sup>, Erich Wenger<sup>2</sup>, and Stefan Mangard<sup>1</sup>,

- <sup>1</sup> Graz University of Technology
- <sup>2</sup> Infineon Technologies AG, Munich

5th November 2015, Bochum

#### Context and Motivation

- Embedded systems are everywhere
- Assets in malicious environment



- Various assets
- Protecting cryptographic primitives is insufficient

```
unsigned pin = read pin();
bool auth = tpm check(pin);
if( auth ) {
    open door();
} else {
    alert police();
log_event();
               read pin()
             tpm check(pin)
          check if auth == true
open door()
                             alert_police()
               log_event()
```

```
unsigned pin = read pin();
 bool auth = tpm check(pin);
 if( auth ) {
     open_door();
} else {
     alert police();
 log_event();
              check condition
perform action
                              handle error
                 continue
```

```
check auth: // auth in R0 (1 if true)
    LDR R1, #1
    CMP R0, R1
    BNE not authenticated
authenticated:
    // open door
    // ...
    B next
not authenticated:
    // alert police
next:
    // log event
```

```
check auth: // auth in R0 (1 if true)
    LDR R1, #1
    CMP R0, R1
    BEQ not authenticated
authenticated:
    // open door
    // ...
    B next
not authenticated:
    // alert police
next:
    // log event
```

```
check auth: // auth in R0 (1 if true)
    LDR R1, #1
    CMP R0, R0
    BNE not authenticated
authenticated:
    // open door
    // ...
    B next
    // alert police
next:
    // log event
```



#### Goal and Results

- Goal: Enforce control-flow integrity
- Results:
  - Analysis and evaluation of signature functions
  - Detect a faulty instruction with 99.9 % within 3 cycles (arbitrary fault)
  - Resistant against at least 7 precise bit flips injected across two instructions
  - HDL implementation for a Cortex-M3 clone
  - LLVM based toolchain
  - 6.4 % hardware overhead
  - 2 % to 71 % runtime overhead

- Perform only intended function calls
- Traverse control flow graph along programmed edges
- Execute basic blocks from start to end
- Preserve instructions and their order



- Perform only intended function calls
- Traverse control flow graph along programmed edges
- Execute basic blocks from start to end
- Preserve instructions and their order



- Perform only intended function calls
- Traverse control flow graph along programmed edges
- Execute basic blocks from start to end
- Preserve instructions and their order



- Perform only intended function calls
- Traverse control flow graph along programmed edges
- Execute basic blocks from start to end
- Preserve instructions and their order

```
check_auth: // auth in R0 (1 if true)
LDR R1, #1
CMP R0, R0
BNE not_authenticated
```

#### Concept

- Instruction stream integrity through derived signatures [MM88]
- Generalized path signature analysis (GPSA) [WS90]
- Optimize against fault attacks
- Implemented as hybrid scheme
- Dedicated assertions
- Continuous checks

## Derived Signatures [MM88]

















## Signature Functions against Fault Attacks

- Compression function
- Avoid collisions within one cycle
- Qualitative Requirements for GPSA:
  - lacksquare Reliability:  $S_{j+1} \oplus \Delta_{S_{j+1}} = f(S_j, I_j \oplus \Delta_{I_j})$
  - Error preservation:  $S_{j+1} \oplus \Delta_{S_{j+1}} = f(S_j \oplus \Delta_{S_j}, I_j)$
  - Non associativity:  $f(f(S_j, I_j), I_k) \neq f(f(S_j, I_k), I_j)$
  - Invertibility:  $S_j = f^{-1}(S_{j+1}, I_j)$
  - $\rightarrow$  single faulty instructions detectable

#### Quantitative Evaluation

- MISRs and CRCs with various polynomials
- How hard is it to bypass the protection?
- Quality function:  $q(j, t) = HW(\Delta_{l_j}) + HW(\Delta_{l_{j+t}})$
- Worst case behavior min(q) matters
  - → CRCs are better than MISRs against faults
  - $ightarrow \min(q) = 8$  for CRC-32C and CRC-32Q

#### Implementation

- Hardware:
  - Monitor for derived signatures
  - Extended fetch unit
- Software:
  - Compiler for
  - ... GPSA signature updates
  - ... assertions
  - Post-processing tool for
  - ... update and check constants
  - ... continuous signature monitoring (CSM)

#### Hardware Modifications



#### Evaluation

- Hardware:
  - CPU Core: 37 kGE
  - Monitor: 1.5 kGE (4 %)
  - Monitor + Core with CSM: 39 kGE (6.4 %)
- Benchmarks: Modified vs stock LLVM
  - Coremark
  - AES-256
  - Elliptic Curve Cryptography in C and with ASM





#### Conclusion

- Analysis and evaluation of signature functions
- Detect a faulty instruction with 99.9 % within 3 cycles (arbitrary fault)
- Resistant against at least 7 precise bit flips injected across two instructions
- HDL implementation for a Cortex-M3 clone
- LLVM based toolchain
- 6.4 % hardware overhead
- 2 % to 71 % runtime overhead



# Protecting the Control Flow of Embedded Processors against Fault Attacks

Mario Werner<sup>1</sup>, Erich Wenger<sup>2</sup>, and Stefan Mangard<sup>1</sup>,

- <sup>1</sup> Graz University of Technology
- <sup>2</sup> Infineon Technologies AG, Munich

5th November 2015, Bochum

#### References I

- [MM88] A Mahmood and E.J. McCluskey, Concurrent error detection using watchdog processors-a survey, IEEE Transactions on Computers **37** (1988), no. 2, 160–174.
- [WS90] Kent D. Wilken and John Paul Shen, Continuous signature monitoring: low-cost concurrent detection of processor control errors, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems **9** (1990), no. 6, 629–641.