ARCHI-SEC: Micro-Architectural Security – ARCHI-SEC
Security Analysis at Micro-Architectural level
Analyze security and vulnerabilities at the micro-architecture level of processors and their peripherals with the simulation platform GEM5.
The objectives are as follows:<br />* Highlight the architectural vulnerabilities of processors at model level and anticipate attacks that take advantage of it. We limit our study to Systems based on ARM and RISC-V processors. For software, we use either a custom operating system type «BareMetal« or Linux. We plan to use different modes for the same class of security issues.<br />* Find the optimal compromise between speed and simulation precision to assess safety issues. Vulnerabilities at the micro-architecture level are often linked to architectures that increase performance, such as speculative branch predictions, the use of cache memories ... A balance<br />performance / safety must be studied.<br />* Study integrated systems and heterogeneous SoC “System on a Chip”, ie with many peripheral interfaces or integrating GPU type processors, FPGA programmable circuits, several processor cores with a coherence management unit of cache,… To make HDL models usable in GEM5, we<br />will use the transaction level modeling (SystemC TLM II) for FPGA blocks.<br />* Incorporate Trusted Execution Models (TEE) into GEM5. We limit our scope to a secure open source OPTEE (Open Trusted Execution Environment) hypervisor that is based on ARM Trustzone technology.
The GEM5 platform is modified to identify vulnerabilities, develop attacks on processor cores and SoCs, study countermeasures. The heart of the approach is based on the implementation of a GEM5 virtual platform for security assessment. More precisely the method consists of three steps:
1. Identification of potential vulnerabilities in the source code and in the micro-architecture.
2. Propose and develop attacks exploiting vulnerabilities and simulate them on the GEM5 platform.
3. Validate attacks on a real platform.
The attacks and vulnerabilities are studied for the processors and the elements composing the SoC architecture:
* CPU core with and without protection like ARM TrustZone.
* Cache memory
* Main memory and emerging memory technology
* GPU / FPGA accelerators
Some mid-term results:
* Implementation of the open virtual platform
* GEM5 modification to support OPTEE
* Validation of attacks on cache memories with GEM5
* Validation of «transient« attacks like Specter with GEM5
* Validation of the attack on «Dynamic Voltage and Frequency Scaling« DVFS with GEM5.
* Integration of the Ramulator tool in Gem5 to simulate «RowHammer« attacks
The perspectives are to research and validate attacks with the Gem5 virtual platform. Here is a non-exhaustive list of the different targeted architectures:
* CPU in a secure environment such as OPTEE running on ARM / Trustzone
* CPU using a simple («Baremetal« type) and secure operating system
* Interfaces between CPU and peripherals in an SoC, such as accelerators.
* Non-volatile memories, to cope with «RowHammer« and «cold boot« type fault attacks, in particular memories of emerging non-volatile technologies.
Pierre Ayoub, Clémentine Maurice«Reproducing Spectre Attack
with gem5: How To Do It Right? “,, 14th European Workshop on
Loïc France, Maria Mushtaq, Florent Bruguier, David Novo and
Pascal Benoit «Vulnerability Assessment of the Rowhammer
Attack Using Machine Learning and the gem5 Simulator — Work
in Progress« ACM SaT-CPS '21 conference
Lilian Bossuet, El Mehdi Benhani. Security Assessment of
Heterogenous SoC-FPGA: On the Practicability of Cache Timing
Attacks.In Proceedings of 29 th IFIP/IEEE International
Conference on very Large Scale Integration, VLSI-SoC 2021,
Singapore, October 2021.
Sylvain Guilley, Michel Le Rolland, Damien Quenson.
Implementing Secure Applications thanks to an Integrated
Secure Element. 7th International Conference on Information
Systems Security and Privacy, INSTICC, Feb 2021, Vienne (en
ligne), Austria. ?hal-03084250v2?
ARCHI-SEC partners, “Virtual Platform to Analyze the Security of
aSystem on Chip at Microarchitectural Level “. Work in Progress, SILM Workshop,
Attacks exploiting micro-architectural vulnerabilities, such as Meltdown, Spectre, Rowhammer,etc., are on the rise. Modern day SoCs "System-on a Chips" embed increasingly complex design features, such as branchprediction, Out-of-Order execution, cache coherency protocols, integrated GPUs/FPGAs, new nonvolatile memories. The security aspect of these new architectures and technologies remains under-studied. This project aims at modeling the architectural problems with a virtual platform based on gem5. It will be used for penetration testing, evaluate the performance cost of countermeasures,anticipate new attacks and propose protections. These latter are validated on platforms based on ARMand RISC-V processors. The major impact of this project will be through the creation of a community around the virtual platform. The project will be carried out in collaboration with the SME Secure-IC,which will give industrial insights to the project.
Monsieur Jean-Luc Danger (LTCI)
The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility as for its contents.
SIC SECURE-IC SAS
UM-LIRMM Laboratoire d'Informatique, de Robotique et de Microélectronique de Montpellier
IRISA Institut de Recherche en Informatique et Systèmes Aléatoires
UJM/LabHC Laboratoire Hubert Curien
Help of the ANR 844,034 euros
Beginning and duration of the scientific project: September 2019 - 42 Months