ARCHI-SEC: Micro-Architectural Security – ARCHI-SEC

The GEM5 platform is modified to identify vulnerabilities, develop attacks on processor cores and SoCs, study countermeasures. The heart of the approach is based on the implementation of a GEM5 virtual platform for security assessment. More precisely the method consists of three steps:
1. Identification of potential vulnerabilities in the source code and in the micro-architecture.
2. Propose and develop attacks exploiting vulnerabilities and simulate them on the GEM5 platform.
3. Validate attacks on a real platform.

The attacks and vulnerabilities are studied for the processors and the elements composing the SoC architecture:
* CPU core with and without protection like ARM TrustZone.
* Cache memory
* Main memory and emerging memory technology
* GPU / FPGA accelerators

Some mid-term results:
* Implementation of the open virtual platform
* GEM5 modification to support OPTEE
* Validation of attacks on cache memories with GEM5
* Validation of «transient« attacks like Specter with GEM5
* Validation of the attack on «Dynamic Voltage and Frequency Scaling« DVFS with GEM5.
* Integration of the Ramulator tool in Gem5 to simulate «RowHammer« attacks

The perspectives are to research and validate attacks with the Gem5 virtual platform. Here is a non-exhaustive list of the different targeted architectures:
* CPU in a secure environment such as OPTEE running on ARM / Trustzone
* CPU using a simple («Baremetal« type) and secure operating system
* Interfaces between CPU and peripherals in an SoC, such as accelerators.
* Non-volatile memories, to cope with «RowHammer« and «cold boot« type fault attacks, in particular memories of emerging non-volatile technologies.

Pierre Ayoub, Clémentine Maurice«Reproducing Spectre Attack
with gem5: How To Do It Right? “,, 14th European Workshop on
Systems Security

Loïc France, Maria Mushtaq, Florent Bruguier, David Novo and
Pascal Benoit «Vulnerability Assessment of the Rowhammer
Attack Using Machine Learning and the gem5 Simulator — Work
in Progress« ACM SaT-CPS '21 conference

Lilian Bossuet, El Mehdi Benhani. Security Assessment of
Heterogenous SoC-FPGA: On the Practicability of Cache Timing
Attacks.In Proceedings of 29 th IFIP/IEEE International
Conference on very Large Scale Integration, VLSI-SoC 2021,
Singapore, October 2021.

Sylvain Guilley, Michel Le Rolland, Damien Quenson.
Implementing Secure Applications thanks to an Integrated
Secure Element. 7th International Conference on Information
Systems Security and Privacy, INSTICC, Feb 2021, Vienne (en
ligne), Austria. ?hal-03084250v2?

ARCHI-SEC partners, “Virtual Platform to Analyze the Security of
aSystem on Chip at Microarchitectural Level “. Work in Progress, SILM Workshop,
Vienna, 2021

Attacks exploiting micro-architectural vulnerabilities, such as Meltdown, Spectre, Rowhammer,etc., are on the rise. Modern day SoCs "System-on a Chips" embed increasingly complex design features, such as branchprediction, Out-of-Order execution, cache coherency protocols, integrated GPUs/FPGAs, new nonvolatile memories. The security aspect of these new architectures and technologies remains under-studied. This project aims at modeling the architectural problems with a virtual platform based on gem5. It will be used for penetration testing, evaluate the performance cost of countermeasures,anticipate new attacks and propose protections. These latter are validated on platforms based on ARMand RISC-V processors. The major impact of this project will be through the creation of a community around the virtual platform. The project will be carried out in collaboration with the SME Secure-IC,which will give industrial insights to the project.