#### In Hardware We Trust: Enriching the World with Hardware Security

#### JV Rajendran Texas A&M University



#### Hack@DAC2018: Overview

- Deep dive into hardware bugs and detection techniques
- A RISC-V SoC testbed with injected bugs constructed in collaboration with Intel hardware security professionals
- 54 teams from industry & academia participated
- Own investigation of the effectiveness of approaches used

### Systematic RTL Bugs Construction






#### **RISC-V SoC: RTL Bugs Testbed**







[Figure: block diagram of the RISC-V SoC testbed; the peripherals (General Purpose I/O and others) attach to the AXI interconnect]

#### 2 RISC-V SoCs used: PULPino & PULPissimo

**AXI** = Advanced Extensible Interface

**SPI** = Serial Peripheral Interface

**DMA** = Direct Memory Access

**CLK** = Real-Time Clock

**HWPE** = Hardware Processing Elements

**GPIO** = General Purpose I/O


**Bug #20 Type**: sensitive information leakage

**Cause**: AES engine stores key in a memory address that is determined by the firmware at runtime

**Effect**: attacker can leak the key from memory if it is within unprotected range

**Inspiring CVEs**: CVE-2018-8933 / CVE-2014-0881 / CVE-2017-5704

**Detection**: requires co-verification of both hardware RTL and firmware, not easily supported in existing tools




## Software-Exploitable Bug






**Bug #7 Type**: memory access violation

**Cause**: AXI bus address decoder finite state machine (FSM) ignores memory access faults that occur in a particular sequence

**Inspiring CVEs**: CVE-2018-4850

**Effect**:

- Usually operates normally
- However, a "faulty" transaction on the memory bus (e.g., a disallowed memory access) causes the subsequent transaction to slip past the check and be treated as "operational" unconditionally
- Triggers malicious memory access / privilege escalation






#### Abstracted SoC to simplify!







Memory access requests are usually sanitized by the page table walker in the CPU core and at the AXI memory interconnect to check whether the memory access is allowed.

If a faulty/illegal access is detected, an interrupt is generated (even with the injected bug).

The interconnect is still processing a faulty memory access request when another one comes in.

With this bug, the second request slips through the sanitization check and is allowed to proceed even if it is illegal, resulting in a faulty (illegal) memory access.

One malicious process can compromise the entire platform!

An attacker can register an interrupt handler and spam the bus with faulty memory accesses. Eventually, a malicious memory access will slip through the checks and be allowed.
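A behavioural model of the Bug #7 decoder sequence, as an added example that is not from the slides or from the PULPino/PULPissimo RTL: the decoder FSM is abstracted to a single "still servicing a fault" flag, the allowed address ranges, the busy time and the bus trace are constructed, and the checker asserts the property a dynamic or formal verification flow would check, namely that no illegal request is ever granted.

```python
"""Toy model of the Bug #7 AXI address-decoder fault and a property checker.

Added example: not the Hack@DAC testbed RTL. The decoder keeps one piece of
state (is it still servicing a faulted request?); the protection map, busy
time and bus trace are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Constructed protection map: address ranges a master is allowed to touch.
ALLOWED_RANGES = [(0x1000_0000, 0x1000_FFFF), (0x2000_0000, 0x2FFF_FFFF)]


@dataclass
class Request:
    cycle: int
    addr: int


@dataclass
class Result:
    cycle: int
    addr: int
    legal: bool      # verdict of the protection map
    granted: bool    # what the decoder actually did
    fault_irq: bool  # interrupt raised for this request


def is_allowed(addr: int) -> bool:
    return any(lo <= addr <= hi for lo, hi in ALLOWED_RANGES)


class AddressDecoder:
    """buggy=True reproduces the slide's sequence: while the FSM is still
    servicing a faulted request, the next request bypasses the check."""

    def __init__(self, buggy: bool, fault_busy_cycles: int = 2):
        self.buggy = buggy
        self.fault_busy_cycles = fault_busy_cycles  # assumed service time
        self.busy_until = -1  # last cycle in which a fault is still in service

    def process(self, req: Request) -> Result:
        if is_allowed(req.addr):
            return Result(req.cycle, req.addr, True, True, False)
        servicing_fault = req.cycle <= self.busy_until
        if self.buggy and servicing_fault:
            # Bug #7: the check is skipped and the illegal access proceeds.
            # Assumption: a skipped check also raises no fault interrupt.
            return Result(req.cycle, req.addr, False, True, False)
        # Correct path: block the access and raise the fault interrupt
        # (the slide notes the IRQ still fires with the injected bug).
        self.busy_until = req.cycle + self.fault_busy_cycles
        return Result(req.cycle, req.addr, False, False, True)


def run_trace(decoder: AddressDecoder, trace: List[Request]) -> List[Result]:
    return [decoder.process(r) for r in trace]


def illegal_grants(results: List[Result]) -> List[Result]:
    """Safety property a checker asserts: no illegal request is granted."""
    return [r for r in results if r.granted and not r.legal]


def fault_irq_cycles(results: List[Result]) -> List[int]:
    return [r.cycle for r in results if r.fault_irq]


# Constructed bus trace: a legal access, a fault, a second illegal request
# arriving while the fault is in service, and a later one when the FSM is idle.
SAMPLE_TRACE = [
    Request(cycle=0, addr=0x1000_0040),
    Request(cycle=1, addr=0x3000_0000),
    Request(cycle=2, addr=0x4000_0000),
    Request(cycle=6, addr=0x4000_0000),
]

if __name__ == "__main__":
    for buggy in (True, False):
        res = run_trace(AddressDecoder(buggy=buggy), SAMPLE_TRACE)
        print(f"buggy={buggy}: illegal grants at cycles",
              [r.cycle for r in illegal_grants(res)],
              "fault IRQs at cycles", fault_irq_cycles(res))
```

The same trace run against the buggy and the corrected decoder shows the detection signal: with the bug, cycle 2 is granted although no fault interrupt is raised for it, which an assertion on the grant/legal pair catches while an interrupt-count check alone does not.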

| #  | Bug description                                                           | Inserted / Native (inspiring CVE)                        |   |   |   |    |       |                      |
|----|---------------------------------------------------------------------------|----------------------------------------------------------|---|---|---|----|-------|----------------------|
| 7  | AXI address decoder ignores errors.                                       | Inserted (CVE-2018-4850)                                 | × | 1 | × | 1  | 227   | 2                    |
| 8  | Address range overlap between GPIO, SPI, and SoC control peripherals.     | Inserted (CVE-2018-12206 / CVE-2017-5704)                | 1 | 1 | 1 | 68 | 14635 | 9.4×10<sup>21</sup>  |
| 9  | Incorrect password checking logic in debug unit.                          | Inserted (CVE-2018-8870)                                 | × | 1 | × | 4  | 436   | 1                    |
| 10 | Advanced debug unit only checks 31 of the 32 bits of the password.        | Inserted (CVE-2017-18347 / CVE-2017-7564)                | × | 1 | × | 4  | 436   | 16                   |
| 11 | Able to access debug register when in halt mode.                          | Native (CVE-2017-18347 /                                 | × | 1 | 1 | 2  | 887   | 1                    |
| 12 | Password check for the debug unit does not reset after successful check.  | Inserted (CVE-2017-7564)                                 | × | 1 | 1 | 4  | 436   | 16                   |
| 13 | Faulty decoder state machine logic in RISC-V core results in a hang.      | Native                                                   | × | 1 | 1 | 2  | 1119  | 32                   |
| 14 | Incomplete case statement in ALU can cause unpredictable behavior.        | Native                                                   | × | 1 | 1 | 2  | 1152  | 4                    |
| 15 | Faulty timing logic in the RTC results in inaccurate calculation of time. | Native                                                   | × | 1 | × | 1  | 191   | 1                    |
| 16 | Reset for the advanced debug unit not operational.                        | Inserted (CVE-2017-18347)                                | × | × | 1 | 4  | 436   | 16                   |
| 17 | Memory-mapped register file allows code injection.                        | Native                                                   | × | × | 1 | 1  | 134   | 1                    |
| 18 | Non-functioning cryptography module causes DOS.                           | Inserted                                                 | × | × | × | 24 | 2651  | 1                    |
| 19 | Insecure hash function in the cryptography module.                        | Inserted (CVE-2018-1751)                                 | × | × | × | 24 | 2651  | N/A                  |
| 20 | Cryptographic key for AES stored in unprotected memory.                   | Inserted (CVE-2018-8933 / CVE-2014-0881 / CVE-2017-5704) | × | × | × | 57 | 8955  | 1                    |
| 21 | Temperature sensor is muxed with the cryptography modules.                | Inserted                                                 | × | × | 1 | 1  | 65    | 1                    |
| 22 | ROM size is too small preventing execution of security code.              | Inserted (CVE-2018-6242 / CVE-2018-15383)                | × | × | 1 | 1  | 751   | N/A                  |
| 23 | Disabled zero RISC-V core.                                                | Inserted (CVE-2018-12206)                                | × | × | × | 1  | 282   | N/A                  |
| 24 | GPIO enable always high.                                                  | Inserted (CVE-2018-1959)                                 | × | × | × | 1  | 392   | 1                    |
| 25 | Secure mode not required to write to RISC-V core control registers.       | Inserted (CVE-2018-7522 / CVE-2017-0352)                 | × | × | 1 | 1  | 745   | 1                    |
| 26 | Advanced debug unit password is hard-coded and set on reset.              | Inserted (CVE-2018-8870)                                 | × | × | 1 | 1  | 406   | 16                   |
| 27 | Secure mode is not required to write to interrupt registers.              | Inserted (CVE-2017-0352)                                 | × | × | 1 | 1  | 303   | 1                    |
| 28 | JTAG interface is not password protected.                                 | Native                                                   | × | × | 1 | 1  | 441   | 1                    |


# Some bugs were very difficult to detect


## Some bugs could not be detected at all


And some of the teams detected "native" bugs not injected by us!

## Example of a "Native" Bug

**Bug #15 Type**: incorrect computation

**Cause**: faulty logic in the real-time clock causing inaccurate time calculation

**Effect**: can violate the integrity of security-critical flows, e.g., Digital Rights Management and certificate revocation

**Similar to**: CVE-2018-4853




## Study I: Competition Setup

- Phase I:
  - preliminary qualification where 54 teams participated world-wide over 12 weeks to detect the bugs
  - PULPino SoC
- Phase II:
  - on-site final competition at DAC over an 8-hour time-frame
  - More complex PULPissimo SoC → enabled injection of more advanced bugs
- The SoCs used are not toy examples, yet they are not overly complex SoC designs for the teams to work with

| Manual Inspection                            | Dynamic Verification                                                                           | Formal Verification                                  |
|----------------------------------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------|
| Most popular approach                        | Assertion-based simulation using SystemVerilog                                                 | Tried but failed                                     |
| Prioritized high-risk areas                  | Software-based testing: running C code to try and trigger memory accesses to privileged memory | Limited scalability                                  |
| Does not scale to cross-layer & complex bugs |                                                                                                | Extensive expertise & time required to use the tools |
| Relies strongly on human expertise           |                                                                                                |                                                      |

#### Students



Technische Universität Darmstadt

- Ghada Dessouky (Ph.D.)
- Pouya Mahmoody (Ph.D.)

- Rahul Kande (Ph.D.)
- Chen Chen (Ph.D.)
- Georges Alsankary (Ph.D.)
- Bhagyaraja Adapa (Ph.D.)
- Garrett Persyn (Grad)