Paper 2020/1193

Bypassing Isolated Execution on RISC-V with Fault Injection

Shoei Nashimoto, Daisuke Suzuki, Rei Ueno, and Naofumi Homma

Abstract

RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. One of the main objectives of PMP is to provide a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a fault injection attack that bypasses the PMP-based isolation. The proposed attack scheme extracts successful glitch parameters for fault injection under a black-box assumption, i.e., without knowledge of the target's internal implementation. We implement a proof-of-concept TEE built on RISC-V PMP, and we verify the feasibility and effectiveness of the proposed attack through experiments conducted on that TEE. The results show that an attacker can bypass the isolation of the TEE and read data from the protected memory region.
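
To make concrete what the attack undermines, the following is an added example (written for this page, not code from the paper or its authors) that models the PMP permission check as specified in the RISC-V privileged architecture: NAPOT/NA4/TOR address matching, first-match-wins ordering, the L (lock) bit's effect on M-mode, and the default deny for S/U-mode when no entry matches. The TEE-style layout (a 64 KiB secure region at 0x80000000 with no S/U permissions, and an RWX catch-all entry behind it) and the addresses are constructed for illustration; the final function shows how a single corrupted pmpcfg byte (entry 0 switched to OFF) changes a denied U-mode read of secure memory into an allowed one. That corruption is an illustration of why the configuration is a fault-injection target, not a description of the paper's glitch parameters.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* pmpcfg per-entry byte layout (RISC-V privileged spec). */
#define PMP_R       0x01
#define PMP_W       0x02
#define PMP_X       0x04
#define PMP_A_MASK  0x18
#define PMP_A_OFF   0x00
#define PMP_A_TOR   0x08
#define PMP_A_NA4   0x10
#define PMP_A_NAPOT 0x18
#define PMP_L       0x80

enum priv { PRIV_U = 0, PRIV_S = 1, PRIV_M = 3 };

typedef struct {
    uint8_t  cfg;   /* one pmpcfg byte */
    uint64_t addr;  /* pmpaddr register value (byte address >> 2, plus NAPOT size bits) */
} pmp_entry_t;

/* Encode a NAPOT region: base aligned to size, size a power of two >= 8.
 * k trailing one bits in pmpaddr encode a 2^(k+3)-byte region. */
uint64_t pmp_napot_addr(uint64_t base, uint64_t size)
{
    return (base >> 2) | ((size >> 3) - 1);
}

/* Does byte address a fall inside entry i? TOR uses the previous entry's pmpaddr as the floor. */
static bool pmp_match(const pmp_entry_t *e, size_t i, uint64_t a)
{
    uint64_t pa = e[i].addr;
    switch (e[i].cfg & PMP_A_MASK) {
    case PMP_A_OFF:
        return false;
    case PMP_A_TOR: {
        uint64_t lo = (i == 0) ? 0 : e[i - 1].addr << 2;
        return a >= lo && a < (pa << 2);
    }
    case PMP_A_NA4:
        return a >= (pa << 2) && a < (pa << 2) + 4;
    default: { /* NAPOT */
        unsigned k = 0;
        while (k < 63 && ((pa >> k) & 1)) k++;          /* count trailing ones */
        uint64_t base = (pa & ~((1ULL << k) - 1)) << 2;
        uint64_t size = 1ULL << (k + 3);
        return a >= base && a < base + size;
    }
    }
}

/* Permission check for one access at byte address a; want is a mask of PMP_R/W/X.
 * The lowest-numbered matching entry decides. */
bool pmp_allowed(const pmp_entry_t *e, size_t n, uint64_t a, int priv, uint8_t want)
{
    for (size_t i = 0; i < n; i++) {
        if (!pmp_match(e, i, a))
            continue;
        if (priv == PRIV_M && !(e[i].cfg & PMP_L))
            return true;                  /* M-mode ignores unlocked entries */
        return (e[i].cfg & want) == want; /* locked entries bind every mode */
    }
    return priv == PRIV_M;                /* no match: M allowed, S/U denied */
}

/* Constructed TEE-style layout (illustrative addresses, not taken from the paper):
 * entry 0: 64 KiB secure region, no R/W/X for S/U (unlocked, so M-mode can use it);
 * entry 1: whole 32-bit space RWX for the untrusted application. */
#define SECURE_BASE 0x80000000ULL
#define SECURE_SIZE 0x10000ULL

void tee_layout(pmp_entry_t e[2])
{
    e[0].cfg  = PMP_A_NAPOT;                 /* R=W=X=0 */
    e[0].addr = pmp_napot_addr(SECURE_BASE, SECURE_SIZE);
    e[1].cfg  = PMP_A_NAPOT | PMP_R | PMP_W | PMP_X;
    e[1].addr = pmp_napot_addr(0, 1ULL << 32);
}

/* U-mode read of secure memory, with or without entry 0's cfg byte corrupted to OFF
 * (a single-byte configuration fault, shown purely as an illustration). */
bool umode_read_secure(bool corrupt_entry0)
{
    pmp_entry_t e[2];
    tee_layout(e);
    if (corrupt_entry0)
        e[0].cfg = PMP_A_OFF;
    return pmp_allowed(e, 2, SECURE_BASE + 0x100, PRIV_U, PMP_R);
}

int main(void)
{
    printf("U-mode read of secure region, intact config : %s\n",
           umode_read_secure(false) ? "allowed" : "denied");
    printf("U-mode read of secure region, entry 0 OFF   : %s\n",
           umode_read_secure(true) ? "allowed" : "denied");
    return 0;
}
```

Because the first matching entry wins, the secure-region entry must precede the permissive catch-all; the model also shows why a TEE that relies on an unlocked entry depends on M-mode firmware never being hijacked, since M-mode bypasses any entry without the L bit.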

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
Fault Injection, RISC-V, Memory Protection, Trusted Execution Environment
Contact author(s)
nashimoto shoei @ bx mitsubishielectric co jp
History
2020-09-30: received
Short URL
https://ia.cr/2020/1193
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1193,
      author = {Shoei Nashimoto and Daisuke Suzuki and Rei Ueno and Naofumi Homma},
      title = {Bypassing Isolated Execution on RISC-V with Fault Injection},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1193},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/1193}},
      url = {https://eprint.iacr.org/2020/1193}
}