- Goa 2021
- Praveen Vadnala and Nils Wiersma
Praveen Vadnala and Nils Wiersma
Arbitrary code execution on RISC-V using fault injection
RISC-V is a new, free and open Instruction Set Architecture (ISA), that is becoming increasingly popular in the recent past. In RISC-V ISA, it is not possible to directly access Program Counter (PC), unlike other widely used architectures such as AArch32. Hence, corrupting a RISC-V instruction in order to to store the payload address into PC directly using fault injection is not possible. In this research, we propose alternative techniques to gain code execution using fault attacks by targeting the instructions that change the control flow of a program. They include corrupting return address register, stack pointer register, among others. Based on the experimental results, we identify new fault models that that can not be explained using the programmer model of the ISA but requires understanding of the underlying hardware implementation. We demonstrate the practicality of these attacks on a commercially available RISC-V SoC. These results have wide-ranging implications on the security of embedded devices against attackers with physical access to the device, most notably the secure boot.
Praveen Vadnala is a Senior Security Analyst at Riscure, Delft, the Netherlands. His work is mostly focused on analyzing and testing the security of embedded devices. He holds a Ph.D. in computer science from University of Luxembourg, Luxembourg. His research interests are related to side-channel and fault-injection attacks and their countermeasures. He co-authored and presented papers at several conferences including CHES, FSE and RSA conference.
Nils Wiersma, after receiving his BSc. degree in general Computing Science at the University of Groningen, moved on to pursue a MSc. degree in the field of Cyber Security offered in a joint-venture between the Radboud University of Nijmegen and Eindhoven University of Technology. During the thesis stage of this master's degree, he focused specifically on embedded security in the automotive context. Now, he works at Riscure as a Senor Security Analyst.