DOI: 10.1145/3649329.3656541

MCU-Wide Timing Side Channels and Their Detection

Published: 07 November 2024

Abstract

Microarchitectural timing side channels have been thoroughly investigated as a security threat in hardware designs featuring shared buffers (e.g., caches) and/or parallelism between attacker and victim task execution. However, contradicting common intuitions, recent activities demonstrate that this threat is real even in microcontroller SoCs without such features. In this paper, we describe SoC-wide timing side channels previously neglected by security analysis and present a new formal method to close this gap. In a case study on the RISC-V Pulpissimo SoC, our method detected a vulnerability to a previously unknown attack variant that allows an attacker to obtain information about a victim's memory access behavior. After implementing a conservative fix, we were able to verify that the SoC is now secure w.r.t. the considered class of timing side channels.


Published In

DAC '24: Proceedings of the 61st ACM/IEEE Design Automation Conference
June 2024
2159 pages
ISBN:9798400706011
DOI:10.1145/3649329
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. timing side channels
  2. formal verification
  3. hardware security

Qualifiers

  • Research-article

Conference

DAC '24: 61st ACM/IEEE Design Automation Conference
June 23 - 27, 2024
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%
