CN110032485A - Multi-core processor and fault injection method thereof - Google Patents

Publication number
CN110032485A
Authority
CN
China
Prior art keywords
core
attack
voltage
processor
fault
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910309540.0A
Other languages
Chinese (zh)
Other versions
CN110032485B (en)
Inventor
汪东升
吕勇强
邱朋飞
王淳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN201910309540.0A
Publication of CN110032485A
Application granted
Publication of CN110032485B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G06F11/2236 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test CPU or processors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2252 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using fault dictionaries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/26 Functional testing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • G06F15/177 Initialisation or configuration control

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Power Sources (AREA)
  • Microcomputers (AREA)

Abstract

This application discloses a multi-core processor and a fault injection method for it, and relates to the field of computer processors. The disclosed fault injection method comprises: when a hardware fault needs to be injected into a processor core of a multi-core processor, designating that core as the attacked core (referred to here as the victim core) and using another processor core as the attack core; when the attack core detects that the victim core has run to a specified fault injection point, changing the processor core voltage of the victim core to an attack voltage so that a hardware fault is injected into the victim core; and, after the attack voltage has been held for a preset time, restoring the processor core voltage of the victim core to a safe voltage. With the fault injection method provided by this application, hardware fault injection is achieved without changing the voltage of the other cores and with every core other than the victim core unaffected, thereby achieving the purpose of loading an untrusted application into a secure environment.

Description

Multi-core processor and fault injection method thereof
Technical field
This application relates to the field of computer processors, and in particular to a multi-core processor and a fault injection method for it.
Background art
With the rapid development of semiconductor technology, very-large-scale integration and computer architecture, the average instruction throughput of processors has improved greatly. How to reduce processor energy consumption, however, has always been a problem that needs particular attention, especially in mobile devices such as mobile phones, notebooks and tablets. The energy consumption of a processor is its dynamic power consumption accumulated over time, and dynamic power consumption is jointly determined by the load capacitance C, the voltage V and the frequency F, as follows:
P = V² × F × C
Dynamic power consumption increases with both voltage and frequency, so lowering the processor core voltage and frequency lowers the dynamic power consumption and in turn the energy consumption of the processor; lowering the core voltage and frequency also lowers processor performance, however. To trade off performance against power consumption, modern processors widely use dynamic power management (Dynamic Voltage and Frequency Scaling, DVFS). DVFS lets the operating system change the processor's voltage and frequency dynamically according to processor load, with the aim of meeting the user's performance and power requirements. To implement DVFS, the outputs of the system's frequency and voltage hardware managers are designed as multiples of a base frequency and a base voltage, with the multiplier configured by the corresponding operating system kernel driver. To manage voltage and frequency better, they are fixed to a set of discrete tuples (Operating Performance Points, OPP): each frequency corresponds to a fixed voltage, forming a frequency-voltage pair. OPPs are determined by device characteristics, defined in the device description file provided by the vendor, and read and used by the kernel driver.
Linux and Android provide five processor frequency management modes: performance, power-saving, on-demand, conservative and user-defined. A device user can configure the processor's frequency management mode with system commands. In user-defined mode, the device user can use commands provided by the kernel driver to specify the frequency of each core, and the processor voltage is modified accordingly as the frequency changes. On Windows, a device user can change the processor frequency through the power plan. In DVFS the frequencies of the processor cores are independent, but all cores share the same hardware voltage manager, so in a multi-core processor that supports DVFS every core has the same voltage. If fault injection is implemented by lowering the processor core voltage, the voltage of all cores is affected, and if the frequencies of those cores are also the same, the programs running on them, including operating system programs, will exhibit unpredictable errors.
Summary of the invention
This application provides a fault injection method based on a multi-core processor, comprising: when a hardware fault needs to be injected into a processor core of the multi-core processor, designating that core as the victim core and using another processor core as the attack core; when the attack core detects that the victim core has run to a specified fault injection point, changing the processor core voltage of the victim core to an attack voltage so that a hardware fault is injected into the victim core; and, after the attack voltage has been held for a preset time, restoring the processor core voltage of the victim core to a safe voltage.
The method as described above, wherein the processor core voltage is changed to the attack voltage by modifying the voltage management driver in the multi-core processor.
The method as described above, wherein the attack voltage is specifically a voltage at which the victim core cannot work normally while the processor cores other than the victim core can work normally.
The method as described above, wherein the victim program is bound to execute on the victim core and the attack program is bound to execute on the attack core; the moment at which the attack program on the attack core detects that the victim code in the victim program on the victim core starts executing is taken as the specified fault injection point.
The method as described above, further comprising, before the attack core detects that the victim core has run to the specified fault injection point, executing NOP instructions to measure the instruction execution period, so as to learn when the victim program runs to the specified fault injection point.
The method as described above, wherein, while the attack core executes NOP instructions to measure the instruction period, the attack core sets up the attack environment for fault injection, waits for the victim function in the victim program to start executing, and waits for the victim code in the victim function to start executing.
The method as described above, wherein setting up the attack environment for fault injection comprises setting the victim core to a high frequency, setting the attack core and the other unrelated cores to a low frequency, setting the processor core voltage to the safe voltage, and preparing the attack environment, including the caches, branch predictor and processor status registers, by executing the victim program.
The method as described above, wherein configuring the processor core voltage and voltage duration of the victim core specifically comprises setting the processor voltage and voltage duration of the victim core to suitable parameters. The suitable parameters required to realize the fault F_fault comprise F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur, where F_a is the frequency of the attack core, F_v is the frequency of the victim core, V_l is the attack voltage, V_b is the safe voltage, that is, the processor core voltage before and after the attack voltage is set, at which both the attack core and the victim core can work normally, T_pre_w is the time the attack program waits for the victim function to start executing, T_pre_d is the time the attack program waits for the victim code to start executing, and T_dur is the duration of the attack voltage.
This application also provides a multi-core processor comprising multiple processor cores and a power management integrated chip, the power management integrated chip supplying the processor core voltage to the processor cores through a power management integrated circuit. The processor cores are configured so that, when a hardware fault is to be injected into a processor core, that core is designated as the victim core and another processor core serves as the attack core; when the attack core detects that the victim core has run to the specified fault injection point, a hardware fault is injected into the victim core according to the attack voltage supplied by the power management integrated chip. The power management integrated chip is configured to change the processor core voltage of the victim core to the attack voltage when the attack core detects that the victim core has run to the specified fault injection point, and to restore the processor core voltage of the victim core to the safe voltage after the preset time.
The multi-core processor as described above, wherein changing the processor core voltage of the victim core to the attack voltage in the power management chip specifically comprises: the power management integrated chip supplying the attack voltage to all processor cores, the attack voltage preventing the victim core from working normally while the attack core and the other cores can work normally; or the power management integrated chip changing the processor core voltage of the victim core alone to the attack voltage.
The beneficial effects achieved by this application are as follows:
(1) by modifying the voltage management driver, the threshold voltage and voltage selection security mechanisms in the voltage management kernel driver are bypassed, allowing the processor core voltage to be configured arbitrarily;
(2) by supplying the processor cores with a low voltage at which the other cores can work normally but the victim core cannot, hardware fault injection is achieved without affecting the normal operation of the other cores;
(3) the fault injection point, attack voltage and attack time can be controlled precisely through experiment, reducing the effect of the hardware fault on other code segments during fault injection.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in this application, and a person of ordinary skill in the art can derive other drawings from them.
Fig. 1 is a combined software and hardware schematic of the voltage management architecture in a processor based on the ARM Krait architecture;
Fig. 2 is a flow chart of the fault injection method by which the attack program running on the attack core injects a fault into the victim core;
Fig. 3 is a flow chart of the method for obtaining the AES encryption key in the normal world;
Fig. 4 is a flow chart of the method for obtaining the AES encryption key in TrustZone;
Fig. 5 is a schematic diagram of the attack core injecting a hardware fault into the AES encryption program of a trusted application on the victim core;
Fig. 6 shows the relationship between frequency and the number of NOP executions required while waiting for the victim function to start executing;
Fig. 7 shows the relationship between frequency and the number of NOP executions required from the start of the victim function until execution reaches the victim code;
Fig. 8 is a schematic diagram of the number of faulty bytes appearing in the eighth-round input state matrix of the 128-bit AES encryption program under different attack voltages and durations;
Fig. 9 is a schematic diagram of the fault positions when AES is attacked.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art from the embodiments of the invention without creative work fall within the scope of protection of the invention.
Optionally, the verification experiments of this application were carried out mainly on a Google Nexus 6, which has a processor produced by Qualcomm and based on the ARM Krait architecture. The voltage management kernel driver provided by Qualcomm configures the processor's voltage hardware manager and provides an interface to the operating system. In the Google Nexus 6 operating system, to prevent malicious voltages from damaging the processor, Qualcomm added two security mechanisms to the voltage management kernel driver it provides: a threshold voltage and voltage selection.
The threshold voltage and voltage selection security mechanisms are described in detail below:
Threshold voltage: in the hardware management driver, the threshold voltage is the minimum value to which the processor core voltage can be set. If an attempt is made to set a voltage lower than the threshold voltage, the driver supplies the processor with a stable threshold voltage instead. The value of the threshold voltage is defined in the device description file and read by the probe step of the voltage management driver;
Voltage selection: because different processor cores can run at different frequencies, the hardware management driver protects the cores running at high frequency by taking the highest frequency among all cores and using the voltage that corresponds to it in the OPP (the set of discrete voltage-frequency tuples supported by the multi-core processor) as the processor core voltage.
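The two safeguards just described, written out as an added C example for defenders (not Qualcomm's driver code and not part of the patent), together with an audit check that reports cores whose OPP voltage is above the voltage actually on the shared rail. The OPP table, the threshold value and all function names are assumptions constructed for illustration; the sample frequencies and the 0.6 V reading reuse the values reported in the patent's verification experiment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One operating performance point (OPP): a frequency and the voltage it needs. */
struct opp {
    uint32_t freq_khz;
    uint32_t min_uv; /* microvolts */
};

/* CONSTRUCTED table for illustration, ascending by frequency. Real values
 * come from the vendor's device description file. */
static const struct opp OPP_TABLE[] = {
    {  300000,  700000 },
    {  420000,  725000 },
    { 1500000,  875000 },
    { 2650000, 1055000 },
};
#define OPP_COUNT (sizeof(OPP_TABLE) / sizeof(OPP_TABLE[0]))

/* CONSTRUCTED threshold voltage: the lowest value the rail may be set to. */
#define THRESHOLD_UV 700000u

/* Voltage one core needs: the entry of the lowest table frequency that is
 * >= the core's frequency. Returns 0 for a frequency above the table. */
static uint32_t opp_required_uv(uint32_t freq_khz)
{
    for (size_t i = 0; i < OPP_COUNT; i++)
        if (freq_khz <= OPP_TABLE[i].freq_khz)
            return OPP_TABLE[i].min_uv;
    return 0;
}

/* Voltage selection: all cores share one rail, so the rail must satisfy the
 * fastest core, and never drop below the threshold. Returns 0 on bad input. */
uint32_t rail_required_uv(const uint32_t *core_khz, size_t ncores)
{
    uint32_t need = THRESHOLD_UV;
    for (size_t i = 0; i < ncores; i++) {
        uint32_t uv = opp_required_uv(core_khz[i]);
        if (uv == 0)
            return 0; /* refuse to choose a voltage for an unknown frequency */
        if (uv > need)
            need = uv;
    }
    return need;
}

/* Value the driver programs for a request: requests below the required
 * voltage are raised to it, mirroring the clamp behaviour described above. */
uint32_t select_rail_uv(uint32_t requested_uv, const uint32_t *core_khz,
                        size_t ncores)
{
    uint32_t need = rail_required_uv(core_khz, ncores);
    if (need == 0)
        return 0;
    return requested_uv < need ? need : requested_uv;
}

/* Audit check: bitmask of cores (bit i = core i) whose required voltage is
 * above the voltage observed on the rail, or whose frequency is unknown. */
uint32_t undervolted_cores(uint32_t rail_uv, const uint32_t *core_khz,
                           size_t ncores)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < ncores && i < 32; i++) {
        uint32_t uv = opp_required_uv(core_khz[i]);
        if (uv == 0 || uv > rail_uv)
            mask |= (uint32_t)1 << i;
    }
    return mask;
}

int main(void)
{
    /* Core 1 at 2.65 GHz, the others at 0.42 GHz (frequencies from the page). */
    const uint32_t khz[4] = { 420000, 2650000, 420000, 420000 };

    printf("rail must be >= %u uV\n", (unsigned)rail_required_uv(khz, 4));
    printf("request 600000 uV -> programmed %u uV\n",
           (unsigned)select_rail_uv(600000, khz, 4));
    printf("observed 800000 uV -> undervolted mask 0x%x\n",
           (unsigned)undervolted_cores(800000, khz, 4));
    return 0;
}
```

A non-zero mask while the requested and programmed values disagree is the condition worth alerting on: the page's bypass works by editing the driver's probe step and selection code, so the audit has to run somewhere that modification cannot reach.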
To inject faults into a processor that supports dynamic power management, with the purpose of loading an untrusted application into a secure environment, this application modifies the voltage management driver so as to bypass the threshold voltage and voltage selection security mechanisms in the voltage management kernel driver, allowing the processor core voltage to be configured arbitrarily;
Specifically, the threshold voltage is bypassed by modifying the device description file or by modifying the probe step of the driver, so that the attack program can set a processor core voltage lower than the threshold voltage; and the voltage selection security mechanism is removed by modifying the voltage selection code. Because modifying the device description file has a wider impact, the embodiments of this application preferably bypass the threshold voltage by modifying the probe step of the driver;
It should be noted that this application modifies only the processor's minimum voltage, i.e. the threshold voltage, and places no restriction on the maximum voltage, for the following reason: the last byte of the voltage register in the voltage hardware manager represents the multiple of the base voltage, and the largest number one byte can represent is 255, so the maximum voltage cannot exceed 255 times the base voltage. On the verification platform of this application, experiments confirmed that the processor cores work normally at all frequencies when this byte is 255. The verification experiments of this application are therefore used to realize low-voltage faults.
Referring to Fig. 1, Fig. 1 is a combined software and hardware schematic of the voltage management architecture in a processor based on the ARM Krait architecture, comprising the multi-core processor, kernel space and user space;
Kernel space and user space form the software architecture. Kernel space contains the voltage management driver and the frequency driver, which manage the voltage and frequency of each processor core in the multi-core processor. The frequency driver receives frequency settings from user space and supplies a target voltage to the voltage management driver; the voltage management driver receives the voltage setting, i.e. the configured attack voltage, and uses the attack voltage to change the register settings of the power management chip.
The multi-core processor is the hardware architecture, comprising multiple processor cores (CPU cores) and a power management integrated chip (preferably the PMA8084 power supply chip). According to its internal register settings, the power management integrated chip supplies the processor core voltage to the processor cores through the power management integrated circuit, and supplies peripheral voltages to other external devices;
Specifically, the power management chip supplies the processor core voltage to the processor cores either by supplying one unified core voltage to all processor cores or by supplying a processor core voltage to each processor core separately;
The processor cores are configured so that, when a hardware fault is to be injected into a processor core, that core is designated as the victim core and another processor core serves as the attack core; when the attack core detects that the victim core has run to the specified fault injection point, the modified power management driver is used to change the processor voltage to the attack voltage, injecting a hardware fault into the victim core;
The power management integrated chip is configured to change the processor core voltage of the victim core to the attack voltage when the attack core detects that the victim core has run to the specified fault injection point, and to restore the processor core voltage of the victim core to the safe voltage after the preset time;
Changing the processor voltage of the victim core to the attack voltage specifically comprises the power management integrated chip supplying the attack voltage to all processor cores, the attack voltage preventing the victim core from working normally while the attack core and the other cores can work normally; or the power management integrated chip changing the processor core voltage of the victim core alone to the attack voltage.
Owing to the electrical characteristics of a multi-core processor, in the OPP set of discrete voltage-frequency tuples supported by the processor, the higher a processor core's frequency, the higher the minimum voltage it requires. The frequency of each processor core can be set independently, and different frequencies correspond to different minimum voltages. When the voltage supplied to a processor core is below its minimum required voltage, the timing constraints of that core are violated. The attack program on the attack core uses this frequency-voltage difference to carry out a fault injection attack on the specified victim core, injecting the hardware fault into that core.
When a hardware fault is to be injected into the specified victim core, the specified victim core running the victim program is set to a high frequency, and the attack core running the attack program and the other unrelated cores are set to a low frequency using system commands; at a particular moment the attack program then selects, between the minimum voltages required by the high frequency and the low frequency, a suitable voltage as the attack voltage and holds it for a short time;
Preferably, in the embodiments of this application, the attack program selects a suitable voltage and voltage duration to realize the fault attack, specifically
F_fault = {F_a; F_v; V_l; V_b; T_pre_w; T_pre_d; T_dur}
where the suitable parameter values F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur required by the attack program to realize the fault F_fault are determined by experimental results: F_a is the frequency of the attack core, F_v is the frequency of the victim core, V_l is the attack voltage, V_b is the safe voltage, that is, the processor core voltage before and after the attack voltage is set, at which both the attack core and the victim core can work normally, T_pre_w is the time the attack program waits for the victim function to start executing, T_pre_d is the time the attack program waits for the victim code to start executing, and T_dur is the duration of the attack voltage.
Embodiment one
Based on the modification to the voltage management driver described above, this application provides a frequency-voltage difference fault injection method based on a multi-core processor. When a hardware fault needs to be injected into a processor core, that core is designated as the victim core and the victim program is bound to execute on it; the processor core running the attack program serves as the attack core, and the remaining processor cores are other unrelated cores. The attack core running the attack program can thus inject a hardware fault into the specified victim core running the victim program without affecting the other unrelated cores or the normal operation of the programs on them.
In this embodiment, the method by which the attack program running on the attack core injects a fault into the victim core is shown in Fig. 2 and comprises:
Step 210: the attack program on the attack core monitors the victim program on the victim core and waits for the victim program to run to the specified fault injection point;
Specifically, while the attack program on the attack core waits for the victim program to run to the specified fault injection point, it executes the following sub-steps:
Step 211: set up the attack environment for fault injection;
To make fault injection more accurate and effective, a suitable fault injection attack environment must be prepared before injection, specifically: configure the frequency of the attack core and the frequency of the victim core, set the processor core voltage to the safe voltage, and prepare the attack environment, including data in the caches, branch predictor and processor status registers, by executing the victim program multiple times.
Step 212: wait for the victim function to start executing;
Specifically, the target code of the attack is encapsulated as a small piece of victim code inside the victim function, where the victim function is a fixed function and the victim code is loaded into the victim function according to the actual fault injection requirement. After the attack program starts executing, in order to match the attack program to the execution period of the trusted application on the victim core, so that the fault is injected precisely at the preset fault injection point of the trusted application, the attack program measures the instruction execution period by executing NOP instructions until the victim function starts executing. The length of time the attack program waits for the victim function to start executing is set to T_pre_w, i.e. the NOP execution time is T_pre_w.
Step 213: after the victim function starts executing, wait for the victim code in the victim function to start executing;
Specifically, to control the fault injection point precisely and to reduce the effect of the hardware fault on other code segments of the victim function during injection, after the victim function starts executing the attack program measures the instruction execution period by executing NOP instructions until the victim code starts executing. The length of time the attack program waits for the victim code to start executing is set to T_pre_d, i.e. the NOP execution time is T_pre_d.
Step 220: when the attack core detects that the victim core has run to the specified fault injection point, the processor core voltage of the victim core is changed to the attack voltage, injecting a hardware fault into the victim core;
After the victim code starts executing, the attack program sets the processor core voltage of the victim core to the attack voltage V_l, injecting a hardware fault into the victim core; the attack voltage V_l is a voltage at which the attack core executes normally but the victim core cannot.
Step 230: after the attack voltage has been held for the preset time, the processor core voltage of the victim core is restored to the safe voltage;
Specifically, after the attack program has continuously executed NOP instructions for a duration T_dur at the attack voltage, it restores the processor core voltage and frequency of the victim core, preventing the victim core from hanging or the system from crashing. The NOP execution time T_dur is determined by experiment for each fault injection scenario; once the best fault injection execution time has been found in the experimental stage, T_dur is used as the preset time for that scenario, for convenience in subsequent use.
After the hardware fault injection method provided by this embodiment, the method further includes applying differential fault analysis to the output obtained after fault injection and the original correct output, obtaining sensitive information from the faulted output.
Embodiment two
Hardware fault injection basis is realized by frequency-voltage difference in the modification of embodiment a pair of voltage management driver On, the embodiment of the present application two is illustrated for obtaining AES encryption key in AES encryption program, and embodiment two includes such as Fig. 3 Shown in AES encryption key and the AES encryption key obtained in TrustZone as shown in Figure 4 in acquisition common world;
To specify direct fault location point to illustrate for the R-2 of AES encryption program wheel inputs single byte failure, in order to So that single byte failure occurs in the input that the R-2 of AES encryption program takes turns, direct fault location point is controlled and is mixed in the column that R-3 takes turns On closing operation.
Fig. 3 is the method flow by obtaining AES encryption key in common world based on frequency-voltage difference direct fault location Figure, by attack AES program, is running attacker and monitoring programme on attack core by operation on attack core, specifically include as Lower sub-step:
Do-nothing instruction needed for S310, attacker determine setting attack context executes number;
Wherein, attacker starts simultaneously at execution, sky needed for attack context is arranged in attacker with by attack AES program Instruction execution number K can be obtained by isolated operation attacker, and setting is height by the frequency of attack core in attack context Frequency, the frequency for attacking core is low frequency.
S320, when by attack AES program run to R-3 take turns column hybrid manipulation when, to attack core in monitoring programme Signal is sent, the monitoring programme attacked in core is mixed according to the column for executing and taking turns to R-3 are gone to since by attack AES program The time of operation determines that the do-nothing instruction on attack core executes number;
Wherein, attacker detection gone to since attack AES program execution to the R-3 column hybrid manipulation taken turns when Between Tpre_dIn, the do-nothing instruction including attack context is arranged executes the time, according to time Tpre_dDetermine that the do-nothing instruction in attack core is held Row number MA, for different attack core and by attack nuclear frequency, MAIt is also different with K.
S330, when by attack AES program execute to R-3 take turns column hybrid manipulation after, attacker acquisition suitably attack Voltage and voltage-duration are hit, change processor core voltage is attack voltage, and it is hard that single byte is injected in voltage-duration Part failure to the output result after direct fault location and correctly exports result and carries out difference analysis, acquisition AES encryption key;
In order to obtain suitable attack voltage and its duration, is run simultaneously by attack AES and attacker, attack journey Sequence executes M after setting attack contextA- K time do-nothing instructions, then change processor core voltage be attack voltage and continue compared with Short time can decide whether single byte failure occur according to encryption output, different attack voltage and caused by the duration Failure be different, attack when, attacked using the attack voltage and duration, and pass through the difference to fail result Analysis obtains the encryption key of AES;
A suitable attack voltage and voltage duration can be obtained by experiment. In the verification experiment of the present application, with the parameters {0.42GHz, 2.65GHz, 0.6V, 1.055V, 0, 48132, 4100}, the attack success rate is 3%; across 200 successful attacks, the faults are mainly concentrated in the 10th and 14th positions of the state matrix.
Fig. 4 is a flowchart of the method for obtaining an AES encryption key in TrustZone based on frequency-voltage difference fault injection, comprising:
Since device users cannot run custom applications in TrustZone, the present application uses an interface vulnerability of the trusted operating system provided by Qualcomm to place the AES program to be attacked into a code cave allocated from the memory space of the Widevine application. When the Widevine application executes, the execution flow jumps into the code cave, thereby executing the attacked AES encryption program. This specifically includes the following sub-steps:
S410: The monitoring program on the attack core obtains the number of NOP instructions that must be executed from the moment the exploit program is run until the attacked AES program starts executing;
Because the number of memory probes the exploit program needs from its start until the vulnerability is triggered is not fixed, the attack program cannot run simultaneously with the exploit program. However, the time from the triggering of the vulnerability to the start of the attacked AES program is constant, so the monitoring program can obtain a fixed number of NOP instruction executions, P_A, by running the exploit program.
S420: The attack program determines the number K of NOP instruction executions needed to set up the attack context.
S430: When the attacked AES program reaches the MixColumns operation of round R-3, it sends a signal to the monitoring program on the attack core. The monitoring program on the attack core determines the number of NOP instruction executions on the attack core, M_A, from the time between the start of the attacked AES program and its reaching the MixColumns operation of round R-3.
The time T_pre_d that the attack program measures, from the start of the attacked AES program to the MixColumns operation of round R-3, includes the time spent executing the NOP instructions that set up the attack context. The number of NOP instruction executions on the attack core, M_A, is determined from T_pre_d. M_A and K differ for different attack-core and attacked-core frequencies.
S440: After the attacked AES program reaches the MixColumns operation of round R-3, the attack program obtains a suitable attack voltage and voltage duration, changes the processor core voltage to the attack voltage, and injects a single-byte hardware fault within the voltage duration. Differential analysis of the faulty output against the correct output yields the AES encryption key;
To obtain a suitable attack voltage and duration, the attacked AES program and the attack program are run simultaneously. After setting up the attack context, the attack program executes P_A NOP instructions until the AES program starts executing, then executes M_A - K NOP instructions until the MixColumns operation of round R-3 starts executing, and then changes the processor core voltage to the attack voltage and holds it for a short time. Whether a single-byte fault has occurred can be judged from the encryption output; different attack voltages and durations cause different faults. During the attack, the selected attack voltage and duration are used, and the AES encryption key is obtained by differential analysis of the faulty results;
A suitable attack voltage and voltage duration can be obtained by experiment. In the verification experiment of the present application, with the parameters {0.42GHz, 2.65GHz, 0.65V, 1.055V, 7680, 48132, 4200}, the attack success rate is 5%; across 200 successful attacks, the faults are mainly concentrated in the 10th byte of the state matrix.
Fig. 5 is a schematic diagram of the attack core injecting a hardware fault into the AES encryption program in a trusted application on the attacked core. The attacked core comprises a normal world and a secure world. Cache layout and the setting of processor state and voltage are performed in the normal world; the trusted application runs in the secure world and contains the AES encryption program and other code. During the period in which the trusted application runs the other code that precedes the AES encryption program, the attack core sets up the attack context by executing NOP instructions and waits for the AES encryption program to start. Between the start of the AES encryption program and its reaching the specified fault injection point (this example uses the round-7 MixColumns operation), the attack core continues executing NOP instructions in synchrony and waits for the round-7 MixColumns operation to start. When the AES encryption program reaches the round-7 MixColumns operation, the attack core changes the processor core voltage of the attacked core, so that a single-byte fault is injected into the AES encryption program; after the preset time has elapsed, the processor core voltage of the attacked core is restored. The AES encryption program then returns to normal and continues executing the code after the round-7 MixColumns operation and the other code after the AES encryption program.
It should be noted that the number of hardware fault injections within the preset time is not limited to one; injection continues until a hardware fault is successfully injected. Executing the attacked program multiple times makes the data in the cache, branch predictor, processor status registers and so on highly related to the attacked program, which reduces the influence on the attack of data in the processor that is unrelated to the attacked program.
Embodiment three
Embodiment three of the present application provides a verification experiment in which a hardware fault is injected into an AES encryption program on a processor based on the ARM Krait architecture in order to obtain the AES encryption key:
Fig. 6 shows the relationship between frequency and the number of NOP instruction executions required while waiting for the attacked function to start executing. The frequency of the attack core is set to 0.42GHz and the attack voltage to 0.6V. As Fig. 6 shows, frequency affects the speed at which the attack core and the attacked core execute instructions: with the attack core frequency and the processor core voltage held constant, the higher the frequency of the attacked core, the shorter the wait for the attacked function to start executing.
Fig. 7 shows the relationship between frequency and the number of NOP instruction executions required from the start of the attacked function until the attacked code is reached. The attack core frequency is set to 0.42GHz and the attack voltage to 0.6V. As Fig. 7 shows, with the attack core frequency held constant, different attacked-core frequencies require different amounts of time.
Fig. 8 shows the number of faulty bytes appearing in the round-8 input state matrix of a 128-bit AES encryption program under different attack voltages and durations. The attack core frequency is set to 0.42GHz and the attacked core frequency to 2.65GHz. For each attack voltage-duration pair, five tests are preferably run and the average of the five is computed. As Fig. 8 shows, the lower the voltage and the longer the duration, the more faulty bytes appear. To mount a fault injection attack on AES, the voltage-duration pairs that produce a single-byte fault can be selected as attack parameters.
Fig. 9 is a schematic diagram of the fault positions in the AES attacks. In the figure, the fault positions when AES in the normal world is attacked are mainly concentrated in the 10th and 14th bytes, and the fault positions when AES in TrustZone is attacked are mainly concentrated in the 10th byte. That the fault positions are concentrated shows that, under the same attack parameters, the attack effect is similar, and also that the experiment is repeatable.
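The experiments above rely on a core voltage that is enough for a core at 0.42GHz but not for one at 2.65GHz. The following C code is an added example, not part of the patent: a guard that a voltage-management driver could apply, refusing any shared-rail voltage below the minimum needed by the fastest core on that rail. The operating-point table, the 1.5 GHz row, the sample arrays and all function names are assumptions constructed for illustration; only the 0.42GHz/2.65GHz frequencies and the 0.6V/0.65V/1.055V voltages are taken from the experiments described here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed operating-point table (assumption, not from the patent):
 * lowest rail voltage, in microvolts, at which a core is treated as
 * stable at or below the given frequency. The 0.42 GHz / 0.6 V and
 * 2.65 GHz / 1.055 V pairs reuse values from the experiments; the
 * 1.5 GHz row is invented for illustration. */
struct opp { uint32_t freq_khz; uint32_t min_uv; };

static const struct opp opp_table[] = {
    {  420000,  600000 },
    { 1500000,  850000 },
    { 2650000, 1055000 },
};
#define N_OPP (sizeof opp_table / sizeof opp_table[0])

enum verdict { RAIL_OK, RAIL_UNDERVOLT, RAIL_BAD_FREQ };

/* Constructed sample core-frequency sets (kHz) for one shared rail. */
const uint32_t sample_mixed_khz[2] = { 420000, 2650000 };
const uint32_t sample_slow_khz[2]  = { 420000,  420000 };
const uint32_t sample_over_khz[1]  = { 3000000 };

/* Minimum voltage for one core: first table row at or above its
 * frequency. Returns 0 when the frequency exceeds every row. */
static uint32_t min_uv_for(uint32_t freq_khz)
{
    for (size_t i = 0; i < N_OPP; i++)
        if (freq_khz <= opp_table[i].freq_khz)
            return opp_table[i].min_uv;
    return 0;
}

/* Voltage floor of a rail shared by n cores: the largest per-core
 * minimum. Returns 0 if n is 0 or any frequency is unsupported. */
uint32_t rail_floor_uv(const uint32_t *core_khz, size_t n)
{
    uint32_t floor_uv = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t need = min_uv_for(core_khz[i]);
        if (need == 0)
            return 0;
        if (need > floor_uv)
            floor_uv = need;
    }
    return floor_uv;
}

/* Decide whether a requested rail voltage may be applied while the
 * cores run at core_khz[]. A request below the floor is refused even
 * if some cores would tolerate it: that gap between a slow core and a
 * fast core is the condition the patent's attack voltage relies on. */
enum verdict check_rail_request(const uint32_t *core_khz, size_t n,
                                uint32_t req_uv)
{
    uint32_t floor_uv = rail_floor_uv(core_khz, n);
    if (floor_uv == 0)
        return RAIL_BAD_FREQ;
    return req_uv < floor_uv ? RAIL_UNDERVOLT : RAIL_OK;
}
```

The same check applies to frequency changes: raising one core's frequency while the rail sits at a low voltage yields the same proposed state and is refused in the same way.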
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application. Obviously, those skilled in the art can make various modifications and variations to the present application without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include them.

Claims (10)

1. A fault injection method based on a multi-core processor, characterized by comprising:
when a hardware fault needs to be injected into a certain processor core of the multi-core processor, designating that processor core as the attacked core and using another processor core as the attack core;
when the attack core detects that the attacked core has run to a specified fault injection point, changing the processor core voltage of the attacked core to an attack voltage, thereby injecting a hardware fault into the attacked core;
after the attack voltage has lasted for a preset time, restoring the processor core voltage of the attacked core to a safe voltage.
2. The fault injection method according to claim 1, characterized in that the processor core voltage is changed to the attack voltage by modifying the voltage management driver in the multi-core processor.
3. The fault injection method according to claim 2, characterized in that the attack voltage is specifically a voltage at which the attack core executes normally but the attacked core cannot execute normally.
4. The fault injection method according to claim 1, characterized in that the attacked program is bound to the attacked core for execution and the attack program is bound to the attack core for execution; the attack program on the attack core detects the moment at which the attacked code in the attacked program on the attacked core starts executing, which is the specified fault injection point.
5. The fault injection method according to claim 1, characterized in that, before the attack core detects that the attacked core has run to the specified fault injection point, the method further comprises executing NOP (do-nothing) instructions to evaluate the instruction execution cycle until the attacked program runs to the specified fault injection point.
6. The fault injection method according to claim 5, characterized in that, while the attack core executes NOP instructions to evaluate the instruction cycle, the attack core sets up the attack context for fault injection, waits for the attacked function in the attacked program to start executing, and waits for the attacked code in the attacked function to start executing.
7. The fault injection method according to claim 6, characterized in that setting up the attack context for fault injection comprises: setting the attacked core to a high frequency, setting the attack core and the other unrelated cores to a low frequency, setting the processor core voltage to the safe voltage, and configuring the attack context, including the cache, branch predictor and processor status registers, by executing the attacked program.
8. The fault injection method according to claim 1, characterized in that configuring the processor core voltage of the attacked core and the voltage duration specifically comprises: setting the processor voltage of the attacked core and the voltage duration to suitable parameters; wherein the suitable parameters required to achieve the fault F_fault comprise F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur, where F_a denotes the frequency of the attack core; F_v the frequency of the attacked core; V_l the attack voltage; V_b the safe voltage, that is, the processor core voltage set before and after the attack voltage, at which both the attack core and the attacked core can work normally; T_pre_w the time the attack program waits for the attacked function to start executing; T_pre_d the time the attack program waits for the attacked code to start executing; and T_dur the duration of the attack voltage.
9. A multi-core processor, characterized by comprising a plurality of processor cores and a power management integrated chip, the power management integrated chip providing the processor core voltage to the processor cores through a power management integrated circuit;
the processor cores are configured such that, when a hardware fault is to be injected into a certain processor core, that processor core is designated as the attacked core and another processor core is used as the attack core; when the attack core detects that the attacked core has run to a specified fault injection point, a hardware fault is injected into the attacked core according to the attack voltage provided by the power management integrated chip;
the power management integrated chip is configured to change the processor core voltage of the attacked core to the attack voltage when the attack core detects that the attacked core has run to the specified fault injection point, and to restore the processor core voltage of the attacked core to the safe voltage after a preset time.
10. The multi-core processor according to claim 9, characterized in that the power management chip changing the processor core voltage of the attacked core to the attack voltage specifically comprises: the power management integrated chip provides the attack voltage to all processor cores, the attack voltage being such that the attacked core cannot work normally while the attack core and the other cores can work normally; or the power management integrated chip individually changes the processor core voltage of the attacked core to the attack voltage.
CN201910309540.0A 2019-04-17 2019-04-17 Multi-core processor and fault injection method thereof Active CN110032485B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910309540.0A CN110032485B (en) 2019-04-17 2019-04-17 Multi-core processor and fault injection method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910309540.0A CN110032485B (en) 2019-04-17 2019-04-17 Multi-core processor and fault injection method thereof

Publications (2)

Publication Number Publication Date
CN110032485A true CN110032485A (en) 2019-07-19
CN110032485B CN110032485B (en) 2020-05-26

Family

ID=67238995

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910309540.0A Active CN110032485B (en) 2019-04-17 2019-04-17 Multi-core processor and fault injection method thereof

Country Status (1)

Country Link
CN (1) CN110032485B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101968840A (en) * 2010-10-26 2011-02-09 杭州晟元芯片技术有限公司 Voltage detection and frequency detection-based chip anti-attack method
US20130208886A1 (en) * 2012-02-10 2013-08-15 Electronics And Telecommunications Research Institute Method of preventing fault-injection attacks on chinese remainder theorem-rivest shamir adleman cryptographic operations and recording medium for storing program implementing the same
CN103678131A (en) * 2013-12-18 2014-03-26 哈尔滨工业大学 Software failure injection and analysis system of multi-core processor
CN104391205A (en) * 2014-12-03 2015-03-04 中国航空综合技术研究所 Voltage fault injector with variable gain
US20190095621A1 (en) * 2017-09-27 2019-03-28 Qualcomm Incorporated Methods for mitigating fault attacks in microprocessors using value prediction

Also Published As

Publication number Publication date
CN110032485B (en) 2020-05-26

Similar Documents

Publication Publication Date Title
US7849315B2 (en) Method for managing operability of on-chip debug capability
CN110998578B (en) System and method for booting within a heterogeneous memory environment
US8621298B2 (en) Apparatus for protecting against external attack for processor based on arm core and method using the same
CN104871167A (en) Anti-theft in firmware
CN109255259B (en) High-security encryption and decryption computing capability expansion method and system
Sabbagh et al. A novel GPU overdrive fault attack
EP3252991A1 (en) Application specific low-power secure key
CN103617396B (en) The detection method of a kind of vulnerability exploit and system
CN109753793A (en) A kind of hot patch method and hot patch device
Mahmoud et al. FPGA-to-CPU undervolting attacks
CN110032897B (en) Multi-core processor and time constraint-based fault attack method thereof
CN103890713B (en) Device and method for managing the register information in processing system
CN206133573U (en) Credible execution systems of software based on ARM framework
CN110032485A (en) A kind of multi-core processor and its fault filling method
CN104731708A (en) Dynamic detection method of Shellcode
CN102819694B (en) The equipment of a kind of TCM chip, virus investigation method and operation TCM chip
TWI812042B (en) Security system
US7881813B2 (en) System and method for sharing reset and background communication on a single MCU pin
TWI778527B (en) System-on-chip, a method for the same, and a computing device
CN112363797B (en) Virtual machine safe operation method, electronic equipment and storage medium
CN103778366B (en) Security maintenance method oriented to operating system and peripheral equipment
Wang et al. A Fine-Grained Hardware Security Approach for Runtime Code Integrity in Embedded Systems.
CN114816867A (en) FPGA-based fault injection password target implementation system and method
CN110659079B (en) Balanced type safety processor
CN110597755B (en) Recombination configuration method of safety processor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant