CN110032485B - Multi-core processor and fault injection method thereof - Google Patents

Publication number: CN110032485B
Authority: CN (China)
Prior art keywords: core, voltage, attacked, processor, attacking
Legal status: Active
Application number: CN201910309540.0A
Other languages: Chinese (zh)
Other versions: CN110032485A
Inventors: 汪东升, 吕勇强, 邱朋飞, 王淳
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Application filed by Tsinghua University; priority to CN201910309540.0A; publication of CN110032485A; application granted; publication of CN110032485B

Classifications

    • G06F11/2236 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing, using arrangements specific to the hardware being tested to test CPU or processors
    • G06F11/2252 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing, using fault dictionaries
    • G06F11/26 Functional testing
    • G06F15/177 Initialisation or configuration control

Abstract

The application discloses a multi-core processor and a fault injection method for it, in the field of computer processors. The fault injection method comprises the following steps: when a hardware fault needs to be injected into a given processor core of the multi-core processor, that core is designated as the attacked core and another core is used as the attacking core; when the attacking core detects that the attacked core has run to a specified fault injection point, the processor core voltage of the attacked core is changed to an attack voltage, injecting a hardware fault into the attacked core; and after the attack voltage has lasted for a preset time, the processor core voltage of the attacked core is restored to the safe voltage. With this fault injection method, hardware fault injection is achieved without changing the voltage of the other cores, so that cores other than the attacking core and the attacked core are unaffected, which serves the purpose of loading an untrusted application program into a secure environment.

Description

Multi-core processor and fault injection method thereof
Technical Field
The application relates to the field of computer processors, in particular to a multi-core processor and a fault injection method thereof.
Background
With the rapid development of semiconductor technology, very large scale integrated circuits and computer architectures, the average instruction throughput of processors has improved greatly, but reducing processor power consumption remains a constant concern, especially on mobile devices such as phones, notebooks and tablets. The energy consumed by a processor is the integral of its dynamic power over time, and the dynamic power is determined jointly by the load capacitance C, the voltage V and the frequency F:
P = V² × F × C
Dynamic power is therefore proportional to the square of the voltage and to the frequency, so lowering the voltage and frequency of a processor core reduces its dynamic power and hence the processor's power consumption, at the cost of processor performance. To trade off performance against power consumption, modern processors widely use dynamic voltage and frequency scaling (DVFS). DVFS lets the operating system change the processor's voltage and frequency dynamically according to its load, with the goal of meeting the user's requirements for both performance and power. To implement DVFS, the outputs of the system's frequency and voltage hardware managers are designed as multiples of a base frequency and a base voltage, the multipliers being configured by the corresponding operating-system kernel driver. To manage voltage and frequency more easily, they are fixed in a set of discrete tuples, the operating performance points (OPP): one fixed voltage per frequency, forming a frequency-voltage pair. The OPP set is determined by the device characteristics, defined in a vendor-supplied device description file, and read and used by the kernel driver.
Linux and Android provide five processor frequency management modes (governors): a performance mode, a power saving mode, on-demand adjustment, a conservative mode and a user-defined mode; the device user can select the mode with a system command. In the user-defined mode the device user can use the commands provided by the kernel driver to specify the frequency of each processor core, and the processor voltage changes with the frequency. On Windows, the device user can change the processor frequency through a power plan. Under DVFS the frequencies of the processor cores are independent, but all cores share the same hardware voltage manager, so in a multi-core processor supporting DVFS the voltage of all cores is the same. If fault injection were realised simply by lowering the processor core voltage, the voltages of all cores would be affected, and if the cores also ran at the same frequency, the programs running on them, including the operating system, would suffer unpredictable errors.
Disclosure of Invention
The application provides a fault injection method based on a multi-core processor, comprising the following steps: when a hardware fault needs to be injected into a given processor core of the multi-core processor, that core is designated as the attacked core and another core is used as the attacking core; when the attacking core detects that the attacked core has run to a specified fault injection point, the processor core voltage of the attacked core is changed to an attack voltage, injecting a hardware fault into the attacked core; and after the attack voltage has lasted for a preset time, the processor core voltage of the attacked core is restored to the safe voltage.
As above, wherein the processor core voltage is changed to the attack voltage by modifying the voltage management driver of the multi-core processor.
As above, wherein the attack voltage is a voltage at which the attacked core cannot work normally while the processor cores other than the attacked core still can.
As above, wherein the method further comprises binding the attacked program to the attacked core for execution and binding the attacking program to the attacking core for execution; the moment at which the attacking program on the attacking core detects that the attacked code in the attacked program on the attacked core starts executing is the specified fault injection point.
As above, wherein before the attacking core detects that the attacked core has run to the specified fault injection point, the method further comprises estimating instruction execution cycles by executing null instructions until the attacked program has run to the specified fault injection point.
As above, wherein while executing the null-instruction cycle estimate, the attacking core sets up the fault injection attack environment, waits for the attacked function in the attacked program to start executing, and then waits for the attacked code in the attacked function to start executing.
As above, wherein setting up the fault injection attack environment comprises setting the attacked core to a high frequency, setting the attacking core and the other unrelated cores to a low frequency, setting the processor core voltage to the safe voltage, and configuring the attack environment, including the cache, the branch predictor and the processor status registers, by executing the attacked program.
As above, wherein configuring the processor core voltage of the attacked core and its duration specifically comprises setting the processor voltage and voltage duration of the attacked core to suitable parameters; the suitable parameters required to realise a fault F_fault comprise F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur, where F_a is the frequency of the attacking core, F_v the frequency of the attacked core, V_l the attack voltage, V_b the safe voltage (i.e. the processor core voltage before and after the attack voltage is set, at which both the attacking and the attacked core work normally), T_pre_w the time the attacking program waits for the attacked function to start executing, T_pre_d the time the attacking program waits for the attacked code to start executing, and T_dur the duration of the attack voltage.
The application also provides a multi-core processor comprising a plurality of processor cores and a power management integrated chip, wherein the power management integrated chip supplies the processor core voltage to the processor cores through its power management integrated circuit; the processor cores are arranged so that, when a hardware fault is to be injected into a given core, that core is designated as the attacked core, another core is used as the attacking core, and when the attacking core detects that the attacked core has run to the specified fault injection point the hardware fault is injected into the attacked core using the attack voltage supplied by the power management integrated chip; and the power management integrated chip is arranged to change the processor core voltage of the attacked core to the attack voltage when the attacking core detects that the attacked core has run to the specified fault injection point, and to restore it to the safe voltage after the preset time has elapsed.
As above, wherein changing the processor core voltage of the attacked core to the attack voltage in the power management chip specifically comprises: the power management integrated chip supplies the attack voltage to all processor cores, the attack voltage being one at which the attacked core cannot work normally but the attacking core and the other cores can; or the power management integrated chip changes the processor core voltage of the attacked core alone to the attack voltage.
The beneficial effects achieved by this application are as follows:
(1) by modifying the voltage management driver and bypassing the threshold-voltage and voltage-selection safety mechanisms in the voltage management kernel driver, the processor core voltage can be configured arbitrarily;
(2) by supplying a low voltage to the processor cores, the other cores keep working normally while the attacked core does not, so hardware fault injection is realised without disturbing the normal operation of the other cores;
(3) practical experiments show that the fault injection point, the attack voltage and the attack duration can be controlled accurately, reducing the influence of the hardware fault on other code segments during fault injection.
Drawings
In order to illustrate the embodiments of this application or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below; obviously the drawings described below show only some embodiments of this application, and those skilled in the art can obtain other drawings from them.
FIG. 1 is a diagram of a combination of hardware and software components of a voltage management architecture in a processor based on the ARM Krait architecture;
FIG. 2 is a flowchart of a method for injecting a fault into an attacked core by an attacker running on the attacking core;
FIG. 3 is a flow chart of a method of obtaining an AES encryption key in the general world;
FIG. 4 is a flowchart of a method for obtaining an AES encryption key in TrustZone;
FIG. 5 is a schematic diagram of an attacking core injecting a hardware fault into an AES encryption program in a trusted application within the attacked core;
FIG. 6 is a graph of frequency versus number of times null instructions are executed that are required to wait for an attacked function to begin executing;
FIG. 7 is a graph of frequency versus number of executions of null instructions required from the execution of an attacked function to the beginning of execution of the attacked code;
FIG. 8 is a schematic diagram showing the number of failed bytes appearing in the 8 th round input state matrix of the 128-bit AES encryption program under different attack voltages and durations;
FIG. 9 is a schematic diagram of the fault location in the AES attack.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Optionally, the verification experiments of this application were mainly carried out on a Google Nexus 6, whose processor, produced by Qualcomm, is based on the ARM Krait architecture; the voltage management kernel driver supplied by Qualcomm configures the processor's voltage hardware manager and exposes an interface to the operating system. In the Nexus 6 operating system, to prevent malicious voltages from damaging the processor, Qualcomm added two safety mechanisms to the voltage management kernel driver it supplies, namely the threshold voltage and voltage selection.
The threshold-voltage and voltage-selection safety mechanisms are described in detail below:
threshold voltage: in the hardware management driver, the threshold voltage is the minimum value to which the processor core voltage can be set; if an attempt is made to set a voltage lower than the threshold, the driver instead supplies the stable threshold voltage to the processor. The threshold voltage is defined in the device description file and is read in the detection step of the voltage management driver;
voltage selection: since different processor cores may run at different frequencies, in order to protect the cores running at high frequency the hardware management driver selects as the processor core voltage the voltage that corresponds, in the OPP (the set of discrete voltage-frequency tuples supported by the multi-core processor), to the highest frequency among all cores.
In order to perform fault injection on a processor supporting dynamic power management and achieve the purpose of loading an untrusted application program into a secure environment, this application bypasses the threshold-voltage and voltage-selection safety mechanisms of the voltage management kernel driver by modifying the voltage management driver, achieving arbitrary configuration of the processor core voltage.
Specifically, the threshold voltage is bypassed by modifying the device description file or by modifying the driver's detection step, so that an attacker can set a processor core voltage below the threshold; the voltage-selection safety mechanism is cancelled by modifying the voltage selection code. Since modifying the device description file has a relatively wide influence, the embodiments of this application preferably bypass the threshold voltage by modifying the driver's detection step.
It should be noted that this application modifies only the processor's minimum voltage value, i.e. the threshold voltage, and places no limit on the maximum voltage, for the following reason: the last byte in the voltage register of the voltage hardware manager represents a multiple of the base voltage, and the largest number a byte can represent is 255, so the maximum voltage cannot exceed 255 times the base voltage; experiments on the verification platform of this application show that when this byte is 255 the processor core works normally at all frequencies. The verification experiments of this application are therefore used to realise low-voltage faults.
Referring to FIG. 1, FIG. 1 is a schematic diagram of the combined software and hardware voltage management architecture of a processor based on the ARM Krait architecture, comprising a multi-core processor, a kernel space and a user space.
The kernel space and the user space form the software architecture. The kernel space contains a voltage management driver and a frequency driver, which manage the voltage and frequency of each processor core in the multi-core processor: the frequency driver receives the frequency settings from user space and provides a target voltage to the voltage management driver; the voltage management driver receives the voltage setting, i.e. the configured attack voltage, and uses it to change the register settings of the power management chip.
The multi-core processor is the hardware architecture and comprises a plurality of processor cores (CPU cores) and a power management integrated chip (preferably a PMA8084 power chip). According to the value of an internal register, the power management integrated chip supplies the processor core voltage to the processor cores through its power management integrated circuit, and supplies peripheral voltages to other external devices.
Specifically, the power management chip may supply a single uniform core voltage to all processor cores, or a separate processor core voltage to each processor core.
The processor cores are arranged so that, when a hardware fault is to be injected into a given core, that core is designated as the attacked core, another core is used as the attacking core, and when the attacking core detects that the attacked core has run to the specified fault injection point, the modified power management driver is used to change the processor voltage to the attack voltage and inject the hardware fault into the attacked core.
The power management integrated chip is arranged to change the processor core voltage of the attacked core to the attack voltage when the attacking core detects that the attacked core has run to the specified fault injection point, and to restore it to the safe voltage after the preset time has elapsed.
Specifically, either the power management integrated chip supplies the attack voltage to all processor cores, the attack voltage being one at which the attacked core cannot work normally but the attacking core and the other cores can, or the power management integrated chip changes the processor core voltage of the attacked core alone to the attack voltage.
Because of the electrical characteristics of the multi-core processor, in the set OPP of discrete voltage-frequency tuples it supports, the higher the frequency of a processor core, the higher the minimum voltage it requires. The frequency of each processor core can be set independently, and different frequencies have different minimum voltages; when the voltage supplied to a processor core is lower than the minimum it requires, the core's timing constraints are violated. The attacking program on the attacking core therefore uses this frequency-voltage difference to carry out a fault injection attack on the designated attacked core and inject hardware faults into it.
When a hardware fault needs to be injected into the designated attacked core, the attacked core running the attacked program is set to a high frequency, and the attacking core running the attacking program and the other unrelated cores are set to a low frequency using a system command; at a specific moment the attacking program then selects, as the attack voltage, a suitable voltage between the minimum voltage required by the high frequency and that required by the low frequency, and holds it for a short time.
Preferably, in the embodiments of this application the attacking program selects a suitable voltage and voltage duration to carry out the fault attack, described by the parameter set
F_fault = {F_a, F_v, V_l, V_b, T_pre_w, T_pre_d, T_dur}
where the values of the parameters F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur needed for the attacking program to realise the fault F_fault are determined experimentally: F_a is the frequency of the attacking core, F_v the frequency of the attacked core, V_l the attack voltage, V_b the safe voltage (i.e. the processor core voltage before and after the attack voltage is set, at which both the attacking and the attacked core work normally), T_pre_w the time the attacking program waits for the attacked function to start executing, T_pre_d the time the attacking program waits for the attacked code to start executing, and T_dur the duration of the attack voltage.
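The two driver safety mechanisms described above (threshold voltage and highest-frequency voltage selection) and the frequency-voltage difference they guard against, modelled as an added C example that is not the patent's code or any vendor driver; the OPP table, threshold value and core frequencies are constructed sample values, and cores_underpowered is a hypothetical monitor check that flags any core whose frequency needs more voltage than the shared rail supplies.

```c
#include <stddef.h>
#include <stdio.h>

/* One OPP tuple: a supported core frequency and the minimum voltage it needs. */
struct opp {
    unsigned khz;
    unsigned mv;
};

/* Constructed sample table ordered by frequency; not a real device's OPP set. */
static const struct opp sample_opp[] = {
    {  300000,  800 },
    {  960000,  900 },
    { 1497600, 1000 },
    { 2649600, 1100 },
};
#define N_OPP (sizeof sample_opp / sizeof sample_opp[0])

/* Assumed threshold voltage: the lowest value the driver will ever program. */
#define THRESHOLD_MV 800u

/* Minimum OPP voltage for a frequency, or 0 if the frequency is not in the table. */
unsigned opp_min_mv(const struct opp *t, size_t n, unsigned khz)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].khz == khz)
            return t[i].mv;
    return 0;
}

/* Safety mechanism 1, threshold voltage: a request below the threshold is
   replaced by the threshold itself instead of being programmed. */
unsigned clamp_to_threshold(unsigned requested_mv)
{
    return requested_mv < THRESHOLD_MV ? THRESHOLD_MV : requested_mv;
}

/* Safety mechanism 2, voltage selection: all cores share one rail, so the
   driver programs the OPP voltage of the highest frequency any core runs at. */
unsigned select_shared_voltage(const struct opp *t, size_t n,
                               const unsigned *core_khz, size_t ncores)
{
    unsigned max_khz = 0;
    for (size_t i = 0; i < ncores; i++)
        if (core_khz[i] > max_khz)
            max_khz = core_khz[i];
    return clamp_to_threshold(opp_min_mv(t, n, max_khz));
}

/* Hypothetical invariant check on the rail voltage actually applied: bit i is
   set when core i's frequency needs more voltage than the rail supplies, i.e.
   its timing constraint is violated while lower-frequency cores are still fine.
   A non-zero mask with the driver's safety mechanisms intact should never occur. */
unsigned cores_underpowered(const struct opp *t, size_t n,
                            const unsigned *core_khz, size_t ncores,
                            unsigned rail_mv)
{
    unsigned mask = 0;
    for (size_t i = 0; i < ncores; i++) {
        unsigned need = opp_min_mv(t, n, core_khz[i]);
        if (need == 0 || rail_mv < need)
            mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    /* Core 0 at high frequency, the other three cores at low frequency. */
    unsigned core_khz[4] = { 2649600, 300000, 300000, 300000 };
    unsigned safe = select_shared_voltage(sample_opp, N_OPP, core_khz, 4);
    printf("driver selects %u mV; underpowered mask 0x%x\n",
           safe, cores_underpowered(sample_opp, N_OPP, core_khz, 4, safe));
    /* A rail voltage below core 0's minimum but above the low-frequency cores'
       minimum starves only core 0, which the monitor reports as mask 0x1. */
    printf("at 900 mV underpowered mask 0x%x\n",
           cores_underpowered(sample_opp, N_OPP, core_khz, 4, 900));
    return 0;
}
```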
Example one
Building on the modification of the voltage management driver, this application provides a frequency-voltage-difference fault injection method for a multi-core processor. When a hardware fault needs to be injected into a given processor core, that core is designated as the attacked core and the attacked program is bound to it for execution; the processor core running the attacking program is used as the attacking core, and the remaining processor cores are the other unrelated cores. The attacking core running the attacking program can thus inject a hardware fault into the designated attacked core running the attacked program without affecting the normal operation of the other unrelated cores and the programs on them.
FIG. 2 shows the method of this embodiment by which an attacking program running on the attacking core injects a fault into the attacked core; it comprises:
Step 210: the attacking program on the attacking core detects the attacked program on the attacked core and waits for it to run to the specified fault injection point.
Specifically, while the attacking program on the attacking core waits for the attacked program to run to the specified fault injection point, the following sub-steps are executed:
Step 211: set up the fault injection attack environment.
Before fault injection, to make it more accurate and effective, a suitable attack environment must be prepared: configure the frequencies of the attacking core and the attacked core, set the processor core voltage to the safe voltage, and condition the attack environment, including the cache, the branch predictor and the processor status registers, by executing the attacked program several times.
Step 212: wait for the attacked function to start executing.
Specifically, the attacked target code is packaged as a short section of attacked code inside an attacked function; the attacked function is a fixed function into which the attacked code is loaded according to the actual fault injection requirement. So that the attacking program can match the execution cycle of the trusted application in the attacked core and inject the fault precisely at the preset fault injection point of that application, once the attacking program has started it estimates instruction execution cycles by executing null instructions until the attacked function starts executing; the time the attacking program waits for the attacked function to start executing is set to T_pre_w, i.e. the null-instruction execution time is T_pre_w.
Step 213: after the attacked function has started executing, wait for the attacked code inside it to start executing.
Specifically, so that the fault injection point can be controlled precisely and the influence of the hardware fault on other code segments in the attacked function is reduced, after the attacked function starts executing the attacking program again estimates instruction execution cycles by executing null instructions until the attacked code starts executing; the time the attacking program waits for the attacked code to start executing is set to T_pre_d, i.e. the null-instruction execution time is T_pre_d.
Step 220: when the attacking core detects that the attacked core has run to the specified fault injection point, change the processor core voltage of the attacked core to the attack voltage and inject a hardware fault into the attacked core.
After the attacked code starts executing, the attacking program sets the processor core voltage of the attacked core to the attack voltage V_l, injecting a hardware fault into the attacked core; the attack voltage V_l is a voltage at which the attacking core executes normally but the attacked core cannot.
Step 230: after the attack voltage has lasted for the preset time, restore the processor core voltage of the attacked core to the safe voltage.
Specifically, after the attacking program has executed null instructions for a time T_dur under the attack voltage, the voltage and frequency of the attacked core are restored, so that the attacked core does not hang and the system does not crash. The null-instruction execution time T_dur is obtained experimentally for each fault injection condition; once the best fault injection execution time has been settled in the experimental stage, it is used as the preset time for that fault injection condition, which simplifies subsequent operation.
The hardware fault injection method of this embodiment further comprises obtaining sensitive information from the output produced after fault injection by differential fault analysis of that output against the original correct output.
Example two
On the basis that the modification of the pair of voltage management drivers in the embodiment realizes hardware fault injection through the frequency-voltage difference, the second embodiment of the present application takes the acquisition of an AES encryption key in an AES encryption program as an example, and the second embodiment includes the acquisition of an AES encryption key in the ordinary world as shown in fig. 3 and the acquisition of an AES encryption key in TrustZone as shown in fig. 4;
to illustrate the example of designating the fault injection point as the input single byte fault in the R-2 th round of the AES encryption program, the fault injection point is controlled on the column mixing operation in the R-3 rd round in order to cause the input single byte fault in the R-2 nd round of the AES encryption program.
Fig. 3 is a flowchart of the method for obtaining an AES encryption key in the normal world by fault injection based on the frequency-voltage difference. The attacked AES program runs on the attacked core, and the attacking program and a monitoring program run on the attacking core. The method comprises the following sub-steps:
S310, the attacking program determines the number of null-instruction executions required to set up the attack environment;
The attacking program and the attacked AES program start executing simultaneously. The number K of null instructions the attacking program must execute to set up the attack environment is obtained by running the attacking program alone. In the attack environment the frequency of the attacked core is set high and the frequency of the attacking core is set low.
S320, when the attacked AES program runs to the column mixing operation of round R-3, a signal is sent to the monitoring program in the attacking core, and the monitoring program determines the number of null-instruction executions on the attacking core from the time between the start of the attacked AES program and the column mixing operation of round R-3;
The attacking program measures the time Tpre_d from the start of the attacked AES program to the column mixing operation of round R-3, sets the null-instruction execution time of the attack environment, and determines the number MA of null-instruction executions in the attacking core from Tpre_d. MA and K differ for different attacking-core and attacked-core frequencies.
S330, once the attacked AES program has executed to the column mixing operation of round R-3, the attacking program obtains a suitable attack voltage and voltage duration, changes the processor core voltage to the attack voltage, injects a single-byte hardware fault during the voltage duration, and performs differential analysis of the faulty output against the correct output to obtain the AES encryption key;
To obtain a suitable attack voltage and duration, the attacked AES program and the attacking program run simultaneously; after setting up the attack environment, the attacking program executes MA - K null instructions, changes the processor core voltage to the attack voltage for a short time, and judges from the encryption output whether a single-byte fault occurred. Different attack voltages and durations cause different faults; the attack is carried out with the voltage and duration found in this way, and the AES encryption key is obtained by differential analysis of the fault results;
In the verification experiment of this application, with the parameters {0.42 GHz, 2.65 GHz, 0.6 V, 1.055 V, 0, 48132, 4100}, the attack success rate is 3%, and in 200 successful attacks the faults are mainly concentrated at bytes 10 and 14 of the state matrix.
Fig. 4 is a flowchart of the method for obtaining an AES encryption key in TrustZone by fault injection based on the frequency-voltage difference, comprising:
Because the device user cannot run a user-defined application inside TrustZone, this application uses an interface vulnerability of the trusted operating system provided by Qualcomm to place the AES program to be attacked in a code cave allocated from the memory space of the Widevine application; when the Widevine application executes, control jumps to the code cave and the attacked AES encryption program runs. The method specifically comprises the following sub-steps:
S410, the monitoring program in the attacking core obtains the number of null instructions that must be executed from the start of the exploit program until the attacked AES program begins executing;
Because the number of memory probes the exploit program needs from the start of its execution until the vulnerability is triggered is not fixed, the attacking program cannot run simultaneously with the exploit program; but the time the attacked AES program needs to start executing after the vulnerability is triggered does not change, so the monitoring program can obtain the fixed number PA of null instructions by running the exploit program.
S420, the attacking program determines the number K of null-instruction executions required to set up the attack environment.
S430, when the attacked AES program runs to the column mixing operation of round R-3, a signal is sent to the monitoring program in the attacking core, and the monitoring program determines the number MA of null-instruction executions on the attacking core from the time between the start of the attacked AES program and the column mixing operation of round R-3;
The attacking program measures the time Tpre_d from the start of the attacked AES program to the column mixing operation of round R-3, sets the null-instruction execution time of the attack environment, and determines the number MA of null-instruction executions in the attacking core from Tpre_d. MA and K differ for different attacking-core and attacked-core frequencies.
S440, once the attacked AES program has executed to the column mixing operation of round R-3, the attacking program obtains a suitable attack voltage and voltage duration, changes the processor core voltage to the attack voltage, injects a single-byte hardware fault during the voltage duration, and performs differential analysis of the faulty output against the correct output to obtain the AES encryption key;
To obtain a suitable attack voltage and duration, the attacked AES program and the attacking program run simultaneously; after setting up the attack environment, the attacking program executes PA null instructions until the AES program begins executing, then MA - K null instructions until the column mixing operation of round R-3 begins, then changes the processor core voltage to the attack voltage for a short time. Whether a single-byte fault occurred is judged from the encryption output, and different attack voltages and durations cause different faults. The attack is carried out with this voltage and duration, and the AES encryption key is obtained by differential analysis of the fault result;
In the verification experiment of this application, with the parameters {0.42 GHz, 2.65 GHz, 0.65 V, 1.055 V, 7680, 48132, 4200}, the attack success rate is 5%, and in 200 successful attacks the faults are mainly concentrated at byte 10 of the state matrix.
Fig. 5 is a schematic diagram of the attacking core injecting a hardware fault into the AES encryption program of a trusted application in the attacked core. The attacked core comprises a normal world and a secure world: cache layout and the setting of processor state and voltage are carried out in the normal world, and the trusted application, consisting of the AES encryption program and other code, runs in the secure world. While the trusted application executes the other code preceding the AES encryption program, the attacking core sets up the attack environment by executing null instructions and waits for the AES encryption program to start. Until the AES encryption program reaches the specified fault injection point (in this example, the seventh round of column mixing), the attacking core keeps executing null instructions in step with it, waiting for the seventh round of column mixing to begin. When the AES encryption program reaches the seventh round of column mixing, the attacking core changes the processor core voltage of the attacked core, a single-byte fault is injected into the AES encryption program, and after the preset time the voltage of the attacked core is restored; the AES encryption program then returns to normal and continues with the code after the seventh round of column mixing and the other code following the AES encryption program.
It should be noted in this application that the hardware fault is not limited to a single injection during the preset time; on the basis of a successful injection, the attacked program is executed several more times so that the cache, branch predictor, processor state registers and similar data become highly correlated with the attacked program, which reduces the influence of processor data unrelated to the attacked program on the attack effect.
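The flow in embodiments one and two works because the voltage management driver accepts a core-voltage request that is adequate for the low-frequency attacking core but below what the high-frequency attacked core needs, and the power management chip delivers that voltage to every core on the rail. The check a driver should apply before honouring such a request is shown below as an added Python example; it is not the patent's code, and the operating-point table (minimum voltage per frequency) is constructed for illustration rather than taken from the Krait's real characterisation. It replays the page's attack environment (attacking core at 0.42 GHz, attacked core at 2.65 GHz, safe voltage 1.055 V, requested attack voltage 0.6 V) against a weak per-core check and against a check that considers the fastest core on the shared rail.

```python
"""Guard for core-voltage requests on a shared power rail (constructed example)."""
from dataclasses import dataclass, field
from typing import List

# Constructed operating-point table: minimum core voltage (V) needed at each
# frequency (GHz). Illustrative only, not the Krait's real characterisation;
# it mirrors the page's observation that 0.6 V suffices at 0.42 GHz but not at 2.65 GHz.
MIN_VOLTAGE_FOR_FREQ = {0.42: 0.60, 1.20: 0.80, 2.65: 1.05}


def per_core_guard_accepts(requester_freq_ghz: float, volts: float) -> bool:
    """Weak check: validates the request only against the requesting core's own
    frequency. A low-frequency attacking core passes it while asking for a voltage
    that the high-frequency attacked core cannot run at."""
    return volts >= MIN_VOLTAGE_FOR_FREQ[requester_freq_ghz]


@dataclass
class Core:
    freq_ghz: float


@dataclass
class SharedRailGuard:
    """Voltage manager for a PMIC that feeds one voltage to every core.
    Every request is checked against the fastest core on the rail."""
    cores: List[Core]
    voltage: float
    log: List[str] = field(default_factory=list)

    def floor_voltage(self) -> float:
        # The fastest core sets the floor for the whole rail.
        return max(MIN_VOLTAGE_FOR_FREQ[c.freq_ghz] for c in self.cores)

    def request_voltage(self, requester: int, volts: float) -> bool:
        floor = self.floor_voltage()
        if volts < floor:
            fastest = max(c.freq_ghz for c in self.cores)
            self.log.append(f"REJECT core{requester}: {volts:.3f} V requested, "
                            f"floor {floor:.3f} V (a core runs at {fastest} GHz)")
            return False
        self.voltage = volts
        return True

    def request_frequency(self, core: int, ghz: float) -> bool:
        # Raising a core's frequency at the present voltage must respect the table too.
        if MIN_VOLTAGE_FOR_FREQ[ghz] > self.voltage:
            self.log.append(f"REJECT core{core}: {ghz} GHz needs "
                            f"{MIN_VOLTAGE_FOR_FREQ[ghz]:.3f} V, rail at {self.voltage:.3f} V")
            return False
        self.cores[core].freq_ghz = ghz
        return True


def page_scenario() -> dict:
    """Replays the page's attack environment: core 0 (attacking) at 0.42 GHz,
    core 1 (attacked) at 2.65 GHz, rail at the safe voltage 1.055 V, then a
    request from core 0 to drop the rail to the attack voltage 0.6 V."""
    guard = SharedRailGuard(cores=[Core(0.42), Core(2.65)], voltage=1.055)
    return {
        "per_core_guard": per_core_guard_accepts(0.42, 0.6),
        "shared_rail_guard": guard.request_voltage(0, 0.6),
        "voltage_after": guard.voltage,
        "log": guard.log,
    }


if __name__ == "__main__":
    for name, value in page_scenario().items():
        print(name, value)
```

The guard does not take away frequency or voltage scaling; it refuses only (frequency, voltage) combinations outside the table for any core on the rail and records the refusal, so a run of rejected low-voltage requests from one core is visible in the log. For the second alternative of claim 10 (the chip changes the attacked core's voltage alone), the same lookup against that core's own frequency applies; on a shared rail the per-core lookup by itself is exactly what the first function shows to be insufficient.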
Example three
The third embodiment of this application provides a verification experiment in which a processor based on the ARM Krait architecture injects a hardware fault into an AES encryption program to obtain the AES encryption key:
Fig. 6 plots the number of null instructions that must be executed while waiting for the attacked function to start against frequency. The frequency of the attacking core is set to 0.42 GHz and the attack voltage to 0.6 V. As fig. 6 shows, frequency affects the speed at which the attacking and attacked cores execute instructions: with the attacking-core frequency and the processor core voltage unchanged, the higher the frequency of the attacked core, the shorter the wait for the attacked function to start executing.
Fig. 7 plots the number of null instructions executed from the start of the attacked function to the start of the attacked code against frequency. As fig. 7 shows, with the attacking-core frequency unchanged, different attacked-core frequencies give different required times.
Fig. 8 shows the number of faulty bytes in the input state matrix of round 8 of the 128-bit AES encryption program under different attack voltages and durations. The frequency of the attacking core is set to 0.42 GHz and that of the attacked core to 2.65 GHz; for each attack voltage-duration pair, five tests are preferably run and their average taken. As fig. 8 shows, the lower the voltage and the longer the duration, the more bytes are faulted; to implement a fault injection attack on AES, a voltage-duration pair that produces a single-byte fault is selected from these as the attack parameter.
Fig. 9 shows the fault locations in the AES attack. The fault locations in the normal-world AES attack are mainly concentrated at bytes 10 and 14, and those in the TrustZone AES attack at byte 10; comparing the fault locations shows that the attack effects under the same attack parameters are similar, and the experiment is repeatable.
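Figs. 8 and 9 count faulty bytes at the input of round 8 and locate them in the state matrix; what the cipher's remaining rounds do with such a byte determines what a defender's output check sees. The following added Python example, which is not part of the patent, simulates a transient single-byte fault at the input of a chosen round of a pure-Python AES-128 (written here for the simulation and confirmed against the FIPS-197 Appendix C.1 vector) and reports how many ciphertext bytes differ, then shows the standard countermeasure of computing the block twice and releasing the result only when both runs agree. The fault model (round, byte 10 as in fig. 9, and the XOR delta) is constructed; key recovery is deliberately not part of the example.

```python
"""Single-byte fault propagation in AES-128 and a redundancy check (constructed example)."""
from dataclasses import dataclass
from typing import Optional


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the S-box (GF(2^8) inverse, then the affine map) instead of typing it in."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> list:
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def shift_rows(s: list) -> list:
    # State index is 4*column + row; row r rotates left by r columns.
    return [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]


def mix_columns(s: list) -> list:
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
                gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]
    return out


@dataclass(frozen=True)
class ByteFault:
    """Constructed fault model: XOR `delta` into state byte `byte` at the input of round `rnd`."""
    rnd: int
    byte: int
    delta: int


def aes128_encrypt(pt: bytes, key: bytes, fault: Optional[ByteFault] = None) -> bytes:
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    for rnd in range(1, 11):
        if fault is not None and fault.rnd == rnd:
            s[fault.byte] ^= fault.delta          # the simulated transient fault
        s = [SBOX[b] for b in s]
        s = shift_rows(s)
        if rnd != 10:
            s = mix_columns(s)
        s = [a ^ k for a, k in zip(s, rk[rnd])]
    return bytes(s)


def faulty_bytes(pt: bytes, key: bytes, fault: ByteFault) -> int:
    """Number of ciphertext bytes that a fault at the given round changes."""
    good, bad = aes128_encrypt(pt, key), aes128_encrypt(pt, key, fault)
    return sum(g != b for g, b in zip(good, bad))


def encrypt_with_redundancy(pt: bytes, key: bytes, fault: Optional[ByteFault] = None):
    """Countermeasure: compute twice and release the block only if both runs agree.
    The fault is transient, so only the first run is affected in this simulation."""
    first = aes128_encrypt(pt, key, fault)
    second = aes128_encrypt(pt, key)
    return (first, True) if first == second else (None, False)


# FIPS-197 Appendix C.1 test vector, used to confirm the implementation.
KEY = bytes(range(16))
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    assert aes128_encrypt(PT, KEY) == CT
    for rnd in (10, 9, 8):
        print(f"fault at round {rnd} input -> {faulty_bytes(PT, KEY, ByteFault(rnd, 10, 0x01))} bytes differ")
    print(encrypt_with_redundancy(PT, KEY, ByteFault(8, 10, 0x01)))
```

A fault at the input of round 10 changes one ciphertext byte, at round 9 four bytes (one column spread by ShiftRows), and at round 8 (the page's R-2) all sixteen, because MixColumns turns one nonzero byte into four and the next round spreads those across every column. The duplicated computation detects every one of these cases, but only if the comparison runs before the output leaves the device and is itself protected from being skipped; a check that can be faulted as easily as the cipher adds little.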
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A fault injection method based on a multi-core processor, characterized by comprising the following steps:
when a hardware fault needs to be injected into a processor core of the multi-core processor, designating that processor core as the attacked core and another processor core as the attacking core;
when the attacking core detects that the attacked core has run to a specified fault injection point, changing the processor core voltage of the attacked core to an attack voltage and injecting a hardware fault into the attacked core;
and restoring the processor core voltage of the attacked core to a safe voltage after the attack voltage has lasted for a preset time.
2. The fault injection method of claim 1, wherein the processor core voltage is changed to the attack voltage by modifying the voltage management driver of the multi-core processor.
3. The fault injection method of claim 2, wherein the attack voltage is specifically a voltage at which the attacking core can execute normally but the attacked core cannot.
4. The fault injection method of claim 1, wherein the attacked program is bound to and executed on the attacked core, and the attacking program is bound to and executed on the attacking core; and the moment at which the attacking program in the attacking core detects that the attacked code of the attacked program on the attacked core starts executing is the specified fault injection point.
5. The fault injection method of claim 1, further comprising, before the attacking core detects that the attacked core has run to the specified fault injection point, executing null instructions to count instruction execution cycles until the attacked program runs to the specified fault injection point.
6. The fault injection method of claim 5, wherein, while the attacking core executes null instructions to count instruction execution cycles, the attacking core sets up the attack environment for fault injection, waits for the attacked function in the attacked program to start executing, and waits for the attacked code in the attacked function to start executing.
7. The fault injection method of claim 6, wherein setting up the attack environment for fault injection comprises setting the attacked core to a high frequency, setting the attacking core and other unrelated cores to a low frequency, setting the processor core voltage to the safe voltage, and configuring the cache, branch predictor and processor status register of the attack environment by executing the attacked program.
8. The fault injection method of claim 1, wherein configuring the processor core voltage and voltage duration of the attacked core specifically comprises setting the processor voltage and voltage duration of the attacked core to suitable parameters; wherein the suitable parameters required to realize a fault Ffault include Fa, Fv, Vl, Vb, Tpre_w, Tpre_d and Tdur, where Fa is the frequency of the attacking core, Fv the frequency of the attacked core, Vl the attack voltage, Vb the safe voltage (the processor core voltage before and after the attack voltage is set, at which both the attacking and attacked cores operate normally), Tpre_w the time the attacking program waits for the attacked function to start executing, Tpre_d the time the attacking program waits for the attacked code to start executing, and Tdur the attack voltage duration.
9. A multi-core processor, characterized by comprising a plurality of processor cores and a power management integrated chip, wherein the power management integrated chip provides the processor core voltage to the processor cores through a power management integrated circuit;
the processor cores are configured so that, when a hardware fault is to be injected into a certain processor core, that core is designated as the attacked core and another processor core as the attacking core, and the hardware fault is injected into the attacked core according to the attack voltage provided by the power management integrated chip when the attacking core detects that the attacked core has run to the specified fault injection point;
and the power management integrated chip is configured to change the processor core voltage of the attacked core to the attack voltage when the attacking core detects that the attacked core has run to the specified fault injection point, and to restore the processor core voltage of the attacked core to the safe voltage after the preset time has elapsed.
10. The multi-core processor of claim 9, wherein changing the processor core voltage of the attacked core to the attack voltage in the power management integrated chip specifically comprises: the power management integrated chip provides the attack voltage to all processor cores, the attack voltage being one at which the attacked core cannot work normally but the attacking core and the other cores can; or the power management integrated chip changes the processor core voltage of the attacked core alone to the attack voltage.
CN201910309540.0A 2019-04-17 2019-04-17 Multi-core processor and fault injection method thereof Active CN110032485B (en)


Publications (2)

Publication Number Publication Date
CN110032485A CN110032485A (en) 2019-07-19
CN110032485B true CN110032485B (en) 2020-05-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant