CAD4Security

CAD4Security

SoC Vulnerability #2

You are here: Home / SoC Vulnerability Database / SoC Vulnerability #2

The domain of Attacks

Software
Hardware

Attack Model

CAPEC-233: Privilege Escalation 

CWE-ID: – 266

Hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses, and information leakage.   

Threat Model – Privilege Escalation

Soc Vul. #Name of CoreSecurity RequirementThreat model descriptionEffectSW attack model
2CVA6 RISC-V CPU Privilege level 
should be in 
Machine mode 		Privilege Escalation: Tweaked to User mode/Supervisor modeChanging the mode can have side-effects on address translation (e.g.: other instructions) 
Re-fetch the next instruction by executing a flush 		A software code will access M mode and S mode registers.  
Possible attacks: Access control, Illegal interrupt, information leakage etc
Table 1. Attack model description

Description

In a system-on-chip (SoC), software will commonly access the peripherals through a memory-mapped register interface. Thus, software can access only certain registers with respect to their privilege level hardcoded in the design. However, through the accessible register interface, malicious software could tamper the hardware data. This threat could allow any adversary to exploit a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.  

Security Property

property one1;  
                @(posedge clk_i) (debug_req_i == 1’b0)|-> (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_S) or (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_U) or (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_M);  
        endproperty  
        ap_vulnerability11: assert property (one1);  
property one2;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_M); //machine mode is low-priviledged  
      endproperty  
        ap_vulnerability12: assert property (one2);  
              property one3;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o != riscv::PRIV_LVL_U);  
        endproperty  
        ap_vulnerability13: assert property (one3);  
property one4;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o != riscv::PRIV_LVL_S) ;  
        endproperty  
        ap_vulnerability14: assert property (one4);  
endmodule 
Table 2. Assertions/properties to check privilege escalation in RISC-V design.

Procedure

  1. Invoke Cadence JG
  2. Run prove_tl.tcl script to check the assertion
  3. Violation in the assertion will generate CEX
DOWNLOAD FILES

Impact of Vulnerability

Loss of confidentiality and integrity of the SoC

Severity

TBA (Metrics to evaluate the vulnerability impact)

tools used

Cadence JasperGold

Results (counter-example)

Fig 1.0
Fig 1.1
previous arrow
next arrow
previous arrow
Fig 1.0

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Fig 1.1
next arrow
 
Shadow

Counter-example insights

Fig.2 shows that the privilege escalation from M-mode to U-mode exists in the RISC-V design at the clock pulse of 264.