{"id":5077,"date":"2023-09-11T19:08:44","date_gmt":"2023-09-11T19:08:44","guid":{"rendered":"http:\/\/cad4security.org\/?page_id=5077"},"modified":"2023-09-26T16:36:45","modified_gmt":"2023-09-26T16:36:45","slug":"soc-vulnerability-2","status":"publish","type":"page","link":"http:\/\/cad4security.org\/index.php\/riscv-vulnerability-details\/soc-vulnerability-2\/","title":{"rendered":"SoC Vulnerability #2"},"content":{"rendered":"
\n
\n\n
\n

The domain of Attacks<\/h3>\n\n\n\n

Software
Hardware<\/p>\n\n\n\n

<\/div><\/div>\n\n\n\n\n\n
\n

Attack Model<\/h3>\n\n\n\n

CAPEC-233: Privilege Escalation\u00a0<\/p>\n<\/div><\/div>\n\n\n\n<\/div>\n\n

\n\n

CWE-ID: – 266<\/strong><\/h2>\n\n\n\n

Hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses, and information leakage.   <\/p>\n\n<\/div>\n<\/div><\/div>\n\n\n

\n\n\n\n

Threat Model – Privilege Escalation <\/h3>\n\n\n\n\n
Soc Vul. #<\/th>Name of Core<\/th>Security Requirement<\/th>Threat model description<\/th>Effect<\/th>SW attack model<\/th><\/tr><\/thead>
2<\/td>CVA6 RISC-V CPU<\/strong> <\/td>Privilege level 
should be in 
Machine mode <\/td>		Privilege Escalation:<\/strong> Tweaked to User mode\/Supervisor mode<\/td>Changing the mode can have side-effects on address translation (e.g.: other instructions) 
Re-fetch the next instruction by executing a flush <\/td>		A software code will access M mode and S mode registers.\u202f 
Possible attacks:<\/strong> Access control, Illegal interrupt, information leakage etc<\/td><\/tr><\/tbody><\/table>
Table 1. Attack model description <\/figcaption><\/figure>\n\n\n\n
\n

Description<\/h3>\n\n\n\n

In a system-on-chip (SoC), software will commonly access the peripherals through a memory-mapped register interface. Thus, software can access only certain registers with respect to their privilege level hardcoded in the design. However, through the accessible register interface, malicious software could tamper the hardware data. This threat could allow any adversary to exploit a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.\u00a0\u00a0<\/p>\n<\/div><\/div>\n\n\n\n\n\n\n

\n\n\n\n

Security Property<\/h3>\n\n\n\n\n
property one1;  
                @(posedge clk_i) (debug_req_i == 1’b0)|-> (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_S) or (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_U) or (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_M);  
        endproperty  
        ap_vulnerability11: assert property (one1);  
property one2;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o == riscv::PRIV_LVL_M); \/\/machine mode is low-priviledged  
      endproperty  
        ap_vulnerability12: assert property (one2);  
              property one3;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o != riscv::PRIV_LVL_U);  
        endproperty  
        ap_vulnerability13: assert property (one3);  
property one4;  
                @(posedge clk_i) (debug_req_i == 1’b1)|-> (ariane.csr_regfile_i.priv_lvl_o != riscv::PRIV_LVL_S) ;  
        endproperty  
        ap_vulnerability14: assert property (one4);  
endmodule <\/td><\/tr><\/tbody><\/table>
Table 2. Assertions\/properties to check privilege escalation in RISC-V design.<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n
\n
\n\n

Procedure<\/h3>\n\n\n\n
    \n
  1. Invoke Cadence JG<\/li>\n\n\n\n
  2. Run prove_tl.tcl script to check the assertion <\/li>\n\n\n\n
  3. Violation in the assertion will generate CEX<\/li>\n<\/ol>\n\n\n\n
    \n
    DOWNLOAD FILES<\/a><\/div>\n<\/div>\n\n<\/div>\n\n
    \n\n
    \n

    Impact of Vulnerability<\/h3>\n\n\n\n

    Loss of confidentiality and integrity of the SoC<\/p>\n\n\n\n

    <\/div><\/div>\n\n\n\n\n\n
    \n

    Severity<\/h3>\n\n\n\n

    TBA (Metrics to evaluate the vulnerability impact)<\/p>\n\n\n\n

    <\/div><\/div>\n\n\n\n\n\n
    \n

    tools used<\/h3>\n\n\n\n

    Cadence JasperGold<\/p>\n<\/div><\/div>\n\n\n\n<\/div>\n<\/div><\/div>\n\n\n

    <\/div>\n\n\n
    <\/path><\/svg><\/div>\n\n
    <\/path><\/svg><\/div>\n\n\n
    <\/div>\n\n\n\n

    Results (counter-example)<\/h3>\n\n\n\n\n\n\n
    \n

    Counter-example insights<\/h4>\n\n\n\n

    Fig.2 shows that the privilege escalation from M-mode to U-mode exists in the RISC-V design at the clock pulse of 264.<\/p>\n<\/div><\/div>\n\n\n\n","protected":false},"excerpt":{"rendered":"

    CWE-ID: – 266
    \nHardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses, and information leakage.\u00a0\u00a0\u00a0<\/p>\n","protected":false},"author":10,"featured_media":3528,"parent":4639,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"acf":[],"_links":{"self":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5077"}],"collection":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/comments?post=5077"}],"version-history":[{"count":10,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5077\/revisions"}],"predecessor-version":[{"id":5256,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5077\/revisions\/5256"}],"up":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/4639"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/media\/3528"}],"wp:attachment":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/media?parent=5077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}