{"id":5089,"date":"2023-09-11T19:31:48","date_gmt":"2023-09-11T19:31:48","guid":{"rendered":"http:\/\/cad4security.org\/?page_id=5089"},"modified":"2023-09-26T16:39:35","modified_gmt":"2023-09-26T16:39:35","slug":"soc-vulnerability-5","status":"publish","type":"page","link":"http:\/\/cad4security.org\/index.php\/riscv-vulnerability-details\/soc-vulnerability-5\/","title":{"rendered":"SoC Vulnerability #5"},"content":{"rendered":"
\n
\n\n
\n

The domain of Attacks<\/h3>\n\n\n\n

Software
Hardware<\/p>\n\n\n\n

<\/div><\/div>\n\n\n\n\n\n
\n

Attack Model<\/h3>\n\n\n\n

CAPEC-233: Privilege Escalation\u00a0<\/p>\n<\/div><\/div>\n\n\n\n<\/div>\n\n

\n\n

CWE-ID: – 1262<\/strong><\/h2>\n\n\n\n

Unauthorized page access request in the memory management unit (MMU)<\/p>\n\n<\/div>\n<\/div><\/div>\n\n\n

\n\n\n\n

Threat Model – Privilege Escalation <\/h3>\n\n\n\n\n
Soc Vul. #<\/th>Name of Core<\/th>Security Requirement<\/th>Threat model description<\/th>Effect<\/th>SW attack model<\/th><\/tr><\/thead>
5<\/td>CVA6 RISC-V CPU<\/strong> <\/td>If any memory page doesn\u2019t allow user-level access, no access should be given to the lower privilege-level users.<\/td>Privilege Escalation:<\/strong> <\/strong><\/strong>Illegal access is given to lower privilege modes<\/td>Illegal memory page access from user privilege level<\/td> Software in the guest OS can access memory page without having the proper privilege permission.\u202f 
Possible attacks:<\/strong> Access control, Illegal interrupt, information leakage etc <\/td><\/tr><\/tbody><\/table>
Table 1. Attack model description <\/figcaption><\/figure>\n\n\n\n
\n

Description<\/h3>\n\n\n\n

In a system-on-chip (SoC), the software will commonly access the peripherals through a memory-mapped register interface. Thus, the software can access only certain registers with respect to their privilege level hardcoded in the design. However, through the accessible register interface, malicious software could tamper with the hardware data. The memory management unit (MMU) determines the memory page access permission for different privilege levels. This vulnerability allows any attacker to access supervisor or machine-level memory pages from user-level privilege mode without generating any data access error.<\/p>\n<\/div><\/div>\n\n\n\n\n\n\n

\n\n\n\n

Security Property<\/h3>\n\n\n\n\n
property mmu;
 
                        @(posedge clk_i) disable iff (!rst_ni) (ariane.ex_stage_i.lsu_i.i_mmu.icache_areq_i.fetch_req && ((ariane.ex_stage_i.lsu_i.i_mmu.priv_lvl_i == riscv::PRIV_LVL_U) && ~ariane.ex_stage_i.lsu_i.i_mmu.itlb_content.u)) |-> (ariane.ex_stage_i.lsu_i.i_mmu.iaccess_err == 1);
 
endproperty
            ap_vulnerability123: assert property (mmu);<\/td><\/tr><\/tbody><\/table>
Table 2. Assertions\/properties to check privilege escalation in RISC-V design.<\/figcaption><\/figure>\n\n\n
\n
\n\n

Procedure<\/h3>\n\n\n\n
    \n
  1. Invoke Cadence JG inside the cva6_master folder<\/li>\n\n\n\n
  2. Run the prove_t1.tcl script to check the assertion.\u202f <\/li>\n\n\n\n
  3. Violation in the assertion will generate CEX.\u202f\u202f <\/li>\n<\/ol>\n\n\n\n
    \n
    download files<\/a><\/div>\n<\/div>\n\n<\/div>\n\n
    \n\n
    \n

    Impact of Vulnerability<\/h3>\n\n\n\n

    Loss of confidentiality and integrity of the SoC<\/p>\n\n\n\n

    <\/div><\/div>\n\n\n\n\n\n
    \n

    Severity<\/h3>\n\n\n\n

    TBA (Metrics to evaluate the vulnerability impact)<\/p>\n\n\n\n

    <\/div><\/div>\n\n\n\n\n\n
    \n

    tools used<\/h3>\n\n\n\n

    Cadence JasperGold<\/p>\n<\/div><\/div>\n\n\n\n<\/div>\n<\/div><\/div>\n\n\n

    <\/div>\n\n\n
    <\/path><\/svg><\/div>\n\n
    <\/path><\/svg><\/div>\n\n\n
    <\/div>\n\n\n\n

    Results (counter-example)<\/h3>\n\n\n\n\n

    Fig.1 shows that the property (ref. Table.2) violates the RISC-V design, indicating the illegal memory access (privilege violation) in the generated CEX (shown in Fig.2).   <\/p>\n\n\n\n","protected":false},"excerpt":{"rendered":"

    CWE-ID: – 1262
    \nUnauthorized page access request in the memory management unit (MMU)<\/p>\n","protected":false},"author":10,"featured_media":3528,"parent":4639,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"acf":[],"_links":{"self":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5089"}],"collection":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/comments?post=5089"}],"version-history":[{"count":11,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5089\/revisions"}],"predecessor-version":[{"id":5262,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/5089\/revisions\/5262"}],"up":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/pages\/4639"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/media\/3528"}],"wp:attachment":[{"href":"http:\/\/cad4security.org\/index.php\/wp-json\/wp\/v2\/media?parent=5089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}