Asmit De

Asmit De, Swaroop Ghosh

RISC-V is a promising open-source architecture primarily targeted for embedded systems. Programs compiled using the RISC-V toolchain can run bare-metal on the system, and, as such, can be vulnerable to several memory corruption vulnerabilities. In this work, we present HeapSafe, a lightweight hardware assisted heap-buffer protection scheme to mitigate heap overflow and use-after-free vulnerabilities in a RISC-V SoC. The proposed scheme tags pointers associated with heap buffers with metadata indices and enforces tag propagation for commonly used pointer operations. The HeapSafe hardware is decoupled from the core and is designed as a configurable coprocessor and is responsible for validating the heap buffer accesses. Benchmark results show a 1.5X performance overhead and 1.59% area overhead, while being 22% faster than a software protection. We further implemented a HeapSafe-nb, an asynchronous validation design, which improves performance by 27% over the synchronous HeapSafe.

Karthikeyan Nagarajan, Asmit De, Mohammad Nasim Imtiaz Khan et al.

In this paper, we investigate the advanced circuit features such as wordline- (WL) underdrive (prevents retention failure) and overdrive (assists write) employed in the peripherals of Dynamic RAM (DRAM) memories from a security perspective. In an ideal environment, these features ensure fast and reliable read and write operations. However, an adversary can re-purpose them by inserting Trojans to deliver malicious payloads such as fault injections, Denial-of-Service (DoS), and information leakage attacks when activated by the adversary. Simulation results indicate that wordline voltage can be increased to cause retention failure and thereby launch a DoS attack in DRAM memory. Furthermore, two wordlines or bitlines can be shorted to leak information or inject faults by exploiting the DRAM's refresh operation. We demonstrate an information leakage system exploit by implementing TrappeD on RocketChip SoC.

Mohammad Nasim Imtiaz Khan, Asmit De, Swaroop Ghosh

Register Files (RFs) are the most frequently accessed memories in a microprocessor for fast and efficient computation and control logic. Segment registers and control registers are especially critical for maintaining the CPU mode of execution that determinesthe access privileges. In this work, we explore the vulnerabilities in RF and propose a class of hardware Trojans which can inject faults during read or retention mode. The Trojan trigger is activated if one pre-selected address of L1 data-cache is hammered for certain number of times. The trigger evades post-silicon test since the required number of hammering to trigger is significantly high even under process and temperature variation. Once activated, the trigger can deliver payloads to cause Bitcell Corruption (BC) and inject read error by Read Port (RP) and Local Bitline (LBL). We model the Trojan in GEM5 architectural simulator performing a privilege escalation. We propose countermeasures such as read verification leveraging multiport feature, securing control and segment registers by hashing and L1 address obfuscation.

Nitin Rathi, Asmit De, Helia Naeimi et al.

Spin-Transfer Torque RAM (STTRAM) is promising for cache applications. However, it brings new data security issues that were absent in volatile memory counterparts such as Static RAM (SRAM) and embedded Dynamic RAM (eDRAM). This is primarily due to the fundamental dependency of this memory technology on ambient parameters such as magnetic field and temperature that can be exploited to tamper with the stored data. In this paper we propose three techniques to enable error free computation without stalling the system, (a) stalling where the system is halted during attack; (b) cache bypass during gradually ramping attack where the last level cache (LLC) is bypassed and the upper level caches interact directly with the main memory; and, (c) checkpointing along with bypass during sudden attack where the processor states are saved periodically and the LLC is written back at regular intervals. During attack the system goes back to the last checkpoint and the computation continues with bypassed cache. We performed simulation for different duration and frequency of attack on SPLASH benchmark suite and the results show an average of 8% degradation in IPC for a one-time attack lasting for 50% of the execution time. The energy overhead is 2% for an attack lasting for the entire duration of execution.