Apr 15, 2019

RF-Trojan: Leaking Kernel Data Using Register File Trojan

arXiv:1904.07144v1
Originality: Incremental advance
AI Analysis

This paper addresses security risks in critical CPU components, aimed at hardware designers and security researchers; it is incremental in that it builds on known hardware Trojan concepts.

The paper tackles vulnerabilities in microprocessor Register Files by proposing a hardware Trojan that injects faults during read or retention mode, is triggered by hammering a specific L1 data-cache address, and is demonstrated in the GEM5 simulator to achieve privilege escalation. It also proposes countermeasures such as read verification and address obfuscation.

Register Files (RFs) are the most frequently accessed memories in a microprocessor for fast and efficient computation and control logic. Segment registers and control registers are especially critical for maintaining the CPU mode of execution that determines the access privileges. In this work, we explore the vulnerabilities in RF and propose a class of hardware Trojans which can inject faults during read or retention mode. The Trojan trigger is activated if one pre-selected address of L1 data-cache is hammered a certain number of times. The trigger evades post-silicon test since the required number of hammering operations to trigger is significantly high even under process and temperature variation. Once activated, the trigger can deliver payloads to cause Bitcell Corruption (BC) and inject read errors by Read Port (RP) and Local Bitline (LBL). We model the Trojan in the GEM5 architectural simulator performing a privilege escalation. We propose countermeasures such as read verification leveraging the multiport feature, securing control and segment registers by hashing, and L1 address obfuscation.

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it, not by global fame.
