TY - JOUR
T1 - HarTBleed
T2 - Using Hardware Trojans for Data Leakage Exploits
AU - De, Asmit
AU - Nasim Imtiaz Khan, Mohammad
AU - Nagarajan, Karthikeyan
AU - Ghosh, Swaroop
N1 - Funding Information:
Manuscript received September 16, 2019; revised November 22, 2019; accepted December 12, 2019. Date of publication January 14, 2020; date of current version March 20, 2020. This work was supported in part by SRC under Grant 2727.001; in part by NSF under Grant CNS1722557, Grant CCF-1718474, Grant DGE-1723687, and Grant DGE-1821766; and in part by the DARPA Young Faculty Award under Grant D15AP00089. (Corresponding author: Asmit De.) The authors are with the School of Electrical Engineering and Computer Science, The Pennsylvania State University, University Park, PA 16802 USA (e-mail: asmit@psu.edu; muk392@psu.edu; kxn287@psu.edu; szg212@psu.edu).
Publisher Copyright:
© 1993-2012 IEEE.
PY - 2020/4
Y1 - 2020/4
N2 - Data and information leakage is an important security concern in current systems. Several data leakage prevention (DLP) techniques have been proposed in the literature to prevent external as well as internal data leakage. Most of these solutions try to trace data flow and perform privilege checks to ensure the security of the data at the software and system level. Architecture level leakage vulnerabilities such as Spectre and Meltdown can be mitigated by performance-expensive software patches or by modifying the architecture itself. However, these solutions assume that the underlying hardware platform is secure and free from tampering. In this article, we present HarTBleed, a class of system attacks involving hardware compromised with a Trojan embedded in the CPU. We show that attacks crafted specifically to make use of the Trojan can be used to obtain sensitive information from the address space of a process. We propose the use of a capacitor-based Trojan trigger that exploits the virtual addressing of L1 cache to activate a Trojan payload that resets a target translation lookaside buffer (TLB) entry to maliciously map to sensitive data in memory. Extensive circuit simulation indicates that the proposed Trojan trigger is not activated during test or normal operation even under a wide range of process/temperature conditions. Therefore, it remains undetected. A successful HarTBleed-based exploit is demonstrated using an attack code by modeling the Trojan effects in the GEM5 simulator.
AB - Data and information leakage is an important security concern in current systems. Several data leakage prevention (DLP) techniques have been proposed in the literature to prevent external as well as internal data leakage. Most of these solutions try to trace data flow and perform privilege checks to ensure the security of the data at the software and system level. Architecture level leakage vulnerabilities such as Spectre and Meltdown can be mitigated by performance-expensive software patches or by modifying the architecture itself. However, these solutions assume that the underlying hardware platform is secure and free from tampering. In this article, we present HarTBleed, a class of system attacks involving hardware compromised with a Trojan embedded in the CPU. We show that attacks crafted specifically to make use of the Trojan can be used to obtain sensitive information from the address space of a process. We propose the use of a capacitor-based Trojan trigger that exploits the virtual addressing of L1 cache to activate a Trojan payload that resets a target translation lookaside buffer (TLB) entry to maliciously map to sensitive data in memory. Extensive circuit simulation indicates that the proposed Trojan trigger is not activated during test or normal operation even under a wide range of process/temperature conditions. Therefore, it remains undetected. A successful HarTBleed-based exploit is demonstrated using an attack code by modeling the Trojan effects in the GEM5 simulator.
UR - http://www.scopus.com/inward/record.url?scp=85082520842&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85082520842&partnerID=8YFLogxK
U2 - 10.1109/TVLSI.2019.2961358
DO - 10.1109/TVLSI.2019.2961358
M3 - Article
AN - SCOPUS:85082520842
SN - 1063-8210
VL - 28
SP - 968
EP - 979
JO - IEEE Transactions on Very Large Scale Integration (VLSI) Systems
JF - IEEE Transactions on Very Large Scale Integration (VLSI) Systems
IS - 4
M1 - 8959377
ER -