Pointing in the Right Direction - Securing Memory Accesses in a Faulty World

TL;DR

This paper introduces a novel hardware-software countermeasure that protects memory accesses against address tampering attacks by encoding pointers with error detection codes and linking data with encoded addresses, demonstrated on a RISC-V FPGA.

Contribution

It presents a new method combining multi-residue encoded pointers and extended load/store instructions to secure memory accesses against faults, with practical implementation and evaluation.

Findings

Achieves 10% code size overhead and 7% runtime overhead.

Successfully implemented on RISC-V FPGA platform.

Automatically encodes pointers using modified LLVM compiler.

Abstract

Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, assuming that the hardware performs its memory operations as instructed is not valid anymore. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have various critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multi-residue error detection code. The redundancy information is stored in the unused upper bits of the pointer with zero overhead in terms of storage. Second, load and store instructions are extended to link data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure into a RISC-V processor, tested it on a FPGA development board, and evaluated the induced overhead. Furthermore, a LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10% in terms of code size and 7% regarding runtime, which makes it suitable for practical adoption.