MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks

TL;DR

MAFIA is a microarchitecture protection scheme for embedded systems that defends against fault injection attacks by ensuring control signal integrity and code authenticity, with implementations demonstrating manageable overheads.

Contribution

This paper introduces MAFIA, a novel microarchitecture-level countermeasure against fault injection attacks, including a signature-based mechanism and support for control-flow integrity.

Findings

Two implementations with different security/overhead trade-offs analyzed

Hardware overheads of 23.8% and 6.5% for different schemes

Code size and execution time overheads up to 50% and 39% respectively

Abstract

Fault injection attacks represent an effective threat to embedded systems. Recently, Laurent et al. have reported that fault injection attacks can leverage faults inside the microarchitecture. However, state-of-the-art counter-measures, hardwareonly or with hardware support, do not consider the integrity of microarchitecture control signals that are the target of these faults. We present MAFIA, a microarchitecture protection against fault injection attacks. MAFIA ensures integrity of pipeline control signals through a signature-based mechanism, and ensures fine-grained control-flow integrity with a complete indirect branch support and code authenticity. We analyse the security properties of two different implementations with different security/overhead trade-offs: one with a CBC-MAC/Prince signature function, and another one with a CRC32. We present our implementation of MAFIA in a RISC-V processor, supported by a dedicated compiler toolchain based on LLVM/Clang. We report a hardware area overhead of 23.8 % and 6.5 % for the CBC-MAC/Prince and CRC32 respectively. The average code size and execution time overheads are 29.4 % and 18.4 % respectively for the CRC32 implementation and are 50 % and 39 % for the CBC-MAC/Prince.