CRAFT: Characterizing and Root-Causing Fault Injection Threats at Pre-Silicon
Abstract
CRAFT is a novel framework that utilizes pre-silicon analysis to efficiently characterize and root-cause fault injection vulnerabilities in processor designs, substantially reducing the search space for post-silicon validation. Applied to a RISC-V soft-core (cv32e40x), the study revealed two major vulnerabilities: clock-glitch induced instruction skips and the silent conversion of legal instructions into exploitable illegal ones. This work successfully traces these flaws to a specific, previously unreported vulnerability in a pipeline register shared between the instruction fetch and decode stages.
Report
Key Highlights
- CRAFT Framework: Introduced a systematic framework combining pre-silicon simulation and post-silicon validation to analyze Fault Injection Attacks (FIA).
- Novel Vulnerabilities: The study uncovered two new vulnerabilities in the target RISC-V processor.
  - Instruction skips induced by a single clock glitch attack, preventing critical memory loads.
  - Conversion of a legal instruction into an illegal instruction mid-execution, causing undetected control-flow diversion.
- Root Cause Identified: The faults were traced back to a previously unreported vulnerability in a pipeline register shared between the instruction fetch (IF) and decode (ID) stages.
- Efficiency Gain: Pre-silicon analysis (simulating 9248 FIA scenarios) reduced the search space for necessary post-silicon experiments by 97.31%.
- Validation: Exploits identified in simulation were successfully validated on real hardware (FPGA).
Technical Details
- Target Architecture: A RISC-V soft-core processor, specifically the cv32e40x.
- Attack Methodology: Fault injection focused on clock glitching (single-glitch attack) to exploit timing weaknesses in the microarchitecture.
- Instruction Skip Mechanism: Glitching the clock during a specific timing window prevents necessary values from being loaded from memory, thus skipping the execution of critical instructions.
- Illegal Instruction Diversion: The timing fault converts a legal instruction into an illegal one mid-execution, and the processor fails to detect it, so the resulting control-flow change goes unflagged and the program state is silently corrupted.
- Specific Fault Location: The vulnerability resides within a specific pipeline register located between the instruction fetch and instruction decode stages of the RISC-V pipeline.
- Scope: The analysis covers fault exploitation across multiple layers: system software, Instruction Set Architecture (ISA), microarchitecture, and physical hardware.
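As an added illustration (not CRAFT's tooling and not the cv32e40x design), the toy model below faults the IF/ID pipeline register of a three-stage pipeline in a chosen cycle, sweeps every fault cycle and kind, and classifies each outcome as an instruction skip, an undetected illegal instruction, or no effect, which is the pruning step a pre-silicon sweep performs before hardware experiments. The two fault kinds, the sample program and the outcome classes are assumptions made for the example.

```python
# Added illustrative model, not CRAFT's tooling nor the cv32e40x RTL: a toy
# three-stage pipeline whose IF/ID register is faulted in one clock cycle.
# Fault kinds and outcome classes are assumptions made for this example.
NOP = ("nop",)
ILLEGAL = ("illegal",)   # what a corrupted instruction encoding decodes to

def run(program, fault=None):
    """Execute `program` (("load", reg, val) / ("add", dst, src) tuples).
    fault=(cycle, kind): 'hold' = IF/ID fails to latch and keeps stale contents,
    so that cycle's fetch is lost (skip); 'corrupt' = IF/ID latches an undecodable word."""
    regs = {"r1": 0, "r2": 0, "r3": 0}
    if_id = NOP                                # pipeline register between IF and ID
    illegal_seen, pc = False, 0
    for cycle in range(len(program) + 1):     # +1 cycle to drain the pipeline
        op = if_id[0]                          # ID/EX consumes the IF/ID register
        if op == "load":
            regs[if_id[1]] = if_id[2]
        elif op == "add":
            regs[if_id[1]] += regs[if_id[2]]
        elif op == "illegal":
            illegal_seen = True                # toy decoder has no exception path
        fetched = program[pc] if pc < len(program) else NOP   # IF stage
        if fault is not None and fault[0] == cycle:
            if_id = if_id if fault[1] == "hold" else ILLEGAL  # 'hold' re-decodes stale instr
        else:
            if_id = fetched
        pc += 1
    return {"regs": regs, "illegal": illegal_seen}

def campaign(program, expected):
    """Sweep every (cycle, kind) fault and classify its effect; the 'none'
    class is what pre-silicon analysis prunes from post-silicon testing."""
    classes = {"none": [], "skip": [], "illegal": []}
    for cycle in range(len(program) + 1):
        for kind in ("hold", "corrupt"):
            result = run(program, (cycle, kind))
            if result["illegal"]:
                classes["illegal"].append((cycle, kind))
            elif result["regs"] != expected:
                classes["skip"].append((cycle, kind))
            else:
                classes["none"].append((cycle, kind))
    return classes

def pruning_ratio(classes):
    """Fraction of simulated scenarios that need no hardware experiment."""
    return len(classes["none"]) / sum(len(v) for v in classes.values())
# Constructed sample program (not from the paper) and its fault-free result.
PROGRAM = [("load", "r1", 7), ("load", "r2", 5), ("add", "r3", "r1")]
EXPECTED = {"r1": 7, "r2": 5, "r3": 7}
```

Running `campaign(PROGRAM, EXPECTED)` shows that every 'hold' fault landing on a real fetch skips a load or the add, every 'corrupt' fault on a real fetch yields an illegal instruction the toy decoder never flags, and only the faults that hit the drain cycle are harmless and can be dropped.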
Implications
- Security for RISC-V Ecosystem: This work highlights concrete, low-level security vulnerabilities inherent in common RISC-V microarchitectures (like the cv32e40x soft-core), urging designers to incorporate FIA countermeasures early in the development cycle.
- Shift-Left Security: CRAFT demonstrates the crucial advantage of moving robust security analysis (including physical attack mitigation) to the pre-silicon stage. This prevents costly redesigns after expensive silicon tape-out.
- Pipeline Register Risk: The finding emphasizes that temporary storage elements, like pipeline registers, are critical security boundaries that must be thoroughly hardened against timing and glitch attacks, as faults here can propagate to exploitable control-flow diversions.
- Methodology Standard: The CRAFT framework provides a scalable, efficient methodology for the hardware security community to systematically explore and address the complex propagation of physical faults across multiple abstraction layers.