Secure elements physically exposed to adversaries are frequently targeted by fault attacks. These attacks can be utilized to hijack the control-flow of software allowing the attacker to bypass security measures, extract sensitive data, or gain full code execution. In this paper, we systematically analyze the threat vector of fault-induced control-flow manipulations on the open-source OpenTitan secure element. Our thorough analysis reveals that current countermeasures of this chip either induce large area overheads or still cannot prevent the attacker from exploiting the identified threats. In this context, we introduce SCRAMBLE-CFI, an encryption-based control-flow integrity scheme utilizing existing hardware features of OpenTitan. SCRAMBLE-CFI confines, with minimal hardware overhead, the impact of fault-induced control-flow attacks by encrypting each function with a different encryption tweak at load-time. At runtime, code only can be successfully decrypted when the correct decryption tweak is active. We open-source our hardware changes and release our LLVM toolchain automatically protecting programs. Our analysis shows that SCRAMBLE-CFI complementarily enhances security guarantees of OpenTitan with a negligible hardware overhead of less than 3.97 % and a runtime overhead of 7.02 % for the Embench-IoT benchmarks.

翻译：物理暴露于攻击者的安全元件频繁遭受故障攻击。这些攻击可用于劫持软件的控制流，使攻击者能够绕过安全措施、提取敏感数据或获得完全代码执行能力。本文系统性地分析了开源安全元件OpenTitan上故障诱导控制流操纵的威胁向量。我们的深入分析表明，该芯片当前的防护措施要么引入较大的面积开销，要么仍无法阻止攻击者利用已识别的威胁。在此背景下，我们提出SCRAMBLE-CFI——一种基于加密的控制流完整性方案，利用OpenTitan现有硬件特性。SCRAMBLE-CFI通过在加载时使用不同加密调整值对每个函数进行加密，以极小硬件开销限制故障诱导控制流攻击的影响。运行时，仅当正确的解密调整值激活时，代码才能被成功解密。我们开源了硬件修改，并发布了自动保护程序的LLVM工具链。分析表明，对于Embench-IoT基准测试，SCRAMBLE-CFI以低于3.97%的微小硬件开销和7.02%的运行开销，互补性地增强了OpenTitan的安全保障。