“Lightweight Countermeasures Against Original Linear Code Extraction Attacks on a RISC-V Core”

Our paper, presented, demonstrated and published at 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), is now readable on IEEE Xplore

Authors: Théophile Gousselot; Olivier Thomas; Jean-Max Dutertre; Olivier Potin; Jean-Baptiste Rigaud

Abstract: Linear Code Extraction (LCE) is an invasive attack aiming at fully extracting a code from a device’s memory for reverse engineering purposes. The core instruction bus is identified and microprobed using Failure Analysis tools. Meanwhile, other microprobes force internal nodes of the core to logic states which allow a full memory linear extraction. This paper demonstrates the first assessment of a RISC-V core vulnerability to LCE. It evaluates the complexity to extract the code in the right order by freezing the instruction register or by editing the incoming instructions. This paper introduces three original countermeasures to detect an ongoing LCE by monitoring symptoms such as the lack of branch instruction execution. These hardware countermeasures are lightweight and adaptable to other core architectures. We develop an experimental setup based on a functional simulation framework and an FPGA-based demonstration. This setup made it possible to study and assess the LCE vulnerabilities of our RISC-V target and to validate the effectiveness of our proposed countermeasures. The area overhead was measured between 0.52% and 1.47% of the cv32e40p RISC-V core. Depending on the detection latency target, the clock cycle overhead using the Embench TM benchmarks can be null or kept below 1%.