# VoltJockey: Software-Controlled Voltage-Induced Hardware Fault Injection

Gang Qu University of Maryland, College Park Electronic Design Process Symposium October 6, 2022 Milpitas, CA

eshSec Lab

# Why Low Power?

Longer battery lifetime
Less packaging/cooling cost
More reliable circuitry
Smaller electricity bill





eshSec Lab



# Where Does the Power Go?

- # Dynamic power or switching power
- # Static power or leakage current
  - Gate-oxide leakage
  - Subthreshold leakage
- # Short-circuit power

shSec Lab



 $P = \frac{1}{2} \alpha C V_{dd}^2 f + I_{leak} V_{dd} + \alpha Q_{SC} V_{dd} f$ 



# What is DVFS?

- # Dynamic voltage and frequency scaling
  - Circuits can work at a range of  $V_{dd}$  values
  - A given V<sub>dd</sub> can support a range of clock frequencies with a
  - **F**  $\propto$  (V<sub>dd</sub>-V<sub>th</sub>) $^{\chi}$ /V<sub>dd</sub>  $\chi \in$  (1.0,2.0)
- # Why DVFS saves power and energy?
  - **•** Reduce  $V_{dd}$  to  $\gamma V_{dd}$

eshSec Lab

- =  $f_{max}$  reduces to roughly  $\gamma$   $f_{max}$
- **The Dynamic power reduces by roughly**  $\gamma^3$
- **Energy reduces by roughly**  $\gamma^2$

I. Hong, et al. "Power Optimization of Variable Voltage Core-based Systems", DAC'1998.

# How Does DVS Work?

- # Suppose that a data sample comes every 1 ms
- # Requires processing time of 250 μs at 600MHz
- # DVS: reduce voltage such that clock slows down to 150MHz

#### frequency

eshSec Lab

|      | slack |   | slack | slack |
|------|-------|---|-------|-------|
| 1.14 |       | 1 |       |       |
|      |       |   |       |       |

time

- 1997: variable voltage processor scheduling
- 1998: M.S. thesis, Variable voltage system (DAC), communication pipeline (ICCAD), real-time scheduling (RTSS).
- 2000: Quality-energy tradeoff (ISLPED)
- 2001: limit of energy saving by DVFS (ICCAD)
- 2002: secure sensor network (ASAP)
- 2003: multimedia system (ASPDAC, RSP, DAC), probabilistic design (DAC), multi-processor scheduling (EMSOFT), voltage set-up (ICCAD)
- 2004: performance gain vs energy saving (ISCAS), dual-voltage on (m, k)-firm system (CASES)
- 2005: parallelism on multi-processor (ASPDAC)
- 2006: dual-processor fault-tolerant system (ASAP)
- 2007: leakage aware DVS (AHS), multi-core system scheduling (McSoC) 2013: temperature-aware DVS (ASAP)

#### LeshSec Lab

- 1997: variable voltage processor scheduling
- 1998: M.S. thesis, Variable voltage system (DAC), communication pipeline (ICCAD), real-time scheduling (RTSS).
- 2000: Quality-energy tradeoff (ISLPED)
- 2001: limit of energy saving by DVFS (ICCAD)
- 2002: secure sensor network (ASAP)
- 2003: multimedia system (ASPDAC, RSP, DAC), probabilistic design (DAC), multi-processor scheduling (EMSOFT), voltage set-up (ICCAD)
- 2004: performance gain vs energy saving (ISCAS), dual-voltage on (m, k)-firm system (CASES)
- 2005: parallelism on multi-processor (ASPDAC)

eshSec Lab

- 2006: dual-processor fault-tolerant system (ASAP)
- 2007: leakage aware DVS (AHS), multi-core system scheduling (McSoC) 2013: temperature-aware DVS (ASAP)

- 1997: variable voltage processor scheduling 1998: M.S. thesis, Variable voltage system (DAC), communication -pipeline (ICCAD), real-time scheduling (RTSS). 2000: Quality-energy tradeoff (ISLPED) 2001: limit of energy saving by DVFS (ICCAD) 2002: secure sensor network (ASAP) 2003: multimedia system (ASPDAC, RSP, DAC), probabilistic design (DAC), multi-processor scheduling (EMSOFT), voltage set-up (ICCAD) 2004: performance gain vs energy saving (ISCAS), dual-voltage on (m. k)-firm system (CASES) 2005: parallelism on multi-processor (ASPDAC) 2006: dual-processor fault-tolerant system (ASAP) 2007: leakage aware DVS (AHS), multi-core system scheduling (McSoC) 2013: temperature-aware DVS (ASAP)
  - Dr. Gang Qu (gangqu@umd.edu)

eshSec Lab

- 1997: variable voltage processor scheduling
- 1998: M.S. thesis, Variable voltage system (DAC), communication pipeline (ICCAD), real-time scheduling (RTSS).
- 2000: Quality-energy tradeoff (ISLPED)
- 2001: limit of energy saving by DVFS (ICCAD)
- 2002: secure sensor network (ASAP)

eshSec Lab

- 2003: multimedia system (ASPDAC, RSP, DAC), probabilistic design (DAC), multi-processor scheduling (EMSOFT), voltage set-up (TCCAD)
- 2004: performance gain vs energy saving (ISCAS), dual-voltage on (m, k)-firm system (CASES)
- 2005: parallelism on multi-processor (ASPDAC)
- 2006: dual-processor fault-tolerant system (ASAP)
- 2007: leakage aware DVS (AHS), multi-core system scheduling (McSoC) 2013: temperature-aware DVS (ASAP)
  - Dr. Gang Qu (gangqu@umd.edu)

- 1997: variable voltage processor scheduling
- 1998: M.S. thesis, Variable voltage system (DAC), communication pipeline (ICCAD), real-time scheduling (RTSS).
- 2000: Quality-energy tradeoff (ISLPED)
- 2001: limit of energy saving by DVFS (ICCAD)
- 2002: secure sensor network (ASAP)

eshSec Lab

- 2003: multimedia system (ASPDAC, RSP, DAC), probabilistic design (DAC), multi-processor scheduling (EMSOFT), voltage set-up (ICCAD)
- 2004: performance gain vs energy saving (ISCAS), dual-voltage on (m, k)-firm system (CASES)
- 2005: parallelism on multi-processor (ASPDAC)
- 2006: dual-processor fault-tolerant system (ASAP)
- 2007: leakage aware DVS (AHS), multi-core system scheduling (McSoC) 2013: temperature-aware DVS (ASAP)

# Solution: Feasible DVS System



Change voltage only when necessary
Change at the maximal rate
Time(s) when voltage changes is calculable

L. Yuan and G. Qu. "What Is the Limit of Energy Saving by Dynamic Voltage Scaling", ICCAD'2001 .

### Voltage Set-up Problem

# For a multiple-voltage DVS system to serve a set of applications  $\{(e_i, d_i, p_i)\}$ : i=1, 2, ..., n} without missing their deadlines, where e: execution time d: deadline, p: probability d; occurs. if the system has m voltages {v1, v2,...,vm} determine the value of each  $v_i$  to minimize the average energy consumption. determine m and the value of each v<sub>i</sub>.

> S. Hua and G. Qu. "Approaching the Maximum Energy Saving on Embedded Systems with Multiple Voltages", ICCAD'2003 .

### Information on Two Applications

| Application | Deadline | Execution<br>Time Probability |      | $V_i^0$ (V) |
|-------------|----------|-------------------------------|------|-------------|
|             |          | 9                             | 0.03 | 3.0564      |
| Α           | 10       | 4                             | 0.18 | 1.8124      |
|             |          | 3                             | 0.39 | 1.5516      |
|             |          | 6                             | 0.04 | 2.6888      |
| В           | 8        | 4                             | 0.10 | 2.0669      |
|             |          | 3                             | 0,12 | 1.7479      |
|             |          | 2                             | 0.14 | 1.4176      |

V<sub>ref</sub> = 3.3v S. Hua and G. Qu. "Voltage Setup Problem for Embedded Systems with Multiple Voltages", TVLSI'2005 .

# Reference Systems

| DVS Systems   | Voltages | Energy |  |
|---------------|----------|--------|--|
| fixed-voltage | 3.0564   | 2.9536 |  |
|               |          |        |  |
|               |          |        |  |
|               |          |        |  |
| ideal         |          | 1.1763 |  |

# DVS with Optimal Voltage Set-ups

| DVS Systems   | Voltages                             | Energy | vs. fixed-<br>voltage | vs. Ideal |
|---------------|--------------------------------------|--------|-----------------------|-----------|
| fixed-voltage | 3.0564                               | 2.9536 | 1                     | +151.1%   |
| dual-voltage  | 3.0564<br>1.8124                     | 1.3833 | - 53.2%               | +17.6%    |
| 3-voltage     | 3.0564<br>2.0688<br>1.5514           | 1.2337 | - 58.2%               | +4.9%     |
| 4-voltage     | 3.0564<br>2.0768<br>1.8119<br>1.5509 | 1.2071 | - 59.1%               | +2.6%     |
| ideal         | -                                    | 1.1763 | -                     |           |

## Circuit Timing Issues by DVS



P. Qiu, et al, "VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies", CCS'2019.

2sh

### Multi-core DVFS Framework



Ideal: each core has its own voltage and frequencyReality: all cores share the same V and F

eshSec Lab

# **DVFS Working Flow**

- # DVFS driver selects proper V and F
- # Vendor device driver changes V and F registers
- # V and F registers alter the regulator outputs



## Overview of VoltJockey

eshSec Lab

- The attacker procedure and victim procedure are executed on different cores.
- The victim core has a high frequency, but all the other cores have a low frequency.



## Fault Injection Attacks

eshSec Lab

DVFS is an effective way to generate faults
The challenge is when and where to create the faults



# Short History of VoltJockey



Dr. Gang Qu (gangqu@umd.edu)

eshSec Lab

### VoltJockey



#### Impact

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data.

#### Vulnerability Scoring Details

CVE CVE-2019-11157

7.9 (HIGH)

Score

Session 2A: Side Channels I

eshSec Lab

CCS '19, November 11–15, 2019, London, United Kingdom

#### VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies

Pengfei Qiu<sup>1,2,3</sup>, Dongsheng Wang<sup>1,2</sup>, Yongqiang Lyu<sup>2\*</sup>, Gang Qu<sup>3</sup>

We validate VoltJockey on an ARM-based *Krait* processor by breaking AES and RSA in TrustZone. The experiments successfully obtain the encryption key of AES and load untrusted applications into TrustZone by invalidating the RSA verification.



### VoltJockey



eshSec Lab

#### Impact

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data.

#### Vulnerability Scoring Details

CVE

CVE-2019-11157

7.9 (HIGH)

Score

The way the gal the way the gal the way the

### VoltJockey: Breaking SGX by Software-Controlled Voltage-Induced Hardware Faults

Pengfei Qiu<sup>1,2,3</sup>, Dongsheng Wang<sup>1,2</sup>, Yongqiang Lyu<sup>2\*</sup>, Gang Qu<sup>3</sup>

- 2) We propose a hardware fault attack based on our developed kernel module. To the best of our knowledge, unlike the existing attacks on SGX, this is the first fault injection attack that does not rely on any software vulnerability.
- 3) We apply the proposed attack on a commercial Intel processor with AES running in the enclave and successfully obtain the encryption key.

(intel)

# Lightning

### Lightning: Striking the Secure Isolation on GPU Clouds with Transient Hardware Faults



- We propose the *Lightning*, the method based on DVFS faults which not only degrades model accuracy, but also leads the model to misclassify inputs to our desired inference output (targeted attack).
- We verify the method on three commodity Nvidia GPUs and show that *Lightning* can reduce CNN accuracy on MNIST, CIFAR-10, and Yale face data sets by 64.5% on average, and achieves a 67.9% success rate for the targeted attack on Lenet-5 model.

eshSec Lab



**NVIDIA** 

Figure 3: The exploitation of the DVFS-related defects. The exploitation procedure takes four steps to complete the process: ① configure CPU and GPU with a safe voltage and frequency; ② wait for the fault injection points; ③ create low-voltage or high-frequency glitches to induce faults into the GPU; ④ recover the safe voltage and frequency for the GPU.

# DVS for Device Authentication



# What is Model Inversion Attack?



eshSec Lab

M. Fredrikson et al, Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures, CCS, 2015.

# What is Model Inversion Attack?

### # Training data: b&w images of 40 people.



eshSec

M.T. Arafin, Q. Xu, and G. Qu, "MIDAS: Model Inversion Defenses using an Approximate Memory System", AsianHOST'2020.

### MIDAS Approach

eshSec



M.T. Arafin, Q. Xu, and G. Qu, "MIDAS: Model Inversion Defenses using an Approximate Memory System", AsianHOST'2020.

## Protection with MIDAS

eshSec

### # Training data: b&w images of 40 people.

M.T. Arafin, Q. Xu, and G. Qu, "MIDAS: Model Inversion Defenses using an Approximate Memory System", AsianHOST'2020.

### Conclusion

shSec Lab

- DVFS will evolve, but will not die
- # More applications, devices, greedy human nature → higher power/energy demand
- # Security and privacy are emerging
  - CLKscrew, Plundervolt, VOLTpwn
  - cover channel (DVFSspy)
  - side-channel attacks (PLATYPUS), ...
- # Holistic approach is needed:
  - Circuit, memory, architecture, OS, application, networking, human, ...

# VoltJockey + Lightning



#### Impact

Successful exploitation of this vulnerability could lead to dis sensitive information, addition or modification of data.

### Vulnerability Scoring Details

CVE

Score

CVE-2019-11157

7.9 (HIGH)

P. Qiu, D. Wang, Y. Lyu, and G. Qu, "VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies", CCS'2019.

P. Qiu, D. Wang, Y. Lyu, and G. Qu, "VoltJockey: Breaking SGX by Software-Controlled Voltage-Induced Hardware Faults", AsianHOST'2019. (Best paper award)

#### MeshSec Lab

Dr. Gang Qu (gangqu@umd.edu)



