SoC used for the second phase of the 2018 Hack@DAC hardware security competition (https://hack-dac18.trust-sysec.com/). This SoC is a modified version of the PULPissimo SoC, which was created by ETH Zurich and the University of Bologna (https://github.com/pulp-platform/pulpissimo). A collobaration of researchers at Texas A&M University, Technische Universität Darmstadt, and Intel expanded the PULPissimo SoC by adding additional security features and inserting hardware security bugs.
The following bugs were inserted into the SoC:
# | Bug |
---|---|
1 | Address range overlap between peripherals SPI Master and SoC. |
2 | Addresses for L2 memory is out of the specified range. |
3 | Processor assigns privilege level of execution incorrectly from CSR. |
4 | Register that controls GPIO lock can be written to with software. |
5 | Reset clears the GPIO lock control register. |
6 | Incorrect address range for APB allows memory aliasing. |
7 | AXI address decoder ignores errors. |
8 | Address range overlap between GPIO, SPI, and SoC control peripherals. |
9 | Incorrect password checking logic in debug unit. |
10 | Advanced debug unit only checks 31 of the 32 bits of the password. |
11 | Able to access debug register when in halt mode. |
12 | Password check for the debug unit does not reset after successful check. |
13 | Faulty decoder state machine logic in RISC-V core results in a hang. |
14 | Incomplete case statement in ALU can cause unpredictable behavior. |
15 | Faulty logic in the RTC causing inaccurate time calculation for security-critical flows, e.g., DRM. |
16 | Reset for the advanced debug unit not operational. |
17 | Memory-mapped register file allows code injection. |
18 | Non-functioning cryptography module causes DOS. |
19 | Insecure hash function in the cryptography module. |
20 | Cryptographic key for AES stored in unprotected memory. |
21 | Temperature sensor is muxed with the cryptography modules. |
22 | ROM size is too small preventing execution of security code. |
23 | Disabled the ability to activate the security-enhanced core. |
24 | GPIO enable always high. |
25 | Unprivileged user-space code can write to the privileged CSR. |
26 | Advanced debug unit password is hard-coded and set on reset. |
27 | Secure mode is not required to write to interrupt registers. |
28 | JTAG interface is not password protected. |
29 | Output of MAC is not erased on reset. |
30 | Supervisor mode signal of a core is floating preventing the use of SMAP. |
31 | GPIO is able to read/write to instruction and data cache. |
For more information on the bugs, please see doc/Bug_info.xlsx.
To install the SoC, please follow the steps listed in the PULPissimo readme (https://github.com/pulp-platform/pulpissimo/blob/master/README.md).
For any issues with the SoC or any questions, please add an issue to our issue tracker.