Cache-Out: Leaking Cache Memory Using Hardware Trojan

Abstract

Data leakage is an important security concern in current systems. Existing data leakage prevention techniques assume that the underlying hardware platform is secure and free from tampering. In this work, we present Cache-Out, a class of system attacks involving hardware compromised with a Trojan embedded in the CPU. We assume that a memory Trojan trigger is present in L1 d-cache and gets activated if one particular address of L1 d-cache is hammered with a particular data pattern for a certain number of times. Once the Trojan is triggered, accessing another address delivers payloads, such as, read disturb, write disturb, retention failure, and information leakage. We mainly exploit the advanced circuit features employed in the peripherals of nanometer cache memories, such as wordline underdrive (WLUD) (prevents read disturb) and negative bitline (NBL) (assists write) for static RAM (SRAM) to deliver the payloads. Simulation indicates that WLUD and NBL manipulation can inject read and write failures, respectively. We also show that WLUD activation during write operation can inject write failure. Furthermore, NBL along with column multiplexing can also be leveraged to steal data. We validated Cache-Out using GEM5 architectural simulator. We propose L1 address obfuscation, read/write verification, scrambling error correcting code (ECC) bits, and trusted ECC as countermeasures. Results indicate that read/write verification incurs 7.56 μm <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> of area and 0.1 μW/91.3 μW of static/dynamic power in 22-nm technology for a 64-bit word size.