To simulate FIAs on secure boot and post-quantum cryptographic algorithms, the team in MITHRIL is using open-source instruction set simulators as described in [3, 4]. For both scenarios, the target architecture is RISC-V.
FIA on Secure Boot
Secure boot uses cryptographic signatures to guarantee the authenticity and integrity of software. A common FIA on secure boot is bypassing the signature verification of the software binary. Ultimately, the program's control flow is compromised, and untrusted software can be executed. This effect can usually be achieved by skipping branch or compare instructions. Furthermore, depending on the underlying architecture, a single bit flip can be enough to modify an instruction so that execution follows an insecure code path. Even if the secure boot code does not contain any memory safety vulnerabilities, fault injections can still make it misbehave.
A simplified process of modifying the control flow of the secure boot is shown in figure 6. The source code segment written in C (figure 6a) is compiled to the underlying RISC-V instructions (figure 6b). In the compiled code, it becomes clear where the fault should be injected. With only a single bit flip, the opcode of a branch if not equal (bne) instruction is converted into a branch if equal (beq) instruction (figure 6c). If malicious software is being verified, this will effectively circumvent its signature verification.
In reality, this process is not as straightforward as shown in this example. However, after finding the critical operation, the correct timing, and the precise location to inject the fault, and after many iterations and failed attempts, the real attack will eventually succeed.
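The bne/beq relationship described above can be checked against the RV32I B-type encoding, where the two instructions differ only in bit 12 (the low bit of the funct3 field). The Python sketch below is an added example, not the MITHRIL team's simulator code or the code from figure 6; the instruction word `bne a0, zero, 16` and all function names are constructed for illustration. It classifies every single-bit flip of a branch word, which helps judge which branches in a verification routine need hardening.

```python
# Added example: classify all 32 single-bit flips of one RV32I branch word.
BRANCH_OPCODE = 0x63  # B-type major opcode
BRANCHES = {0: "beq", 1: "bne", 4: "blt", 5: "bge", 6: "bltu", 7: "bgeu"}
INVERSE = {"beq": "bne", "bne": "beq", "blt": "bge",
           "bge": "blt", "bltu": "bgeu", "bgeu": "bltu"}

def encode_branch(funct3, rs1, rs2, offset):
    """Assemble a B-type word; offset is a signed, even byte offset."""
    imm = offset & 0x1FFF
    return (((imm >> 12) & 1) << 31 | ((imm >> 5) & 0x3F) << 25 |
            rs2 << 20 | rs1 << 15 | funct3 << 12 |
            ((imm >> 1) & 0xF) << 8 | ((imm >> 11) & 1) << 7 | BRANCH_OPCODE)

def decode_branch(word):
    """Return (mnemonic, rs1, rs2, offset), or None if not a valid branch."""
    funct3 = (word >> 12) & 7
    if word & 0x7F != BRANCH_OPCODE or funct3 not in BRANCHES:
        return None
    imm = (((word >> 31) & 1) << 12 | ((word >> 7) & 1) << 11 |
           ((word >> 25) & 0x3F) << 5 | ((word >> 8) & 0xF) << 1)
    if imm & 0x1000:  # sign-extend the 13-bit offset
        imm -= 0x2000
    return BRANCHES[funct3], (word >> 15) & 0x1F, (word >> 20) & 0x1F, imm

def classify_flips(word):
    """Map each bit position to the effect of flipping that bit alone."""
    orig = decode_branch(word)
    if orig is None:
        raise ValueError("not a 32-bit branch instruction")
    effects = {}
    for bit in range(32):
        hit = decode_branch(word ^ (1 << bit))
        if hit is None:
            effects[bit] = "no longer a valid branch"
        elif hit[0] == INVERSE[orig[0]]:
            effects[bit] = "condition inverted"
        elif hit[0] != orig[0]:
            effects[bit] = "different comparison"
        elif hit[1:3] != orig[1:3]:
            effects[bit] = "different operand register"
        else:
            effects[bit] = "different branch target"
    return effects

if __name__ == "__main__":
    word = encode_branch(1, 10, 0, 16)  # constructed: bne a0, zero, 16
    for bit, effect in classify_flips(word).items():
        print(f"bit {bit:2d}: 0x{word ^ (1 << bit):08x}  {effect}")
```

For this word, only bit 12 inverts the condition; the remaining flips change the comparison, the operands, the target, or leave something that no longer decodes as a 32-bit branch.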