soc-security-skills
Audited by Socket on Feb 28, 2026
4 alerts found:
Alert types: Security x2, Obfuscated File x2
This is not malicious code; it is a vulnerability assessment of an unprotected AES-128 hardware engine. The device is highly vulnerable to practical first-order DPA/CPA attacks targeting the first-round S-box output using a Hamming-weight or Hamming-distance leakage model. Expected trace counts are on the order of hundreds to low thousands for unprotected hardware with reasonable measurement equipment. Severity is HIGH/CRITICAL. Immediate mitigations: implement first-order masking and hiding, reduce the time the key resides in accessible registers, and perform TVLA followed by CPA testing to quantify leakage.
The configuration exhibits notable isolation gaps for multi-tenant VFIO/SR-IOV: lack of PCIe switch-level ACS, lazy DMA mode, and ATS disabled collectively raise the risk of cross-VF DMA and TOCTOU exposures. SMMUv3 2-stage translation remains a strong isolation mechanism, but its effectiveness hinges on proper ACS, per-VF IOMMU grouping, and strict DMA paths. Recommended actions: enable ACS at the PCIe switch or enforce per-VF IOMMU domains, set iommu.strict=1, reconsider ATS activation, and validate per-tenant isolation at the IOMMU/group level. Consider verifying HTTU/PRI features and firmware compatibility for stronger boundaries.
Overall assessment indicates a mixed security posture: AES exhibits second-order leakage despite a first-order pass; ECDSA lacks masking on field arithmetic; RSA-4096 has partial data; and overall lab data supports grounded findings for multiple channels. Requires lab-validated assessments for non-assessed operations and mitigations aligned to ISO 17825 and FIPS 140-3 Level 4. Residual risk centers on second-order leakage and unassessed components, necessitating mitigations and formal certification evidence.
Findings: This ROM and platform present high-risk, practical attack surfaces for voltage-glitch fault injection. Primary finding: signature verification bypass via single-instruction skip of the boolean comparison/branch is a primary and realistic attack (attackClass: voltage-glitch). Secondary finding: inducing faults in the ECDSA P-256 scalar multiplication in the hardware crypto accelerator can enable DFA to recover the signing private key or produce forged/accepted signatures. Deterministic boot timing (~50ms), external VDD access, and lack of voltage/clock sensors and instruction redundancy make both attacks feasible with commodity lab equipment and a skilled attacker. Severity: CRITICAL for boot bypass and key compromise. Recommendations: add internal LDO/regulation for secure domain, implement voltage and clock glitch sensors with tamper response, add instruction-flow redundancy or dual independent verification of signatures, consider repeating signature checks and anti-rollback protections, and protect the private signing key/workflow to minimize impact of DFA. Research references: [FROM TRAINING] literature on ECC DFA (Biehl/Meyer/Müller) and practical voltage-glitch instruction-skip attacks.