HarTBleed: Using Hardware Trojans for Data Leakage Exploits

Data and information leakage is an important security concern in current systems. Several data leakage prevention (DLP) techniques have been proposed in the literature to prevent external as well as internal data leakage. Most of these solutions try to trace data flow and perform privilege checks to ensure the security of the data at the software and system level. Architecture level leakage vulnerabilities such as Spectre and Meltdown can be mitigated by performance-expensive software patches or by modifying the architecture itself. However, these solutions assume that the underlying hardware platform is secure and free from tampering. In this article, we present HarTBleed, a class of system attacks involving hardware compromised with a Trojan embedded in the CPU. We show that attacks crafted specifically to make use of the Trojan can be used to obtain sensitive information from the address space of a process. We propose the use of a capacitor-based Trojan trigger that exploits the virtual addressing of L1 cache to activate a Trojan payload that resets a target translation lookaside buffer (TLB) entry to maliciously map to sensitive data in memory. Extensive circuit simulation indicates that the proposed Trojan trigger is not activated during test or normal operation even under a wide range of process/temperature conditions. Therefore, it remains undetected. A successful HarTBleed-based exploit is demonstrated using an attack code by modeling the Trojan effects in the GEM5 simulator.