FAULTLESS: Flexible and Transparent Fault Protection for Superscalar RISC-V Processors

Abstract

Fault injection (FI) attacks pose a significant threat to the reliability and security of devices. They can cause data or control-flow corruption, leading to system failure or allowing malicious attackers to steal secret data or leak cryptographic keys. To protect against faults, many vendors extend their processors with lockstep capabilities, which require either dedicated hardware duplication or a reconfigurable second core that can act as a shadow core. The former causes a large hardware overhead while the latter requires an inflexible configuration during boot time with additional implications for software design. Software-based fault protection requires recompilation of existing code with custom compilers, which introduces compatibility issues. This paper presents Faultless: A fault protection mechanism that transparently performs hardware-based instruction duplication and utilizes the existing redundancy in superscalar processors. Contrary to lockstep approaches, our design facilitates a flexible protection approach with marginal hardware overhead that allows developers to toggle the fault protection during runtime, providing a choice between security and performance. The design is fully transparent and compatible with preexisting binaries. We implement our prototype based on the VeeR EH1 RISC-V processor and show that, when active, our fault protection generates an average performance overhead between 32% and 79%, depending on the hardware configuration. Non-critical applications can deactivate the feature and run without any overheads. On an Artix-7 FPGA, our hardware modifications incur a minimal overhead of 3.5% for LUTs and 2.8% for flip-flops.

Publication
Detection of Intrusions and Malware, and Vulnerability Assessment - 22nd International Conference
Robert Schilling
Silicon Engineer

Silicon engineer working on platform security for custom silicon. Previously led OpenTitan Integrated development at Rivos. Research background in hardware-software codesign for fault attack protection.