Nicolas Moro,Amine Dehbaoui,Karine Heydemann,Bruno Robisson,Emmanuelle Encrenaz

DOI: https://doi.org/10.48550/arXiv.1402.6421

2014-02-26

Cryptography and Security

Abstract:Injection of transient faults as a way to attack cryptographic implementations has been largely studied in the last decade. Several attacks that use electromagnetic fault injection against hardware or software architectures have already been presented. On microcontrollers, electromagnetic fault injection has mostly been seen as a way to skip assembly instructions or subroutine calls. However, to the best of our knowledge, no precise study about the impact of an electromagnetic glitch fault injection on a microcontroller has been proposed yet. The aim of this paper is twofold: providing a more in-depth study of the effects of electromagnetic glitch fault injection on a state-of-the-art microcontroller and building an associated register-transfer level fault model.

Thomas Trouchkine,Sébanjila Kevin Bukasa,Mathieu Escouteloup,Ronan Lashermes,Guillaume Bouffard

DOI: https://doi.org/10.48550/arXiv.1910.11566

2019-10-25

Cryptography and Security

Abstract:Electromagnetic fault injection (EMFI) is a well known technique used to disturb the behaviour of a chip for weakening its security. These attacks are mostly done on simple microcontrollers. On these targets, the fault effects are relatively simple and understood. Exploiting EMFI on modern system-on-chips (SoCs), the fast and complex chips ubiquitous today, requires to understand the impact of such faults. In this paper, we propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the SoC micro-architecture. On our targeted SoC (a BCM2837), the observed behaviours are radically different to what were obtained with state-of-the-art fault injection attacks on microcontrollers. SoC subsystems (L1 caches, L2 cache, memory management unit (MMU)) can be individually targeted leading to new fault models. We also highlight the differences in the fault impact with and without an operating system (OS). This shows the importance of the software layers in the exploitation of a fault. With this work, we demonstrate that the complexity and the speed of SoCs do not protect them against hardware fault attacks. To conclude our work, we introduce countermeasures to protect the SoC caches and MMU against EMFI attacks based on the disclosed faults effects.

Enrico Magliano,Alessio Carpegna,Alessadro Savino,Stefano Di Carlo

2024-06-11

Abstract:In contemporary times, the increasing complexity of the system poses significant challenges to the reliability, trustworthiness, and security of the SACRES. Key issues include the susceptibility to phenomena such as instantaneous voltage spikes, electromagnetic interference, neutron strikes, and out-of-range temperatures. These factors can induce switch state changes in transistors, resulting in bit-flipping, soft errors, and transient corruption of stored data in memory. The occurrence of soft errors, in turn, may lead to system faults that can propel the system into a hazardous state. Particularly in critical sectors like automotive, avionics, or aerospace, such malfunctions can have real-world implications, potentially causing harm to individuals. This paper introduces a novel fault injector designed to facilitate the monitoring, aggregation, and examination of micro-architectural events. This is achieved by harnessing the microprocessor's PMU and the debugging interface, specifically focusing on ensuring the repeatability of fault injections. The fault injection methodology targets bit-flipping within the memory system, affecting CPU registers and RAM. The outcomes of these fault injections enable a thorough analysis of the impact of soft errors and establish a robust correlation between the identified faults and the essential timing predictability demanded by SACRES.

Hardware Architecture,Artificial Intelligence

Vanthanh Khuat,Jean-Max Dutertre,Jean-Luc Danger

DOI: https://doi.org/10.1016/j.microrel.2024.115370

IF: 1.6

2024-03-25

Microelectronics Reliability

Abstract:In this work, we proposed two software countermeasures (CMs) for the detection of multiple instructions skips caused by Fault Injection (FI). The first CM is based on code duplication and uses a hardware dedicated counter. The implementation of this method consists in the duplication of instructions previously turned into an idempotent form and the insertion of dedicated instructions incrementing a hardware counter in between the groups of duplicated instructions. The second CM is based on the insertion of Sensitive instruction (SI)s into a block of instructions as sensors of instruction skips. The SI is chosen based on the observed Fault Model (FM) at bit level. We experimentally validated the effectiveness of the two CMs in a 32-bit Microcontroller Unit (MCU) using Laser Fault Injection (LFI) and Electromagnetic Fault Injection (EMFI). First, the skip of multiple instructions was obtained with a fault rate of 100%. The FM at bit level was identified to be bit-reset rather than bit-set. Second, we carried out LFI and EMFI experiments to the protected codes to validate the effectiveness of the CMs. In both cases, the results showed that the proposed methods are effective to detect multiple instructions skip faults.

engineering, electrical & electronic,nanoscience & nanotechnology,physics, applied

Clement Gaine,Pierre-Alain Moellic,Olivier Potin,Jean-Max Dutertre

DOI: https://doi.org/10.48550/arXiv.2308.16665

2023-08-31

Cryptography and Security

Abstract:With the large-scale integration and use of neural network models, especially in critical embedded systems, their security assessment to guarantee their reliability is becoming an urgent need. More particularly, models deployed in embedded platforms, such as 32-bit microcontrollers, are physically accessible by adversaries and therefore vulnerable to hardware disturbances. We present the first set of experiments on the use of two fault injection means, electromagnetic and laser injections, applied on neural networks models embedded on a Cortex M4 32-bit microcontroller platform. Contrary to most of state-of-the-art works dedicated to the alteration of the internal parameters or input values, our goal is to simulate and experimentally demonstrate the impact of a specific fault model that is instruction skip. For that purpose, we assessed several modification attacks on the control flow of a neural network inference. We reveal integrity threats by targeting several steps in the inference program of typical convolutional neural network models, which may be exploited by an attacker to alter the predictions of the target models with different adversarial goals.

Donald E. Owen,Jithin Joseph,Jim Plusquellic,Tom J. Mannos,Brian Dziki

DOI: https://doi.org/10.3390/cryptography6030038

2022-08-03

Cryptography

Abstract:Advanced, superscalar microprocessors (μP) are highly susceptible to wear-out failures because of their highly complex, densely packed circuit structure and extreme operational frequencies. Although many types of fault detection and mitigation strategies have been proposed, none have addressed the specific problem of detecting faults that lead to information leakage events on I/O channels of the μP. Information leakage can be defined very generally as any type of output that the executing program did not intend to produce. In this work, we restrict this definition to output that represents a security concern, and in particular, to the leakage of plaintext or encryption keys, and propose a counter-based countermeasure to detect faults that cause this type of leakage event. Fault injection (FI) experiments are carried out on two RISC-V microprocessors emulated as soft cores on a Xilinx multi-processor System-on-chip (MPSoC) FPGA. The μP designs are instrumented with a set of counters that records the number of transitions that occur on internal nodes. The transition counts are collected from all internal nodes under both fault-free and faulty conditions, and are analyzed to determine which counters provide the highest fault coverage and lowest latency for detecting leakage faults. We show that complete coverage of all leakage faults is possible using only a single counter strategically placed within the branch compare logic of the μPs.

Bo Wang,Leibo Liu,Chenchen Deng,Min Zhu,Shouyi Yin,Shaojun Wei

DOI: https://doi.org/10.1109/tifs.2016.2518130

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the increasing accuracy of fault injections, it has become possible to inject two faults into specific circuit regions precisely at a certain time. Unfortunately, most existing fault attack countermeasures are based on the single fault assumption, and it is, therefore, very difficult to resist double fault attacks. Reconfigurable array architecture (RAA) has the ability to introduce spatial and time randomness by dynamic reconfiguration, which can alleviate the threat of double fault attacks. This paper, for the first time, analyzes the double fault attack issues in the fault injection phase systematically. An evaluation model, named injection effort model (IEM), is proposed to quantify the efforts of a successful fault injection. In IEM, the real injection process is described mathematically using the probability method, so that a theoretical basis can be provided for the corresponding countermeasure design. Based on the concept of spatial and time randomization, three countermeasures are implemented on RAA for the purpose of decreasing the implementation overhead under the premise of ensuring the security. When these countermeasures are adopted, tradeoffs can be made between the double fault resistance and the extra overhead through changing the degree of randomness. Experiments are carried out to analyze the relationship between the resistance and the overhead using Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Camellia. When the overhead constraints in terms of throughput, hardware resources, and energy are 5%, 35%, and 10% respectively, the double fault resistance can increase by two to four orders of magnitude (ranging from 824 to 10 149 for different algorithms).

Ihab Alshaer,Gijs Burghoorn,Brice Colombier,Christophe Deleuze,Vincent Beroulle,Paolo Maistri

DOI: https://doi.org/10.1007/s13389-024-00352-6

2024-04-25

Journal of Cryptographic Engineering

Abstract:With the increasing complexity of embedded systems, the use of variable-length instruction sets has become essential, so that higher code density and better performance can be achieved. Security aspects are closely linked, considering the continuous improvement of attack techniques and equipment. Fault injection is among the most interesting and rising physical attack techniques. However, hardware designers and software developers lack accurate fault models to evaluate the vulnerabilities of their designs or codes in the presence of such attacks. In this article, we provide a proper characterization, at instruction set architecture (ISA) level, of several faulty behaviors that are experimentally observed when a processor running a variable-length instruction set is targeted. We include the binary encoding of instructions, and show how the obtained behaviors depend on the alignment in memory. Moreover, we give a deeper insight on previous results from the literature, that were still left unexplained. Additionally, we move downward at system level and consider the register-transfer level (RTL) to perform RTL fault simulation; This enables a better understanding of the faults propagation, validate the inferred fault models at ISA level, and reveal the origin of such faults at microarchitectural level. Finally, applying the given fault models leads us to provide vulnerability analysis on three different implementations of AES.

computer science, theory & methods

Idris Somoye,Tom J. Mannos,Brian Dziki,Jim Plusquellic

DOI: https://doi.org/10.1109/tcad.2024.3351592

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The execution behavior of a microprocessor (μP) in the presence of a fault is difficult to predict because of the complex interactions across pipeline stages and between functional units within the architecture. In prior work, we have observed that fault effects do not introduce any type of anomaly in the input-output behavior for 10s of thousands to millions of clock cycles. These characteristics increase the difficulty of evaluating μP architectures for resilience to information leakage events, i.e., scenarios where a fault causes sensitive data such as an encryption key to be inadvertently diverted to a primary output channel. In this paper, we use an accelerated fault emulation platform implemented on a Xilinx ZCU102 board to evaluate an ASIC implementation of the Potato RISC-V μP for information leakage events as faults from several different classes are introduced. The effectiveness and latency associated with a set of self-assertion-based countermeasures, that perform simple consistency checks on instructions and datapath values, are investigated. The countermeasures are characterized as dynamic verification (or as a continuous symptom monitor) because detection occurs during program execution. The detection and latency results of the self-assertion-based countermeasures are compared against a periodic counter-based countermeasure proposed in previous work.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Pablo Rauzy,Sylvain Guilley

DOI: https://doi.org/10.48550/arXiv.1412.0600

2014-12-02

Abstract:In this paper we study the existing CRT-RSA countermeasures against fault-injection at-tacks. In an attempt to classify them we get to achieve deep understanding of how they work. We show that the many countermeasures that we study (and their variations) actually share a number of common features, but optimize them in different ways. We also show that there is no conceptual distinction between test-based and infective countermeasures and how either one can be transformed into the other. Furthermore, we show that faults on the code (skipping instructions) can be captured by considering only faults on the data. These intermediate results allow us to improve the state of the art in several ways: (a) we fix an existing and that was known to be broken countermeasure (namely the one from Shamir); (b) we drastically optimize an existing countermeasure (namely the one from Vigilant) which we reduce to 3 tests instead of 9 in its original version, and prove that it resists not only one fault but also an arbitrary number of randomizing faults; (c) we also show how to upgrade countermeasures to resist any given number of faults: given a correct first-order countermeasure, we present a way to design a prov-able high-order countermeasure (for a well-defined and reasonable fault model). Finally, we pave the way for a generic approach against fault attacks for any modular arithmetic computations, and thus for the automatic insertion of countermeasures.

Cryptography and Security

Yuta FUKUDA,Kota YOSHIDA,Takeshi FUJINO

DOI: https://doi.org/10.1587/transfun.2021cip0015

2022-03-01

Abstract:Deep learning applications have often been processed in the cloud or on servers. Still, for applications that require privacy protection and real-time processing, the execution environment is moved to edge devices. Edge devices that implement a neural network (NN) are physically accessible to an attacker. Therefore, physical attacks are a risk. Fault attacks on these devices are capable of misleading classification results and can lead to serious accidents. Therefore, we focus on the softmax function and evaluate a fault attack using a clock glitch against NN implemented in an 8-bit microcontroller. The clock glitch is used for fault injection, and the injection timing is controlled by monitoring the power waveform. The specific waveform is enrolled in advance, and the glitch timing pulse is generated by the sum of absolute difference (SAD) matching algorithm. Misclassification can be achieved by appropriately injecting glitches triggered by pattern detection. We propose a countermeasure against fault injection attacks that utilizes the randomization of power waveforms. The SAD matching is disabled by random number initialization on the summation register of the softmax function.

computer science, information systems,engineering, electrical & electronic, hardware & architecture

Pantea Kiaei,Cees-Bart Breunesse,Mohsen Ahmadi,Patrick Schaumont,Jasper van Woudenberg

DOI: https://doi.org/10.48550/arXiv.2011.14067

2020-11-28

Abstract:Fault injection attacks can cause errors in software for malicious purposes. Oftentimes, vulnerable points of a program are detected after its development. It is therefore critical for the user of the program to be able to apply last-minute security assurance to the executable file without having access to the source code. In this work, we explore two methodologies based on binary rewriting that aid in injecting countermeasures in the binary file. The first approach injects countermeasures by reassembling the disassembly whereas the second approach leverages a full translation to a high-level IR and lowering that back to the target architecture.

Cryptography and Security

Prasanna Ravi,Bolin Yang,Shivam Bhasin,Fan Zhang,Anupam Chattopadhyay

DOI: https://doi.org/10.46586/tches.v2023.i2.447-481

2023-01-01

Abstract:In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide-range of attacks applicable to lattice-based KEMs as well as signature schemes. In particular, we demonstrate novel key recovery and message recovery attacks targeting the key generation and encryption procedure of Kyber KEM. We also propose novel existential forgery attacks targeting deterministic and probabilistic signing procedure of Dilithium, followed by a novel verification bypass attack targeting its verification procedure. All proposed exploits are demonstrated with high success rate using electromagnetic fault injection on optimized implementations of Kyber and Dilithium, from the open-source pqm4 library on the ARM Cortex-M4 microcontroller. We also demonstrate that our proposed attacks are capable of bypassing concrete countermeasures against existing fault attacks on lattice-based KEMs and signature schemes. We believe our work motivates the need for more research towards development of countermeasures for the NTT against fault injection attacks.

Lifeng Hu,Fan Zhang,Ziyuan Liang,Ruyi Ding,Xingyu Cai,Zonghui Wang,Wenguang Jin

DOI: https://doi.org/10.1016/j.cose.2022.103003

IF: 5.105

2023-01-01

Computers & Security

Abstract:With the rise of the concept of Trusted Execution Environments (TEEs), such as Intel Software Guard Extensions (SGX), researchers are prompted to constantly verify its effectiveness. Controlled-channel attacks are proposed to construct side channels against the shielding systems by intentionally provoking page faults. So far, various powerful and noise-free controlled-channel attacks have been introduced. However, there are some challenges encountered in the actual practice of these attacks, e.g., extensive manual effort is always required to analyze the target binary and identify conditional control-flow patterns. In this paper, we present FaultMorse, an automated controlled-channel attack. We adopt a global perspective to analyze the page fault sequence and find a specific recurring pattern that corresponds to some specific instructions in the program. Most of the secret bits can be automatically deduced by analyzing the locations of the recurring pattern in the page fault sequence. Compared to previous works, FaultMorse can reduce the complexity of analysis. We propose a method to control page fault counts to improve the attack performance. We implement our FaultMorse attack on a physical machine and evaluate its effectiveness, universality, and page-fault rate. The experimental results show that for some known vulnerable algorithms, FaultMorse can automatically deduce more than 99% of the secret bits. (C) 2022 Elsevier Ltd. All rights reserved.

Vincent Giraud,Guillaume Bouffard

DOI: https://doi.org/10.48550/arXiv.2305.02855

2023-05-04

Cryptography and Security

Abstract:Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process, a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

Shoei Nashimoto,Daisuke Suzuki,Rei Ueno,Naofumi Homma

DOI: https://doi.org/10.46586/tches.v2022.i1.28-68

2021-11-19

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under crossdevice conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme was validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack.

HanSeop Lim,JongHyeok Lee,Dong-Guk Han

DOI: https://doi.org/10.3390/app10113849

2020-06-01

Applied Sciences

Abstract:Theoretical process of fault injection attacks is defined as a process of recovering a secret key assuming that an attacker can inject faults into a specific targeted operation. Therefore, an artificial triggering is required to execute such an attack. However, when conducting analysis on real devices, artificial triggering needs to rely on a powerful assumption, such as manipulation of internal codes. In this paper, we propose a novel fault injection system using Input/Output (I/O) signals of target devices as a trigger for relaxing an attacker assumption. This system does not require an implementation of artificial triggering as input signals are used as a trigger in transmission of plaintexts for fault injection attacks. As a result, the attacker can perform fault injection attacks concerning the entire encryption process. To decide the fault injection time based on the trigger, the proposed system applies simple power analysis (SPA), employing electromagnetic emission of target devices. Considering that the fault injection time identified by SPA can be relatively vague compared with that obtained using a system based on an artificial triggering, we address this problem by proposing a process to recover the secret key without knowing the byte index of an injected fault.

Thomas Chamelot,Damien Couroussé,Karine Heydemann

DOI: https://doi.org/10.48550/arXiv.2309.02255

2023-09-05

Cryptography and Security

Abstract:Fault injection attacks represent an effective threat to embedded systems. Recently, Laurent et al. have reported that fault injection attacks can leverage faults inside the microarchitecture. However, state-of-the-art counter-measures, hardwareonly or with hardware support, do not consider the integrity of microarchitecture control signals that are the target of these faults. We present MAFIA, a microarchitecture protection against fault injection attacks. MAFIA ensures integrity of pipeline control signals through a signature-based mechanism, and ensures fine-grained control-flow integrity with a complete indirect branch support and code authenticity. We analyse the security properties of two different implementations with different security/overhead trade-offs: one with a CBC-MAC/Prince signature function, and another one with a CRC32. We present our implementation of MAFIA in a RISC-V processor, supported by a dedicated compiler toolchain based on LLVM/Clang. We report a hardware area overhead of 23.8 % and 6.5 % for the CBC-MAC/Prince and CRC32 respectively. The average code size and execution time overheads are 29.4 % and 18.4 % respectively for the CRC32 implementation and are 50 % and 39 % for the CBC-MAC/Prince.

Jiyuan Bai,Xiang Wang,Zikang Zhang,Chang Cai,Gengsheng Chen

DOI: https://doi.org/10.1109/asicon52560.2021.9620299

2021-01-01

Abstract:Soft error protection schemes are indispensable for high-density computing clusters and mission-important devices in radiation environments. To evaluate different fault protection schemes, system designers need an efficient approach to undertake fault injection campaigns during the design phase. In this paper, we propose an RTL-level soft error model and construct a hierarchical emulation-based fault injection system to achieve fast and accurate soft error rate estimations for the design and fault sensitive investigation of complex digital systems, in which the modifications to the device under test can be minimized with the best efforts. We build this new fault injection system on a Xilinx ZCU102 board. Experimental results show that the new system has achieved an up to 72.75×speedup compared with simulation-based fault injection systems and has only less than one clock cycle delay for fault injection, which is much faster than peer works based on dynamic partial reconfiguration technology.

Marvin Saß,Richard Mitev,Ahmad-Reza Sadeghi

DOI: https://doi.org/10.48550/arXiv.2302.06932

2023-03-01

Abstract:Voltage Fault Injection (VFI), also known as power glitching, has proven to be a severe threat to real-world systems. In VFI attacks, the adversary disturbs the power-supply of the target-device forcing the device to illegitimate behavior. Various countermeasures have been proposed to address different types of fault injection attacks at different abstraction layers, either requiring to modify the underlying hardware or software/firmware at the machine instruction level. Moreover, only recently, individual chip manufacturers have started to respond to this threat by integrating countermeasures in their products. Generally, these countermeasures aim at protecting against single fault injection (SFI) attacks, since Multiple Fault Injection (MFI) is believed to be challenging and sometimes even impractical. In this paper, we present {\mu}-Glitch, the first Voltage Fault Injection (VFI) platform which is capable of injecting multiple, coordinated voltage faults into a target device, requiring only a single trigger signal. We provide a novel flow for Multiple Voltage Fault Injection (MVFI) attacks to significantly reduce the search complexity for fault parameters, as the search space increases exponentially with each additional fault injection. We evaluate and showcase the effectiveness and practicality of our attack platform on four real-world chips, featuring TrustZone-M: The first two have interdependent backchecking mechanisms, while the second two have additionally integrated countermeasures against fault injection. Our evaluation revealed that {\mu}-Glitch can successfully inject four consecutive faults within an average time of one day. Finally, we discuss potential countermeasures to mitigate VFI attacks and additionally propose two novel attack scenarios for MVFI.

Cryptography and Security