Analysis of a fault injection mechanism related to voltage glitches using an on-chip voltmeter by Zussa, Loïc et al.
• Loïc ZUSSA
• Jean-Max DUTERTRE
• Jessy CLEDIERE
• Bruno ROBISSON
 
Thesis works
• Non-invasive fault injections
   clock, voltage, temperature, electromagnetic environment
   [Figure: circuit with inputs K and M and output C; a perturbation yields a faulted ciphertext]
• Analysis of an injection mechanism: timing constraints violation
• Design, analysis and improvement of a counter-measure
   [Figure: counter-measure with signals clk, delayed clk, Delay, vdd and alarm]
• Study of new vulnerabilities induced by the counter-measure (side channel)
   [Figure label: Sensitivity variation]

In this presentation
• Non-invasive fault injections
• Analysis of an injection mechanism: timing constraints violation
• Design, analysis and improvement of a counter-measure
• Study of new vulnerabilities induced by the counter-measure (side channel)

Timing constraints
[Figure: two registers, Dffi and Dffi+1, clocked by clk, with n-bit data crossing logic powered by vdd (internal voltage); the timing diagram compares DclkQ + DpMax with Tclk + Tskew - su]

DclkQ : required time for the register's output to be updated
DpMax : data propagation time through the logic
Tclk  : clock period
Tskew : small phase difference between two clocks
su    : setup time : the data have to be stable during this amount of time before the next clock rising edge

Tclk > DclkQ + DpMax - Tskew + su

Timing constraints violation
If DpMax increases, a fault could be injected :
Tclk < DclkQ + DpMax - Tskew + su

Static injections
Static under-powering leads to timing constraint violation by increasing the calculation times of all the calculation rounds
Identical faults injected on an AES using overclocking and underpowering

Note :
Underpowering the circuit makes the calculation times longer
A fault is injected in the most critical one due to timing constraint violation

Dynamic injections
Transient under-powering also leads to timing constraint violation by increasing the calculation time of a specific round
Identical faults injected on an AES using clock and negative voltage glitches

Note :
Most of the time a fault is injected in the targeted round due to timing constraint violation
Low temporal accuracy due to signal filtering ?

Motivations
Transient over-powering also leads to fault injection
But it seems inconsistent with timing constraint violation

On-chip Voltmeter :
• To observe the voltage inside the circuit
• To understand the fault injection mechanism related to positive voltage glitches

"Sensing nanosecond-scale voltage attacks and natural transients in FPGAs" - FPGA 2013
ZICK, Kenneth M. ; SRIVASTAV, Meeta ; ZHANG, Wei
 
Agenda
• Voltmeter
   Principle and implementation
• Internal disturbances observation
   Fault injection characterization
• Internal disturbances shaping
   Fault injection improvement
• Conclusion

A delay-meter
[Figure: CLK passing through a delay powered by the core voltage vdd, shown at 1.2 Volt and then at 1.0 Volt]
Propagation times increase when the core voltage decreases
Measuring a propagation time is equivalent to measuring the core voltage

Time to digital converter
[Figure: CLK passing through the delay and then a chain of ∆d delay elements, at 1.2 Volt core voltage (vdd); one ∆d element is added per step]
The time-to-digital converter measures a phase distance between two signals
delay + 1 * ∆d < clock period
delay + 2 * ∆d < clock period
delay + 3 * ∆d > clock period
 
When undergoing a glitch injection
1.2 Volt = core voltage : vdd
delay + 2 * ∆d < clock period
delay + 3 * ∆d > clock period
code = '1110'
1.0 Volt = core voltage : vdd
delay + 1 * ∆d < clock period
delay + 2 * ∆d > clock period
code = '1100'

Library : voltage <> code
[Figure: chain of D flip-flops clocked by CLK and powered by vdd; plot of the binary code against voltage, annotated 0.5 volt and 0.7 volt]
voltage variations from 0.7 V to 2.5 V, step 0.05 V
2 "linear" zones => resolution ~ 0.07 V
1 "blind" zone

Library : voltage <> code
4 voltmeters implemented : different delays due to within-die process variations
Only one "linear" zone => resolution improvement
No "blind" zone
[Figure: plot of the binary code against voltage]

Acquisition setup
[Figure, built in three steps: a Spartan 3A holds an FSM and the voltmeter (x4), whose code is captured in a shift register at 200 MHz. Step 1: core voltage at nominal voltage. Step 2: a known injected glitch, core voltage unknown (??? Volt). Step 3: the captured codes go over RS-232 to a computer, where the library (code -> voltage) gives the waveform, a view of the effective disturbance.]

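The voltmeter principle of the preceding slides (thermometer code, calibration library, decoding of captured codes) as a behavioural model. This is an added example, not the authors' code: the tap delays, the four staggered base delays and the delay-versus-voltage law are assumptions, chosen so that the model reproduces the '1110' and '1100' codes shown on the slides.

```python
# Added illustration (not the authors' code). Delays and the delay-vs-voltage
# law are constructed assumptions; clock rate and sweep range are from the slides.
T_CLK = 5.0      # ns, 200 MHz sampling clock
V_NOM = 1.2      # V, nominal core voltage
V_TH = 0.4       # V, assumed threshold voltage of the delay model
N_TAPS = 4       # taps per voltmeter, as in the '1110' example
DELTA_D = 1.4    # ns at V_NOM, assumed tap spacing
# Four voltmeters with staggered base delays (assumed), standing in for
# within-die process variations.
BASE_DELAYS = [1.6, 1.95, 2.3, 2.65]


def scale(vdd):
    """Assumed law: delays grow as the overdrive (vdd - V_TH) shrinks."""
    if vdd <= V_TH:
        return float("inf")
    return (V_NOM - V_TH) / (vdd - V_TH)


def tdc_code(vdd, base_delay):
    """Thermometer code: tap k reads '1' if delay + k * delta_d < clock period."""
    s = scale(vdd)
    return "".join(
        "1" if (base_delay + k * DELTA_D) * s < T_CLK else "0"
        for k in range(N_TAPS)
    )


def reading(vdd):
    """Combined reading of the four voltmeters: total number of '1' bits."""
    return sum(tdc_code(vdd, d).count("1") for d in BASE_DELAYS)


def build_library(v_start=0.70, v_stop=2.50, step=0.05):
    """Calibration sweep: reading -> (lowest, highest) voltage producing it."""
    lib = {}
    for i in range(round((v_stop - v_start) / step) + 1):
        v = round(v_start + i * step, 2)
        r = reading(v)
        lo, hi = lib.get(r, (v, v))
        lib[r] = (min(lo, v), max(hi, v))
    return lib


def decode(readings, lib):
    """Captured readings -> voltage intervals (None if unseen in calibration)."""
    return [lib.get(r) for r in readings]
```

In this model a saturated reading (all taps at '1') maps to a wide voltage interval, so the decoder returns intervals rather than single values.
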
Glitches injection setup
Pulse generator variables :
1. DC offset (Volts)
2. Amplitude (Volts)
3. Width (ns)
4. Delay (ns)
[Figure: pulse plotted as voltage against time, with variables 1 to 4 marked]

Negative voltage glitch : what I expected
amplitude : -14V  width : 400ns
Expectation :
Filtered signal due to the input capacitances
[Figure: expected core voltage, annotated 400 ns]

Negative voltage glitch : what it is !
amplitude : -14V  width : 400ns
Observation :
2 sets of damped oscillations
Effective disturbances are due to the rising/falling edges of the injected voltage
[Figure: measured core voltage, annotated 400 ns and 0.4 Volt]

Positive voltage glitch
amplitude : +14V  width : 400ns
Observation :
Positive glitch injection also produces negative disturbances due to the rising/falling edges of the injected voltage
Fault injection mechanism could also be related to timing constraint violation ?
[Figure: measured core voltage, annotated 400 ns]

Fault injection target
Target
AES 128bit - 100MHz
Fault injection synchronization
Trig signal 330 ns before the AES calculation
[Figure: Spartan 3A running the AES, timeline annotated 330ns and 110ns]

Fault injection protocol
AES 128bit : 11 rounds - 100MHz
Injected glitch
   Amplitude (Volts)
   Width (ns)
Variables
   DC offset  from 1.4 to 1.1 Volts
   Delay  from 170 to 330 ns
[Figure: the Spartan 3A sends a trigger to the glitch generator; timeline annotated 330ns and 110ns]

[Figures, six build steps of the same protocol slide: with the AES as target, the glitch generator is triggered for successive values of delay and DC offset, and each run returns either the expected cipher text or an unexpected cipher text]

Negative voltage glitch characterization
amplitude : -14V  width : 400ns
[Figure: faulted round of the AES as a function of delay and DC offset]
Observation :
R3 wasn't faulted
The negative disturbance is too large
Faults were injected in R2 or R4 first

Positive voltage glitch characterization
amplitude : +14V  width : 400ns
[Figure: AES results as a function of delay and DC offset]
Observation :
R3 was faulted BUT R6 wasn't !

Injected faults comparison
(-14V | 400ns) (+14V | 400ns)
Same injected faults
Same fault injection mechanism
Different temporal accuracy

Offsetting
amplitude : -14V  width : 100ns
Observation :
Positive oscillations due to the rising edge COMPENSATE negative oscillations due to the falling edge
Only one significant negative spike
[Figure: measured core voltage, annotated 100 ns]

Addition
amplitude : +8V  width : 50ns
Observation :
Negative oscillations due to the rising edge and due to the falling edge are SYNCHRONIZED
More efficient glitch injection
[Figure: measured core voltage, annotated 50 ns]

Injected faults comparison
(-14V | 100ns) : compensation    (+8V | 50ns) : synchronization
Same injected faults
Same temporal accuracy

Sharpening
amplitude : -22V  width : 10ns
Observation :
Negative oscillation due to the falling edge is SHORTENED (SHARPENED) by the positive oscillation due to the rising edge
More accurate glitch injection
! Two significant oscillations
• unexpected faults can be injected…
[Figure: measured core voltage, annotated 10 ns]

Injected faults comparison
(-22V | 10ns) : sharpening
Same injected faults
Very good temporal accuracy
[Figure annotations: ~90 ns, ~90 ns]

Fault injection mechanism
• A short glitch to shorten the first oscillation
• A long glitch to compensate the remaining oscillations
[Figure: injected voltage and core voltage against time]

Fault injection mechanism & glitch shaping  
Effective disturbances are damped oscillations due to the rising and falling edges of the injected glitch

Negative and positive glitches share the same fault injection mechanism : timing constraint violation

Damped oscillations due to the rising and falling edges of one or several injected glitches can be "superimposed" to shape the effective disturbance
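
An added sketch, not from the original slides, that checks a sampled core-voltage trace against the timing constraint Tclk > DclkQ + DpMax - Tskew + su and lists the clock cycles in which it is broken. The delay values, the delay-versus-voltage law and the ringing waveform are constructed assumptions; only the 100 MHz clock, the 200 MHz sampling, the 400 ns width and the 1.2 V nominal voltage come from the slides.

```python
import math

# Added illustration, not the authors' code. Every delay value, the
# delay-vs-voltage law and the ringing waveform are constructed assumptions.
T_CLK = 10.0                         # ns, 100 MHz AES clock (from the slides)
D_CLKQ, T_SKEW, SU = 0.6, 0.1, 0.3   # ns, assumed
DP_MAX_NOM = 7.5                     # ns at nominal voltage, assumed critical path
V_NOM, V_TH = 1.2, 0.4               # V, nominal core voltage / assumed threshold


def dp_max(vdd):
    """Assumed law: propagation time grows as the overdrive (vdd - V_TH) shrinks."""
    if vdd <= V_TH:
        return math.inf
    return DP_MAX_NOM * (V_NOM - V_TH) / (vdd - V_TH)


def slack(vdd):
    """Tclk - (DclkQ + DpMax - Tskew + su); a negative value is a violation."""
    return T_CLK - (D_CLKQ + dp_max(vdd) - T_SKEW + SU)


def ringing(t, t_edge, sign, amp=0.4, period=60.0, tau=80.0):
    """Damped oscillation launched by one edge of the injected pulse."""
    if t < t_edge:
        return 0.0
    dt = t - t_edge
    return sign * amp * math.exp(-dt / tau) * math.sin(2 * math.pi * dt / period)


def core_voltage(t, polarity, width=400.0):
    """Nominal voltage plus the ringing of the first and second pulse edges."""
    return V_NOM + ringing(t, 0.0, polarity) + ringing(t, width, -polarity)


def cycles_at_risk(polarity, n_cycles=60, sample_ns=5.0):
    """Clock cycles in which a 200 MHz voltmeter sample breaks the constraint."""
    per_cycle = int(T_CLK / sample_ns)
    risky = []
    for c in range(n_cycles):
        samples = [core_voltage(c * T_CLK + k * sample_ns, polarity)
                   for k in range(per_cycle)]
        if slack(min(samples)) < 0:
            risky.append(c)
    return risky
```

With these assumed values both pulse polarities produce cycles below the safe voltage, but at different times: polarity -1 from cycle 0, polarity +1 from cycle 4, once the ringing of the first edge swings negative.
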
 
 
ZUSSA Loïc 
PhD Student 
  
Secure integrated circuits and physical fault injections 
 
zussa@emse.fr 
loic.zussa.fr 
880 route de Mimet 13541 Gardanne - FRANCE 
