Analysis of a fault injection mechanism related to voltage glitches using an on-chip voltmeter by Zussa, Loïc et al.

In this presentation
• Non-invasive fault injections
• Analysis of an injection mechanism: timing constraints violation
• Design, analysis and improvement of a counter-measure

Tclk + Tskew - su 
DclkQ : required time for register’s output to be updated  
DclkQ 
DpMax 
DpMax    : data propagation time through the logic  
Tclk        : clock period Tskew     : little phase distance between two clocks 
su          : setup time : the data have to be stable during this amount of time 












Tclk + Tskew - su 
Tclk >  DclkQ + DpMax - Tskew + su 
DclkQ 
DpMax 
Timing constraints violation 
Tclk <  DclkQ + DpMax - Tskew + su 
If DpMax  increase a fault could be injected : 
10 
Static under-powering leads to timing constraint violation by increasing the calculation times of all the calculation rounds

circuit make the calculation times longer

A fault is injected in the most critical one due to timing constraint violation

Transient under-powering also leads to timing constraint violation by increasing the calculation time of a specific round

Most of the time a fault is injected in the targeted round due to timing constraint violation

Low temporal accuracy due to signal filtering?

Transient over-powering also leads to fault injection

On-chip voltmeter:
• To observe the voltage inside the circuit
• To understand the fault injection mechanism related to positive voltage glitches

“Sensing nanosecond-scale voltage attacks and natural transients in FPGAs” - FPGA 2013
ZICK, Kenneth M.; SRIVASTAV, Meeta; ZHANG, Wei

• Voltmeter
  Principle and implementation
• Internal disturbances observation
  Fault injection characterization
• Internal disturbances shaping

A delay-meter
[Figure labels: CLK, delay, core voltage vdd = 1,2 Volt, then core voltage vdd = 1,0 Volt]
Propagation times increase when the core voltage decreases
Measuring a propagation time is equivalent to measuring the core voltage

Time to digital converter
[Figure labels: CLK, delay, ∆d, core voltage vdd = 1,2 Volt]
The time-to-digital converter measures a phase distance between two signals
delay + 2 * ∆d < clock period

When undergoing a glitch injection
delay + 2 * ∆d < clock period
delay + 3 * ∆d > clock period
code = '1110'

Core voltage vdd = 1,0 Volt:
delay + 1 * ∆d < clock period
code = '1100'

[Figure labels: D flip-flops (D, Q), CLK, vdd, binary code]

Library : voltage <> code
[Plot: binary code against voltage variations]
2 “linear” zones => resolution ~ 0,07V
1 “blind” zone
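
The delay-meter and time-to-digital converter described above, as an added behavioural model in Python (not code from the presentation or from the cited FPGA 2013 paper). The clock period, ∆d value and linear delay model are constructed assumptions chosen so that 1,2 Volt gives '1110' and 1,0 Volt gives '1100' as on the slides; the resulting library is not the authors' calibration.

```python
# Added example: behavioural model of the delay-line voltmeter.
# All numeric values are constructed assumptions, not measured data.
CLOCK_PERIOD_PS = 10_000   # assumed sampling clock period
DELTA_D_PS = 500           # assumed tap spacing (the slides' ∆d)
TAPS = 4                   # code width shown on the slides


def delay_ps(vdd_mv):
    """Assumed linear delay model: propagation time grows as vdd drops."""
    return 8_750 + 5 * (1_200 - vdd_mv) // 2


def tdc_code(delay, period=CLOCK_PERIOD_PS, delta_d=DELTA_D_PS, taps=TAPS):
    """Bit k is '1' when delay + k*∆d < clock period (thermometer code)."""
    return "".join("1" if delay + k * delta_d < period else "0"
                   for k in range(taps))


def build_library(v_min_mv=800, v_max_mv=1_400, step_mv=10):
    """Calibration sweep: map each code to the (lowest, highest) vdd giving it."""
    library = {}
    for mv in range(v_min_mv, v_max_mv + 1, step_mv):
        code = tdc_code(delay_ps(mv))
        lo, hi = library.get(code, (mv, mv))
        library[code] = (min(lo, mv), max(hi, mv))
    return library


def codes_to_waveform(codes, library):
    """Translate sampled codes into vdd intervals; None = code not in library."""
    return [library.get(code) for code in codes]


def disturbed_samples(codes, nominal_code):
    """Indices of samples whose code departs from the nominal-voltage code."""
    return [i for i, code in enumerate(codes) if code != nominal_code]


if __name__ == "__main__":
    lib = build_library()
    nominal = tdc_code(delay_ps(1_200))
    trace = ["1110", "1110", "1100", "1000", "1111", "1110"]  # constructed samples
    for i, interval in enumerate(codes_to_waveform(trace, lib)):
        print(i, trace[i], interval)
    print("disturbed:", disturbed_samples(trace, nominal))
```

Each code maps to a voltage interval rather than a single value, so the width of that interval is the resolution of the voltmeter in this model.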

4 voltmeters implemented: different delays due to within-die process variations
Only one “linear” zone => improved resolution
No “blind” zone
Library : voltage <> code
[Plot: binary code against voltage]

[Figure labels: Code, Voltage, Waveform, Known injected glitch]

Pulse generator variables:
1. DC offset (Volts)
2. Amplitude (Volts)
3. Width (ns)

Glitches injection setup

Negative voltage glitch : what I expected
Filtered signal due to the input capacitances
[Figure label: 400 ns]

Negative voltage glitch : what it is !
are due to the rising/falling edges of the injected voltage
[Figure labels: 400 ns, 0,4 Volt]

injection also produce negative disturbances due to the rising/falling

mechanism could also be related to timing constraint violation ?
[Figure label: 400 ns]

Fault injection target
Target: AES 128bit - 100MHz
Fault injection synchronization

Injected glitch
DC offset from 1,4 to 1,1 Volts
Delay from 170 to 330 ns

Fault injection protocol
AES 128bit : 11 rounds - 100MHz
DC offset from 1,4 to 1,1 Volts
[Figure sequence over the following slides: expected cipher text, unexpected cipher text, expected cipher text]

Negative voltage glitch characterization
R3 wasn't faulted
The negative disturbance is too large
Faults were injected in R2 or R4 first
?

Positive voltage glitch characterization
R3 was faulted BUT R6 wasn't !
?

Injected faults comparison
(-14V | 400ns)    (+14V | 400ns)
Same injected faults
Same fault injection mechanism
Different temporal accuracy

Positive oscillations
due to the falling edge

Negative oscillations
due to the rising edge

Injected faults comparison
(-14V | 100ns) : compensation    (+8V | 50ns) : synchronization
Same injected faults    Same temporal accuracy
? ?

due to the falling edge is
by the positive oscillation due to the rising edge

Two significant oscillations

Injected faults comparison
(-22V | 10ns) : sharping
• A short glitch to shorten the first oscillation

Fault injection mechanism & glitch shaping

Effective disturbances are damped oscillations due to the rising and falling edges of the injected glitch

Negative and positive glitches share the same fault injection mechanism: timing constraint violation

Damped oscillations due to the rising and falling edges of one or several

880 route de Mimet 13541 Gardanne - FRANCE 
