PicoEMP: A Low-Cost EMFI Platform Compared to BBI and Voltage Fault Injection using TDC and External VCC Measurements

Electromagnetic Fault Injection (EMFI) has been demonstrated to be useful for both academic and industrial research. Due to the dangerous voltages involved, most work is done with commercial tools. This paper introduces a safety-focused low-cost and open-source design that can be built for less than \$50 using only off-the-shelf parts. The paper also introduces an iCE40 based Time-to-Digital Converter (TDC), which is used to visualize the glitch inserted by the EMFI tool. This demonstrates the internal voltage perturbations between voltage, body biasing injection (BBI), and EMFI all result in similar waveforms. In addition, a link between an easy-to-measure external voltage measurement and the internal measurement is made. Attacks are also made on a hardware AES engine, and a soft-core RISC-V processor, all running on the same iCE40 FPGA. The platform is used to demonstrate several aspects of fault injection, including that the spatial positioning of the EMFI probe can impact the glitch strength, and that the same physical device may require widely different glitch parameters when running different designs

Fault Injection using Crowbars on Embedded Systems

Causing a device to incorrectly execute an instruction or store faulty data is well-known strategy for attacking cryptographic implementations on embedded systems. One technique to generate such faults is to manipulate the supply voltage of the device. This paper introduces a novel technique to introduce those supply voltage manipulations onto existing digital systems, requiring minimal modifications to the device being attacked. This uses a crowbar to short the power supply for controlled periods of time. High-accuracy faults are demonstrated on the 8-bit AVR microcontroller, which can generate both single and multi-bit faults with high repeatability. Additionally this technique is demonstrated on a FPGA where it is capable of generating faults in both internal registers and the configuration fabric

A Unified Formalism for Physical Attacks

Technical reportThe security of cryptographic algorithms can be considered in two contexts. On the one hand, these algorithms can be proven secure mathematically. On the other hand, physical attacks can weaken the implementation of an algorithm yet proven secure. Under the common name of physical attacks, different attacks are regrouped: side channel attacks and fault injection attacks. This paper presents a common formalism for these attacks and highlights their underlying principles. All physical attacks on symmetric algorithms can be described with a 3-step process. Moreover it is possible to compare different physical attacks, by separating the theoretical attack path and the experimental parts of the attacks

Super-precision programmable current source for coil/magnet actuators

This thesis describes the design and development of a super-precision programmable current source that can deliver up to about ±100 rnA to an inductive load. The load is intended typically to be a coil in a coil/magnet actuator that provides a force which is proportional to the current, and results in a linear and well defined movement of an elastic flexure mechanism. The particularly demanding application of long-range x-ray interferometry required two tracking current sources that offered a resolution to better than 1 part in 500,000 and this could not be satisfied by commercially available instruments. Consequently it was necessary to design, construct and test two identical supplies (or drives); a non-trivial and very demanding task since exceptionally slow drives scans needed to be accommodated. Temporal stability is therefore critical. Although the operational bandwidth can be kept small, noise up to over 1 kHz must be rigorously suppressed to avoid exciting resonances in the system being driven. Commercial 20-bit digital-to-analogue converters could not be utilised to provide a resolution of 1 part per million, because they are invariably designed for audio applications and have unacceptable drifts with temperature and time. The integral non-linearity had to be less than ±O.0007% (15 ppm) and the design actually achieves ±O.5 ppm by using an embedded precision analogue-to-digital converter to form a servo-loop within each drive. A desk-top computer (PC) accepts setpoints via a serial communications channel, and simultaneously controls the servo-loops for two drives by the exchange of simple messages via optically isolated links. The major components within each drive are, an embedded 8-bit micro-controller, two DAC's providing coarse and fine voltage settings, a precision voltage-to-current converter, a precision ADC and an ADC which monitors critical nodes, all of which are discussed in considerable detail together with the algorithms and software in the PC and microcontroller. Circuit simulations were an important part of preliminary studies and are presented along with measures of actual performance. It is shown that the drives achieve not only a resolution of 1 ppm but that all other operational parameters are of a similar order. A number of proposals are made for alternative methods which represent the foundations for future work

Étude des techniques d'injection de fautes par violation de contraintes temporelles permettant la cryptanalyse physique de circuits sécurisés

Even if a cryptographic algortihm could be mathematically secure, its physical implementation could be targeted by several attacks. This thesis focus on time-based fault injection mechanisms used for physical cryptanalysis of secure circuits.First, practical fault injections have been performed on a hardware AES implementation using non-invasive attacks : static and dynamic variations of the power supply voltage, frequency, temperature and electromagnetic environement. Then a comparison of these obtained faults led us to conclude that these different injection means share a common injection mecanism : timing constraints violations.An on-chip voltmeter has been designed and implemented to observe internal disturbences due to voltage glitchs. These observations led to a better understanding of the fault injection mecanism and to a better temporal accuracy.Then, a contermeasure has been designed and its effectiveness against electromagnetic attacks has been studied. Because of the electromagnetic pulses local effects, the aera effectively protected by the countermeasure is limited. The implementation of several countermeasures has been considered in order to extend the protected aera.Finally, a new attack path using the countermeasure detection threshold variations has been proposed and experimentaly validated. This attack exploit the electrical coupling between the AES and the coutnermeasure. Because of this coupling the countermeasure sensitivity variations are related to data handled by the AES.Si un algorithme cryptographique peut être mathématiquement sûr, son implémentation matérielle quant à elle est souvent la cible de nombreuses attaques. Cette thèse porte sur l'étude des mécanismes d'injection de fautes pouvant permettre une cryptanalyse physique des circuits sécurisés et sur la conception de contre-mesures matérielles pour empêcher ces attaques.Dans un premier temps une mise en pratique d'injection de fautes sur une implémentation matérielle de l'AES a été menée à l'aide d'attaques physiques : variations statiques et dynamiques de la tension, de la fréquence, de la température et de l'environnement électromagnétique. La comparaison des fautes injectées nous a permis de conclure que ces différentes attaques partagent un mécanisme d'injection identique : la violation de contraintes temporelles.La conception et l'implémentation d'un voltmètre intégré nous a permis d'observer les perturbations internes dues aux attaques par variations transitoires de la tension. Ces observations ont permis une meilleure compréhension du mécanisme d'injection de fautes associé et une amélioration de la précision temporelle de ces injections.Ensuite, un détecteur a été implémenté et son efficacité face à des attaques électromagnétiques a été étudiée. Du fait de la localité spatiale de ces attaques, la zone effectivement protégée par le détecteur est limitée. Une implémentation de plusieurs détecteurs a été suggérée.Enfin, un nouveau chemin d'attaque exploitant la sensibilité du détecteur a été proposé et validé expérimentalement

An Update on Power Quality

Power quality is an important measure of fitness of electricity networks. With increasing renewable energy generations and usage of power electronics converters, it is important to investigate how these developments will have an impact to existing and future electricity networks. This book hence provides readers with an update of power quality issues in all sections of the network, namely, generation, transmission, distribution and end user, and discusses some practical solutions

Analysis and modeling methods for predicting functional robustness of integrated circuits during fast transient events

La miniaturisation des circuits intégrés se poursuit de nos jours avec le développement de technologies toujours plus fines et denses. Elle permet une intégration des circuits toujours plus massive, avec des performances plus élevées et une réduction des coûts de production. La réduction de taille des circuits s'accompagne aussi d'une augmentation de leur sensibilité électrique. L'électronique automobile est un acteur majeur dans la nouvelle tendance des véhicules autonomes. Ce type d'application a besoin d'analyser des données et d'appliquer des actions sur le véhicule en temps réel. L'objectif à terme est d'améliorer la sécurité des usagers. Il est donc vital de garantir que ces modules électroniques pourront effectuer leurs tâches correctement malgré toutes les perturbations auxquelles ils seront exposés. Néanmoins, l'environnement automobile est particulièrement sévère pour l'électronique. Parmi tous les stress rencontrés, les décharges électrostatiques (ESD - Electrostatic Discharge) sont une importante source d'agression électrique. Ce type d'évènement très bref est suffisamment violent pour détruire des composants électroniques ou les perturber pendant leur fonctionnement. Les recherches présentées ici se concentrent sur l'analyse des défaillances fonctionnelles. À cause des ESD, des fonctions électroniques peuvent cesser temporairement d'être opérantes. Des méthodes d'analyse et de prédiction sont requises au niveau-circuit intégré afin de détecter des points de faiblesses susceptibles de générer des fautes fonctionnelles pendant l'exposition à un stress électrostatique. Différentes approches ont été proposées dans ce but. Une méthode hiérarchique de modélisation a été mise au point afin d'être capable de reproduire la forme d'onde ESD jusqu'à l'entrée du circuit intégré. Avec cette approche, chaque élément du système est modélisé individuellement puis son modèle ajouté au schéma complet. Un cas d'étude réaliste de défaillance fonctionnelle d'un circuit intégré a été analysé à l'aide d'outils de simulation. Afin d'obtenir plus de données sur cette faute, une puce de test a été développée, contenant des structures de surveillance et de mesure directement intégrées dans la puce. La dernière partie de ce travail de recherche est concentrée sur le développement de méthodes d'analyse dans le but d'identifier efficacement des fautes par simulation. Une des techniques développées consiste à modéliser chaque bloc d'une fonction individuellement puis permet de chaîner ces modèles afin de déterminer la robustesse de la fonction complète. La deuxième méthode tente de construire un modèle équivalent dit boite-noire d'une fonction de haut-niveau d'un circuit intégré. Ces travaux de recherche ont mené à la mise au point de prototypes matériels et logiciels et à la mise en évidence de points bloquants qui pourront constituer une base pour de futurs travaux.Miniaturization of electronic circuits continues nowadays with the more recent technology nodes being applied to diverse fields of application such as automotive. Very dense and small integrated circuits are interesting for economic reasons, because they are cheaper to manufacture in mass and can pack more functionalities with elevated performances. The counterpart of size reduction is integrated circuits becoming more fragile electrically. In the automotive world, the new trend of fully autonomous driving is seeing tremendous progress recently. Autonomous vehicles must take decisions and perform critical actions such as braking or steering the wheel. Those decisions are taken by electronic modules, that have now very high responsibilities with regards of our safety. It is important to ensure that those modules will operate no matter the kind of disturbances they can be exposed to. The automotive world is a quite harsh environment for electronic systems. A major source of electrical stress is called the Electrostatic Discharge (ESD). It is a very sudden flow of electricity of large amplitude capable of destroying electronic components, or disturb them during their normal operation. This research focuses on functional failures where functionality can be temporarily lost after an ESD with various impact on the vehicle. To guarantee before manufacturing that a module and its components will perform their duty correctly, new analysis and prediction methods are required against soft-failures caused by electrostatic discharges. In this research, different approaches have been explored and proposed towards that goal. First, a modelling method for reproducing the ESD waveforms from the test generator up to the integrated circuit input is presented. It is based on a hierarchical approach where each element of the system is modelled individually, then added to the complete setup model. A practical case of functional failure at silicon-level is analyzed using simulation tools. To acquire more data on this fault, a testchip has been designed. It contains on-chip monitoring structures to measure voltage and current, and monitor function behavior directly at silicon-level. The last part of this research details different analysis methods developed for identifying efficiently functional weaknesses. The methods rely heavily on simulation tools, and prototypes have been implemented to prove the initial concepts. The first method models each function inside the chip individually, using behavioral models, then enables to connect the models together to deduce the full function's robustness. It enables hierarchical analysis of complex integrated circuit designs, to identify potential weak spots inside the circuit that could require more shielding or protection. The second method is focused on constructing equivalent electrical black box models of integrated circuit functions. The goal is to model the IC with a behavioral, black-box model capable of reproducing waveforms in powered conditions during the ESD. In summary, this research work has led to the development of several hardware and software prototypes. It has also highlighted important modelling challenges to solve in future works to achieve better functional robustness against electrostatic discharges