Design and validation of a platform for electromagnetic fault injection

Security is acknowledged as one of the main challenges in the design and deployment of embedded circuits. Devices need to operate on-the-field safely and correctly, even when at physical reach of potential adversaries. One of the most powerful techniques to compromise the correct functioning of a device are fault injection attacks. They enable an active adversary to trigger errors on a circuit in order to bypass security features or to gain knowledge of security-sensitive information. There are several methods to induce such errors. In this work we focus on the injection of faults through the electromagnetic (EM) channel. In particular, we document our efforts towards building a suitable platform for EM pulse injection. We design a pulse injection circuit that can provide currents over 20 A to an EM injector in order to generate abrupt variations of the EM field on the vicinity of a circuit. We validate the suitability of our platform by applying a well-know attack on an embedded 8-bit microcontroller implementing the AES block cipher. In particular, we show how to extract the AES secret cryptographic keys stored in the device by careful injection of faults during the encryption operations and simple analysis of the erroneous outputs.Peer ReviewedPostprint (published version

Trick or Heat? Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks

Temperature sensing and control systems are widely used in the closed-loop control of critical processes such as maintaining the thermal stability of patients, or in alarm systems for detecting temperature-related hazards. However, the security of these systems has yet to be completely explored, leaving potential attack surfaces that can be exploited to take control over critical systems. In this paper we investigate the reliability of temperature-based control systems from a security and safety perspective. We show how unexpected consequences and safety risks can be induced by physical-level attacks on analog temperature sensing components. For instance, we demonstrate that an adversary could remotely manipulate the temperature sensor measurements of an infant incubator to cause potential safety issues, without tampering with the victim system or triggering automatic temperature alarms. This attack exploits the unintended rectification effect that can be induced in operational and instrumentation amplifiers to control the sensor output, tricking the internal control loop of the victim system to heat up or cool down. Furthermore, we show how the exploit of this hardware-level vulnerability could affect different classes of analog sensors that share similar signal conditioning processes. Our experimental results indicate that conventional defenses commonly deployed in these systems are not sufficient to mitigate the threat, so we propose a prototype design of a low-cost anomaly detector for critical applications to ensure the integrity of temperature sensor signals.Comment: Accepted at the ACM Conference on Computer and Communications Security (CCS), 201

A Framework for Evaluating Security in the Presence of Signal Injection Attacks

Sensors are embedded in security-critical applications from medical devices to nuclear power plants, but their outputs can be spoofed through electromagnetic and other types of signals transmitted by attackers at a distance. To address the lack of a unifying framework for evaluating the effects of such transmissions, we introduce a system and threat model for signal injection attacks. We further define the concepts of existential, selective, and universal security, which address attacker goals from mere disruptions of the sensor readings to precise waveform injections. Moreover, we introduce an algorithm which allows circuit designers to concretely calculate the security level of real systems. Finally, we apply our definitions and algorithm in practice using measurements of injections against a smartphone microphone, and analyze the demodulation characteristics of commercial Analog-to-Digital Converters (ADCs). Overall, our work highlights the importance of evaluating the susceptibility of systems against signal injection attacks, and introduces both the terminology and the methodology to do so.Comment: This article is the extended technical report version of the paper presented at ESORICS 2019, 24th European Symposium on Research in Computer Security (ESORICS), Luxembourg, Luxembourg, September 201

Microelectromechanical Systems (MEMS) Resistive Heaters as Circuit Protection Devices

With increased opportunities for the exploitation (i.e., reverse engineering) of vulnerable electronic components and systems, circuit protection has become a critical issue. Circuit protection techniques are generally software-based and include cryptography (encryption/decryption), obfuscation of codes, and software guards. Examples of hardware-based circuit protection include protective coatings on integrated circuits, trusted foundries, and macro-sized components that self-destruct, thus destroying critical components. This paper is the first to investigate the use of microelectromechanical systems (MEMS) to provide hardware-based protection of critical electronic components to prevent reverse engineering or other exploitation attempts. Specifically, surface-micromachined polycrystalline silicon to be used as meandering resistive heaters were designed analytically and fabricated using a commercially available MEMS prototyping service (i.e., PolyMUMPs), and integrated with representative components potentially at risk for exploitation, in this case pseudomorphic high-electron mobility transistors (pHEMTs). The MEMS heaters were initiated to self-destruct, destroying a critical circuit component and thwart a reverse engineering attempt. Tests revealed reliable self-destruction of the MEMS heaters with approximately 25 V applied, resulting in either complete operational failure or severely altering the pHEMT device physics. The prevalent failure mechanism was metallurgical, in that the material on the surface of the device was changed, and the specific failure mode was the creation of a short-circuit. Another failure mode was degraded device operation due to permanently altered device physics related to either dopant diffusion or ohmic contact degradation. The results, in terms of the failure of a targeted electronic component, demonstrate the utility of using MEMS devices to protect critical components which are otherwise vulnerable to exploitation