100 research outputs found

    Fault Injection using Crowbars on Embedded Systems

    Causing a device to incorrectly execute an instruction or store faulty data is a well-known strategy for attacking cryptographic implementations on embedded systems. One technique to generate such faults is to manipulate the supply voltage of the device. This paper introduces a novel technique to introduce those supply voltage manipulations onto existing digital systems, requiring minimal modifications to the device being attacked. This uses a crowbar to short the power supply for controlled periods of time. High-accuracy faults are demonstrated on the 8-bit AVR microcontroller, which can generate both single and multi-bit faults with high repeatability. Additionally, this technique is demonstrated on an FPGA, where it is capable of generating faults in both internal registers and the configuration fabric.

    SiliconToaster: A Cheap and Programmable EM Injector for Extracting Secrets

    Electromagnetic Fault Injection (EMFI) is considered an effective fault injection technique for the purpose of conducting physical attacks against integrated circuits. It enables an adversary to inject errors on a circuit to gain knowledge of sensitive information or to bypass security features. The aim of this paper is to highlight the design and validation of SiliconToaster, which is a cheap and programmable platform for EM pulse injection. It has been designed using low-cost and accessible components that can be easily found. In addition, it can inject faults with a programmable voltage up to 1.2kV without the need for an external power supply, as it is powered by the USB. The second part of the paper uses the SiliconToaster to bypass the firmware security protections of an IoT chip. Two security configurations were bypassed sequentially in a non-invasive way (without chip decapsulation).

    A fast-acting protection scheme for series compensators in a medium-voltage network

    In the last 20 years, medium-voltage networks have become one of the important interfaces between power plants and loads, due to increasing load demand as well as the number of distributed generators connected to the network. For this reason, managing the power flow and voltage profile of the network at the lowest possible power losses and price is of the utmost importance. Series compensators such as a static synchronous series compensator (SSSC) are among the most cost-effective power compensators and also have high efficiency in controlling the power flow and voltage profile. However, their drawback is their vulnerability to short circuits. This thesis presents a new protection scheme for an SSSC in an MV network by using a varistor and thyristors to eliminate this weakness. The DC offset phenomenon is one of the main uncertainties that has been studied in the thesis. This phenomenon could cause a delay in the circuit breakers’ performance. In this thesis, the parameters of the machines that have most influence on the time when the fault current will pass the zero point have been analysed. Besides, the impact of the DC offset in the medium voltage network has been studied. Furthermore, thermal issues have always been one of the most challenging problems for power electronics devices. This thesis investigates a new packaging style that uses phase change material to improve the thermal management of a press-pack thyristor during a short circuit. This packaging style is able to absorb as much heat as required and could also decrease the thermal resistance.

    Positive and Negative Sequence Control Strategies to Maximize the Voltage Support in Resistive-Inductive Grids During Grid Faults

    Grid faults are one of the most severe perturbations in power systems. During these extreme disturbances, the reliability of the grid is compromised and the risk of a power outage is increased. To prevent this issue, distributed generation inverters can help the grid by supporting the grid voltages. Voltage support mainly depends on two constraints: the amount of injected current and the grid impedance. This paper proposes a voltage support control scheme that joins these two features. Hence, the control strategy injects the maximum rated current of the inverter. Thus, the inverter takes advantage of the distributed capacities and operates safely during voltage sags. Also, the controller selects the appropriate power references depending on the resistive-inductive grid impedance. Therefore the grid can be better supported since the voltage at the point of common coupling is improved. Several voltage objectives, which cannot be achieved together, are developed and discussed in detail. These objectives are threefold: a) to maximize the positive sequence voltage, b) to minimize the negative sequence voltage, and c) to maximize the difference between positive and negative sequence voltages. A mathematical optimal solution is obtained for each objective function. Experimental results are presented to validate the theoretical solutions. Postprint (author's final draft)

    PicoEMP: A Low-Cost EMFI Platform Compared to BBI and Voltage Fault Injection using TDC and External VCC Measurements

    Electromagnetic Fault Injection (EMFI) has been demonstrated to be useful for both academic and industrial research. Due to the dangerous voltages involved, most work is done with commercial tools. This paper introduces a safety-focused low-cost and open-source design that can be built for less than $50 using only off-the-shelf parts. The paper also introduces an iCE40 based Time-to-Digital Converter (TDC), which is used to visualize the glitch inserted by the EMFI tool. This demonstrates the internal voltage perturbations between voltage, body biasing injection (BBI), and EMFI all result in similar waveforms. In addition, a link between an easy-to-measure external voltage measurement and the internal measurement is made. Attacks are also made on a hardware AES engine, and a soft-core RISC-V processor, all running on the same iCE40 FPGA. The platform is used to demonstrate several aspects of fault injection, including that the spatial positioning of the EMFI probe can impact the glitch strength, and that the same physical device may require widely different glitch parameters when running different designs.

    On the susceptibility of Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks

    We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that makes it possible to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob. This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed.

    Implementation of a platform for electromagnetic fault injection tests against RISC-V-based SoCs (Implementación de una plataforma para tests de inyección de fallos mediante electromagnetismo contra SoCs basados en RISC-V)

    Bachelor's thesis (Trabajo de Fin de Grado) in Computer Engineering, Facultad de Informática UCM, Departamento de Arquitectura de Computadores y Automática, academic year 2021/2022. The market of microcontrollers, CPUs, desktop and server computers has seen both numerous milestones achieved and new challenges arise in the last decade. With the RISC-V ISA being introduced in 2010, a new set of possibilities and freedoms was unlocked. However, the overall necessity for security and resilient computers has increased, not only for consumer grade devices, but also for every other field. Hardware is oftentimes one of the most forgotten attack surfaces, due to several reasons like lack of ease-of-access, or the cost of research. In this document, we ask the question: “how well does the RISC-V architecture stand against physical harms?”. We also develop a novel device capable of doing Electromagnetic Fault Injection attacks while being a very affordable solution to build.