Experimental Analysis of the Laser-Induced Instruction Skip Fault Model

International audienceMicrocontrollers storing valuable data or using security functions are vulnerable to fault injection attacks. Among the various types of faults, instruction skips induced at runtime proved to be effective against identification routines or encryption algorithms. Several research works assessed a fault model that consists in a single instruction skip, i.e. the ability to prevent one chosen instruction in a program from being executed. This assessment is used to design countermeasures able to withstand a single instruction skip. We question this fault model on experimental basis and report the possibility to induce with a laser an arbitrary number of instruction skips. This ability to erase entire sections of a firmware has strong implications regarding the design of counter- measures

On the susceptibility of Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks

We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob. This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed

Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security

In our paper at PROOFS 2013, we formally studied a few known countermeasures to protect CRT-RSA against the BellCoRe fault injection attack. However, we left Vigilant's countermeasure and its alleged repaired version by Coron et al. as future work, because the arithmetical framework of our tool was not sufficiently powerful. In this paper we bridge this gap and then use the same methodology to formally study both versions of the countermeasure. We obtain surprising results, which we believe demonstrate the importance of formal analysis in the field of implementation security. Indeed, the original version of Vigilant's countermeasure is actually broken, but not as much as Coron et al. thought it was. As a consequence, the repaired version they proposed can be simplified. It can actually be simplified even further as two of the nine modular verifications happen to be unnecessary. Fortunately, we could formally prove the simplified repaired version to be resistant to the BellCoRe attack, which was considered a "challenging issue" by the authors of the countermeasure themselves.Comment: arXiv admin note: substantial text overlap with arXiv:1401.817

Assembly Level Clock Glitch Insertion Into An XMega MCU

This thesis proposes clock-glitch fault injection technique to inject glitches into the clock signal running in a microcontroller unit and studying its effects on different assembly level instructions. It focusses mainly on the effect of clock glitches over the execution, sub-execution and pre-execution cycles of the test instructions and also finds the delay between the actual position of glitch insertion and the trigger being set for the glitch insertion. The instructions used in this work are provided by Atmel which classifies them according to their type of operation. These instructions are here further grouped depending on the number of clock cycles they require for their execution. Each group of instructions are tested for their behavior towards clock glitches being injected at different places in and surrounding their execution cycle. This thesis utilizes the ChipWhisperer-Lite board (CW1173) for performing the whole experiment by controlling the target device, providing clock as well as clock glitches with appropriate properties at appropriate position to the target device. The Atmel AVR XMEGA 128D4U is used as the target device (CW303) that uses an external clock of frequency 7.37MHz generated by the main board. The Capture software, provided by the ChipWhisperer, is used for establishing the hardware connection between the main board and the target board. The clock glitches are designed and triggered through the Capture software

Assembly Level Clock Glitch Insertion Into An XMega MCU

This thesis proposes clock-glitch fault injection technique to inject glitches into the clock signal running in a microcontroller unit and studying its effects on different assembly level instructions. It focusses mainly on the effect of clock glitches over the execution, sub-execution and pre-execution cycles of the test instructions and also finds the delay between the actual position of glitch insertion and the trigger being set for the glitch insertion. The instructions used in this work are provided by Atmel which classifies them according to their type of operation. These instructions are here further grouped depending on the number of clock cycles they require for their execution. Each group of instructions are tested for their behavior towards clock glitches being injected at different places in and surrounding their execution cycle. This thesis utilizes the ChipWhisperer-Lite board (CW1173) for performing the whole experiment by controlling the target device, providing clock as well as clock glitches with appropriate properties at appropriate position to the target device. The Atmel AVR XMEGA 128D4U is used as the target device (CW303) that uses an external clock of frequency 7.37MHz generated by the main board. The Capture software, provided by the ChipWhisperer, is used for establishing the hardware connection between the main board and the target board. The clock glitches are designed and triggered through the Capture software

A Survey of Fault-Injection Methodologies for Soft Error Rate Modeling in Systems-on-Chips

The development of process technology has increased system performance, but the system failure probability has also significantly increased. It is important to consider the system reliability in addition to the cost, performance, and power consumption. In this paper, we describe the types of faults that occur in a system and where these faults originate. Then, fault-injection techniques, which are used to characterize the fault rate of a system-on-chip (SoC), are investigated to provide a guideline to SoC designers for the realization of resilient SoCs

Understanding and Countermeasures against IoT Physical Side Channel Leakage

With the proliferation of cheap bulk SSD storage and better batteries in the last few years we are experiencing an explosion in the number of Internet of Things (IoT) devices flooding the market, smartphone connected point-of-sale devices (e.g. Square), home monitoring devices (e.g. NEST), fitness monitoring devices (e.g. Fitbit), and smart-watches. With new IoT devices come new security threats that have yet to be adequately evaluated. We propose uLeech, a new embedded trusted platform module for next-generation power scavenging devices. Such power scavenging devices are already widely deployed. For instance, the Square point-of-sale reader uses the microphone/speaker interface of a smartphone for communications and as a power supply. Such devices are being used as trusted devices in security-critical applications, without having been adequately evaluated. uLeech can securely store keys and provide cryptographic services to any connected smartphone. Our design also facilitates physical side-channel security analysis by providing interfaces to facilitate the acquisition of power traces and clock manipulation attacks. Thus uLeech empowers security researchers to analyze leakage in next- generation embedded and IoT devices and to evaluate countermeasures before deployment. Even the most secure systems reveal their secrets through secret-dependent computation. Secret- dependent computation is detectable by monitoring a system’s time, power, or outputs. Common defenses to side-channel emanations include adding noise to the channel or making algorithmic changes to mitigate specific side-channels. Unfortunately, existing solutions are not automatic, not comprehensive, or not practical. We propose an isolation-based approach for eliminating power and timing side-channels that is automatic, comprehensive, and practical. Our approach eliminates side-channels by leveraging integrated decoupling capacitors to electrically isolate trusted computation from the adversary. Software has the ability to request a fixed- power/time quantum of isolated computation. By discretizing power and time, our approach controls the granularity of side-channel leakage; the only burden on programmers is to ensure that all secret-dependent execution differences converge within a power/time quantum. We design and implement three approaches to power/time-based quantization and isolation: a wholly-digital version, a hybrid version that uses capacitors for time tracking, and a full- custom version. We evaluate the overheads of our proposed controllers with respect to software implementations of AES and RSA running on an ARM- based microcontroller and hardware implementations AES and RSA using a 22nm process technology. We also validate the effectiveness and real-world efficiency of our approach by building a prototype consisting of an ARM microcontroller, an FPGA, and discrete circuit components. Lastly, we examine the root cause of Electromagnetic (EM) side-channel attacks on Integrated Circuits (ICs) to augment the Quantized Computing design to mitigate EM leakage. By leveraging the isolation nature of our Quantized Computing design, we can effectively reduce the length and power of the unintended EM antennas created by the wire layers in an IC