Hardware Security Implications of Reliability, Remanence and Recovery in Embedded Memory

Secure semiconductor devices usually destroy key material on tamper detection. However, data remanence effect in SRAM and Flash/EEPROM makes secure erasure process more challenging. On the other hand, data integrity of the embedded memory is essential to mitigate fault attacks and Trojan malware. Data retention issues could influence the reliability of embedded systems. Some examples of such issues in industrial and automotive applications are presented. When it comes to the security of semiconductor devices, both data remanence and data retention issues could lead to possible data recovery by an attacker. This paper introduces a new power glitching technique that reduces the data remanence time in embedded SRAM from seconds to microseconds at almost no cost. This would definitely help in designing systems with better secret key guarding. Data remanence in non-volatile memory could be influenced in the same way. The effect of data remanence and data retention on hardware security is discussed and possible countermeasures are suggested. This should raise awareness among the designers of secure embedded systems

Synthesis and Reactions of Iron and Ruthenium Dinitrogen Complexes

This thesis is primarily concerned with the synthesis and reactions of iron and ruthenium dinitrogen complexes of tripodal phosphine ligands. Of particular interest is the cationic dinitrogen bridged iron complex [(FeH(PP3))2(μ-N2)]2+ 23, containing the tetradentate ligand P(CH2CH2PMe2)3, PP3 1, and its potential for facilitating the reduction of the bound dinitrogen upon treatment with acid. The synthesis of a selection of novel and known tripodal phosphine and amino phosphine ligands is described. New ligands N(CH2CH2CH2PMe2)3 N3P3 7 and P(CH2CH2CH2PiPr2)3 P3Pi3 11 were synthesised by nucleophilic displacement of bromide from the bromoalkylphosphine and bromoalkylamine precursors with the relevant phosphide. A new method for synthesis of known ligand P(CH2CH2CH2PMe2)3 P3P3 19 by the nucleophilic substitution of its chloroalkylphosphine oxide with dimethylphosphide and subsequent reduction is also reported. The reaction of [(FeH(PP3))2(μ-N2)]2+ 23 with base produced the singly deprotonated mixed valence species [(FeH(PP3))(μ-N2)(Fe(PP3))]+ 37 and subsequently the iron(0) dinuclear species (Fe(PP3))2(μ-N2) 38 and mononuclear complex Fe(N2)(PP3) 44. The 15N labelling of complexes has allowed the 15N NMR spectra of 23, 37 and 44 to be reported along with the observation of a long-range 5JP-P coupling across the bridging dinitrogen of 37. Complexes 23 and 37 were also structurally characterised by X-ray crystallography. The treatment of a variety of iron PP3 1 dinitrogen complexes, including the mononuclear species [(Fe(N2)H(PP3)]+ 22, with acid, or base then acid, did not result in the formation of ammonia from reduction of the complexed dinitrogen. The reactions of FeCl2(PP3) 24 and FeClH(PP3) 25 with ammonia and hydrazine afforded the complexes [FeCl(N2H4)(PP3)] 48, [FeH(N2H4)(PP3)] 47, [FeCl(NH3)(PP3)] 49 and [FeH(NH3)(PP3)] 46. Complexes 47 and 46 are considered potential intermediates in any reduction of the dinitrogen ligand of 23 to ammonia. Complexes 49 and 46 were also formed from the decomposition of the hydrazine complexes 48 and 47. The 15N NMR shifts, derived from both the 15N labelling of complexes and from 1H-15N 2D NMR experiments at natural abundance are reported. In addition, complex 47 was characterised by X-ray crystallography. The novel ligand P(CH2CH2PiPr2)3 PPi3 12 was used in the successful synthesis of [FeCl(PPi3)]+ 51 and [RuCl(PPi3)]+ 56. Reduction of 51 and 56 with potassium graphite under dinitrogen afforded the complexes Fe(N2)(PPi3) 52 and Ru(N2)(PPi3) 57 respectively. This is the first report of a Ru(0) dinitrogen complex. Treatment of 52 and 57 with lutidinium tetrafluoroborate resulted in protonation and oxidation of the metal centre to afford the hydrido complexes [Fe(N2)H(PPi3)]+ 53 and [Ru(N2)H(PPi3)]+ 58 respectively. 15N labelled analogues of 52, 53, 57 and 58 were achieved by exchange reactions with 15N2 gas, allowing for analysis by 15N NMR spectroscopy. Species 52, 57 and 58 have also been structurally characterised by X-ray crystallography. Treatment of 52 with excess acid in THF afforded both 53 and the dihydrogen complex [Fe(H2)H(PPi3)]+ 54. The mechanism of formation of 54 probably involves the C-H activation of the solvent THF. The complex cation [RuCl(P3Pi3)]+ 65 was synthesised using the novel ligand P3Pi3 11. A polymeric iron(II) complex, [Fe2Cl4(N3P3)2]n 66, of the tridentate ligand N3P3 7 was also synthesised. Characterisation of both 65 and 66 by X-ray crystallography is reported. (FeCl)2(μ-Cl)2(μ-Pi2)2 68, an unusual bridged dimer of the known ligand CH2(PiPr2)2 Pi2 67, and iron(II) and iron(0) tetramers of the PP3 1 ligand, namely [Fe4Cl4(PP3)5]4+ 71 and Fe4(PP3)5 72 were also characterised by X-ray crystallography

Experimental Analysis of the Laser-Induced Instruction Skip Fault Model

International audienceMicrocontrollers storing valuable data or using security functions are vulnerable to fault injection attacks. Among the various types of faults, instruction skips induced at runtime proved to be effective against identification routines or encryption algorithms. Several research works assessed a fault model that consists in a single instruction skip, i.e. the ability to prevent one chosen instruction in a program from being executed. This assessment is used to design countermeasures able to withstand a single instruction skip. We question this fault model on experimental basis and report the possibility to induce with a laser an arbitrary number of instruction skips. This ability to erase entire sections of a firmware has strong implications regarding the design of counter- measures

Adjusting Laser Injections for Fully Controlled Faults

Hardware characterizations of integrated circuits have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient tools. In this paper we describe how the fine tuning of a laser source has been used to characterize, set and reset the state of registers in a 90 nm chip. By adjusting the incident laser beam’s location, it is possible to choose to switch any register value from ‘ 0 ’ to ‘ 1 ’ or vice-versa by targeting the PMOS side or the NMOS side. Plus, we show how to clear a register by selecting a laser beam’s power. With the help of imaging techniques, we are able to explain the underlying phenomenon and provide a direct link between the laser mapping and the physical gate structure. Thus, we correlate the localization of laser fault injections with implementations of the PMOS and NMOS areas in the silicon substrate. This illustrates to what extent laser beams can be used to monitor the bits stored within registers, with adverse consequences in terms of security evaluation of integrated circuits

Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices

Body Biasing Injection (BBI) uses a voltage applied with a physical probe onto the backside of the integrated circuit die. Compared to other techniques such as electromagnetic fault injection (EMFI) or Laser Fault Injection (LFI), this technique appears less popular in academic literature based on published results. It is hypothesized being due to (1) moderate cost of equipment, and (2) effort required in device preperation. This work demonstrates that BBI (and indeed many other backside attacks) can be trivially performed on Wafer-Level Chip-Scale Packaging (WLCSP), which inherently expose the die backside. A low-cost ($15) design for the BBI tool is introduced, and validated with faults introduced on a STM32F415OG against code flow, RSA, and some initial results on various hardware block attacks are discussed

Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

In the context of fault attacks on nonce-based authenticated encryption, an attacker faces two restrictions. The first is the uniqueness of the nonce for each new encryption that prevents the attacker from collecting pairs of correct and faulty outputs to perform, e.g., differential fault attacks. The second restriction concerns the verification/decryption, which releases only verified plaintext. While many recent works either exploit misuse scenarios (e.g. nonce-reuse, release of unverified plaintext), we turn the fact that the decryption/verification gives us information on the effect of a fault (whether a fault changed a value or not) against it. In particular, we extend the idea of statistical ineffective fault attacks (SIFA) to target the initialization performed in nonce-based authenticated encryption schemes. By targeting the initialization performed during decryption/verification, most nonce-based authenticated encryption schemes provide the attacker with an oracle whether a fault was ineffective or not. This information is all the attacker needs to mount statistical ineffective fault attacks. To demonstrate the practical threat of the attack, we target software implementations of the authenticated encryption schemes Keyak and Ketje. The presented fault attacks can be carried out without the need of sophisticated equipment. In our practical evaluation the inputs corresponding to 24 ineffective fault inductions were required to reveal large parts of the secret key in both scenarios