8 research outputs found

    EM-Fault It Yourself: Building a Replicable EMFI Setup for Desktop and Server Hardware

    EMFI has become a popular fault injection (FI) technique due to its ability to inject faults precisely considering timing and location. Recently, ARM, RISC-V, and even x86 processing units in different packages were shown to be vulnerable to electromagnetic fault injection (EMFI) attacks. However, past publications lack a detailed description of the entire attack setup, hindering researchers and companies from easily replicating the presented attacks on their devices. In this work, we first show how to build an automated EMFI setup with high scanning resolution and good repeatability that is large enough to attack modern desktop and server CPUs. We structurally lay out all details on mechanics, hardware, and software along with this paper. Second, we use our setup to attack a deeply embedded security co-processor in modern AMD systems on a chip (SoCs), the AMD Secure Processor (AMD-SP). Using a previously published code execution exploit, we run two custom payloads on the AMD-SP that utilize the SoC to different degrees. We then visualize these fault locations on SoC photographs, allowing us to reason about the SoC's components under attack. Finally, we show that the signature verification process of one of the first executed firmware parts is susceptible to EMFI attacks, undermining the security architecture of the entire SoC. To the best of our knowledge, this is the first reported EMFI attack against an AMD desktop CPU.
    Comment: This is the authors' version of the article accepted for publication at the IEEE International Conference on Physical Assurance and Inspection of Electronics (PAINE 2022).

    Laser logic state images of masked AES implementations from registers on a Cyclone IV FPGA

    This repository contains images (in TIFF format) that were captured using the PHEMOS-1000 failure analysis microscope with the LLSI (Laser Logic State Imaging) technique. Each image contains 16 bits stored in the registers of a Xilinx Cyclone IV FPGA. Furthermore, the repository contains scripts (in the MATLAB programming language) for extracting the bit values from the images. This data package is connected to the publication "Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model".

    Images from on-chip memories captured using the laser-assisted side-channel techniques LLSI and TLS

    This repository contains images of on-chip memories (in 16-bit TIFF and 8-bit PNG format) that were captured using the PHEMOS-1000 failure analysis microscope with the LLSI (Laser Logic State Imaging) and TLS (Thermal Laser Stimulation) techniques. The content of the imaged memories is provided in text and binary files. This data package is connected to the publication "Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks" accepted for publication at USENIX Security 2021. Preprint: https://arxiv.org/abs/2102.1165

    Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs

    Thermal laser stimulation (TLS) is a failure analysis technique which can be deployed by an adversary to localize and read out stored secrets in the SRAM of a chip. To date, a few proof-of-concept experiments based on TLS or similar approaches have been reported in the literature, which do not reflect a real attack scenario. Therefore, it is still questionable whether this attack technique is applicable to modern ICs equipped with side-channel countermeasures. The primary aim of this work is to assess the feasibility of launching a TLS attack against a device with robust security features. To this end, we select a modern FPGA, and more specifically its key memory, the so-called battery-backed SRAM (BBRAM), as a target. We demonstrate that an attacker is able to extract the stored 256-bit AES key used for the decryption of the FPGA's bitstream by conducting just a single non-invasive measurement. Moreover, it becomes evident that conventional countermeasures are incapable of preventing our attack, since the FPGA is turned off during key recovery. Based on our time measurements, the required effort to develop the attack is shown to be less than 7 hours. To avert this powerful attack, we propose a low-cost and CMOS-compatible countermeasure circuit which is capable of protecting the BBRAM from TLS attempts even when the FPGA is powered off. Using a proof-of-concept prototype of our countermeasure, we demonstrate its effectiveness against TLS key extraction attempts.

    Evaluation of Low-Cost Thermal Laser Stimulation for Data Extraction and Key Readout

    Recent attacks using thermal laser stimulation (TLS) have shown that it is possible to extract cryptographic keys from the battery-backed memory on state-of-the-art field-programmable gate arrays (FPGAs). However, the professional failure analysis microscopes usually employed for these attacks cost on the order of 500k to 1M dollars. In this work, we evaluate the use of a cheaper commercial laser fault injection station retrofitted with a suitable amplifier and light source to enable TLS. We demonstrate that TLS attacks are possible at a hardware cost of around 100k dollars. This constitutes a reduction of the resources required by the attacker by a factor of at least five. We showcase two actual attacks: data extraction from the SRAM memory of a low-power microcontroller and decryption key extraction from a 20-nm technology FPGA device. The strengths and weaknesses of our low-cost approach are then discussed in comparison with the conventional failure analysis equipment approach. In general, this work demonstrates that TLS backside attacks are available at a much lower cost than previously expected.

    Toward Optical Probing Resistant Circuits: A Comparison of Logic Styles and Circuit Design Techniques

    Laser-assisted side-channel analysis techniques, such as optical probing (OP), have been shown to pose a severe threat to secure hardware. While several countermeasures have been proposed in the literature, they can either be bypassed by an attacker or require a modification of the transistor fabrication process, which is costly and complex. In this work, we first propose a formulation for the caliber of reflected light from OP. Second, we propose circuit design techniques and logic styles to alleviate OP attacks based on our formulation. Finally, we compare several logic families and circuit design techniques in terms of performance and OP security merits. In this regard, we perform simulations to compare the optical beam interaction between the different logic gates. By utilizing our proposed circuit design techniques and dual-rail logic (DRL), the signal-to-noise ratio (SNR) of the reflected light from OP is reduced significantly.

    LAT-UP: Exposing Layout-Level Analog Hardware Trojans Using Contactless Optical Probing

    The insertion of a Hardware Trojan (HT) into a chip after the in-house layout design is outsourced to a chip manufacturer for fabrication is a major concern, especially for mission-critical applications. While several HT detection methods based on side-channel analysis and physical measurements have been developed to address this problem, there exist stealthy analog HTs, i.e., capacitive and dopant-level HTs, which have negligible or even zero overhead on the chip. Thus, these stealthy HTs cannot be detected using the aforementioned methods. In this work, we propose a novel analytical approach to detect these Layout-level Analog Trojans (LATs). Our proposed method uses an extension of Optical Probing (OP) for LAT detection, namely the Laser Logic State Imaging (LLSI) technique. In principle, to detect LATs using LLSI, we only need the golden design and not a golden chip, which is typically not available. As we take advantage of LLSI to detect HTs, our approach is non-invasive, less costly, and scalable to larger designs. We report experimental results on a malicious RISC-V to demonstrate the effectiveness of our approach in detecting LATs.