Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models

Trouchkine, Thomas; Bukasa, Sébanjila Kevin; Escouteloup, Mathieu; Lashermes, Ronan; Bouffard, Guillaume

doi:10.1007/s13389-021-00259-6

Cited by 14 publications

(6 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This paper introduces the characterization method we use in our work. Additionally, to these works, which mainly focus on a characterization at the Instruction Set Architecture (ISA) level, a characterization of the micro-architectural behaviour of a BCM2837 against EMFI has been done in [11] with an exploitation on the AES algorithm using a Persistent Fault Analysis (PFA). In this work, the authors target only one architecture.…”

Section: A Related Workmentioning

confidence: 99%

“…The drawback of this computational power is a complex hardware layout which is, for now, lacking security analysis, in particular, regarding hardware attacks. However, some recent works have demonstrated that these attacks are efficient to lower the security of modern SoCs [5], [11], [12], [13]. Therefore, we believe it is important to understand the underlying effect induced by the proposed perturbations to be able to measure their impact and design adapted countermeasures.…”

Section: Introductionmentioning

confidence: 99%

“…Therefore, we believe it is important to understand the underlying effect induced by the proposed perturbations to be able to measure their impact and design adapted countermeasures. The used injection mediums were the laser [13], the Rowhammer attack [12] and the ElectroMagnetic Fault Injection (EMFI) [11].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model

Trouchkine

Bouffard

Clédière

2021

2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC)

Self Cite

View full text Add to dashboard Cite

Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Only few works try to characterize them at the Instruction Set Architecture (ISA) level.In this article, we apply a state-of-the-art faults model characterization approach on modern CPU to evaluate the fault model on two different CPUs from different architectures with the same injection mediums. We target the CPU of the Raspberry Pi 3 (ARM) and an Intel Core i3 (x86) and perturbing them with ElectroMagnetic Fault Injection (EMFI). From the ISA point of view, we disclose a similar fault model on each component. Additionally, we evaluate a widely used complex software, OpenSSL, against this fault model.

show abstract

Section: A Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model

Trouchkine

Bouffard

Clédière

2021

2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC)

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, faults can not only be induced by glitching the supply voltage. In the past couple of years, EM fault injection techniques against modern CPUs have been examined to inject faults in a targeted and contactless way [8], [47]. Consequently, a holistic view is necessary to prevent all kinds of fault injection attacks that can manipulate the behavior of the target device.…”

Section: B Potential Mitigationsmentioning

confidence: 99%

“…Next to the intended corruption of data values, faults can be used to skip security checks, enter protected code paths, or gain code execution [4], [5]. During the past years, attacks against microcontrollers and SoCs using laser-based [6] and electromagnetic [7], [8] FI have been presented. While these techniques offer high accuracy in targeting a specific part of the chip, they also require comparatively sophisticated setups.…”

Section: Introductionmentioning

confidence: 99%

The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs

Bittner¹,

Krachenfels²,

Galauner³

et al. 2021

Preprint

View full text Add to dashboard Cite

Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as selfdriving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI is known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation.

show abstract