Let's shock our IoT's heart

Bukasa, Sébanjila Kevin; Lashermes, Ronan; Lanet, Jean‐Louis; Leqay, Axel

doi:10.1145/3230833.3230842

Cited by 11 publications

(3 citation statements)

References 12 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While these papers report single fault effects, recent works show that one fault injection or complex fault injection means can lead to the corruption of several consecutive instructions. Electromagnetic pulses can lead to the replay or the skip of several consecutive instructions, from two up to a dozen [20,5,19,15]. Laser-based fault injection techniques can also lead to the skip of few chosen instructions [8] or of a variable number of consecutive instructions, from 1 to 300 depending on the laser pulse duration [11].…”

Section: Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

SAMVA: Static Analysis for Multi-fault Attack Paths Determination

Gicquel

Hardy

Heydemann

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Multi-fault injection attacks are powerful since they allow to bypass software security mechanisms of embedded devices. Assessing the vulnerability of an application while considering multiple faults with various effects is an open problem due to the size of the fault space to explore. We propose SAMVA, a framework for efficiently searching vulnerabilities of applications in presence of multiple instruction-skip faults with various widths. SAMVA relies solely on static analysis to determine attack paths in a binary code. It is configurable with the fault injection capacity of the attacker and the attacker's objective. We evaluate the proposed approach on eight PIN verification programs containing various software countermeasures. Our framework finds numerous attack paths, even for the most hardened version, in very limited time.

show abstract

Section: Threat Modelmentioning

confidence: 99%

“…Recent works have shown that it is possible to inject multiple faults [7] (i.e. at different instants) and to corrupt several consecutive instructions [20,5,11,15,8,6]. Faults can have a width varying from a few up to more than one hundred consecutively executed instructions.…”

Section: Introductionmentioning

confidence: 99%

SAMVA: Static Analysis for Multi-fault Attack Paths Determination

Gicquel

Hardy

Heydemann

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…As such, only a handful of the observed faults can be tracked down and explained by a modification of the bits in the instruction [31]. Last, but not least, electromagnetic fault injection usually exhibits poor repeatability [13], as low as a few percents in some cases. Conversely, another actively studied technique is laser fault injection, which offers several advantages when it comes to interpreting the observed faults.…”

Section: Related Workmentioning

confidence: 99%

Message-Recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem

Cayrel

Colombier

Drăgoi

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Code-based public-key cryptosystems are promising candidates for standardization as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually F2, guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in N instead. By means of laser fault injection, we illustrate how to compute the matrix-vector product in N by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in N, we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real-time message recovery attacks against the code-based proposal to the NIST Post-Quantum Cryptography standardization challenge. We perform our attacks in the worst-case scenario, i.e. considering random binary codes, and retrieve the initial message within minutes on a desktop computer. Our attack targets the reference implementation of the Niederreiter cryptosystem in the NIST PQC competition finalist Classic McEliece and is practically feasible for all proposed parameters sets of this submission. For example, for the 256-bit security parameters sets, we successfully recover the message in a couple of seconds on a desktop computer. Finally, we highlight the fact that the attack is still possible if only a fraction of the syndrome entries are faulty. This makes the attack feasible even though the fault injection does not have perfect repeatability and reduces the computational complexity of the attack, making it even more practical overall.

show abstract

Hiding a fault enabled virus through code construction

Hamadouche

Lanet

Mezghiche

2019

J Comput Virol Hack Tech

Self Cite

View full text Add to dashboard Cite

Smart cards are very secure devices designed to execute applications and store confidential data. Therefore, they become the target of many hardware and software attacks that aim to bypass their embedded security mechanisms in order to gain access to the sensitive stored data. Recently, a new kind of attacks called combined attacks has appeared. They aim to induce perturbations in the application's execution environment. Thus, correct and legitimate application can be dynamically modified to become a hostile one after being loaded in the card using a fault injection. In this paper, we treat the problem from another angle: how to design an innocent looking code in such a way that it becomes intentionally hostile after being activated by a fault injection? We present an original approach of backward code construction based on constraints satisfaction and a tree traversal algorithm. After that, we propose a way to optimize the search process by introducing heuristics for a faster convergence towards more realistic solutions.We implement this approach in a Trace Generator tool; thereafter evaluate its capacity to generate the required solutions while giving a proof-of-concept of the code desynchronization technique.

show abstract

Let's shock our IoT's heart

Cited by 11 publications

References 12 publications

SAMVA: Static Analysis for Multi-fault Attack Paths Determination

SAMVA: Static Analysis for Multi-fault Attack Paths Determination

Message-Recovery Laser Fault Injection Attack on the Classic McEliece Cryptosystem

Hiding a fault enabled virus through code construction

Contact Info

Product

Resources

About