Skip to main content
SpringerLink
Log in

Tampering with the flash memory of microcontrollers: permanent fault injection via laser illumination during read operations

  • Research Article
  • Published:
Journal of Cryptographic Engineering Aims and scope Submit manuscript

Abstract

Modern microcontroller units (MCUs) often feature integrated flash memory, which has been found to be vulnerable to hardware attacks. This type of memory is used to store critical data, including firmware, passwords, and cryptographic keys, making it a valuable target for attackers. Recent research has demonstrated the use of laser fault injection (LFI) during runtime to corrupt firmware by targeting the flash memory during read operations. However, these faults are non-permanent, as they only affect the read copies of the data without altering the actual data stored in the flash memory, following a bit-set fault model induced on a single bit. In our work, we extend this fault model to the flash memory of a 32-bit MCU, allowing us to induce permanent faults by compromising the stored data during read operations. In addition, we leverage photoemission analysis for target identification and characterization, enhancing the precision of our attack. By utilizing a double-spot LFI technique, we are able to concurrently induce permanent bit-set faults at two distinct locations in the flash memory, increasing the complexity and effectiveness of the attack. We also provide a practical example of how this fault model can be applied, wherein we iteratively change all 32 bits of a password to logic ‘1’, successfully bypassing a basic counter for login attempts. It is important to note, however, that there are physical limitations associated with using multi-laser spots in this context, which we thoroughly discuss in our research. Nonetheless, our approach presents a powerful method for exploiting vulnerabilities in flash memory of MCUs, underscoring the need for robust security measures to protect critical data and mitigate the risks associated with hardware attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24

Similar content being viewed by others

References

  1. Skorobogatov, S.: Using optical emission analysis for estimating contribution to power analysis. pp. 111–119 (2009). https://doi.org/10.1109/FDTC.2009.39

  2. Zhong, Y., Guin, U.: Fault-injection based chosen-plaintext attacks on multicycle AES implementations. In Proceedings of the Great Lakes Symposium on VLSI 2022, GLSVLSI ’22. New York, NY, USA, pp. 443–448 (2022). Association for Computing Machinery. ISBN 9781450393225

  3. Dumont, M., Moëllic, P. A., Viera, R., Dutertre, J. M., Bernhard, R.: An overview of laser injection against embedded neural network models. In: 2021 IEEE 7th World Forum on Internet of Things (WF-IoT), pp. 616–621 (2021). https://doi.org/10.1109/WF-IoT51360.2021.9595075

  4. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE (2006). https://doi.org/10.1109/JPROC.2005.862424

    Article  Google Scholar 

  5. Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE (2012). https://doi.org/10.1109/JPROC.2012.2188769

    Article  Google Scholar 

  6. Kiyan, T., Lohrke, H., Boit, C.: Comparative assessment of optical techniques for semi-invasive SRAM data read-out on an msp430 microcontroller. pp. 266–271 (2018). https://doi.org/10.31399/asm.cp.istfa2018p0266

  7. Schlösser, A., Nedospasov, D., Krämer, J., Orlic, S., Seifert, J.P.: Simple photonic emission analysis of AES, vol. 2, pp. 3–15. Springer Science and Business Media LLC, Berlin (2013). https://doi.org/10.1007/s13389-013-0053-7

    Book  Google Scholar 

  8. Skorobogatov, S.: Optical fault masking attacks. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 23–29 (2010). https://doi.org/10.1109/FDTC.2010.18

  9. Cai, F., Bai, G., Liu, H., Hu, X.: Optical fault injection attacks for flash memory of smartcards. In: 2016 6th International Conference on Electronics Information and Emergency Communication (ICEIEC), pp. 46–50 (2016). https://doi.org/10.1109/ICEIEC.2016.7589684

  10. Colombier, B., Menu, A., Dutertre, J. M., Moellic, P. A., Rigaud, J. B., Danger, J. L.: Laser-induced single-bit faults in flash memory: instructions corruption on a 32-bit microcontroller. In: IEEE International Symposium on Hardware Oriented Security and Trust, HOST (2019). https://doi.org/10.1109/HST.2019.8741030

  11. Menu, A., Dutertre, J. M., Rigaud, J. B., Colombier, B., Moellic, P. A., Danger, J. L.: Single-bit Laser Fault Model in NOR Flash Memories: Analysis and Exploitation. Workshop on Fault Detection and Tolerance in Cryptography, FDTC (2020)

  12. Garb, K., Obermaier, J.: Temporary laser fault injection into flash memory: calibration, enhanced attacks, and countermeasures. In: 2020 IEEE 26th International Symposium on On-Line Testing and Robust System Design (IOLTS), pp. 1–7 (2020). https://doi.org/10.1109/IOLTS50870.2020.9159712

  13. Viera, R., Dutertre, J. M., Dumont, M., Moëllic, P. A.: Permanent laser fault injection into the flash memory of a microcontroller. In: 2021 19th IEEE International New Circuits and Systems Conference (NEWCAS), pp. 1–4 (2021). https://doi.org/10.1109/NEWCAS50681.2021.9462773

  14. Colombier, B., Bossuet, L., Grandamme, P., Vernay, J., Chanavat, E., Bon, L., Chassagne, B.: Multi-spot laser fault injection setup: new possibilities for fault injection attacks. In: 20th Smart Card Research and Advanced Application Conference—CARDIS 2021, Lübeck, Germany (2021). https://hal.archives-ouvertes.fr/hal-03353863

  15. Campardo, G., Micheloni, R., Novosel, D.: VLSI-Design of Non-volatile Memories. Springer, Berlin (2005)

    Google Scholar 

  16. Johnston, A.H.: Charge generation and collection in p–n junctions excited with pulsed infrared lasers. IEEE Trans. Nucl. Sci. (1993). https://doi.org/10.1109/23.273491

    Article  Google Scholar 

  17. Baumann, R.C.: Radiation-induced soft errors in advanced semiconductor technologies. IEEE Trans. Device Mater. Reliab. 5(3), 305–316 (2005). https://doi.org/10.1109/TDMR.2005.853449

    Article  Google Scholar 

  18. Habing, D.H.: The use of lasers to simulate radiation-induced transients in semiconductor devices and circuits. IEEE Trans. Nucl. Sci. 12(5), 91–100 (1965). https://doi.org/10.1109/TNS.1965.4323904

    Article  Google Scholar 

  19. May, T.C., Woods, M.H.: Alpha-particle-induced soft errors in dynamic memories. IEEE Trans. Electr. Devices (1979). https://doi.org/10.1109/T-ED.1979.19370

    Article  Google Scholar 

  20. Hsieh, C.M., Murley, P.C., O’Brien, R.R.: A field-funneling effect on the collection of alpha-particle-generated carriers in silicon devices. IEEE Electr. Device Lett. 2(4), 103–105 (1981). https://doi.org/10.1109/EDL.1981.25357

    Article  Google Scholar 

  21. Messenger, G.C.: Collection of charge on junction nodes from ion tracks. IEEE Trans. Nucl. Sci. (1982). https://doi.org/10.1109/TNS.1982.4336490

    Article  Google Scholar 

  22. Wang, F., Agrawal, V. D.: Single event upset: an embedded tutorial. In: 21st International Conference on VLSI Design (2008). https://doi.org/10.1109/VLSI.2008.28

  23. Hsieh, C.M., Murley, P.C., O’Brien, R.R.: Collection of charge from alpha-particle tracks in silicon devices. IEEE Trans. Electr. Devices 30(6), 686–693 (1983). https://doi.org/10.1109/T-ED.1983.21190

    Article  Google Scholar 

  24. Jordan, A.G., Milnes, A.G.: Photoeffect on diffused p–n junctions with integral field gradients. IRE Trans. Electr. Devices (1960). https://doi.org/10.1109/T-ED.1960.14688

    Article  Google Scholar 

  25. Wirth, J.L., Rogers, S.C.: The transient response of transistors and diodes to ionizing radiation. IEEE Trans. Nucl. Sci. (1964). https://doi.org/10.1109/TNS2.1964.4315472

    Article  Google Scholar 

  26. Villa, S., Lacaita, A.L., Pacelli, A.: Photon emission from hot electrons in silicon. Phys. Rev. B 52, 10993–10999 (1995). https://doi.org/10.1103/PhysRevB.52.10993

    Article  Google Scholar 

  27. Stellari, F., Zappa, F., Cova, S., Vendrame, L.: Tools for non-invasive optical characterization of CMOS circuits. In: International Electron Devices Meeting 1999. Technical Digest (Cat. No.99CH36318), pp. 487–490 (1999). https://doi.org/10.1109/IEDM.1999.824199

  28. Bude, J, Sano, N, Yoshii, A: Hot-carrier luminescence in Si. Phys. Rev. B 45, 5848–5856 (1992). https://doi.org/10.1103/PhysRevB.45.5848

  29. Trigg, A. D.: The infrared photoemission microscope as a tool for semiconductor device failure analysis. In: Proceedings of the 1997 6th International Symposium on the Physical and Failure Analysis of Integrated Circuits, pp. 21–26 (1997). https://doi.org/10.1109/IPFA.1997.638067

  30. Ishii, T.: Functional failure analysis technology from backside of VLSI chip. In: Proceedings of the 20th International Symposium for Testing and Failure Analysis. ASM International 1994, pp. 41–47 (1994). https://cir.nii.ac.jp/crid/1573668925480841344

  31. Vashistha, N., Rahman, M. T., Dizon-Paradis, O. P., Asadizanjani, N.: Is backside the new backdoor in modern socs?: Invited paper. In: 019 IEEE International Test Conference (ITC), pp. 1–10 (2019). https://doi.org/10.1109/ITC44170.2019.9000127

  32. Lima, R. S., Viera, R., Dutertre, J. M., Ribotta, A. L., Pommies, M., Bertrand, A.: Target preparation methodology for semi-invasive attacks on microcontrollers, pp. 1–7 (2022). https://doi.org/10.1109/PAINE56030.2022.10014827

  33. Ritchey, L.W., Zasio, J., Knack, K.J.: Right the First Time: A Practical Handbook on High Speed PCB and System Design. Speeding Edge, Glen Ellen (2006)

    Google Scholar 

  34. Wilson, P.: The Circuit Designer’s Companion. Newnes, Oxford (2018)

    Google Scholar 

  35. Micro-PackS - A technical platform. https://www.pf-micropacks.org/en/micro-packs/la-plate-forme. Accessed 26 July 2021

  36. Analog Selected Area Preparation System - ASAP-1. https://www.ultratecusa.com/wp-content/uploads/2020/03/ASAP-1-Brochure-low-res-S-10-07.pdf. Accessed 26 July 2022

  37. Datasheet STM32F100x4, STM32F100x6, STM32F100x8, STM32F100xB. STMicroelectronics, 11. Rev. 9 (2016)

  38. Oliver, Bernard M. (ed.): Electronic Measurements and Instrumentation. McGraw-Hill Inc., Auckland (1985)

    Google Scholar 

  39. Zhijian, X., Qiang, T., Yanyan, S., Dongyao, Z., Changlin, Z.: Side channel leakage information based on electromagnetic emission of stm32 micro-controller. In: 2019 12th International Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo), pp. 204–206 (2019)

Download references

Author information

Authors and Affiliations

  1. CEA, Leti, Centre CMP, Mines Saint-Etienne, 13541, Gardanne, France

    Raphael Viera, Jean-Max Dutertre & Rodrigo Silva Lima

  2. Centre Technologique ALPhANOV, Talence, France

    Rodrigo Silva Lima, Matthieu Pommies & Anthony Bertrand

Authors
  1. Raphael Viera
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jean-Max Dutertre
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rodrigo Silva Lima
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Matthieu Pommies
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Anthony Bertrand
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Raphael Viera.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Viera, R., Dutertre, JM., Silva Lima, R. et al. Tampering with the flash memory of microcontrollers: permanent fault injection via laser illumination during read operations. J Cryptogr Eng (2023). https://doi.org/10.1007/s13389-023-00335-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s13389-023-00335-z

Keywords

Search

Navigation