Abstract
Modern microcontroller units (MCUs) often feature integrated flash memory, which has been found to be vulnerable to hardware attacks. This type of memory is used to store critical data, including firmware, passwords, and cryptographic keys, making it a valuable target for attackers. Recent research has demonstrated the use of laser fault injection (LFI) during runtime to corrupt firmware by targeting the flash memory during read operations. However, these faults are non-permanent, as they only affect the read copies of the data without altering the actual data stored in the flash memory, following a bit-set fault model induced on a single bit. In our work, we extend this fault model to the flash memory of a 32-bit MCU, allowing us to induce permanent faults by compromising the stored data during read operations. In addition, we leverage photoemission analysis for target identification and characterization, enhancing the precision of our attack. By utilizing a double-spot LFI technique, we are able to concurrently induce permanent bit-set faults at two distinct locations in the flash memory, increasing the complexity and effectiveness of the attack. We also provide a practical example of how this fault model can be applied, wherein we iteratively change all 32 bits of a password to logic ‘1’, successfully bypassing a basic counter for login attempts. It is important to note, however, that there are physical limitations associated with using multi-laser spots in this context, which we thoroughly discuss in our research. Nonetheless, our approach presents a powerful method for exploiting vulnerabilities in flash memory of MCUs, underscoring the need for robust security measures to protect critical data and mitigate the risks associated with hardware attacks.
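As an added illustration (not code from the paper or its authors), the sketch below models the abstract's bit-set fault model and shows one generic detection measure for it: storing a secret word next to its bitwise complement, so that any fault that can only turn bits to logic '1' breaks the pairing. The record layout, function names and sample password are assumptions made for this example, and the check covers only faults on the stored word, not faults on the comparison logic itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: the secret is stored next to its bitwise complement. */
typedef struct { uint32_t value; uint32_t complement; } guarded_word;

static guarded_word guarded_store(uint32_t secret) {
    guarded_word w = { secret, ~secret };
    return w;
}

/* Intact only if every bit position holds exactly one 1 across both copies. */
static int guarded_check(const guarded_word *w) {
    return (w->value ^ w->complement) == 0xFFFFFFFFu;
}

/* Bit-set fault model from the abstract: masked bits are forced to 1 and
 * stay that way. One mask per copy models a double-spot injection. */
int check_after_faults(uint32_t secret, uint32_t mask_value, uint32_t mask_compl) {
    guarded_word w = guarded_store(secret);
    w.value |= mask_value;
    w.complement |= mask_compl;
    return guarded_check(&w);
}

/* Password comparison that fails closed when the stored word was altered. */
int login_after_faults(uint32_t secret, uint32_t mask_value, uint32_t candidate) {
    guarded_word w = guarded_store(secret);
    w.value |= mask_value;
    if (!guarded_check(&w)) return 0;   /* tampered: refuse, do not compare */
    return w.value == candidate;
}

int main(void) {
    const uint32_t secret = 0x5A3C00F1u;   /* constructed sample password */
    printf("no fault, check:             %d\n",
           check_after_faults(secret, 0, 0));
    printf("all 32 bits set, check:      %d\n",
           check_after_faults(secret, 0xFFFFFFFFu, 0));
    printf("double-spot (both copies):   %d\n",
           check_after_faults(secret, 1u << 1, 1u << 0));
    printf("login with all-ones guess:   %d\n",
           login_after_faults(secret, 0xFFFFFFFFu, 0xFFFFFFFFu));
    return 0;
}
```

Because a bit-set fault can never clear the matching bit in the other copy, every fault that changes either word leaves at least one position where both copies read '1', which the check rejects.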
About this article
Cite this article
Viera, R., Dutertre, JM., Silva Lima, R. et al. Tampering with the flash memory of microcontrollers: permanent fault injection via laser illumination during read operations. J Cryptogr Eng (2023). https://doi.org/10.1007/s13389-023-00335-z
DOI: https://doi.org/10.1007/s13389-023-00335-z