Design Considerations for EM Pulse Fault Injection

Abstract

Electromagnetic-fault injection (EM-FI) setups are appealing since they can be made at a low cost, achieve relatively high spatial resolutions, and avoid the need of tampering with the PCB or packaging of the target. In this paper we first sketch the importance of understanding the pulse characteristics of a pulse injection setup in order to successfully mount an attack. We then look into the different components that make up an EM-pulse setup and demonstrate their impact on the pulse shape. The different components are then assembled to form an EM-pulse injection setup. The effectiveness of the setup and how different design decisions impact the outcome of a fault injection campaign are demonstrated on a 32-bit ARM microcontroller.

Appendices

A The RLC Circuit

By applying Kirchhoff’s law to the RLC loop from Fig. 2 we obtain the following equation:

$$\begin{aligned} \frac{d^2I}{dt^2} + \frac{R}{L}\frac{dI}{dt} +\frac{I}{LC} = 0, \end{aligned}$$

(3)

Solving this equation yields three possible solutions depending on whether the circuit is critically damped (Eq. 4), underdamped (Eq. 5) or overdamped (Eqs. 7 and 8).

$$\begin{aligned} I = \frac{V_0}{L}t\exp {\left( -\frac{R}{2L}t\right) } \end{aligned}$$

(4)

$$\begin{aligned} I = \frac{V_0}{L\omega _d}\sin (\omega _dt)\exp {\left( -\frac{R}{2L}t\right) } \end{aligned}$$

(5)

$$\begin{aligned} \omega _d = \sqrt{\frac{1}{LC}-\frac{R^2}{4L^2}} \end{aligned}$$

(6)

$$\begin{aligned} I = \frac{V_0}{(s_1 - s_2)L}\left[ \exp {\left( s_1t\right) }-\exp {\left( s_2t\right) } \right] \end{aligned}$$

(7)

$$\begin{aligned} s_1,s_2 = -\frac{R}{2L} \pm \sqrt{\left( \frac{R}{2L}\right) ^2-\frac{1}{LC}} \end{aligned}$$

(8)

The solutions to the simple series RLC circuit can be found in nearly every physics textbook, see for instance [6].

B EM-Pulse Injection Circuit - Schematic

See Fig. 14.

Fig. 14.

EM-pulse injector schematic.