Skip to main content

Efficient Attack-Surface Exploration for Electromagnetic Fault Injection

  • Conference paper
  • First Online:
Constructive Side-Channel Analysis and Secure Design (COSADE 2023)

Abstract

Electromagnetic Fault Injection is a physical attack that aims to disrupt the operation of hardware circuits to bypass existing confidentiality and integrity protections. The success probability of the attack depends, among other things, on many different variables such as the probe used to inject the pulse, its position, the pulse intensity, and duration. The number of such parameter combinations and the stochastic nature of the induced faults make a comprehensive search of the parameter space impractical. However, it is of utmost importance for hardware circuit manufacturers to identify these vulnerability points efficiently and introduce countermeasures to mitigate them.

This work presents a methodology to efficiently identify the subregion of the attack parameter space that maximizes the occurrence of a informative fault. The idea of this work consists in applying a multidimensional bisection method and exploiting the equilibrium between a pulse that is too strong and one that is too weak to produce a disruption on the circuit’s operation. We show that such a methodology can outperform existing methods on a concrete, state-of-the-art embedded multicore platform.

D. A. E. Carta and G. Quagliarella completed this work while at Security Pattern.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Being able to skip a branch instruction could, for example, bypass security checks.

  2. 2.

    This is not a requirement as some fault-injection attacks might work even remotely (e.g., clkscrew [22] and rowhammer).

  3. 3.

    Conditions must be interpreted as sufficient as the bisection algorithm we are referring to can be applied to non-monotone functions as well by using a neighbor search.

  4. 4.

    It is an indirect stop criterion for the bisection method. The higher \(\epsilon \), the lower the bar will be set to recognize the rectangles as bracketing rectangles, and thus continue the search.

References

  1. Bachrathy, D., Stépán, G.: Bisection method in higher dimensions and the efficiency number. Periodica polytechnica. Mech. Eng. 56, 81–86 (2012). https://doi.org/10.3311/pp.me.2012-2.01

  2. Carpi, R.B., Picek, S., Batina, L., Menarini, F., Jakobovic, D., Golub, M.: Glitch it if you can: parameter search strategies for successful fault injection. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 236–252. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_16

    Chapter  Google Scholar 

  3. Cui, A., Housley, R.: BADFET: defeating modern secure boot using Second-Order pulsed electromagnetic fault injection. In: 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/woot17/workshop-program/presentation/cui

  4. Dumont, M., Lisart, M., Maurine, P.: Modeling and simulating electromagnetic fault injection. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 40(4), 680–693 (2021). https://doi.org/10.1109/TCAD.2020.3003287

    Article  Google Scholar 

  5. Dureuil, L., Potet, M.-L., de Choudens, P., Dumas, C., Clédière, J.: From code review to fault injection attacks: filling the gap using fault model inference. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 107–124. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_7

    Chapter  Google Scholar 

  6. Dutertre, J.M., Menu, A., Potin, O., Rigaud, J.B., Danger, J.L.: Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures. Microelectron. Reliability 121, 114133 (2021). https://doi.org/10.1016/j.microrel.2021.114133. https://www.sciencedirect.com/science/article/pii/S0026271421000998

  7. Wypych, G., Laurie, A.: Raiden github repository. https://github.com/IBM/raiden (2020)

  8. Gaine, C., Aboulkassimi, D., Pontié, S., Nikolovski, J.P., Dutertre, J.M.: Electromagnetic fault injection as a new forensic approach for SoCs. In: 2020 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6 (2020). https://doi.org/10.1109/WIFS49906.2020.9360902

  9. Gaine, C., Nikolovski, J.P., Aboulkassimi, D., Dutertre, J.M.: New probe design for hardware characterization by electromagnetic fault injection. In: 2022 International Symposium on Electromagnetic Compatibility - EMC Europe, pp. 299–304 (2022). https://doi.org/10.1109/EMCEurope51680.2022.9901104

  10. Hummel, T.: Exploring effects of electromagnetic fault injection on a 32-bit high speed embedded device microprocessor, Master’s thesis, University of Twente (2014)

    Google Scholar 

  11. Kühnapfel, N., Buhren, R., Jacob, H.N., Krachenfels, T., Werling, C., Seifert, J.P.: EM-fault it yourself: Building a replicable EMFI setup for desktop and server hardware. arXiv preprint arXiv:2209.09835 (2022)

  12. Machiry, A., et al.: BOOMERANG: exploiting the semantic gap in trusted execution environments. In: NDSS (2017)

    Google Scholar 

  13. Madau, M.: A methodology to localise EMFI areas on Microcontrollers, Theses, Université Montpellier (2019). https://tel.archives-ouvertes.fr/tel-02478873

  14. Maldini, A., Samwel, N., Picek, S., Batina, L.: Optimizing electromagnetic fault injection with genetic algorithms. In: Breier, J., Hou, X., Bhasin, S. (eds.) Automated Methods in Cryptographic Fault Analysis, pp. 281–300. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-11333-9_13

    Chapter  Google Scholar 

  15. Menu, A., Bhasin, S., Dutertre, J.M., Rigaud, J.B., Danger, J.L.: Precise spatio-temporal electromagnetic fault injections on data transfers. In: 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 1–8. IEEE (2019)

    Google Scholar 

  16. Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., Encrenaz, E.: Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 77–88 (2013). https://doi.org/10.1109/FDTC.2013.9

  17. NewAE: Chipshouter github repository. https://github.com/newaetech/ChipSHOUTER (2019)

  18. Omarouayache, R., Raoult, J., Jarrix, S., Chusseau, L., Maurine, P.: Magnetic Microprobe design for EM fault attack. In: EMC EUROPE: Electromagnetic Compatibility. EMC EUROPE, Bruges, Belgium (2013). https://hal.archives-ouvertes.fr/hal-01893856

  19. Ordas, S., Guillaume-Sage, L., Maurine, P.: Electromagnetic fault injection: the curse of flip-flops. J. Cryptogr. Eng. 7(3), 183–197 (2016). https://doi.org/10.1007/s13389-016-0128-3

    Article  Google Scholar 

  20. Proy, J., Heydemann, K., Berzati, A., Majéric, F., Cohen, A.: A first ISA-level characterization of em pulse effects on superscalar microarchitectures: a secure software perspective. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10 (2019)

    Google Scholar 

  21. Raelize: Qualcomm IPQ40xx: Breaking into QSEE using fault injection. https://raelize.com/blog/qualcomm-ipq40xx-breaking-into-qsee-using-fault-injection (2021)

  22. Tang, A., Sethumadhavan, S., Stolfo, S.: \(\{\)CLKSCREW\(\}\): exposing the perils of \(\{\)Security-Oblivious\(\}\) energy management. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1057–1074 (2017)

    Google Scholar 

  23. Trouchkine, T., Bouffard, G., Clédière, J.: Fault injection characterization on modern CPUs. In: Laurent, M., Giannetsos, T. (eds.) WISTP 2019. LNCS, vol. 12024, pp. 123–138. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41702-4_8

    Chapter  Google Scholar 

Download references

Acknowledgments

Funded by the European Union under grant agreement no. 101070008. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Maria Chiara Molteni .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Carta, D.A.E., Zaccaria, V., Quagliarella, G., Molteni, M.C. (2023). Efficient Attack-Surface Exploration for Electromagnetic Fault Injection. In: Kavun, E.B., Pehl, M. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2023. Lecture Notes in Computer Science, vol 13979. Springer, Cham. https://doi.org/10.1007/978-3-031-29497-6_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-29497-6_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-29496-9

  • Online ISBN: 978-3-031-29497-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics