Hardware and software of secured embedded systems are prone to physical attacks. In particular, fault injection attacks have revealed vulnerabilities in the data and control flow that allow an attacker to break implementations of cryptographic or secured algorithms. While many research studies have concentrated on successful attacks on the data flow, only a few target the instruction flow. In this paper, we focus on electromagnetic fault injection (EMFI) on the control flow, especially on the instruction cache. We target the very widespread (smartphones, tablets, set-top boxes, health-industry monitors and sensors, etc.) ARMv7-M architecture. We describe a practical EMFI platform and present a methodology providing a high level of control and high reproducibility over fault injections. Indeed, we observe that a precise fault model occurs in up to 96% of the cases. We then characterize and exhibit this practical fault model on the cache, which has not yet been considered in the literature. We comprehensively describe its effects and show how it can be used to reproduce well-known fault attacks. Finally, we describe how it can benefit attackers to mount new powerful attacks or simplify existing ones.
Fault attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES [8] and DES [3]. Various methods of fault attack on cryptographic systems have been discovered and researched [1]. However, to the authors' knowledge, all the attacks published so far use a theoretical model of faults. In this paper we prove that we are able to reproduce experimentally the random errors model used by G. Piret and J.J. Quisquater [10] to realize a practical fault attack on a smart card embedding an AES encryptor by underpowering it. In spite of the fact that this method is a convenient fault injection technique to set up, it does not often appear in the open literature. We argue that the fault model is consistent with a setup violation: errors appear at the end of combinatorial logic cones, caused by an early sampling in the downstream registers. We also carry out an extensive characterization of the faults, in terms of spatial and temporal localization.
Abstract: Detecting hardware trojans is a difficult task in general. In this article we study hardware trojan horse insertion and detection in cryptographic intellectual property (IP) blocks. The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage. First, we show the efficiency of a medium-cost hardware trojan detection method if the placement or the routing has been redone by the foundry. It consists of a comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader. Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing either the placement or the routing of the cryptographic IP logic. On the example of an AES engine, we show that if the placement density is beyond 80%, the insertion is basically impossible. Therefore, this settles a simple design guideline to avoid trojan horse insertion in cryptographic IP blocks: have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete re-place and re-route, which is detected by mere optical imaging (and not complete chip reverse-engineering).

Index Terms: Hardware trojan horses (HTH), HTH detection and insertion, optical pictures versus GDSII comparison technique, ECO place-and-route, core utilization rate (CUR).
Abstract: This paper presents an easy-to-design Physically Unclonable Function (PUF). The proposed PUF implementation is a loop composed of N identical and controllable delay chains which are serially assembled in a loop to create a single ring oscillator. The frequency discrepancies resulting from the oscillator driven by complementary combinations of the delay chains allow one to characterize a device. The presented PUF, nicknamed the Loop PUF (LPUF), returns a frequency comparison of loops made of N delay chains (N ≥ 2). The comparisons are done sequentially on the same structure. Unlike other PUFs based on delays, there are no specific routing constraints. Hence the LPUF is particularly flexible and easy to design. The basic use of the Loop PUF is to generate intrinsic device keys for cryptographic algorithms. It can also be used to generate challenge-response pairs for simple authentication. Experiments have been carried out on CYCLONE II FPGAs to assess the performance of the LPUF, such as randomness, uniqueness and steadiness. They clearly show both the ease of design and the quality level of the LPUF. The measurement time vs. steadiness, as well as resistance against side-channel and modeling attacks, are discussed.
We introduce the class of multiply constant-weight codes to improve the reliability of certain physically unclonable function (PUF) responses. We extend classical coding methods to construct multiply constant-weight codes from known q-ary and constant-weight codes. Analogues of Johnson bounds are derived and are shown to be asymptotically tight to a constant factor under certain conditions. We also examine the rates of the multiply constant-weight codes and, interestingly, demonstrate that these rates are the same as those of constant-weight codes of suitable parameters. Asymptotic analysis of our code constructions is provided.
A physically unclonable function (PUF) is a hardware device that can generate intrinsic responses from challenges. The responses serve as unique identifiers and it is required that they be as unpredictable as possible. A loop-PUF is an architecture where n single-bit delay elements are chained. Each PUF generates a one-bit response per challenge. We model the relationship between responses and challenges in a loop-PUF using Gaussian random variables and give a closed-form expression of the total entropy of the responses. It is shown that n bits of entropy can be obtained with n challenges if and only if the challenges constitute a Hadamard code. Contrary to a previous belief, it is shown that adding more challenges results in an entropy strictly greater than n bits. A greedy code construction is provided for this purpose.
Physical attacks are a known threat posed against secure embedded systems. Notable among these is laser fault injection, which is often considered the most effective fault injection technique. Indeed, laser fault injection provides high spatial accuracy, which enables an attacker to induce bit-level faults. However, experience gained from attacking 8-bit targets might not be relevant on more advanced micro-architectures, and these attacks become increasingly challenging on 32-bit microcontrollers. In this article, we show that the flash memory area of a 32-bit microcontroller is sensitive to laser fault injection. These faults occur during the instruction fetch process, hence the stored value remains unaltered. After a thorough characterisation of the induced faults and the associated fault model, we provide detailed examples of bit-level corruption of instructions and demonstrate practical applications in compromising the security of real-life code. Based on these experimental results, we formulate a hypothesis about the underlying micro-architectural features that explain the observed fault model.