An End-to-End Approach for Multi-Fault Attack Vulnerability Assessment

Abstract: Although multi-fault attacks are extremely powerful in defeating sophisticated hardware and software defences, detecting and exploiting such attacks remains a difficult problem, especially without any prior knowledge of the target. Our main contribution is an end-to-end approach for multi-fault attack vulnerability assessment We take advantage of target specific fault models rather than generic fault models to achieve complex multi-fault attacks that can lead to critical vulnerabilities. Target specific fault … Show more

“…As already suggested, the designer can focus on critical components, or adopt a divide-andconquer approach to reduce the overall complexity. Other techniques exist: in [5], the authors aim at optimizing the number of experimental injections in the case of multiple faults, but they limit their analysis at one level at a time (e.g., software simulation) to port the results at other levels (e.g., set of injection parameters). Unlike them, our approach uses layer crossing in order to explain the fault origin.…”

“…Then, they simulated faults at the application level in order to provide a so-called "vulnerability rate" for such faults. A similar approach has been followed by Werner et al [5]: the authors carried out laser fault injection along with software fault simulation. However, they focused mostly on performing multi-fault attacks rather than proposing new or more thorough fault models.…”

“…A very interesting point is also observed: using clock glitch fault injection, we were able to observe faulty behaviours which were obtained in the literature using other fault injection techniques. For example, quad-skip, which can also be described as 128-bit skip, was obtained in [8] using EM and in [5] using laser. Also, single-skip and source operand substitution were observed in [10] using EM as well, although in their experiments, they used super-scalar microarchitecture: Cortex-A9 [29].…”

“…It became an attractive research topic since the well-known Boneh et al attack [1], where they were able to break some cryptographic protocols by inducing faults into the computations. The fault injection can be performed in different ways [2]: exposing the device to radiations [3], laser beam [4,5], intense light [6] or an electromagnetic (EM) pulse [7,8,9,10], inducing variations in the power supply [11], injecting a glitch in the clock signal [12], changing the environmental conditions such as the temperature [13], etc. The resulting faults could reveal an interesting behaviour that could be further exploited as a vulnerability.…”

Cross-layer inference methodology for microarchitecture-aware fault models

“…As already suggested, the designer can focus on critical components, or adopt a divide-andconquer approach to reduce the overall complexity. Other techniques exist: in [5], the authors aim at optimizing the number of experimental injections in the case of multiple faults, but they limit their analysis at one level at a time (e.g., software simulation) to port the results at other levels (e.g., set of injection parameters). Unlike them, our approach uses layer crossing in order to explain the fault origin.…”

“…Then, they simulated faults at the application level in order to provide a so-called "vulnerability rate" for such faults. A similar approach has been followed by Werner et al [5]: the authors carried out laser fault injection along with software fault simulation. However, they focused mostly on performing multi-fault attacks rather than proposing new or more thorough fault models.…”

“…A very interesting point is also observed: using clock glitch fault injection, we were able to observe faulty behaviours which were obtained in the literature using other fault injection techniques. For example, quad-skip, which can also be described as 128-bit skip, was obtained in [8] using EM and in [5] using laser. Also, single-skip and source operand substitution were observed in [10] using EM as well, although in their experiments, they used super-scalar microarchitecture: Cortex-A9 [29].…”

“…It became an attractive research topic since the well-known Boneh et al attack [1], where they were able to break some cryptographic protocols by inducing faults into the computations. The fault injection can be performed in different ways [2]: exposing the device to radiations [3], laser beam [4,5], intense light [6] or an electromagnetic (EM) pulse [7,8,9,10], inducing variations in the power supply [11], injecting a glitch in the clock signal [12], changing the environmental conditions such as the temperature [13], etc. The resulting faults could reveal an interesting behaviour that could be further exploited as a vulnerability.…”

Cross-layer inference methodology for microarchitecture-aware fault models

“…Dureuil et al [6] tried to generalize fault models as a result of performing laser and EM injections on RAMs and Flash memories of smart cards, they then simulated faults at the application level in order to provide a so-called "vulnerability rate" for such faults. A similar approach has been followed by Werner et al [7]: the authors carried out laser fault injection along with software fault simulation. However, they focused mostly on performing multi-fault attacks rather than proposing new or more thorough fault models.…”

Microarchitecture-aware Fault Models: Experimental Evidence and Cross-Layer Inference Methodology

Fast Calibration of Fault Injection Equipment with Hyperparameter Optimization Techniques