Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models

Journal of Cryptographic Engineering

Abstract

Recent years have seen the emergence of fault attacks targeting modern central processing units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on characterizing electromagnetic fault injection (EMFI) on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837, where we successfully demonstrate persistent faults on the L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the memory management unit (MMU). To validate our fault model, we perform a persistent fault analysis to retrieve an AES key.

Availability of data and material & Code availability

Code used to characterize the fault will be available on the Internet (as a github repository).

Notes

  1. This implementation and the experiment data are released as open-source software (MIT License) here: https://gitlab.inria.fr/rlasherm/rpi3_fault_analysis.

  2. We set the PC value to the ic iallu instruction address in memory.

Funding

Not applicable

Author information

Corresponding author

Correspondence to Guillaume Bouffard.

Ethics declarations

Conflicts of interest

Anyone from INRIA Rennes, ANSSI or ENS Paris.

About this article

Cite this article

Trouchkine, T., Bukasa, S.K., Escouteloup, M. et al. Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models. J Cryptogr Eng 11, 353–367 (2021). https://doi.org/10.1007/s13389-021-00259-6

  • DOI: https://doi.org/10.1007/s13389-021-00259-6
