EM Injection : Fault Model and Locality
Transcript of EM Injection : Fault Model and Locality
EM INJECTION : FAULT MODEL AND LOCALITY S. Ordas𝟏 , L. Guillaume−Sage𝟏, P. 𝐌𝐚𝐮𝐫𝐢𝐧𝐞𝟏,𝟐
𝟏 LIRMM
𝟐 CEA-TECH
STATE OF THE ART
J.J. Quisquater, D. Samyde : Eddy current for Magnetic Analysis with Active Sensor
2
J.-M. Schmidt, M. Hutter : Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results
A. Alaeldine, T. Ordas, R. Perdriau, P. Maurine, M. Ramdani, L. Torres, M. Drissi Assessment of the Immunity of Unshielded Multicore Integrated Circuits to Near Field Injection
F. Poucheret, M. Lisart, L. Chusseau, B. Robisson, P. Maurine Local and Direct EM Injection of Power Into CMOS Integrated Circuits
P. Bayon, L. Bossuet, V. Fischer, F. Poucheret, B. Robisson, P. Maurine Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
2002
2007
2009
2011
2012
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART
J.-M. Schmidt, M. Hutter : Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results
3
A. Alaeldine, T. Ordas, R. Perdriau, P. Maurine, M. Ramdani, L. Torres, M. Drissi Assessment of the Immunity of Unshielded Multicore Integrated Circuits to Near Field Injection
F. Poucheret, M. Lisart, L. Chusseau, B. Robisson, P. Maurine Local and Direct EM Injection of Power Into CMOS Integrated Circuits
P. Bayon, L. Bossuet, V. Fischer, F. Poucheret, B. Robisson, P. Maurine Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
EM injection allows disrupting the behavior of embedded memories 2002
2007
2009
2011
2012
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART
A. Alaeldine, T. Ordas, R. Perdriau, P. Maurine, M. Ramdani, L. Torres, M. Drissi Assessment of the Immunity of Unshielded Multicore Integrated Circuits to Near Field Injection
4
F. Poucheret, M. Lisart, L. Chusseau, B. Robisson, P. Maurine Local and Direct EM Injection of Power Into CMOS Integrated Circuits
P. Bayon, L. Bossuet, V. Fischer, F. Poucheret, B. Robisson, P. Maurine Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
2002
2007
2009
2011
2012
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART
F. Poucheret, M. Lisart, L. Chusseau, B. Robisson, P. Maurine Local and Direct EM Injection of Power Into CMOS Integrated Circuits
5
P. Bayon, L. Bossuet, V. Fischer, F. Poucheret, B. Robisson, P. Maurine Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
Harmonic EM Injection modifies the propagation delays of logical paths
2002
2007
2009
2011
2012
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART
P. Bayon, L. Bossuet, V. Fischer, F. Poucheret, B. Robisson, P. Maurine Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator
6 STATE OF THE ART
6
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
Harmonic EM Injection modifies the propagation delays of logical paths
Harmonic EM Injection modifies the oscillating Frequency of an internal clock generator
2002
2007
2009
2011
2012
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART 7
A. Dehbaoui, J-M. Dutertre, P. Orsatelli, P. Maurine, A. Tria Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system
A. Dehbaoui, J-M Dutertre, B. Robisson, A.Tria Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
Harmonic EM Injection modifies the propagation delays of logical paths
Harmonic EM Injection modifies the oscillating Frequency of an internal clock generator
2002
2007
2009
2011
2012
Harmonic EM Injection modifies the behavior or RO based TRNG (phase locking)
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
STATE OF THE ART
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
Harmonic EM Injection modifies the propagation delays of logical paths
Harmonic EM Injection modifies the oscillating Frequency of an internal clock generator
2002
2007
2009
2011
2012
Harmonic EM Injection modifies the behavior or RO based TRNG (phase locking)
EM pulse Injection produces timing faults during the course of hardware cryptographic modules
EM pulse Injection produces timing faults during the course of hardware and software …
2014 S. Ordas,L. Guillaume-Sage, K. Tobich, J-M. Dutertre, P. Maurine Evidence of a larger EM-induced fault model
8
STATE OF THE ART
EM injection allows disrupting the behavior of embedded memories
EM injection allows disrupting the course of a RSA algorithm
Harmonic EM Injection modifies the propagation delays of logical paths
Harmonic EM Injection modifies the oscillating Frequency of an internal clock generator
2002
2007
2009
2011
2012
Harmonic EM Injection modifies the behavior or RO based TRNG (phase locking)
EM pulse Injection produces timing faults during the course of hardware cryptographic modules
EM pulse Injection produces timing faults during the course of hardware and software …
9
2014 EM pulse Injection produces bitsets and bitresets
CONCLUSION OF OUR PREVIOUS PAPER
1. Polarity of EM injection is important
2. EM injection has a local effect
3. EM injection induce bitsets and bitresets
4. Pulse must have a high voltage to produce bitset and
bitreset
What kind of faults appears on an operating
circuit?
10
TIMING FAULTS MODEL
Data D1
CLK
LOGIC CLK
Q1 D2 Q2
CLK
Timing constraint :
TCLK→𝑄1+ T𝑄1→𝐷2
< TCLK − Tskew − TSetup
EM Injection induces Setup time constraint violations
11
T𝑄1→𝐷2
TCLK→𝑄1
EM Injection Platform: overview
3-axes vision system 3-axes positioning system Oscilloscope Pulse generator Hand made injection probes a laptop
12
HAND MADE INJECTION PROBES 13
Concentrate the magnetic flux on a reduced
area of the IC surface using concentric field
lines
Directionnal Directionnal
Magnetic flux is spread over a large
surface
EXPERIMENTATION ON AN OPERATING CIRCUIT
Fpga Xilinx Spartan 3
Vdd= 1.2V
Frequency : 100MHz (generated by DCM)
Cartography step : 200µm
Vpulse = 44V << 110V
Hand made probe
100 shoots per position
FSM + Registers
DCM
RS232
AES
To evaluate if some areas of the system are more sensitive to EM pulsed than others
14
LOCALITY OF THE EM INJECTION
AES
FSM + Registers
RS232
DCM
AES
FSM + Registers
RS232
DCM
AES
FSM + Register
RS232
DCM
bad ciphering
bad ciphering
no-response
Crescent injector
flathead injector
15
LOCALITY OF EACH BYTE FAULTED
Byte n°1 Byte n°2 Byte n°3 Byte n°4
Byte n°5 Byte n°6 Byte n°7 Byte n°8
Byte n°9 Byte n°10 Byte n°11 Byte n°12
Byte n°16 Byte n°15 Byte n°14 Byte n°13
16
AES
EXPERIMENTATION ON AN OPERATING CIRCUIT
Fpga Xilinx Spartan 3
Vdd= 1,2V
Frequency : 100MHz (generated by DCM)
Vpulse = 44V << 110V
Hand made probe
Moment of the injection varies for covering all the ciphering
FSM + Registers
DCM
RS232
AES
To evaluate if some moments of the AES calculus are more sensitive to EM pulsed than others
EM probe
17
LOCALIZATION IN TIME OF THE FAULTS
tpulse (ns)
EM in
ject
ion
n°
…
4 to 8 faulted bytes 12 to 16 faulted bytes 2 to 3 faulted bytes
10ns
10ns
10ns
6ns
6ns
Frequency dependence?
18
𝐹𝐶𝐿𝐾 = 100𝑀𝐻𝑧 𝑇𝐶𝐿𝐾 = 10ns
FREQUENCY DEPENDENCE? P
rob
abili
ty (
%)
of
a fa
ult
ed
re
spo
nse
Frequency CLK =25MHz
Frequency CLK =50MHz
Frequency CLK =100MHz
40ns
20ns
10ns
6ns
6ns
6ns
tpulse (ns)
tpulse (ns)
tpulse (ns)
34ns
14ns
4ns
No frequency dependence Faults are not timing faults
19
𝑇𝐶𝐿𝐾 = 40ns
𝑇𝐶𝐿𝐾 = 20ns
𝑇𝐶𝐿𝐾 = 10ns
EXPERIMENT VALIDATION ON MICRO-CONTROLLER
Experiment realized on an AES hardware
Frequency of the CLK : 120MHz P
rob
abili
ty t
o o
bse
rve
a f
ault
ed
re
spo
nse
tpulse (ns)
Vpulse = 120V Vpulse = 160V Vpulse = 190V
8th round
9th round
10th round
8.3ns
2.9ns 4.25ns
20
XXXXXX XXXXXXXXXXXXX
OPERATING CIRCUIT
CK
XXXXXXXXXXXXX D
ts ts+thold ts-tsetup
Data D1
CLK
LOGIC CLK
Q1 D2 Q2
CLK
D
21
: Stability window
: Processing window
FAULT MODEL
Sampling faults Disrupt an input signal of the DFF (CLK, Data ,Reset, Set)
Disrupt during the stability window (tsetup+thold around rising clock edges)
22
XXXXXX XXXXXXXXXXXXX
CK
XXXXXXXXXXXXX D D
ts ts+thold ts-tsetup
EM susceptibility
+ +
: Bitset or bitreset produced
: Sampling fault produced
𝑉𝐻𝑖𝑔ℎ
𝑉𝐿𝑜𝑤
𝐻𝑖𝑔ℎ
𝐿𝑜𝑤
EM power
: Stability window
: Processing window
CONCLUSION 23
1. EM injection has a local effect
2. EM injection may induces bitsets and bitresets
3. EM injection do not produce timing faults
4. EM injection easily disrupts the switching of DFF
5. Define a fault model for EM Injection (the sampling
fault model)
Thank you for your attention
Questions?