From physical stresses

to timing constraints violation

•ZUSSA Loïc,

•DUTERTRE Jean-Max,

•CLEDIERE Jessy,

•TRIA Assia

Research subject

• Characterization and analysis of common fault

injection mechanism

2

Today’s subject

• Power glitches as a fault injection mechanism

Analysis and practice

Agenda

• Timing constraints of synchronous digital IC

• Static stresses (global effect)

• Transient stresses

• Conclusion

3

4

D Q D Q

Logic

clk

data 1 1 1

1

Dffi Dffi+1

DclkQ

DpMax

Tclk + Tskew - su

data required time = Tclk + Tskew - su

data arrival time = DclkQ + DpMax

Tclk > DclkQ + DpMax - Tskew + su

Upstream Downstream

How to inject faults through timing constraints

violation?

• Overclocking: (Frequency increase, i.e. period decrease)

5

Tclk < DclkQ + DpMax - Tskew +su

• Underpowering or overheating: (Propagation time increase)

Tclk < DclkQ + DpMax - Tskew +su

Target

• Platform: FPGA Spartan 3A

• Algorithm: AES 128 bit none-secure implementation

• Frequency: 100 MHz

• Power supply: 1.2V

6

Experimental proof

Common fault injection means

• Clock stress (overclocking)

• Power stress (underpowering)

• Overheating

7

A common mechanism !

Timing constraints

violations.

• 10,000 input dataset

• Critical path faulted

DCIS 2012 - Investigation of timing constraints violation as a fault injection means.

Transient perturbations

• Clock glitch

• Power supply glitch

8

Questions

• Injection mechanism? Timing violation?

• Achievable resolution?

Clock glitch

9

Glitchy clk

Tclk - T

• 35ps resolution

• Global effect

• Timing constraints violation (obvious)

• A tool for critical time measurement

• Used to build a template/reference library

To be compared.

Power glitch: Ideal

10

Power glitch: Ideal

11

Power glitch: capacitances

12

10ns

80ns

Power glitch: impedance adaptation

13

10ns

40ns

Power glitch: capacitances

14

10ns

40ns

10ns

100ns

15-20ns

15

Spartan 3A

Power glitch: impedance adaptation

16

Power glitch

17

1,2V

1V

Power glitch

• Target a specific

round but also affect

the neighboring

rounds

18

1,2V

1V

Power glitch

• Target a specific

round but also affect

the neighboring

rounds

19

1,2V

1V

• Global offset must be

added.

Power glitch

• When a specific

round is targeted.

• Monobit fault during

the targeted round

90% of the time.

20

1,2V

1V

Power glitch

• When a specific

round is targeted.

• Monobit fault during

the targeted round

80% of the time.

21

1,2V

1V

Power glitch

BUT 20% of the time

the fault appear during a

neighboring round.

22

1,2V

1V

• Analysis of injected faults:

70% identical to clock glitch injection

20% neighboring rounds

10% the second most critical path of the round

• Conclusion: Clock and power glitch induced faults are due

to timing constraints violation

• >90% single-bit fault

Power glitch

23

Power glitch

A spatial effect component? Linked to voltage transient propagation

through the power supply grid

24

• Analysis of injected faults:

70% identical to clock glitch injection

20% neighboring rounds

10% the second most critical path of the round

• Conclusion: Clock and power glitch induced faults are due

to timing constraints violation

• >90% single-bit fault

25

Most Critical Path (MCP)

26

D Q CLK 1

1 1 MCP

D Q 1

clk

clk_rtd

10ns

9ns (MCP)

clk_rtd

+ stress

9ns + stress

Nominal Stressed

1

0

0

1

clk

+ glitch

clk_rtd

+ glitch

10ns

10ns + ∆T 10ns - ∆T

DpMax increasing ≡ Tclk decreasing

Clock glitch

FPGA

27

Fpga : spartan 3A

1,2Volt

100MHz

+ AES

FSM RS-232

AES

CM

+ Countermeasure

28

1 : detection zone

2 : faulted zone

(bit 64 / round 2) 2

1