Characterization of Electromagnetic Fault Injection on a 32-bit Microcontroller Instruction Buffer

Abstract

Electromagnetic fault injection (EMFI) is an efficient technique to alter the behavior of microcontrollers in order to extract secret informations. Compared to fault injection techniques based on laser shots, it requires less device preparation but is a priori less accurate. Indeed, the related works on EMFI gives rather imprecise information, notably concerning the fault models and the link between the configuration and the faulted instructions. We will see in this paper that it is possible to get precise fault models by characterizing the sensitivity of a 32-bit microcontroller based on Cortex-M4 under EMFI. It is notably shown that it is relatively easy to corrupt the 128-bit instruction line buffer of four 32-bit or eight 16-bit instructions before being executed. The experimental results highlight the feasibility of well known fault models by playing with electrical and spatio-temporal parameters of the EMFI setup. In particular, we demonstrate how it is possible to target a specific instruction among those contained in the instruction buffer.