Abstract
Fault attacks are traditionally considered under a threat model that assumes the device under test is in the possession of the attacker. We propose a variation on this model. In our model, the attacker integrates a fault injection circuit into a malicious field-replaceable unit, or FRU, which is later placed by the victim in close proximity to their own device. Examples of devices which incorporate FRUs include interface cards in routers, touch screens and sensor assemblies in mobile phones, ink cartridges in printers, batteries in health sensors, and so on. FRUs are often installed by after-market repair technicians without properly verifying their authenticity, and previous works have shown they can be used as vectors for various attacks on the privacy and integrity of smart devices. We design and implement a low-cost fault injection circuit suitable for placement inside a malicious FRU, and show how it can be used to practically extract secrets from a privileged system process through a combined hardware-software approach, even if the attacker software application only has user-level permissions. Our prototype produces highly effective and repeatable attacks, despite its cost being several orders of magnitude less than that of commonly used fault injection analysis lab setups. This threat model allows fault attacks to be carried out remotely, even if the device under test is in the hands of the victim. Considered together with recent advances in software-only fault attacks, we argue that resistance to fault attacks should be built into additional classes of devices.
Highlights
Fault injection attacks (FIA) are physical interventions that exploit the circuit’s direct implementation [1]
Our work considers a new form of third-order attacks, which do not rely on data exchange between the fieldreplaceable units (FRUs) and the device at all, but instead exploit its physical proximity to launch fault injection attacks
We propose a new attack model for fault attacks, in which the adversary triggers a fault on the device under test (DUT) using a malicious FRU
Summary
Fault injection attacks (FIA) are physical interventions that exploit the circuit’s direct implementation [1]. While fault attacks are known to be much more effective than software-only attacks in their ability to corrupt a device’s ordinary execution flow [4], setting up an environment for injecting transient faults is a complex process, which includes the usage of expensive equipment such as oscilloscopes, XYZ stages, high-end pulse generators and amplifiers [5,6,7]. Defense from these attacks was considered out of scope for many devices that are not expected to be subjected to such intensive physical intervention. Our work considers a new form of third-order attacks, which do not rely on data exchange between the FRU and the device at all, but instead exploit its physical proximity to launch fault injection attacks
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
