Abstract

Voltage fault injection is a powerful active side-channel attack that modifies the execution flow of a device by creating disturbances on the power supply line. The attack typically aims at skipping security checks or generating side channels that gradually leak sensitive data, including the firmware code. In this paper we propose a new voltage fault injection technique that generates fully arbitrary voltage glitch waveforms using off-the-shelf and low-cost equipment. To show the effectiveness of our setup, we present new, unpublished firmware extraction attacks on six microcontrollers from three major manufacturers, STMicroelectronics, Texas Instruments and Renesas Electronics, which in 2016 declared a market of $1.5 billion, $800 million and $2.5 billion on units sold, respectively. Among the presented attacks, the most challenging ones exploit multiple vulnerabilities and inject over one million glitches, heavily leveraging the performance and repeatability of the newly proposed technique. We perform a thorough evaluation of arbitrary glitch waveforms by comparing the attack performance against two other major V-FI techniques in the literature. Following a responsible disclosure policy, all the vulnerabilities have been reported to the manufacturers in a timely manner.

Highlights

  • Side-channel attacks are considered among the most powerful physical attacks against embedded devices and secure or specialized hardware (e.g., Field Programmable Gate Arrays (FPGAs) or ASICs)

  • Our contributions can be summarized as follows: (i) We investigate the effect of different glitch waveforms in the setting of voltage fault injection attacks and, in particular, we propose a new method for the generation of arbitrary glitch waveforms using a low-cost and software-managed setup; (ii) we report on unpublished vulnerabilities and weaknesses in six microcontrollers from three major manufacturers: STMicroelectronics, Texas Instruments and Renesas Electronics

  • In the table we indicate, for each microcontroller model: the extraction time, which is the total time required to dump the firmware of the target MCU; the total number of injected glitches during the attack; the percentage of successful faults over the total injected glitches; the time required for the genetic algorithm to search for optimal parameters used during the attack; the repeatability, i.e., the effort for reproducing the attack against a different microcontroller of the same model, loosely indicated as High or Moderate

Summary

Introduction

Side-channel attacks are considered among the most powerful physical attacks against embedded devices and secure (e.g., smartcards) or specialized hardware (e.g., FPGAs or ASICs). There exist two classes of side-channel attacks: passive and active [SMKM18]. Passive attacks exploit information that is spontaneously leaked by the device, such as power consumption [BCO04], timing information [Koc96], electromagnetic emissions [GMO01] or even acoustic emanations [BDG+10]. Optical fault injection is a powerful technique that exposes the silicon to high-intensity light sources, e.g., laser and UV, to induce errors or tamper with the data. Since this technique involves decapsulating [SA02] the chip from its package, technical expertise and specialized equipment are required. Some degree of specialized equipment, e.g., a high-precision positioning system [OGM17] or an RF amplifier, can still be necessary to conduct complex attacks.
