Skip to main content
SpringerLink
Log in

Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12609))

Abstract

Body Biasing Injection (BBI) uses a voltage applied with a physical probe onto the backside of the integrated circuit die Compared to other techniques such as electromagnetic fault injection (EMFI) or Laser Fault Injection (LFI), this technique appears less popular in academic literature based on published results. It is hypothesized being due to (1) moderate cost of equipment, and (2) effort required in device preperation.

This work demonstrates that BBI (and indeed many other backside attacks) can be trivially performed on Wafer-Level Chip-Scale Packaging (WLCSP), which inherently expose the die backside. A low-cost ($15) design for the BBI tool is introduced, and validated with faults introduced on a STM32F415OG against code flow, RSA, and some initial results on various hardware block attacks are discussed.

An extended version of this paper with additional figures and details is available from https://eprint.iacr.org.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://www.eetimes.com/infineon-claims-first-industrial-grade-wlcsp-esim-chip.

  2. 2.

    https://www.nxp.com/products/security-and-authentication/authentication/plug-and-trust-the-fast-easy-way-to-deploy-secure-iot-connections:A71CH.

  3. 3.

    https://github.com/newaetech/chipwhisperer-target-cw308t/tree/master/CW308T_STM32F4_CSP.

  4. 4.

    We will use ‘topside’ to refer to the top WLCSP package surface for clarify, which is the backside of the IC wafer.

  5. 5.

    The device would also immediately get very hot...

References

  1. Abdellatif, K., Hériveaux, O.: SiliconToaster: a cheap and programmable EM injector for extracting secrets. In: Proceedings of 2020 Workshop on Fault Diagnosis and Tolerance in Cryptography (2020)

    Google Scholar 

  2. Anceau, S., Bleuet, P., Clédière, J., Maingault, L., Rainard, J., Tucoulou, R.: Nanofocused X-ray beam to reprogram secure circuits. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 175–188. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_9

    Chapter  Google Scholar 

  3. Balasch, J., Arumí, D., Manich, S.: Design and validation of a platform for electromagnetic fault injection. In: 2017 32nd Conference on Design of Circuits and Integrated Systems (DCIS), pp. 1–6, November 2017

    Google Scholar 

  4. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE 94(2), 370–382 (2006)

    Article  Google Scholar 

  5. Benchoff, B.: Photonic Reset Of The Raspberry Pi 2, February 2015. https://hackaday.com/2015/02/08/photonic-reset-of-the-raspberry-pi-2/, library Catalog: hackaday.com

  6. Beringuier-Boher, N., Lacruche, M., El-Baze, D., Dutertre, J.M., Rigaud, J.B., Maurine, P.: Body biasing injection attacks in practice. In: Proceedings of the Third Workshop on Cryptography and Security in Computing System, CS2 2016, pp. 49–54. Association for Computing Machinery, Prague, Czech Republic, January 2016

    Google Scholar 

  7. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_4

    Chapter  Google Scholar 

  8. Carpi, R.B., Picek, S., Batina, L., Menarini, F., Jakobovic, D., Golub, M.: Glitch it if you can: parameter search strategies for successful fault injection. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 236–252. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_16

    Chapter  Google Scholar 

  9. Cui, A., Housley, R.: BADFET: defeating modern secure boot using second-order pulsed electromagnetic fault injection. In: Proceedings of 11th USENIX Workshop on Offensive Technologies (WOOT 2017) (2017)

    Google Scholar 

  10. Dusart, P., Letourneux, G., Vivolo, O.: Differential fault analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45203-4_23

    Chapter  Google Scholar 

  11. Maurine, P.: Techniques for EM fault injection: equipments and experimental results. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 3–4, September 2012

    Google Scholar 

  12. Maurine, P., Tobich, K., Ordas, T., Liardet, P.Y.: Yet another fault injection technique: by forward body biasing injection, September 2012. https://hal-lirmm.ccsd.cnrs.fr/lirmm-00762035

  13. O’Flynn, C.: Fault injection using crowbars on embedded systems. Technical report 810 (2016). http://eprint.iacr.org/2016/810

  14. O’Flynn, C.: I, For One, Welcome Our New Power Analysis Overlords An Introduction to ChipWhisperer-Lint (2018)

    Google Scholar 

  15. O’Flynn, C.: MIn()imum failure: EMFI attacks against USB stacks. In: Proceedings of the 13th USENIX Conference on Offensive Technologies, WOOT 2019, p. 15. USENIX Association, Santa Clara, CA, USA, August 2019

    Google Scholar 

  16. Rodriguez, J., Baldomero, A., Montilla, V., Mujal, J.: LLFI: Lateral laser fault injection attack. In: 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 41–47, August 2019

    Google Scholar 

  17. Schlösser, A., Nedospasov, D., Krämer, J., Orlic, S., Seifert, J.-P.: Simple photonic emission analysis of AES. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 41–57. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_3

    Chapter  Google Scholar 

  18. Schmidt, J.M., Hutter, M.: Optical and EM fault-attacks on CRT-based RSA: concrete results. In: Proceedings of Austrochip 2007, 15th Austrian Workshop on Microelectronics (2007)

    Google Scholar 

  19. Selmke, B., Zinnecker, K., Koppermann, P., Miller, K., Heyszl, J., Sigl, G.: Locked out by latch-up? an empirical study on laser fault injection into arm cortex-M processors. In: 2018 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 7–14, September 2018

    Google Scholar 

  20. Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_2

    Chapter  Google Scholar 

  21. Specht, R., Heyszl, J., Kleinsteuber, M., Sigl, G.: Improving non-profiled attacks on exponentiations based on clustering and extracting leakage from multi-channel high-resolution EM measurements. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2014. LNCS, vol. 9064, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21476-4_1

    Chapter  Google Scholar 

  22. Tobich, K., Maurine, P., Liardet, P.Y., Lisart, M., Ordas, T.: Voltage spikes on the substrate to obtain timing faults. In: 2013 Euromicro Conference on Digital System Design, pp. 483–486, September 2013

    Google Scholar 

  23. van Woudenberg, J.G., Witteman, M.F., Menarini, F.: Practical Optical Fault Injection on Secure Microcontrollers. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography. pp. 91–99, September 2011

    Google Scholar 

  24. Zussa, L., Dutertre, J.M., Clediere, J., Robisson, B.: Analysis of the fault injection mechanism related to negative and positive power supply glitches using an on-chip voltmeter. In: 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 130–135, May 2014

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dalhousie University, Halifax, Canada

    Colin O’Flynn

Authors
  1. Colin O’Flynn
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Colin O’Flynn .

Editor information

Editors and Affiliations

  1. eShard, Pessac, France

    Pierre-Yvan Liardet

  2. Leiden University and KU Leuven, Leiden, The Netherlands

    Nele Mentens

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

O’Flynn, C. (2021). Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices. In: Liardet, PY., Mentens, N. (eds) Smart Card Research and Advanced Applications. CARDIS 2020. Lecture Notes in Computer Science(), vol 12609. Springer, Cham. https://doi.org/10.1007/978-3-030-68487-7_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-68487-7_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68486-0

  • Online ISBN: 978-3-030-68487-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation