Abstract
Body Biasing Injection (BBI) uses a voltage applied with a physical probe onto the backside of the integrated circuit die. Compared to other techniques such as electromagnetic fault injection (EMFI) or Laser Fault Injection (LFI), this technique appears less popular in academic literature based on published results. This is hypothesized to be due to (1) the moderate cost of equipment, and (2) the effort required in device preparation.
This work demonstrates that BBI (and indeed many other backside attacks) can be trivially performed on Wafer-Level Chip-Scale Packaging (WLCSP), which inherently exposes the die backside. A low-cost ($15) design for the BBI tool is introduced and validated with faults introduced on an STM32F415OG against code flow and RSA, and some initial results on various hardware block attacks are discussed.
An extended version of this paper with additional figures and details is available from https://eprint.iacr.org.
Notes
- 4. For clarity, we will use ‘topside’ to refer to the top WLCSP package surface, which is the backside of the IC wafer.
- 5. The device would also immediately get very hot...
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
O’Flynn, C. (2021). Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices. In: Liardet, PY., Mentens, N. (eds) Smart Card Research and Advanced Applications. CARDIS 2020. Lecture Notes in Computer Science, vol 12609. Springer, Cham. https://doi.org/10.1007/978-3-030-68487-7_11
DOI: https://doi.org/10.1007/978-3-030-68487-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-68486-0
Online ISBN: 978-3-030-68487-7
eBook Packages: Computer Science, Computer Science (R0)