Abstract
Secure-Boot is a critical security feature in modern devices based on System-on-Chips (SoC). It verifies the authenticity and integrity of code before execution, preventing the SoC from running malicious code. To the best of our knowledge, this paper presents the first bypass of an Android Secure-Boot using Electromagnetic Fault Injection (EMFI). Two hardware characterization methods are combined to conduct this experiment: a real-time Side-Channel Analysis (SCA) is used to synchronize the EMFI with the Linux Kernel authentication step of the Android Secure-Boot on a smartphone-grade SoC. This new synchronization method is called Synchronization by Frequency Detection (SFD). It is based on detecting the activation of a characteristic frequency in the target's electromagnetic emanations. In this work we present a proof-of-concept of this new triggering method. By triggering the attack upon the activation of this characteristic frequency, we successfully bypassed this security feature, effectively running Android OS with a compromised Linux Kernel, with one success every 15 min.
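As an added illustration, not the authors' code or tooling, the following Python sketch shows the core of a frequency-activation detector of the kind the abstract describes: a Goertzel filter measures power at one characteristic frequency over successive windows of a constructed EM trace and reports the first window in which that frequency switches on. The sample rate, characteristic frequency, window length, threshold and the synthetic trace are all assumed values; a device evaluator can run the same detector over real captures to judge whether a boot stage exposes a distinguishable spectral signature that would need to be masked or randomized.

```python
import math
import random

# Assumed acquisition parameters (constructed for this illustration).
SAMPLE_RATE = 1_000_000   # samples per second
TARGET_HZ = 100_000       # characteristic frequency to watch for
WINDOW = 250              # samples per analysis window (250 us at 1 MS/s)
THRESHOLD = 100.0         # band-power level that counts as "frequency active"


def goertzel_power(samples, sample_rate, target_hz):
    """Power of one frequency bin over `samples` (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    # |X[k]|^2 from the final two filter states
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_onset(trace, sample_rate=SAMPLE_RATE, target_hz=TARGET_HZ,
                 window=WINDOW, threshold=THRESHOLD):
    """Index of the first window whose band power exceeds `threshold`, else None."""
    for start in range(0, len(trace) - window + 1, window):
        if goertzel_power(trace[start:start + window], sample_rate, target_hz) > threshold:
            return start
    return None


def make_trace(onset, length, amplitude=0.5, noise=0.05, seed=1):
    """Constructed trace: Gaussian noise, plus a sinusoid at TARGET_HZ from `onset` on."""
    rng = random.Random(seed)
    trace = []
    for i in range(length):
        x = rng.gauss(0.0, noise)
        if i >= onset:
            x += amplitude * math.sin(2.0 * math.pi * TARGET_HZ * i / SAMPLE_RATE)
        trace.append(x)
    return trace


# Constructed sample input: quiet for 1250 samples, then the characteristic tone appears.
TRACE = make_trace(onset=1250, length=3000)

if __name__ == "__main__":
    idx = detect_onset(TRACE)
    print(f"characteristic frequency detected at sample {idx} ({idx / SAMPLE_RATE * 1e6:.0f} us)")
```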
Notes
1. This method is partially inspired by https://github.com/bolek42/rsa-sdr, which is an offline synchronization method to align SCA traces.
2. HackRF One: https://greatscottgadgets.com/hackrf/one/.
3. HackRF One, CPLD patch: https://github.com/simonpontie/hackrf_cpld_patch/.
4. See “ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition”.
5.
Acknowledgment
The experiments were done on the Micro-PackS™ platform in the context of EXFILES, an H2020 project funded by the European Commission (No. 88315).
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Fanjas, C., Gaine, C., Aboulkassimi, D., Pontié, S., Potin, O. (2023). Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing. In: Buhan, I., Schneider, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2022. Lecture Notes in Computer Science, vol 13820. Springer, Cham. https://doi.org/10.1007/978-3-031-25319-5_2
DOI: https://doi.org/10.1007/978-3-031-25319-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25318-8
Online ISBN: 978-3-031-25319-5
eBook Packages: Computer Science, Computer Science (R0)