Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing

  • Conference paper
Smart Card Research and Advanced Applications (CARDIS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13820)

Abstract

Secure-Boot is a critical security feature in modern devices based on System-on-Chips (SoCs). It ensures the authenticity and integrity of code before its execution, preventing the SoC from running malicious code. To the best of our knowledge, this paper presents the first bypass of an Android Secure-Boot using Electromagnetic Fault Injection (EMFI). Two hardware characterization methods are combined to conduct this experiment. A real-time Side-Channel Analysis (SCA) is used to synchronize an EMFI with the Linux Kernel authentication step of the Android Secure-Boot of a smartphone-grade SoC. This new synchronization method is called Synchronization by Frequency Detection (SFD). It is based on detecting the activation of a characteristic frequency in the target's electromagnetic emanations. In this work we present a proof-of-concept of this new triggering method. By triggering the attack upon the activation of this characteristic frequency, we successfully bypassed this security feature, effectively running Android OS with a compromised Linux Kernel, with one success every 15 min.

Notes

  1. This method is partially inspired by https://github.com/bolek42/rsa-sdr, which is an offline synchronization method to align SCA traces.

  2. HackRF One: https://greatscottgadgets.com/hackrf/one/.

  3. HackRF One, CPLD patch: https://github.com/simonpontie/hackrf_cpld_patch/.

  4. See “ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition”.

  5. https://riscureprodstorage.blob.core.windows.net/production/2017/07/transceiver_datasheet.pdf.

Acknowledgment

The experiments were done on the Micro-PackS™ platform in the context of EXFILES, an H2020 project funded by the European Commission (No. 88315).

Correspondence to Clément Fanjas.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Fanjas, C., Gaine, C., Aboulkassimi, D., Pontié, S., Potin, O. (2023). Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing. In: Buhan, I., Schneider, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2022. Lecture Notes in Computer Science, vol 13820. Springer, Cham. https://doi.org/10.1007/978-3-031-25319-5_2

  • DOI: https://doi.org/10.1007/978-3-031-25319-5_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25318-8

  • Online ISBN: 978-3-031-25319-5

  • eBook Packages: Computer Science (R0)
