Abstract
Security is increasingly widespread in many embedded devices. As technology scales, fault attacks are seen as becoming more relevant to many embedded devices, revealing secrets utilized within the silicon. Despite numerous publications in fault injection, laser fault injection methodologies remain diverse with limited details on equipment and setups. A new laser fault injection methodology is proposed which combines quiescent photon emissions with backside dynamic laser pulse profiling in time and space. Empirical results illustrate the impact of the laser on multiple-instruction fault injections, and controlled instruction replacement faults. Unlike previous research, quiescent photon emissions combined with laser fault injection provides fine tuning of faulty instructions in addition to reverse engineering within each clock cycle. This research is critical for understanding how to design more secure and trustworthy hardware, including countermeasures to thwart attacks.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Fleming B (2011) Microcontroller units in automobiles [automotive electronics]. IEEE Veh Technol Mag 6 (3):4–8
Tajik S, Lohrke H, Ganji F, Seifert J, Boit C (2015) Laser fault attack on physically unclonable functions. In: 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp 85–96
Moro N, Heydemann K, Encrenaz E, Robisson B (2014) Formal verification of a software countermeasure against instruction skip attacks. J Cryptogr Eng 4(3):145–156. https://doi.org/10.1007/s13389-014-0077-7
Kumar SVD, Patranabis S, Breier J, Mukhopadhyay D, Bhasin S, Chattopadhyay A, Baksi A (2017) A practical fault attack on arx-like ciphers with a case study on ChaCha20. In: 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp 33–40
Amin K, Gebotys C, Faraj M, Liao H (2019) Analysis of dynamic laser injection and quiescent photon emissions on an embedded processor. In: PAINE International Conference on Physical Assurance and Inspection of Electronics
Skorobogatov SP, Anderson RJ (2003) Optical fault induction attacks. International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002) 2523:2–12
Darracq F, Beauchene T, Pouget V, Lapuyade H, Lewis D, Fouillat P, Touboul A (2002) Single-event sensitivity of a single SRAM cell. IEEE Trans Nucl Sci 49(3):1486–1490
Barenghi A, Breveglieri L, Koren I, Naccache D (2012) Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc IEEE 100(11):3056–3076
Schellenberg F, Finkeldey M, Gerhardt N, Hofmann M, Moradi A, Paar C (2016) Large laser spots and fault sensitivity analysis. In: 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp 203–208
Dutertre J, Beroulle V, Candelier P, De Castro S, Faber L, Flottes M, Gendrier P, Hély D, Leveugle R, Maistri P, Di Natale G, Papadimitriou A, Rouzeyre B (2018) Laser fault injection at the CMOS 28 nm technology node: an analysis of the fault model. In: 2018 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp 1–6
Breier J, Jap D, Chen C-N (2015) Laser profiling for the back-side fault attacks: with a practical laser skip instruction attack on AES. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security, ser. CPSS ’15. ACM, New York, pp 99–103. https://doi.org/10.1145/2732198.2732206
Courbon F, Fournier JJA, Loubet-Moundi P, Tria A (2015) Combining image processing and laser fault injections for characterizing a hardware AES. IEEE Trans Comput-Aided Des Integr Circ Syst 34(6):928–936
Korak T (2013) Investigation of parameters influencing the success of optical fault attacks. In: Foundations and Practice of Security - 6th International Symposium, FPS 2013, La Rochelle, France, October 21-22, 2013, Revised Selected Papers, pp. 140–157. [Online]. Available: https://doi.org/10.1007/978-3-319-05302-8_9
Vasselle A, Thiebeauld H, Maouhoub Q, Morisset A, Ermeneux S (2017) Laser-induced fault injection on smartphone bypassing the secure boot. In: 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp 41–48
Roscian C, Sarafianos A, Dutertre JM, Tria A (2013) Fault model analysis of laser-induced faults in SRAM memory cells. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp 89–98
“PIC16F687 datasheet.” [Online]. Available: http://ww1.microchip.com/downloads/en/DeviceDoc/40001262F.pdf
Faraj M, Gebotys C (2018) Quiescent photonics side channel analysis: low cost SRAM readout attack. In: Kangacrypt, Australian Workshop on Offensive Cryptography
“Rohde & Schwarz, H field probe RS H 2.5-2.” [Online]. Available: https://scdn.rohde-schwarz.com/ur/pws/dl_downloads/dl_common_library/dl_brochures_and_datasheets/pdf_1/service_support_30/HZ-15_16_17_bro_en_5213-6687-12_v0100.pdf
“PICmicro Mid-Range MCU Family Reference Manual - Microchip.” [Online]. Available: http://ww1.microchip.com/downloads/en/devicedoc/33023a.pdf
Giraud C (2005) DFA on AES. In: Proceedings of the 4th International Conference on Advanced Encryption Standard, ser. AES’04. Bonn, Springer, pp 27–41. https://doi.org/10.1007/11506447_4
Acknowledgments
The authors would like to thank Prof. Donna Strickland for her valuable insights on various laser measurements.
Funding
This study was financially supported in part by grants from NSERC and XtremeEDA Corp.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Amin, K., Gebotys, C., Faraj, M. et al. Analysis of Dynamic Laser Injection and Quiescent Photon Emissions on an Embedded Processor. J Hardw Syst Secur 4, 55–67 (2020). https://doi.org/10.1007/s41635-020-00090-1
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s41635-020-00090-1