EM Fault Injection on ARM and RISC-V

Recently, Electro-Magnetic Fault Injection (EMFI) techniques have been found to have significant implications for the security of embedded devices. Unfortunately, there is still a lack of understanding of EM faults and countermeasures for embedded processors. For the first time, this paper empirically shows that EMFI can cause skipping/faulting of more than one instruction on a 320 MHz RISC-V processor, thus making it susceptible to a wider range of attacks. Additionally, empirical results on ARM Cortex M0 and RISC-V embedded processors show that these processors are more susceptible to EMFI at lower supply voltages and higher clock frequencies. Exception codes are also shown to be useful in understanding details of injected faults, providing further evidence that instructions have been corrupted in many cases. This research aims to enhance the understanding of faults in order to better design countermeasures for embedded processors resistant to fault injection attacks.
