Physical Fault Injection and Side-Channel Attacks on Mobile Devices: A Comprehensive Survey

Author affiliations: (a) Information Security Group, Royal Holloway, University of London, Egham, Surrey, United Kingdom; (b) Netherlands Forensic Institute, The Netherlands; (c) Equipe Commune CEA Tech – Mines Saint-Etienne, CEA Tech, Centre CMP, Gardanne, France; (d) French National Gendarmerie Research Center (CREOGN), France; (e) Institut de Recherche Criminelle de la Gendarmerie Nationale, France; (f) École Normale Supérieure, Paris, France

[1] David Naccache et al. Forensic smartphone analysis using adhesives: Transplantation of Package on Package components, 2018.

[2] N. Asokan et al. The Untapped Potential of Trusted Execution Environments on Mobile Devices, 2013, IEEE Security & Privacy.

[3] Breaking Mobile Firmware Encryption through Near-Field Side-Channel Analysis, 2019, ASHES@CCS.

[4] Niek Timmers et al. Escalating Privileges in Linux Using Voltage Fault Injection, 2017, 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[5] David Naccache et al. When Clocks Fail: On Critical Paths and Clock Faults, 2010, CARDIS.

[6] Catherine H. Gebotys et al. EM Fault Injection on ARM and RISC-V, 2020, 2020 21st International Symposium on Quality Electronic Design (ISQED).

[7] Jean-Max Dutertre et al. Comparison of side-channel leakage on Rich and Trusted Execution Environments, 2019, Proceedings of the Sixth Workshop on Cryptography and Security in Computing Systems.

[8] Frederik Vercauteren et al. A Fault Attack on Pairing-Based Cryptography, 2006, IEEE Transactions on Computers.

[9] Elena Dubrova et al. Far Field EM Side-Channel Attack on AES Using Deep Learning, 2020, IACR Cryptol. ePrint Arch.

[10] Flavio D. Garcia et al. Plundervolt: Software-based Fault Injection Attacks against Intel SGX, 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[11] Robert Könighofer et al. A Fast and Cache-Timing Resistant Implementation of the AES, 2008, CT-RSA.

[12] Nhien-An Le-Khac et al. A Survey of Electromagnetic Side-Channel Attacks and Discussion on their Case-Progressing Potential for Digital Forensics, 2019, Digit. Investig.

[13] Jean-Louis Lanet et al. How TrustZone Could Be Bypassed: Side-Channel Attacks on a Modern System-on-Chip, 2017, WISTP.

[14] Eli Biham et al. Differential Fault Analysis of Secret Key Cryptosystems, 1997, CRYPTO.

[15] Tim Güneysu et al. Applications of machine learning techniques in side-channel attacks: a survey, 2019, Journal of Cryptographic Engineering.

[16] Stefan Mangard et al. Power analysis attacks - revealing the secrets of smart cards, 2007.

[17] Ingrid Verbauwhede et al. DPA, Bitslicing and Masking at 1 GHz, 2015, IACR Cryptol. ePrint Arch.

[18] Georg Sigl et al. Side Channel Attacks on Smartphones and Embedded Devices Using Standard Radio Equipment, 2015, COSADE.

[19] Gerhard P. Hancke et al. Attacking smart card systems: Theory and practice, 2009, Inf. Secur. Tech. Rep.

[20] Nuno Santos et al. ARM TrustZone for Secure Image Processing on the Cloud, 2016, 2016 IEEE 35th Symposium on Reliable Distributed Systems Workshops (SRDSW).

[21] P. Rohatgi et al. Mobile Device Security: The case for side channel resistance, 2012.

[22] Yongqiang Lyu et al. VoltJockey: Breaking SGX by Software-Controlled Voltage-Induced Hardware Faults, 2019, 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST).

[23] Flavio D. Garcia et al. VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface, 2021, USENIX Security Symposium.

[24] Sylvain Guilley et al. Detecting Failures and Attacks via Digital Sensors, 2021, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[25] David Naccache et al. Electrically conductive adhesives, thermally conductive adhesives and UV adhesives in data extraction forensics, 2017, Digit. Investig.

[26] Jean-Pierre Seifert et al. A Practical Second-Order Fault Attack against a Real-World Pairing Implementation, 2014, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[27] Damien Sauveron et al. Secure and Trusted Execution: Past, Present, and Future - A Critical Review in the Context of the Internet of Things and Cyber-Physical Systems, 2016, 2016 IEEE Trustcom/BigDataSE/ISPA.

[28] Amir Moradi et al. Lightweight Cryptography and DPA Countermeasures: A Survey, 2010, Financial Cryptography Workshops.

[29] Ludger Hemme et al. A Differential Fault Attack Against Early Rounds of (Triple-)DES, 2004, CHES.

[30] Dick James et al. The State-of-the-Art in IC Reverse Engineering, 2009, CHES.

[31] Thomas P. Hayes et al. Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers, 2018, CCS.

[32] Axel Legay et al. On the Performance of Convolutional Neural Networks for Side-Channel Analysis, 2018, SPACE.

[33] Yuval Yarom et al. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels, 2016, IACR Cryptol. ePrint Arch.

[34] Adèle Morisset et al. Laser-Induced Fault Injection on Smartphone Bypassing the Secure Boot, 2017, 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[35] Mehdi Baradaran Tahoori et al. Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices, 2019, IACR Trans. Cryptogr. Hardw. Embed. Syst.

[36] Cécile Canovas et al. Study of Deep Learning Techniques for Side-Channel Analysis and Introduction to ASCAD Database, 2018, IACR Cryptol. ePrint Arch.

[37] Annelie Heuser et al. Intelligent Machine Homicide - Breaking Cryptographic Devices Using Support Vector Machines, 2012, COSADE.

[38] J. Felba. Thermally conductive adhesives in electronics, 2011.

[39] Ingrid Verbauwhede et al. An In-depth and Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs, 2011, 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[40] Thomas S. Messerges et al. Investigations of Power Analysis Attacks on Smartcards, 1999, Smartcard.

[41] Dengguo Feng et al. Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing, 2005, IACR Cryptol. ePrint Arch.

[42] Michael Hutter et al. Side-Channel Leakage across Borders, 2010, CARDIS.

[43] Amine Dehbaoui et al. Electromagnetic Glitch on the AES Round Counter, 2013, COSADE.

[44] Nicolas Christin et al. All Your Droid Are Belong to Us: A Survey of Current Android Attacks, 2011, WOOT.

[45] Konstantinos Markantonakis et al. Remote Credential Management with Mutual Attestation for Trusted Execution Environments, 2018, WISTP.

[46] Domenic Forte et al. Power-based Side-Channel Instruction-level Disassembler, 2018, 2018 55th ACM/ESDA/IEEE Design Automation Conference (DAC).

[47] Jean-Luc Danger et al. Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers, 2019, 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[48] Huanyu Wang et al. Side-Channel Analysis of AES Based on Deep Learning, 2019.

[49] Marc Joye et al. Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis, 2000, IEEE Trans. Computers.

[50] Jean-Jacques Quisquater et al. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD, 2003, CHES.

[51] Ilia Polian et al. Precise fault-injections using voltage and temperature manipulation for differential cryptanalysis, 2014, 2014 IEEE 20th International On-Line Testing Symposium (IOLTS).

[52] Salvatore J. Stolfo et al. CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management, 2017, USENIX Security Symposium.

[53] Guoqing Xu et al. Heavy-Ion Microbeam Fault Injection into SRAM-Based FPGA Implementations of Cryptographic Circuits, 2015, IEEE Transactions on Nuclear Science.

[54] Bruno Robisson et al. ElectroMagnetic analysis (EMA) of software AES on Java mobile phones, 2011, 2011 IEEE International Workshop on Information Forensics and Security.

[55] Ang Cui et al. BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection, 2017, WOOT.

[56] Marc F. Witteman et al. Controlling PC on ARM Using Fault Injection, 2016, 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[57] Dirmanto Jap et al. A survey of the state-of-the-art fault attacks, 2014, 2014 International Symposium on Integrated Circuits (ISIC).

[58] Prabhat Mishra et al. A Survey of Side-Channel Attacks on Caches and Countermeasures, 2017, Journal of Hardware and Systems Security.

[59] Jacques Traoré et al. Trusted Execution Environments: A Look under the Hood, 2014, 2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering.

[60] Stefan Mangard et al. Donky: Domain Keys - Efficient In-Process Isolation for RISC-V and x86, 2020, USENIX Security Symposium.

[61] Amir Moradi et al. Let's Take it Offline: Boosting Brute-Force Attacks on iPhone's User Authentication through SCA, 2021, IACR Cryptol. ePrint Arch.

[62] Konstantinos I. Diamantaras et al. Side-Channel-Based Code-Execution Monitoring Systems: A Survey, 2019, IEEE Signal Processing Magazine.

[63] Dawn Song et al. Keystone: an open framework for architecting trusted execution environments, 2020, EuroSys.

[64] Alessandro Barenghi et al. Low Voltage Fault Attacks on the RSA Cryptosystem, 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[65] Apostolos P. Fournaris et al. Exploiting Hardware Vulnerabilities to Attack Embedded System Devices: a Survey of Potent Microarchitectural Attacks, 2017.

[66] Konstantinos Markantonakis et al. Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments, 2017, ARES.

[67] Johannes Obermaier et al. Peak Clock: Fault Injection into PLL-Based Systems via Clock Manipulation, 2019, ASHES@CCS.

[68] Jean-Jacques Quisquater et al. ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards, 2001, E-smart.

[69] Emmanuel Prouff et al. Breaking Cryptographic Implementations Using Deep Learning Techniques, 2016, SPACE.

[70] Ross J. Anderson et al. Optical Fault Induction Attacks, 2002, CHES.

[71] Jasper G. J. van Woudenberg et al. Practical Optical Fault Injection on Secure Microcontrollers, 2011, 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[72] Latifur Khan et al. SGX-Log: Securing System Logs With SGX, 2017, AsiaCCS.

[73] Emmanuel Prouff et al. Deep learning for side-channel analysis and introduction to ASCAD database, 2019, Journal of Cryptographic Engineering.

[74] Jean-Jacques Quisquater et al. Faults, Injection Methods, and Fault Attacks, 2007, IEEE Design & Test of Computers.

[75] Adi Shamir et al. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, 2014, CRYPTO.

[76] Thomas Korak et al. On the Effects of Clock and Power Supply Tampering on Two Microcontroller Platforms, 2014, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[77] Lilian Bossuet et al. Electromagnetic security tests for SoC, 2016, 2016 IEEE International Conference on Electronics, Circuits and Systems (ICECS).

[78] Mehdi Tibouchi et al. Side-Channel Analysis of Weierstrass and Koblitz Curve ECDSA on Android Smartphones, 2016, CT-RSA.

[79] Karine Heydemann et al. Electromagnetic Fault Injection: Towards a Fault Model on a 32-bit Microcontroller, 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[80] David Naccache et al. The Sorcerer's Apprentice Guide to Fault Attacks, 2006, Proceedings of the IEEE.

[81] Haohao Liao et al. Methodology for EM Fault Injection: Charge-based Fault Model, 2019, 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[82] Siva Sai Yerubandi. Differential Power Analysis, 2002.

[83] Konstantinos Markantonakis et al. EmLog: Tamper-Resistant System Logging for Constrained Devices with TEEs, 2017, WISTP.

[84] Lejla Batina et al. Clock Glitch Attacks in the Presence of Heating, 2014, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[85] Michael Hutter et al. The Temperature Side Channel and Heating Fault Attacks, 2013, CARDIS.

[86] Alessandro Barenghi et al. Low voltage fault attacks to AES, 2010, 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[87] Christof Fetzer et al. TensorSCONE: A Secure TensorFlow Framework using Intel SGX, 2019, arXiv.

[88] Michael Hutter et al. Optical Fault Attacks on AES: A Threat in Violet, 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[89] K. Markantonakis et al. LIRA-V: Lightweight Remote Attestation for Constrained RISC-V Devices, 2021, 2021 IEEE Security and Privacy Workshops (SPW).

[90] Jean-Luc Danger et al. Laser-induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-bit Microcontroller, 2019, 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[91] Robert H. Deng et al. Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults, 1997, Security Protocols Workshop.

[92] Valerio Schiavoni et al. Using Trusted Execution Environments for Secure Stream Processing of Medical Data (Case Study Paper), 2019, DAIS.

[93] Raoul Velazco et al. Dynamic Testing of an SRAM-Based FPGA by Time-Resolved Laser Fault Injection, 2008, 2008 14th IEEE International On-Line Testing Symposium.

[94] Keith Mayes et al. Precise Instruction-Level Side Channel Profiling of Embedded Processors, 2014, ISPEC.

[95] 장성민. A Study on Digital Evidence Collection Procedures in Full Disk Encryption Environments (in Korean), 2015.

[96] Michael Tunstall et al. SoC It to EM: ElectroMagnetic Side-Channel Attacks on a Complex System-on-Chip, 2015, CHES.

[97] Sylvain Guilley et al. A Pre-processing Composition for Secret Key Recovery on Android Smartphone, 2014, WISTP.

[98] Milos Prvulovic et al. One&Done: A Single-Decryption EM-Based Attack on OpenSSL's Constant-Time Blinded RSA, 2018, USENIX Security Symposium.

[99] Daniel Gruss et al. PLATYPUS: Software-based Power Side-Channel Attacks on x86, 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[100] T. Mandt et al. Demystifying the Secure Enclave Processor, 2016.

[101] David Naccache et al. Decrease of energy deposited during laser decapsulation attacks by dyeing and pigmenting the ECA: Application to the forensic micro-repair of wire bonding, 2019, Digit. Investig.

[102] Electromagnetic Fault Injection as a New Forensic Approach for SoCs, 2020, 2020 IEEE International Workshop on Information Forensics and Security (WIFS).

[103] Markus G. Kuhn et al. Low Cost Attacks on Tamper Resistant Devices, 1997, Security Protocols Workshop.

[104] Sylvain Guilley et al. Fault Injection Resilience, 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[105] Chester Rebeiro et al. Shakti-T: A RISC-V Processor with Light Weight Security Extensions, 2017, HASP@ISCA.

[106] Mirjana Stojilovic et al. Physical Side-Channel Attacks and Covert Communication on FPGAs: A Survey, 2019, 2019 29th International Conference on Field Programmable Logic and Applications (FPL).

[107] Alessandro Barenghi et al. Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures, 2012, Proceedings of the IEEE.

[108] Paulo Martins et al. TrustZone-backed bitcoin wallet, 2017, CS2@HiPEAC.

[109] Pankaj Rohatgi et al. Side-Channel Protections for Cryptographic Instruction Set Extensions, 2016, IACR Cryptol. ePrint Arch.

[110] Nourdin Aït El Mehdi. Analyzing the Resilience of Modern Smartphones Against Fault Injection Attacks, 2019.

[111] Gang Zhou et al. On Inferring Browsing Activity on Smartphones via USB Power Analysis Side-Channel, 2017, IEEE Transactions on Information Forensics and Security.

[112] Richard J. Lipton et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract), 1997, EUROCRYPT.

[113] Michael A. Temple et al. Differential Electromagnetic Attacks on a 32-bit Microprocessor Using Software Defined Radios, 2013, IEEE Transactions on Information Forensics and Security.

[114] Thomas Trouchkine et al. Fault Injection Characterization on Modern CPUs, 2019, WISTP.

[115] Seokhie Hong et al. Recent advances in deep learning-based side-channel analysis, 2020, ETRI Journal.

[116] Patrick Schaumont et al. State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures, 2010, 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[117] Yongqiang Lyu et al. VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies, 2019, CCS.

[118] Keith Mayes et al. Smart Cards, Tokens, Security and Applications, 2010.

[119] Jean-Luc Danger et al. High precision fault injections on the instruction cache of ARMv7-M architectures, 2015, 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[120] Jeremy Raoult et al. Electromagnetic coupling circuit model of a magnetic near-field probe to a microstrip line, 2015, 2015 10th International Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo).

[121] Stefan Mangard et al. Systematic Classification of Side-Channel Attacks: A Case Study for Mobile Devices, 2016, IEEE Communications Surveys & Tutorials.

[122] Bart Preneel et al. Power-Analysis Attacks on an FPGA - First Experimental Results, 2003, CHES.

[123] Andrew W. Appel et al. Using memory errors to attack a virtual machine, 2003, 2003 Symposium on Security and Privacy.

[124] Yubin Xia et al. AdAttester: Secure Online Mobile Advertisement Attestation Using TrustZone, 2015, MobiSys.