Studying EM Pulse Effects on Superscalar Microarchitectures at ISA Level

In the area of physical attacks, system-on-chip (SoC) designs have not received the same level of attention as simpler micro-controllers. We try to model the behavior of secure software running on a superscalar out-of-order microprocessor typical of more complex SoC, in the presence of electromagnetic (EM) pulses. We first show that it is possible, in a black box approach, to corrupt the loop iteration count of both original and hardened versions of two sensitive loops. We propose a characterization methodology based on very simple codes, to understand and classify the fault effects at the level of the instruction set architecture (ISA). The resulting classification includes the well established instruction skip and register corruption models, as well as new effects specific to more complex processors, such as operand substitution, multiple correlated register corruptions, advanced control-flow hijacking, and combinations of all reported effects. This diversity and complexity of effects can lead to powerful attacks. The proposed methodology and fault classification at ISA level is a first step towards a more complete characterization. It is also a tool supporting the designers of software and hardware countermeasures.

[1]  Amine Dehbaoui,et al.  Injection of transient faults using electromagnetic pulses -Practical results on a cryptographic system- , 2012, IACR Cryptol. ePrint Arch..

[2]  Karine Heydemann,et al.  Software Countermeasures for Control Flow Integrity of Smart Card C Codes , 2014, ESORICS.

[3]  Yu-ichi Hayashi,et al.  Buffer overflow attack with multiple fault injection and a proven countermeasure , 2017, Journal of Cryptographic Engineering.

[4]  Marc F. Witteman,et al.  Controlling PC on ARM Using Fault Injection , 2016, 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[5]  David Naccache,et al.  The Sorcerer's Apprentice Guide to Fault Attacks , 2006, Proceedings of the IEEE.

[6]  Adèle Morisset,et al.  Laser-Induced Fault Injection on Smartphone Bypassing the Secure Boot , 2017, 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[7]  David Naccache,et al.  Modulus Fault Attacks against RSA-CRT Signatures , 2011, CHES.

[8]  Wieland Fischer,et al.  Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures , 2002, CHES.

[9]  Mehdi Tibouchi,et al.  Loop-Abort Faults on Lattice-Based Signature Schemes and Key Exchange Protocols , 2018, IEEE Transactions on Computers.

[10]  Koen De Bosschere,et al.  Link-time smart card code hardening , 2016, International Journal of Information Security.

[11]  Cécile Canovas,et al.  From Code Review to Fault Injection Attacks: Filling the Gap Using Fault Model Inference , 2015, CARDIS.

[12]  Karine Heydemann,et al.  Compiler-Assisted Loop Hardening Against Fault Attacks , 2017, ACM Trans. Archit. Code Optim..

[13]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[14]  John F. Walker,et al.  Characterising a CPU fault attack model via run-time data analysis , 2017, 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[15]  Nahid Farhady Ghalaty,et al.  Software Fault Resistance is Futile: Effective Single-Glitch Attacks , 2016, 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[16]  Jean-Luc Danger,et al.  High precision fault injections on the instruction cache of ARMv7-M architectures , 2015, 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[17]  Karine Heydemann,et al.  Electromagnetic Fault Injection: Towards a Fault Model on a 32-bit Microcontroller , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[18]  David I. August,et al.  SWIFT: software implemented fault tolerance , 2005, International Symposium on Code Generation and Optimization.

[19]  Lilian Bossuet,et al.  Electromagnetic security tests for SoC , 2016, 2016 IEEE International Conference on Electronics, Circuits and Systems (ICECS).

[20]  Niek Timmers,et al.  Escalating Privileges in Linux Using Voltage Fault Injection , 2017, 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[21]  Philippe Maurine,et al.  EM Injection: Fault Model and Locality , 2015, 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[22]  Jean-Max Dutertre,et al.  Evidence of a Larger EM-Induced Fault Model , 2014, CARDIS.

[23]  Amine Dehbaoui,et al.  Electromagnetic Glitch on the AES Round Counter , 2013, COSADE.

[24]  Thanh-Ha Le,et al.  FISSC: A Fault Injection and Simulation Secure Collection , 2016, SAFECOMP.

[25]  Bruno Robisson,et al.  Compilation of a Countermeasure Against Instruction-Skip Fault Attacks , 2016, CS2@HiPEAC.

[26]  Bilgiday Yuce,et al.  Fault Attacks on Secure Embedded Software: Threats, Design, and Evaluation , 2018, Journal of Hardware and Systems Security.