Let's shock our IoT's heart: ARMv7-M under (fault) attacks

A fault attack is a well-known technique in which the behaviour of a chip is deliberately disturbed by hardware means in order to undermine the security of the information the target handles. In this paper, we explore how electromagnetic fault injection (EMFI) can be used to create vulnerabilities in sound software, targeting a Cortex-M3 microcontroller. Several use cases are demonstrated experimentally: control-flow hijacking, buffer overflow (even in the presence of a canary), covert backdoor insertion and return-oriented programming can be achieved even when the programs are not vulnerable from a software point of view. These results suggest that protecting any software against vulnerabilities must take the hardware into account as well.
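The abstract's point that a check which is sound at the source level can still be defeated by a hardware fault, and its conclusion that protection must take the hardware into account, are easier to see in code. The following C is an added example written for this page, not code from the paper: it models a single skipped comparison (one of the effects fault injection can have on a Cortex-M class core) as a function parameter, shows a naive check granting access under that fault, and shows a redundant, fail-closed check of the kind used as a software countermeasure that detects it. The function names, the constants GRANTED/DENIED/FAULT and the skip model are all constructed for the illustration; a real fault is less tidy than "one comparison does not execute".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model: the comparison numbered `skip` is not executed.
   NO_FAULT runs every comparison. This abstracts an instruction skip; it is
   an assumption of the example, not a measured fault model. */
#define NO_FAULT (-1)

/* Decision encodings with a large Hamming distance: a zeroed register,
   a single bit flip or a plain 0/1 boolean cannot be mistaken for either. */
#define GRANTED 0x3CA5u
#define DENIED  0xC35Au
#define FAULT   0xFFFFu   /* inconsistency detected, treated as deny */

/* Naive check: one compare, one branch. If the branch is skipped (skip == 0),
   execution falls through into the grant path regardless of the token. */
uint32_t naive_check(uint32_t token, uint32_t expected, int skip)
{
    if (skip != 0 && token != expected)
        return DENIED;
    return GRANTED;
}

/* Hardened check: two independently computed verdicts, one of them on the
   complemented operands, plus a consistency test before anything is trusted.
   Default state is "no verdict" (0), which is not a legal encoding, so a
   skipped comparison cannot silently become a grant. */
uint32_t hardened_check(uint32_t token, uint32_t expected, int skip)
{
    volatile uint32_t a = 0, b = 0;   /* volatile: keep both stores and loads */

    if (skip != 0) a = (token == expected) ? GRANTED : DENIED;       /* check 0 */
    if (skip != 1) b = (~token == ~expected) ? GRANTED : DENIED;     /* check 1 */

    if (a != b)                        return FAULT;   /* one was skipped/altered */
    if (a != GRANTED && a != DENIED)   return FAULT;   /* not a legal encoding   */
    return a;
}

/* Sweep every single-skip position and count how many yield a grant for a
   wrong token. A countermeasure should bring this to zero. */
int grants_under_single_fault(uint32_t (*check)(uint32_t, uint32_t, int),
                              uint32_t token, uint32_t expected, int n_checks)
{
    int grants = 0;
    for (int skip = 0; skip < n_checks; skip++)
        if (check(token, expected, skip) == GRANTED)
            grants++;
    return grants;
}

int main(void)
{
    /* Constructed inputs: expected token 0x1234, attacker-supplied 0x0000. */
    printf("naive,    wrong token, skip 0 : 0x%04X\n", naive_check(0x0, 0x1234, 0));
    printf("hardened, wrong token, skip 0 : 0x%04X\n", hardened_check(0x0, 0x1234, 0));
    printf("hardened, right token, skip 1 : 0x%04X (fails closed)\n",
           hardened_check(0x1234, 0x1234, 1));
    printf("grants under single fault: naive=%d hardened=%d\n",
           grants_under_single_fault(naive_check, 0x0, 0x1234, 1),
           grants_under_single_fault(hardened_check, 0x0, 0x1234, 2));
    return 0;
}
```

The hardened version fails closed on purpose: a skipped comparison with the correct token also returns FAULT, because on a device under physical attack an unexplained disagreement between redundant checks is more useful as a detection signal than as a grant. The compiler must be prevented from merging the two comparisons (the `volatile` stores here are the minimal hint; production code typically also inspects the generated ARMv7-M assembly), otherwise the redundancy exists only in the source.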
