Controlling PC on ARM Using Fault Injection

Fault injection attacks are a powerful technique for influencing the intended behavior of embedded systems. They can be used to exploit or bypass robust security features found in secure embedded systems. Examples of such attacks include differential fault analysis (DFA) and bypassing authentication mechanisms. An embedded system's authenticated boot chain (i.e. secure boot) is an interesting target for fault injection. The initial boot stages are of limited size, which means logically exploitable vulnerabilities are not guaranteed to be present. In this paper, we introduce an ARM-specific fault injection attack strategy for exploiting embedded systems in which externally controlled data is loaded into the program counter (PC) register of the processor. This allows an attacker to control the target's execution flow, which eventually leads to arbitrary code execution on the target. We first simulate the attack using a common fault model, after which we demonstrate the practicality of the attack using a development platform designed around an ARM-based, fast and feature-rich system on chip (SoC). We conclude with an overview of effective and non-effective countermeasures against this fault injection attack technique.
