Adjusting Laser Injections for Fully Controlled Faults

Hardware characterizations of integrated circuits have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient tools. In this paper we describe how the fine tuning of a laser source has been used to characterize, set and reset the state of registers in a 90 nm chip. By adjusting the incident laser beam’s location, it is possible to choose to switch any register value from ‘\(0\)’ to ‘\(1\)’ or vice-versa by targeting the PMOS side or the NMOS side. Plus, we show how to clear a register by selecting a laser beam’s power. With the help of imaging techniques, we are able to explain the underlying phenomenon and provide a direct link between the laser mapping and the physical gate structure. Thus, we correlate the localization of laser fault injections with implementations of the PMOS and NMOS areas in the silicon substrate. This illustrates to what extent laser beams can be used to monitor the bits stored within registers, with adverse consequences in terms of security evaluation of integrated circuits.

[1]  Jean-Max Dutertre,et al.  Electrical modeling of the photoelectric effect induced by a pulsed laser applied to an SRAM cell , 2013, Microelectron. Reliab..

[2]  David Vigilant,et al.  Static Fault Attacks on Hardware DES Registers , 2011, IACR Cryptol. ePrint Arch..

[3]  Marc Joye,et al.  Cryptographic Hardware and Embedded Systems - CHES 2004 , 2004, Lecture Notes in Computer Science.

[4]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[5]  Simon Heron,et al.  Encryption: Advanced Encryption Standard (AES) , 2009 .

[6]  Rita Mayer-Sommer,et al.  Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smartcards , 2000, CHES.

[7]  Markus G. Kuhn,et al.  Low Cost Attacks on Tamper Resistant Devices , 1997, Security Protocols Workshop.

[8]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[9]  Christophe Giraud,et al.  DFA on AES , 2004, AES Conference.

[10]  Assia Tria,et al.  Experimental evaluation of protections against laser-induced faults and consequences on fault modeling , 2007 .

[11]  Jean-Max Dutertre,et al.  Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[12]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[13]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[14]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings , 2006, CHES.

[15]  D. Habing The Use of Lasers to Simulate Radiation-Induced Transients in Semiconductor Devices and Circuits , 1965 .

[16]  Amine Dehbaoui,et al.  Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES , 2012, 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[17]  S. Anceau,et al.  Electrical Modeling of the Effect of Photoelectric Laser Fault Injection On Bulk CMOS Design , 2013 .

[18]  A. Johnston Charge generation and collection in p-n junctions excited with pulsed infrared lasers , 1993 .

[19]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[20]  David Naccache,et al.  Fault Round Modification Analysis of the advanced encryption standard , 2012, 2012 IEEE International Symposium on Hardware-Oriented Security and Trust.

[21]  Alexandre Sarafianos,et al.  Injection de fautes par impulsion laser dans des circuits sécurisés , 2013 .

[22]  David Naccache,et al.  The Sorcerer's Apprentice Guide to Fault Attacks , 2006, Proceedings of the IEEE.

[23]  Mike Bond,et al.  Chip and Skim: Cloning EMV Cards with the Pre-play Attack , 2012, 2014 IEEE Symposium on Security and Privacy.

[24]  Hubert Kaeslin,et al.  Digital Integrated Circuit Design: From VLSI Architectures to CMOS Fabrication , 2008 .