Fault Injection Attacks Flashcards
Types of fault classifications
duration, controllability, fault resolution
duration faults
- Transient - happens once and goes away
- Permanent - the device now forever has this error
- Destructive - we can no longer use the device
controllability faults
- Precise - can control time / location of fault
- Loose - some control, but not very precise
- No-control -
Fault resolution
how much impact did the fault have on the data - bits, few bits, bytes/words
Stuck-at faults
bits are permanently the same value, no amount of reading or writing can change their value
Bit-flip faults
all bits are flipped
Random faults
bits are changed randomly
Set/reset faults
can change the value of a bit in only one direction
○ All bits become 1s (set)
○ All bits become 0s (reset)
Three ways to create faults
Clock glitches, voltage spikes, underpowering
clock glitches
- Temporarily overclock or make one cycle faster
- Processor does not have enough time to finish all the work it has to do => wrong values get set in the registers, etc
voltage spikes
- Temporary increase or decrease in power
- Can cause circuitry to fault because it lacks power/has too much power
Underpowering
- Reduce supply voltage for a long period of time
- Can be transient or permanent
- Makes circuitry slower => sometimes it doesn’t complete what it was supposed to complete during a clock cycle
7 Effects of Glitches and Spikes
- Replacement (or skipping) of instructions
- Tampering with loops or conditionals
- Change of program counter
- Effects on data flow
○ Use value from the wrong register
- Computation errors
○ Produce 7+2 = 11
- Corrupt memory pointers
- No bit transitions on data bus
does it take longer to switch a bit in one direction vs the other?
Changing 0->1 takes shorter length glitches than 1->0
Categories of Fault-Injections
non-invasive, semi-invasive, and invasive
Heating fault injections cons
Not the most accurate, hard to control, and chip can only be heated so many times
What are cooling attacks aimed at?
devices that are designed to lose data when powered off
Optical Fault Injection
Can switch a transistor by exposing it to light. Semi-invasive, but very configurable
Electromagnetic Fault Injection
induce eddy current, switch transistors
Countermeasures to fault injections
cannot prevent, so want to make things harder!
- Hide sensitive parts of the chip (physically or via encryption)
- Add filters/security sensors to detect if someone is trying to raise power, etc
RSA encryption
rewatch