characterization of a cortex m4 microcontroller with
play

Characterization of a Cortex-M4 microcontroller with backside - PowerPoint PPT Presentation

Aug 14, 2023 •415 likes •678 views

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

  1. Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1

  2. Introduction to the world of fault injection • Research project at Riscure • Fault injection techniques introduce faults into a target by controlled environmental changes, in order to alter its intended behavior • 5 types - clock, voltage, electromagnetic, optical, temperature • Our focus - optical (laser) fault injection 2 Introduction

  3. Why? • Secure software relies on hardware functioning in the intended way • You can have the best lock in the world on your door, but if your door is made out of paper, it is useless • Used e.g in bypassing secure boot of Nintendo consoles 3 Introduction

  4. Research question What is the security impact of injecting laser glitches into an ARM based, Cortex-M4 microcontroller (MCU)? • How may laser glitches be injected into the MCU so that it results in a fault? • What are the optimal variables for the laser to introduce glitches in the ARM Cortex-M4 MCU? • What behavioral changes occur in the MCU when injecting laser glitches? 4 Research setup

  5. Device Under Test - Cortex-M4 5 Research setup

  6. Test environment 6 Research setup

  7. Test environment 7 Research setup

  8. Methodology • Global vs detailed scan • Several laser parameters • Color coding of the results: • Red/pink – success • Green – expected • Yellow – mute • Orange – reset • Cyan – timeout • Glitch repeatability 8 Research setup

  9. Results: Counter increment Code in C: • Goal: verify the setup, check if glitches can occur • Result: 0.012% successful glitches Code in ARM assembly: • Different memory and register operations 9 Results

  10. Results: Counter increment 10 Results

  11. Results: Bitwise increment • Goal: setting bits in a byte with a consecutive power of 2 • Result: 36.14% successful glitches • 0xff: 1111 1111 • 0xfb: 1111 1011 • 0xf7: 1111 0111 11 Results

  12. Results: Bitwise increment 12 Results

  13. Results: Register value modification • Goal: Modify value while in register • How: Initialize registers with known values • Result: 1.50% successful glitches • But we are modifying instructions instead 13 Results

  14. Results: Register value modification • Register values: • r0: fa ca de 00 r6 : de ad be ef r4: ca fe ba be r5: fa ce fe ed • NOP instruction: mov r1, r1 • MOV transformed into Linear Shift Left (LSL) • Expected output: 0xfacade00deadbeefcafebabefacefeed 14 Results

  15. Results: ADD loop • Goal: Increment a counter to 10,000 using a single instruction • Instruction: add.w r1, r1 #1 repeated 10,000 times • Result: 50.77% successful glitches • 0xdeadd77f • 0xeadc0789 • 0x1890 15 Results

  16. Results: ADD loop • 16 Results

  17. Results: ADD loop (0xdeadd77f) • Register r0 was first loaded with 0xdeadbeef • This value now shows up in r1 • Subtract 0x1890 from the result 17 Results

  18. Results: ADD loop (0xeadc0789) • The same was true for this result • When we subtract 0x1890 from result 18 Results

  19. Results: ADD loop • So how can this happen? • We modified the processor instruction, instead loading r1 it loads r0 19 Results

  20. Results: ADD loop • How could we obtain the value of 0x1890 • Probably the counter was restarted, also this can be explained using a modified instruction • The AND instruction sets the counter back to 1 or 0 20 Results

  21. Bypass authentication • Goal: Attack a real-world scenario, in this case, password verification • Result: 0.22% successful glitches • Lots of possibilities for introducing glitches 21 Results

  22. Results: Bypass authentication 22 Results

  23. Conclusion What is the security impact of injecting laser • There are two ways laser injection can be glitches into an ARM performed - backside and frontside based, Cortex-M4 microcontroller (MCU)? • Power 20-25% of the maximum 20W seemed to be most efficient • Other variables differ per experiment • We have proven to be able to modify processor instructions 23 Conclusion

  24. Future work • Use of different objectives: magnitude 20x or 50x to have smaller spotsize and more precise aim • Target specific features of the board e.g. the Read Data Protection (RDP) byte • Test other processors in Cortex family with more advanced security features e.g. TrustZone or Memory Protection Unit (MPU) 24 Conclusion

  25. Thank you! Questions? 25 Conclusion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ARM Microcontroller Course May 6, 2015 ARM Microcontroller Course Introduction C

ARM Microcontroller Course May 6, 2015 ARM Microcontroller Course Introduction C

Introduction C Microcontroller ARM Microcontroller Course May 6, 2015 ARM Microcontroller Course Introduction C Microcontroller Table of Contents 1 Introduction 2 C Data types Operators Events 3 Microcontroller ARM Microcontroller

457 views • 45 slides
Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David

Microcontroller Interfacing CSE/EE 5/7385 Microcontroller Architecture and Interfacing David Houngninou Southern Methodist University Table of content 1. Target device: MCBSTM32C 2. References 3. GPIO ports: registers and pins 4. Interfacing

585 views • 31 slides
Interrupt-Driven Input/Output on the STM32F407 Microcontroller Textbook: Chapter 11 (Interrupts)

Interrupt-Driven Input/Output on the STM32F407 Microcontroller Textbook: Chapter 11 (Interrupts)

Interrupt-Driven Input/Output on the STM32F407 Microcontroller Textbook: Chapter 11 (Interrupts) ARM Cortex-M4 User Guide (Interrupts, exceptions, NVIC) Sections 2.1.4, 2.3 Exceptions and interrupts Section 4.2 Nested Vectored

415 views • 29 slides
Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1)

Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1)

Chapter 6 Vision Exam 1 Anatomy of vision Primary visual cortex (striate cortex, V1) Prestriate cortex, Extrastriate cortex (Visual association coretx ) Second level association areas in the temporal and parietal lobes

454 views • 24 slides
Schematic view of the MNS1 model Posterior cortex Frontal cortex Role of PFC in Neural network

Schematic view of the MNS1 model Posterior cortex Frontal cortex Role of PFC in Neural network

Schematic view of the MNS1 model Posterior cortex Frontal cortex Role of PFC in Neural network models of the mirror neuron action selection not included system Igor Farka Centre for Cognitive Science DAI FMPI Comenius University

239 views • 4 slides
Geomaterial Characterization Sub-topics Chemical characterization pH, TDS, EC, BOD, COD

Geomaterial Characterization Sub-topics Chemical characterization pH, TDS, EC, BOD, COD

Geomaterial Characterization Sub-topics Chemical characterization pH, TDS, EC, BOD, COD Sulphite and Chloride contents Cation-Exchange Capacity Pore-solution sampling Corrosion potential Sorption-Desorption Thermal Characterization

738 views • 8 slides
Customer Presentation 16-bit Ultra Low Power Microcontroller The eCOG1, 16 Bit Ultra Low Power

Customer Presentation 16-bit Ultra Low Power Microcontroller The eCOG1, 16 Bit Ultra Low Power

Customer Presentation 16-bit Ultra Low Power Microcontroller The eCOG1, 16 Bit Ultra Low Power Microcontroller Configurable ports and integrated features increase flexibility and reduce component cost External memory interface

278 views • 15 slides
Agenda Technical updates Project Cortex availability Project Cortex partners

Agenda Technical updates Project Cortex availability Project Cortex partners

Agenda Technical updates Project Cortex availability Project Cortex partners Q&A Joining us today Sean Squires Taxonomy service updates (MMS) Administration End User Developer Tagging & filtering end-user

724 views • 24 slides
CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of

CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of

CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of South Florida Overview of PicoBlaze So:-core microcontroller in VHDL: portable to other plaAorms. Small: occupies ~20 CLBs. Respectable

424 views • 30 slides
CPU-specific optimization Example of a function that we want to optimize: Example of a target

CPU-specific optimization Example of a function that we want to optimize: Example of a target

1 2 CPU-specific optimization Example of a function that we want to optimize: Example of a target CPU core: adding 1000 integers mod 2 32 . ARM Cortex-M4F core inside LM4F120H5QR microcontroller Reference implementation: in Stellaris

2.16k views • 190 slides
Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence 1.12 Gross anatomy of the forebrain. (Part 3) Haines, Fund. Neuro., Fig 16 10 Figure A21 The ventricular system of the human brain (Part 1) Box

589 views • 36 slides
Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior

Exploring the Design of the Cortex-A15 Processor ARMs next generation mobile applications processor Travis Lanier Senior Product Manager 1 Cortex-A15: Next Generation Leadership Cortex-A class multi-processor 1 TB physical addressing

717 views • 33 slides
zyxwvutsrqponmlkihgfedcbaWVUTSRQPONMLKIHGFEDCBA Characterization, Characterization, Modeling,

zyxwvutsrqponmlkihgfedcbaWVUTSRQPONMLKIHGFEDCBA Characterization, Characterization, Modeling,

zyxwvutsrqponmlkihgfedcbaWVUTSRQPONMLKIHGFEDCBA Characterization, Characterization, Modeling, Monitoring, and Remediation of Fractured Rock A New Academies Report December 2, 2015 Sammantha Magsino S th M i COMMITTEE ON GEOLOGICAL AND

459 views • 21 slides
ARM Microcontroller Course May 20, 2015 ARM Microcontroller Course Timers Analog Peripherals

ARM Microcontroller Course May 20, 2015 ARM Microcontroller Course Timers Analog Peripherals

Timers Analog Peripherals HAL Shield ARM Microcontroller Course May 20, 2015 ARM Microcontroller Course Timers Analog Peripherals HAL Shield Table of Contents 1 Timers 2 Analog Peripherals 3 HAL 4 Shield ARM Microcontroller Course

949 views • 19 slides
Biovision team 2 Retina Visual cortex 3 Retina Visual cortex 3 Retina Visual cortex 3

Biovision team 2 Retina Visual cortex 3 Retina Visual cortex 3 Retina Visual cortex 3

Biovision team 2 Retina Visual cortex 3 Retina Visual cortex 3 Retina Visual cortex 3 Retina Visual cortex 3 285 millions visually impaired people Retina Visual cortex 3 285 millions visually impaired people Retina Visual cortex

744 views • 63 slides
Agenda Most frequently asked questions Q&A F UNDAMENTALS Question: What is

Agenda Most frequently asked questions Q&A F UNDAMENTALS Question: What is

Agenda Most frequently asked questions Q&A F UNDAMENTALS Question: What is Project Cortex? Answer: Project Cortex in Microsoft 365 puts people at the center by making it easy to discover and share knowledge within the tools

363 views • 21 slides
Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation

Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation

March 26 29, 2018 | Silicon Valley | #GTC18 www.gputechconf.com Affective Categorization Using Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation Outline Motivation Driver monitoring in

546 views • 52 slides
NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick

NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick

NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick Hopkins, Joseph Henningsen, Aaron Dederich Client: Sana M. Salih, MD, MMS Advisor: John P. Puccinelli, PhD Biomedical Engineering Design University of

375 views • 26 slides
Practice Nurses Dr Catherine Black MB ChB DCH FRNZCGP Head of WOOMB NZ Using the cervical mucus

Practice Nurses Dr Catherine Black MB ChB DCH FRNZCGP Head of WOOMB NZ Using the cervical mucus

Natural Fertility for Practice Nurses Dr Catherine Black MB ChB DCH FRNZCGP Head of WOOMB NZ Using the cervical mucus system to identify ovulation. Using the Billings Ovulation Method Billings Ovulation Method Research began in 1953.

929 views • 49 slides
NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations & Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig & Manuel Pegourie-Gonnard (Hannes.Tschofenig@arm.com,

509 views • 40 slides
CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim

CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim

CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe , Gregor Seiler, Damien Stehl authors@pq-crystals.org https://pq-crystals.org/kyber August 23, 2019

722 views • 26 slides
VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R

VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R

VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R C O R T E X T W I T T E R C O R T E X CONTENT UNDERSTANDING T W I T T E R C O R T E X T W I T T E R C O R T E X T W I T T E R C O R T E X

914 views • 64 slides
w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance

w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance

D R I V I N G P A Y M E N T I N N O V A T I O N w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance THE FUTURE OF PAYMENT 2 Cameras, New Mobile Payment Methods, Android

841 views • 35 slides

More recommend