fault injection
play

Fault Injection Characterization on ARM Cortex-A9 George - PowerPoint PPT Presentation

Mar 23, 2023 •243 likes •517 views

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

  1. ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014

  2. Introduction Hardware Fault Injection Induce faults to hardware through side channels:  Clock  Power supply  Electromagnetic radiation  Light  Temperature Goals  Change behavior  Change data 2

  3. ElectroMagnetic Fault Injection For inducing a significant voltage spike, distance d < D Source: Riscure 3

  4. EMFI vs VCC & Optical FI No preparation needed for the target  VCC FI : Need to work with capacitors to glitch the core voltage line  Optical FI : Decapsulation of the chip Countermeasures for:  VCC FI: Glitch sensors Picture:  Optical FI: Light sensors Decapsulated chip 4

  5. EMFI in action http://www.youtube.com/watch?v=dew0KD_-ypw 5

  6. Research question What are the effects of ElectroMagnetic Fault Injection (EMFI) on embedded chips? 6

  7. Setup 7

  8. Setup 8

  9. Target Freescale i.MX6 Solo Processor Using an ARM Cortex-A9 Single Core Specifications: • 32-bit processor • ARMv7 architecture based on RISC • Clock speed of 792 MHz: 1,26 ns/cycle • Pipeline Wandboard • Dual-issue superscalar SOLO • Out-of-order • Speculative execution • 8-stage 9

  10. Dual-issue superscalar Pipeline Example: IF: Instruction Fetch ID: Instruction Decode EX: Execute MEM: Memory access WB: Write Back http://en.wikipedia.org/wiki/File:Superscalarpipeline.svg 10

  11. ARM Cortex-A9 Pipeline http://www.arm.com/images/A9-Pipeline-hres.jpg 11

  12. Code instrumentation  Initialize registers to known values  Trigger ON  Critical area code  Trigger OFF  Print results Code was written in ARM assembly to avoid C compiler’s optimization 12

  13. Critical area code  R0 initialized to 0xFFFFFFFF  R1 initialized to 0x00000001  Unrolled loop of 32 pairs of instructions:  Logical operation  Shift R1 1-bit to the left Logical operations:  BIC (BIt Clear)  EOR (Exclusive OR) 13

  14. Visualization of fault injection Blue line: Trigger signal Red line: Coil current 14

  15. Correct Output BIC version R0: 00000000 R1: 80000000 R2: FFFFFFFF R3: 020B4000 R4: A54444A5 R5: A55555A5 R6: A56666A5 ……. EOR version R0: 00000000 R1: 80000000 R2: FFFFFFFF R3: 020B4000 R4: A54444A5 R5: A55555A5 R6: A56666A5 ……. 15

  16. Full chip detailed scan 16

  17. Die detailed scan 17

  18. Glitches with desired results 18

  19. Glitch results Logical operation not executed  Suspects:  Instruction Fetch  Instruction Execution  Write back Expected result: R0: 00000000 R1: 80000000 Glitched result: R0: 00000001 R1: 80000000 19

  20. Glitch results Logical shift not executed  Suspects:  Instruction Fetch  Instruction Execution  Write back Expected result: R0: 00000000 R1: 80000000 Glitched result: R0: 80000000 R1: 40000000 20

  21. Glitch results Logical operation and Logical shift not executed  Suspects:  Instruction Fetch  Instruction Execution  Write back Expected result: R0: 00000000 R1: 80000000 Glitched result: R0: 80000001 R1: 40000000 21

  22. Glitch results Data abort exception due to unaligned access  Suspects:  PC register glitched  Stack corrupted 22

  23. Glitch results Prefetch abort exception due to non-existing memory regions  Suspects:  PC register glitched  Stack corrupted 23

  24. Conclusion  Edges of the chip more sensitive than the top of the die  No unused register corruptions  Difficult to constantly have the same results with EMFI 24

  25. Future work  Comparison of full area scans of the package between ALU and memory instructions  Research the impact of EMFI on jump commands 25

  26. Thank you Questions? 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle &amp; Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

969 views • 47 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b , C. Roscian b , J.M. Dutertre b , M. Lisart a , O. Gagliano a , V. Serradeil a , A. Tria b . a STMicroelectronics, Avenue Clestin Coq 13790 Rousset,

273 views • 14 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

Practical Experience Report A TALE OF TWO INJECTORS: END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors: Guanpeng Li, Bo Fang, and Karthik Pattabiraman DEPART M ENT OF ELECT RIC AL AN D COM PUT ER

852 views • 56 slides
More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas ELCE17 Wolfram Sang, Consultant / Renesas Robust I2C with fault-injection ELCE17 1 / 24 Motivation It really got personal I2C maintainer since

257 views • 24 slides
Agenda Most frequently asked questions Q&amp;A F UNDAMENTALS Question: What is

Agenda Most frequently asked questions Q&amp;A F UNDAMENTALS Question: What is

Agenda Most frequently asked questions Q&amp;A F UNDAMENTALS Question: What is Project Cortex? Answer: Project Cortex in Microsoft 365 puts people at the center by making it easy to discover and share knowledge within the tools

363 views • 21 slides
Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation

Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation

March 26 29, 2018 | Silicon Valley | #GTC18 www.gputechconf.com Affective Categorization Using Contact-less Based Accelerometers Speaker: Refael Shamir Founder and CEO of Letos Presentation Outline Motivation Driver monitoring in

546 views • 52 slides
NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick

NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick

NOVEL IN VITRO MODEL TO GROW AND CULTURE OVARIES OUTSIDE THE BODY Matthew Zanotelli, Patrick Hopkins, Joseph Henningsen, Aaron Dederich Client: Sana M. Salih, MD, MMS Advisor: John P. Puccinelli, PhD Biomedical Engineering Design University of

375 views • 26 slides
NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance

NIST Lightweight Cryptography Workshop 2015 Session VII: Implementations &amp; Performance Performance of State-of-the-Art Cryptography on ARM-based Microprocessors Hannes Tschofenig &amp; Manuel Pegourie-Gonnard (Hannes.Tschofenig@arm.com,

509 views • 40 slides
CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim

CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim

CRYSTALSKyber Roberto Avanzi, Joppe Bos, Lo Ducas, Eike Kiltz, Tancrde Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe , Gregor Seiler, Damien Stehl authors@pq-crystals.org https://pq-crystals.org/kyber August 23, 2019

722 views • 26 slides
VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R

VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R

VIDEO UNDERSTANDING @ TWITTER C O U R T E S Y O F C O R T E X USER PROTECTION T W I T T E R C O R T E X T W I T T E R C O R T E X CONTENT UNDERSTANDING T W I T T E R C O R T E X T W I T T E R C O R T E X T W I T T E R C O R T E X

914 views • 64 slides
w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance

w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance

D R I V I N G P A Y M E N T I N N O V A T I O N w w w . p a x . u s CONTENTS BUSINESS UPDATE 1 PAX Global Technologys Worldwide Performance THE FUTURE OF PAYMENT 2 Cameras, New Mobile Payment Methods, Android

841 views • 35 slides
Neuromonitoring Cortical Mapping During Craniotomy Surgery MSET Annual Fall Meeting, 2017 Ryan

Neuromonitoring Cortical Mapping During Craniotomy Surgery MSET Annual Fall Meeting, 2017 Ryan

Intraoperative Neuromonitoring Cortical Mapping During Craniotomy Surgery MSET Annual Fall Meeting, 2017 Ryan Mandziara MS, CNIM Neuromonitoring Overview What? Application of neurophysiologic modalities to monitor the functional integrity of

725 views • 30 slides

More recommend