soc why should we care about fault injection attacks
play

SoC, why should we care about Fault Injection Attacks ? Guillaume - PowerPoint PPT Presentation

Feb 12, 2023 •241 likes •523 views

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

  1. SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la sécurité des systèmes d’information Journée JAIF – PARIS – 29 Mai 2018

  2. ANSSI? Késako? These missions concern: Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? the general public. companies and governmental entities, protection. ANSSI (French Network and Information Security Agency) has InfoSec (and no communicate on information security threats and the related means of provide reliable advice and support and services, prevent threats by supporting the development of trusted products and detect and early react to cyber attacks, Intelligence) missions: 1 / 14

  3. From the SE to the SoC Sensitive assets are in and computed on the Secure Element (SE). Secure Element are designed to be tamper-resistant against physical and sofuware attacks. System on Chips (SoC) are everywhere: Secure Element are limited resources devices. For sensitive operations where more resources are required, SoCs are used. What about security of the SoC? SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 2 / 14 ◮ Automotive ◮ Smartphone ◮ IoT

  4. From the SE to the SoC Sensitive assets are in and computed on the Secure Element (SE). Secure Element are designed to be tamper-resistant against physical and sofuware attacks. System on Chips (SoC) are everywhere: Secure Element are limited resources devices. For sensitive operations where more resources are required, SoCs are used. What about security of the SoC? SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 2 / 14 ◮ Automotive ◮ Smartphone ◮ IoT

  5. What’s a System On Chip (SoC) ? Less space needed Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Package mini PCB Wirebounds BGA SoC Stacked RAM Low power consumption Why ? SoC FPGA Communication BUS Voltage regulators/PMICs ADCs/DACs I/O Timers Timing sources Memories DSPs 3 / 14 µ Controllers µ Processors No data storage → Package On Package

  6. SoC Manufacturers G-series by AMD Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? SoC architectures distribution x86 8.3 % ARM 91.7 % Allwinner A by Allwinner AML by Amlogic MSM & APQ (Snapdragon) by OMAP by Texas Instrument Kirin by Hisilicon RK by Fuzhou RockChip Atom by Intel (x86) Tegra by Nvidia Apple A by Apple MT & Helio by MediaTek Exynos by Samsung Qualcomm 4 / 14

  7. Sofuware-security oriented component (Source: https://developer.arm.com/technologies/trustzone ) SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 5 / 14

  8. Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities Rich OS integrity is ensured by the secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14

  9. Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities Rich OS integrity is ensured by the secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14

  10. Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. Rich OS might be jailbreaked (like iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the

  11. Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the ◮ Rich OS might be jailbreaked (like

  12. Sofuware Impacts (Source: https://developer.arm.com/technologies/trustzone ) The secure enclave runs trusted apps Rich OS is complex and might have vulnerabilities secure boot step. iOS and Android). Rich OS might break the security of secure enclave area. SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF 6 / 14 ◮ Rich OS integrity is ensured by the ◮ Rich OS might be jailbreaked (like

  13. State-of-the-art physical attacks Pipeline Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Virtual to physical MMU Injection medium Cache Bus Register Clock RAM UV BBI EM Laser Glitch voltage Sofuware Sofuware security Sofuware target Physical target 7 / 14

  14. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Project Zero attack/Drammer (2015 - 2016) [Vee+16] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  15. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Project Zero NaCl/Rowhammer on TrustZone (2015) [Car17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  16. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? ClkScrew (2017) [TSS17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  17. State-of-the-art physical attacks Cryptography Key Instruction Return value Program counter User rights Memory partitioning Secure boot Virtual to physical Execution flow integry ? Controlling PC on ARM (2016) [TSW16] SoC, why should we care about Fault Injection Attacks ? G. BOUFFARD, D. EL BAZE Journée JAIF translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  18. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Attack on PS3 Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  19. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Attack on Xbox 360 (2015) [Bla15] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

  20. State-of-the-art physical attacks Virtual to physical Journée JAIF G. BOUFFARD, D. EL BAZE SoC, why should we care about Fault Injection Attacks ? Laser induced fault on smartphone (2017) [Vas+17] Execution flow integry Secure boot Cryptography Memory partitioning User rights Program counter Return value Instruction Key translation table Pipeline Injection medium EM Physical target Sofuware target Sofuware security Sofuware Glitch voltage Laser BBI MMU UV RAM Clock Register Bus Cache 7 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Cheap & Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore SPACE 2016,

667 views • 31 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley TELECOM ParisTech CNRS LTCI / COMELEC / SEN S

896 views • 64 slides
Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley Telecom ParisTech CNRS LTCI / COMELEC / SEN FDTC 2014 Eleventh

460 views • 43 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain

A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr sylvain.guilley@enst.fr pablo.rauzy.name perso.enst.fr/~guilley Telecom ParisTech LTCI / COMELEC / SEN August 24, 2013

711 views • 47 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

969 views • 47 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology,

Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology,

Towards Scalable SoC Security Validation Sujit Kumar Muduli Indian Institute of Technology, Kanpur Objective Proving confidentiality and integrity show execution traces are indistinguishable to untrusted entity Instance 1 Instance 2 AES

176 views • 3 slides
A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary,

A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary,

A Touch of Calculus: Shaking Up the Pre-Requisite Structure of College Mathematics Rick Cleary, Babson College Electronic Seminar on Math Education September 15, 2020 Thanks! To Haynes Miller and Tara Holm for the invitation. To

810 views • 48 slides
Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N.

Crash and Burn: Learning from Failure SOA 2020 June 17, 2020 Crash and Burn Collette N. McDonough Archivist and Library Manager at the Kettering Foundation Owned by one cat Crash and Burn One fails toward success.

434 views • 7 slides
SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service

SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service

SOA and ESB Mark Jeynes IBM Software, Asia Pacific jeynesm@au1.ibm.com Agenda Service Orientation SCA / SDO Process Choreography WS-BPEL Enterprise Service Bus Demonstration WebSphere Integration Developer

593 views • 20 slides
Scalable Dense Matrix Multiplication on Multi-Socket Many-Core Systems with Fast Shared Memory

Scalable Dense Matrix Multiplication on Multi-Socket Many-Core Systems with Fast Shared Memory

Scalable Dense Matrix Multiplication on Multi-Socket Many-Core Systems with Fast Shared Memory Ricardo Magana, Natalia Vassilieva Acknowledgment Ricardo Magaa magania@gmail.com And also many thanks to prof. Robert Van De Geijn, Field Van

529 views • 26 slides
LiteX: SoC builder and library OSDA Workshop (2019), Florence, March 29 Florent Kermarrec,

LiteX: SoC builder and library OSDA Workshop (2019), Florence, March 29 Florent Kermarrec,

LiteX: SoC builder and library OSDA Workshop (2019), Florence, March 29 Florent Kermarrec, florent@enjoy-digital.fr 1 Enjoy-Digital Founded in 2011. FPGA consulting / Full FPGA based systems design. Reuse and create open-source tools/cores to

944 views • 42 slides
S O C I A L NETWORK ANALYSIS CURRENT VISUALIZATION PROBLEMS Flat network structure and a Poor

S O C I A L NETWORK ANALYSIS CURRENT VISUALIZATION PROBLEMS Flat network structure and a Poor

AN EXPLORATION BASED APPROACH TO S O C I A L NETWORK ANALYSIS CURRENT VISUALIZATION PROBLEMS Flat network structure and a Poor organization leads Network presentation can lead lack of focus lead to a shallow to overwhelming network to

151 views • 11 slides
Complexity: Highly Optimized Tolerance C. A. Pearson cap10@gwu.edu Papers J.M.Carlson and

Complexity: Highly Optimized Tolerance C. A. Pearson cap10@gwu.edu Papers J.M.Carlson and

Complexity: Highly Optimized Tolerance C. A. Pearson cap10@gwu.edu Papers J.M.Carlson and J.Doyle. Highly optimized tolerance: a mechanism for power laws in designed systems. Phys. Rev. E 60, 1412-1427. (HOT:PL) J.M.Carlson and J.Doyle.

408 views • 23 slides

More recommend