strategies for successful fault injection
play

strategies for successful fault injection Rafael Boix Carpi 1 , - PowerPoint PPT Presentation

Nov 27, 2023 •368 likes •711 views

Glitch it if you can: parameter search strategies for successful fault injection Rafael Boix Carpi 1 , Stjepan Picek 2,3 , Lejla Batina 2 , Federico Menarini 1 , Domagoj Jakobovic 3 and Marin Golub 3 1 Riscure BV, The Netherlands 2 Radboud

  1. Glitch it if you can: parameter search strategies for successful fault injection Rafael Boix Carpi 1 , Stjepan Picek 2,3 , Lejla Batina 2 , Federico Menarini 1 , Domagoj Jakobovic 3 and Marin Golub 3 1 Riscure BV, The Netherlands 2 Radboud University Nijmegen, The Netherlands 3 Faculty of Electrical Engineering and Computing, Zagreb, Croatia CARDIS 2013, Berlin

  2. Agenda FI parameters problem Proposed strategies Findings, conclusions Future working lines 3

  3. 1 FI parameters problem Proposed strategies Findings, conclusions Future working lines 4

  4. Context of the problem ? ? ? ? ? ? ? ? ? ? Lunch Presentation ? ? ? 5

  5. Problem statement o Can we automatically find good values for parameters using few measurements ? CARDIS 2013, Berlin 6

  6. FI Parameters problem 2 Proposed strategies Findings, conclusions Future working lines 7

  7. Roadmap for auto-setting parameters Model of a Search for Report the generic TOE good values findings for VCC FI of parameters CARDIS 2013, Berlin 8

  8. Roadmap for auto-setting parameters Model of a Search for Report the generic TOE good values findings for VCC FI of parameters CARDIS 2013, Berlin 9

  9. What do we know about VCC FI and a generic TOE? o A glitch: Gl. Voltage (amplitude) timing Gl. Length o Parameter sets CARDIS 2013, Berlin 1 st 2 nd Doing this separation:  Reduces problem complexity 10

  10. What do we know about VCC FI and a generic TOE? Physical behavior of a generic TOE w.r.t. Example: Target A (unprotected smartcard) o Glitch Voltage [-0.05,-5]V, gl. Length [2,150]ns o Timing properties: random values within stable IC operation RESET CARDIS 2013, Berlin Successful NORMAL Glitches IN THIS REGION! 11

  11. All TOEs we analyzed so far… Lunch Presentation …showed this behavior w.r.t. 12

  12. What do we know about VCC FI and a generic TOE? Physical behavior of a generic TOE w.r.t. o External clock + predictable code path = PREDICTABLE TIMING o The rest = UNPREDICTABLE TIMING CARDIS 2013, Berlin 13

  13. Roadmap for auto-setting parameters Model of a Search for Report the generic TOE good values findings for VCC FI of parameters CARDIS 2013, Berlin 1 st 2 nd 14

  14. Proposed search strategies • FastBoxing • Coarse, proof of concept strategy • Adaptive zoom & bound • Focus on efficiency • Genetic algorithm • Focus on general applicability CARDIS 2013, Berlin 15

  15. Proposed strategy: FastBoxing LengthHigh CARDIS 2013, Berlin LengthLow VoltageHigh VoltageLow GREEN:=EXPECTED PURPLE:= MUTE 16

  16. Proposed strategy: Adaptive zoom & bound RESET/MUTE Glitch Length (ns) CARDIS 2013, Berlin NORMAL 17 Glitch Voltage (V)

  17. Proposed strategy 1 st stage: Adaptive zoom & bound Theoretical performance: o Number of measurements: 112 Observed performance: o Protected targets, 1 measurement per point: 128 ~160 Unprotected target,1 measurement per point: 160 ~200 o Protected targets, 3 measurements per point: 600~800 o Unprotected target, 3 measurements per point: 800~900 CARDIS 2013, Berlin 18

  18. Proposed strategy 1 st stage: Genetic Algorithm o Finding correct settings in minimal amount of time can be considered an optimization problem o We need to map fault classes to fitness values o Also change the operators to work better for this problem o We do not look for only one good soultion but for all the solutions that have fitness above treshold value CARDIS 2013, Berlin 19

  19. Proposed strategy 1 st stage: Genetic Algorithm CARDIS 2013, Berlin 20

  20. 2 nd search stage: sweep in time domain 1 - Sample points from the boundary between classes (FastBoxing and Adpative Zoom&bound) or output (GA) CARDIS 2013, Berlin 2 – Perform a time sweep: o Predictable timing: one sweep, minimum step between instants o Unpredictable timing: multiple sweeps 22

  21. Roadmap for auto-setting parameters Model of a Search for Report the generic TOE good values findings for VCC FI of parameters CARDIS 2013, Berlin 23

  22. FI Parameters problem Proposed strategies 3 Findings, conclusions Future working lines 24

  23. Results: Target A (unprotected TOE) MonteCarlo search o 3072 measurements each run o Successful parameter configurations (median): 0 o 1 run, 76800 measurements (1.5 days): 11 succesful configs. FastBoxing search o 3048 (2048 1 st stage+1000 2 nd stage) measurements each run o Successful parameter configurations (median): 9 Adaptive zoom & bound search o 1198 ( 198 1 st stage+1000 2 nd stage) measurements (median) CARDIS 2013, Berlin o Successful parameter configurations (median): 13 Genetic Algorithm o 2560 (1560 1 st stage+1000 2 nd stage) measurements each run 25 o Successful parameter configurations (median): 8

  24. Results: Target A (unprotected TOE) o All proposed strategies are more efficient than MonteCarlo search o Adaptive zoom & bound is the fastest o New idea - go to memetic algorithm • Memetic algorithm is a combination of a genetic algorithm and local search • It encompasses the advantages of both the Genetic Algorithm and Adaptive zoom & bound. CARDIS 2013, Berlin 26

  25. Results: Target A (unprotected TOE) o Sample plot of GA for the Glitch Shape Point classification CARDIS 2013, Berlin 8 success 27

  26. Results: Target C (protected smartcard) o Plot of MonteCarlo sampling for 2.5 samples of Target C (overlapped) RESET MUTE NORMAL CARDIS 2013, Berlin o Less than 100 resets&mutes o >6000 measurements yielded nothing interesting 28

  27. Results: Target C (protected smartcard) o Plot of Adaptive Zoom & Bound for the Glitch Shape RESET/MUTE ~600 measurements NORMAL CARDIS 2013, Berlin ORANGE:= different response types in different time instants 29

  28. Findings with target C and Adaptive zoom & bound o Adaptive zoom&bound uses few measurements: usually less than 200 measurements for finding suitable glitch shapes. o Search is focused in an interesting region for the glitch shape. o Good information in this explored search space. o Multiple measurements mitigated the clock jitter effect. o Results for glitch shape are exportable to different CARDIS 2013, Berlin samples of the same device. 30

  29. Hidden parameters: Successful glitches with respect to… o Number of glitches in consecutive cycles • No dependency (in general) o Frequency • No dependency (1~4MHz tested) o Glitch offset inside clock cycle • Only relevant to TOEs running only on external clock. o Temperature CARDIS 2013, Berlin • Exists dependency, not controllable with the experimental setup. 31

  30. Conclusions With few measurements, we can get big information. Glitch shapes found in the boundary between NORMAL and RESET/MUTE are interesting. Finding this boundary can be performed really fast. Lunch Presentation 32

  31. FI Parameters problem Proposed strategies Findings, conclusions 4 Future working lines 33

  32. Future working lines o Adaptive zoom & bound • Implement side channel information in the feedback loop. o Genetic Algorithm • Improvements in the direction of memetic algorithms o Further testing • Extensive testing with other devices: embedded TOEs, more smartcards. CARDIS 2013, Berlin 34

  33. Rafael Boix Carpi Contact: Security analyst & trainer BoixCarpi@riscure.com Riscure B.V. Riscure North America Frontier Building, Delftechpark 49 71 Stevenson Street, Suite 400 2628 XJ Delft San Francisco, CA 94105 The Netherlands USA Phone: +31 15 251 40 90 Phone: +1 650 646 99 79 www.riscure.com inforequest@riscure.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers

Debunking Fault Injection Myths and Misconceptions Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault injection, what is it? Fault injection,

920 views • 69 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides
Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006

Symbolic Fault Injection Reiner H ahnle & Daniel Larsson KeY Symposium Speyer, June 2006 1/28 Symbolic Fault Injection An attempt to introduce Formal Methods into the area of Fault Injection Objective: Evaluate dependability of

691 views • 28 slides
Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research

Characterization of a Cortex-M4 microcontroller with backside optical fault injection Research Project 1 Jasper Hupkens Dominika Rusek 05.02.2019 1 Introduction to the world of fault injection Research project at Riscure Fault

678 views • 25 slides
Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

969 views • 47 slides
Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty

Jrn-Marc Schmidt joern-marc.schmidt@iaik.tugraz.at Fault Injection Plaintext Faulty Ciphertext But how to inject a fault? Fault: Injection Model Exploitation Non-invasive Device is not altered physical Semi-invasive

602 views • 32 slides
Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed

Sharif University of Technology Department of Computer Engineering Dependable System Lab [DSL] Fault Injection in Mixed-Signal Environment Using Behavioral Fault Modeling in Verilog-A Seyed Nematollah Ahmadian, Seyed Ghassem Miremadi

398 views • 17 slides
Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and

Embedded Processor Based Embedded Processor Based Fault Injection and SEU Fault Injection and SEU Emulation for FPGAs Emulation for FPGAs Bradley Dutton, Mustafa Ali, John Bradley Dutton, Mustafa Ali, John Sunwoo, and Charles Stroud Sunwoo,

305 views • 26 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b ,

Robustness improvement of an SRAM cell against laser-induced fault injection A. Sarafianos a,b , C. Roscian b , J.M. Dutertre b , M. Lisart a , O. Gagliano a , V. Serradeil a , A. Tria b . a STMicroelectronics, Avenue Clestin Coq 13790 Rousset,

273 views • 14 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

Practical Experience Report A TALE OF TWO INJECTORS: END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors: Guanpeng Li, Bo Fang, and Karthik Pattabiraman DEPART M ENT OF ELECT RIC AL AN D COM PUT ER

852 views • 56 slides
The End-of-End- to-End: A Video Understanding Pentathlon CVPR workshop, Monday 15 th June 2020

The End-of-End- to-End: A Video Understanding Pentathlon CVPR workshop, Monday 15 th June 2020

The End-of-End- to-End: A Video Understanding Pentathlon CVPR workshop, Monday 15 th June 2020 Goal: develop systems that can achieve higher-level comprehension of videos (not just objects, but complex actions, events and long-lasting

350 views • 10 slides
Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

I-SHARE ALMA PRIMO VE OFFICE HOURS WILL START SHORTLY Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time permits, we will respond to questions typed in the chat box, and offline afterwards, as needed

236 views • 5 slides
Welcome! College Readiness Webinar: Senior Year Math will begin soon Please mute your sound to

Welcome! College Readiness Webinar: Senior Year Math will begin soon Please mute your sound to

Welcome! College Readiness Webinar: Senior Year Math will begin soon Please mute your sound to avoid noise distraction during the webinar. College Readiness Webinar: The Importance of Senior Year Math Sonya K. Sedivy Associate Scientist UW

631 views • 30 slides
Facilitating Virtually: We will begin at 12:30 Helpful Zoom Tips to begin: Navigation bar at

Facilitating Virtually: We will begin at 12:30 Helpful Zoom Tips to begin: Navigation bar at

Facilitating Virtually: We will begin at 12:30 Helpful Zoom Tips to begin: Navigation bar at the bottom of the screen will disappear unless you place your mouse pointer over it. All call settings can be found here. Mute- bottom left in

158 views • 15 slides
Productizing Telephony and Audio in a GNU/Linux (Sailfish OS) Smartphone Martti Piirainen

Productizing Telephony and Audio in a GNU/Linux (Sailfish OS) Smartphone Martti Piirainen

Productizing Telephony and Audio in a GNU/Linux (Sailfish OS) Smartphone Martti Piirainen (martti.piirainen@tieto.com) Tieto Product Development Services Agenda Hardware / software stack overview Audio What we did and why Some

825 views • 27 slides
OKLAHOMA STATE BOARD OF EXAMINERS FOR LONG- TERM CARE ADMINISTRATORS APRIL 15, 2020 BOARD

OKLAHOMA STATE BOARD OF EXAMINERS FOR LONG- TERM CARE ADMINISTRATORS APRIL 15, 2020 BOARD

OKLAHOMA STATE BOARD OF EXAMINERS FOR LONG- TERM CARE ADMINISTRATORS APRIL 15, 2020 BOARD MEETING PUBLIC ATTENDEES ARE REQUESTED TO MUTE THEIR MICROPHONES FOR THE DURATION OF THE MEETING UNLESS A DIRECT QUESTION IS ASKED OF THEM.

271 views • 16 slides
Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your setup before the meeting. We start all calls 10 minutes early, where you can do so. Please connect before the meeting starts. Please join using your

318 views • 13 slides
MUTE and UNMUTE Extension to RTSP draft-sergent-rtsp-mute-00.txt Aravind Narasimhan

MUTE and UNMUTE Extension to RTSP draft-sergent-rtsp-mute-00.txt Aravind Narasimhan

MUTE and UNMUTE Extension to RTSP draft-sergent-rtsp-mute-00.txt Aravind Narasimhan aravind.narasimhan@sun.com Motivation RFC 2326 is ambiguous and incomplete Aggregate/non-aggregate control interaction needs clarification

180 views • 6 slides

More recommend