TY - GEN
T1 - High precision fault injections on the instruction cache of ARMv7-M architectures
AU - Riviere, Lionel
AU - Najm, Zakaria
AU - Rauzy, Pablo
AU - Danger, Jean Luc
AU - Bringer, Julien
AU - Sauvage, Laurent
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/6/29
Y1 - 2015/6/29
N2 - Hardware and software of secured embedded systems are prone to physical attacks. In particular, fault injection attacks revealed vulnerabilities on the data and the control flow allowing an attacker to break cryptographic or secured algorithms implementations. While many research studies concentrated on successful attacks on the data flow, only a few targets the instruction flow. In this paper, we focus on electromagnetic fault injection (EMFI) on the control flow, especially on the instruction cache. We target the very widespread (smartphones, tablets, settop-boxes, health-industry monitors and sensors, etc.) ARMv7-M architecture. We describe a practical EMFI platform and present a methodology providing high control level and high reproducibility over fault injections. Indeed, we observe that a precise fault model occurs in up to 96% of the cases. We then characterize and exhibit this practical fault model on the cache that is not yet considered in the literature. We comprehensively describe its effects and show how it can be used to reproduce well known fault attacks. Finally, we describe how it can benefits attackers to mount new powerful attacks or simplify existing ones.
AB - Hardware and software of secured embedded systems are prone to physical attacks. In particular, fault injection attacks revealed vulnerabilities on the data and the control flow allowing an attacker to break cryptographic or secured algorithms implementations. While many research studies concentrated on successful attacks on the data flow, only a few targets the instruction flow. In this paper, we focus on electromagnetic fault injection (EMFI) on the control flow, especially on the instruction cache. We target the very widespread (smartphones, tablets, settop-boxes, health-industry monitors and sensors, etc.) ARMv7-M architecture. We describe a practical EMFI platform and present a methodology providing high control level and high reproducibility over fault injections. Indeed, we observe that a precise fault model occurs in up to 96% of the cases. We then characterize and exhibit this practical fault model on the cache that is not yet considered in the literature. We comprehensively describe its effects and show how it can be used to reproduce well known fault attacks. Finally, we describe how it can benefits attackers to mount new powerful attacks or simplify existing ones.
KW - Fault attacks
KW - electromagnetic injections
KW - embedded systems
KW - instructions cache
U2 - 10.1109/HST.2015.7140238
DO - 10.1109/HST.2015.7140238
M3 - Conference contribution
AN - SCOPUS:84942627304
T3 - Proceedings of the 2015 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2015
SP - 62
EP - 67
BT - Proceedings of the 2015 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2015 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2015
Y2 - 5 May 2015 through 7 May 2015
ER -