Fault Injection Attack

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

Fault Injection Attacks are physical attacks where adversaries try to inject malicious faults into a cryptographic device or system. By injecting faults, the usual behaviour of the cryptographic operations is changed and the erroneous outputs of the faults is analysed to steal secrets/keys or sensible information.

Introduction

Fault Injection Attack is a type of a Side Channel Attack. It is a physical attack issued on a cryptographic device or a system. Adversaries inject faults to change the normal process of a cryptographic operation. By doing this and by analyzing the generated outputs, the system security features can be bypassed or the overall system behaviour can be compromised to get secret information and keys. Usually this type of attack can be done by tempering with the voltage, the clock or the electromagnetic emissions of a system. But also optical laser injection is one technique. When it comes to the actual attack, adversaries can either choose to attack the software or the hardware of a system. The injected faults are short-lived and the are used in a differential analysis for the secrets/key stealing.[1][2]

Attack Techniques

Fault injection can be done using various techniques the most common ones are the following:

  1. Clock Glitch
  2. Voltage Glitch
  3. Electromagnetic Glitch
  4. Optical Injection

Clock Glitch

Glock glitching is a method where the system clock of a cryptographic device or system is being tampered with. Usually systems have their internally system clock. In order for the integrated circuits (ICs) to properly work and for the operations to being successfully executed, the system clock time period needs to be greater that the maximum propagation delay (including offset). Faults injected to the clock results in the attacker bypassing security checks. All it takes it the injection of short pulses in the circuit, at the right time.[2]

Voltage Glitch

Voltage glitching is a method where faults are created when the systems voltage is being tampered with. The behaviour of operations is manipulated when the voltage is tampered with at specific times. This technique is a low-cost technique, because it doesn't require many additional hardware. However, the generated faults might not always be predictable, therefore attackers cannot tell when an injected fault leads to information leakage. A quite well known Fault Injection Attack called Plundervolt uses this technique.[2]

Electromagnetic Glitch

Electromagnetic glitching is another technique that is commonly used in Fault Injection Attacks. It is also one of the most used methods, because it not invasive. Attackers use EM probes with precisely placed X-Y tables above the EM probe. Researchers have already released information about various flaws in ESP32. [2]

Optical Injection

Optical injection uses illumination of transistors to make a conduct in a system and to inject faults. Attackers use a laser or high energy light source such as UV lamps combined with decapsulation of the system chip. This attack results in resets of microcontroller’s internal protection fuses and results in breaking cryptographic implementation to steal secrets. [2]

Examples

Espressif ESP32: Bypassing Secure Boot [2]

Also known as CVE-2019-15894, is a Fault Injection Attack which bypasses the Secure Boot verification when starting a ESP32 CPU. When faults are generated. unverified code is being executed from flash. Researchers found out, that the flash encryption mitigates this attack, as unverified code cannot be executed then.[2]

Reference: Espressif Advisory, CVE Mitre

Espressif ESP32: Bypassing Flash Encryption [2]

Also known as CVE-2020-15048, is a Fault Injection Attack which bypasses the Flash Encryption and the Secure Boot verification. When faults are generated. unverified code is being executed from flash.[2]

Reference: Espressif Advisory, Raelize

Gigadevice GD32F130 devices: Debug interface permissions escalation [2]

Also known as CVE-2020-13468, is a Fault Injection Attack which exploits the insufficiently physically protected inter-IC bonding wires. When this exploit is exploited, the debug interface permissions of the device escalate. This leads to extraction of firmware even thought there is debugging protection implemented. Attackers can also read the protected flash memory and perform random modifications on the device.[2]

Reference: Research Paper, CVE Mitre

STM32 USB Device Library: Buffer overflow vulnerability exploit [2]

Also known as CVE-2020-15808, is a Fault Injection Attack which uses the buffer overflow vulnerability in the CDC communicaation interface code. When this exploit is exploited, attackers can access sensitive information, keys, secrets or obtain firmware.[2]

Reference: Black Hat Asia 2020, Grzegorz Wypych, Raiden

Countermeasures

Currently people are researching for countermeasures against Fault Injection Attacks. Some of the countermeasures that are already used today are listed below:[2]

  • Proper shielding
  • Proper physical hardening of systems and devices
  • Fault detection mechanisms
  • Redundancy for critical control signals

Courses

References

  1. Y. Li, M. Chen and J. Wang, "Introduction to side-channel attacks and fault attacks," 2016 Asia-Pacific International Symposium on Electromagnetic Compatibility (APEMC), 2016, pp. 573-575, doi: 10.1109/APEMC.2016.7522801.
  2. 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 2.12 2.13 http://web.archive.org/web/20210304184552/https://payatu.com/blog/asmita-jha/fault-injection-basics