Paper 2015/147

High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures

Lionel Rivière, Zakaria Najm, Pablo Rauzy, Jean-Luc Danger, Julien Bringer, and Laurent Sauvage

Abstract

Hardware and software of secured embedded systems are prone to physical attacks. In particular, fault injection attacks revealed vulnerabilities on the data and the control flow allowing an attacker to break cryptographic or secured algorithms implementations. While many research studies concentrated on successful attacks on the data flow, only a few targets the instruction flow. In this paper, we focus on electromagnetic fault injection (EMFI) on the control flow, especially on the instruction cache. We target the very widespread (smartphones, tablets, settop-boxes, health-industry monitors and sensors, etc.) ARMv7-M architecture. We describe a practical EMFI platform and present a methodology providing high control level and high reproducibility over fault injections. Indeed, we observe that a precise fault model occurs in up to 96\% of the cases. We then characterize and exhibit this practical fault model on the cache that is not yet considered in the literature. We comprehensively describe its effects and show how it can be used to reproduce well known fault attacks. Finally, we describe how it can benefits attackers to mount new powerful attacks or simplify existing ones.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. HOST 2015
Keywords
fault attacksinstructions cacheembedded systemselectromagnetic injections
Contact author(s)
rauzy @ enst fr
History
2015-02-27: received
Short URL
https://ia.cr/2015/147
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/147,
      author = {Lionel Rivière and Zakaria Najm and Pablo Rauzy and Jean-Luc Danger and Julien Bringer and Laurent Sauvage},
      title = {High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures},
      howpublished = {Cryptology ePrint Archive, Paper 2015/147},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/147}},
      url = {https://eprint.iacr.org/2015/147}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.