Paper 2022/602
Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing
Abstract
The Secure-Boot is a critical security feature of modern devices based on a System-on-Chip (SoC). It verifies the authenticity and integrity of code before execution, preventing the SoC from running malicious code. To the best of our knowledge, this paper presents the first bypass of an Android Secure-Boot using Electromagnetic Fault Injection (EMFI). Two hardware characterization methods are combined to conduct this experiment: a real-time Side-Channel Analysis (SCA) is used to synchronize the EMFI with the Linux Kernel authentication step of the Android Secure-Boot on a smartphone-grade SoC. This new synchronization method, called Synchronization by Frequency Detection (SFD), is based on detecting the activation of a characteristic frequency in the target's electromagnetic emanations. In this work we present a proof-of-concept of this new triggering method. By triggering the attack upon activation of this characteristic frequency, we successfully bypassed this security feature, running Android OS with a compromised Linux Kernel, with one success every 15 minutes.
Metadata
- Publication info
  - Published elsewhere. CARDIS 2022
- Keywords
  - Secure Boot, Fault injection, Side-Channel, System on Chip
- Contact author(s)
  - clement fanjas @ cea fr
  - clement gaine @ cea fr
  - driss aboulkassimi @ cea fr
  - simon pontie @ cea fr
- History
  - 2023-01-24: revised
  - 2022-05-17: received
- Short URL
  - https://ia.cr/2022/602
- License
  - CC BY
BibTeX
@misc{cryptoeprint:2022/602,
  author = {Clément Fanjas and Clément Gaine and Driss Aboulkassimi and Simon Pontié and Olivier Potin},
  title = {Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/602},
  year = {2022},
  url = {https://eprint.iacr.org/2022/602}
}