Paper 2022/602

Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing

Clément Fanjas
Clément Gaine
Driss Aboulkassimi
Simon Pontié
Olivier Potin, olivier.potin@emse.fr
Abstract

Secure Boot is a critical security feature in modern devices based on System-on-Chips (SoC). It ensures the authenticity and integrity of the code before its execution, preventing the SoC from running malicious code. To the best of our knowledge, this paper presents the first bypass of an Android Secure Boot using Electromagnetic Fault Injection (EMFI). Two hardware characterization methods are combined to conduct this experiment. A real-time Side-Channel Analysis (SCA) is used to synchronize an EMFI with the Linux Kernel authentication step of the Android Secure Boot on a smartphone-grade SoC. This new synchronization method is called Synchronization by Frequency Detection (SFD). It is based on detecting the activation of a characteristic frequency in the target's electromagnetic emanations. In this work we present a proof-of-concept of this new triggering method. By triggering the attack upon the activation of this characteristic frequency, we successfully bypassed this security feature, effectively running Android OS with a compromised Linux Kernel, with one success every 15 minutes.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. CARDIS 2022
Keywords
Secure Boot, Fault injection, Side-Channel, System on Chip
Contact author(s)
clement fanjas @ cea fr
clement gaine @ cea fr
driss aboulkassimi @ cea fr
simon pontie @ cea fr
History
2023-01-24: revised
2022-05-17: received
Short URL
https://ia.cr/2022/602
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/602,
      author = {Clément Fanjas and Clément Gaine and Driss Aboulkassimi and Simon Pontié and Olivier Potin},
      title = {Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing},
      howpublished = {Cryptology ePrint Archive, Paper 2022/602},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/602}},
      url = {https://eprint.iacr.org/2022/602}
}