Methodology for EM Fault Injection: Charge-based Fault Model

Haohao Liao and Catherine Gebotys
University of Waterloo, Waterloo, Canada
haohao.liao@uwaterloo.ca
cgebotys@uwaterloo.ca

ABSTRACT


Recently, electromagnetic fault injection (EMFI) techniques have been found to have significant implications for the security of embedded devices. Unfortunately, there is still a lack of understanding of EM fault models and countermeasures for embedded processors. For the first time, this paper proposes an extended fault model based on the concept of critical charge and a new EMFI backside methodology based on over-clocking. Results show that exact timing of EM pulses can provide reliable, repeatable instruction replacement faults for specific programs. An attack on AES is demonstrated, showing that the EM fault injection requires on average fewer than 222 EM pulses and 5.3 plaintexts to retrieve the full AES key. This research is critical for ensuring that embedded processors and their instruction set architectures are secure and resistant to fault injection attacks.

Keywords: Side channel, Fault injection, EM, Fault model, Embedded processor security.
