Precise Spatio-Temporal Electromagnetic Fault Injections on Data Transfers

摘要

Fault injection techniques allow an attacker to alter the behavior of an electronic device in order to extract confidential information or be granted unauthorized privileges. To this end, local electromagnetic fault injections (EMFI) are commonly used to corrupt or prevent the execution of instructions. However, little attention is devoted to practical data corruption. This article investigates the local effects of EMFI on data transfer from the Flash memory to the 128-bit data buffer of a cortex-M microcontroller. We demonstrate that the corrupted bits are closely related to the location of the injection probe, allowing us to set or reset from 0 to 128 bits with a byte-level precision. Moreover, the spatial and temporal accuracy of the injection technique allowed us to target the data prefetch mechanism without corrupting the code execution. We highlight the efficiency of the derived fault model with three practical case studies. Firstly, we demonstrate precise key-zeroing and key-setting capability, with further extension to a DFA on the secret key of a cipher from Biham and Shamir, that was never implemented practically. Next, we report practical persistent faults on ARM microcontroller, which allows an attacker to retrieve the secret key of a cipher with a single successful injection.