
Power and EM Fault Injection - Attacks and Countermeasures



External reference persons: Samuele Yves CERINI (CINI Cybersecurity National Laboratory)
Matteo FORNERO (CINI Cybersecurity National Laboratory)
Nicolò MAUNERO (CINI Cybersecurity National Laboratory)
Gianluca ROASCIO (CINI Cybersecurity National Laboratory)

Research Groups: GR-21 - TESTGROUP - TESTGROUP


Description: Fault Injection attacks leverage external disturbances (laser, EM, power, etc.) to introduce faults in VLSI chips by deliberately changing their internal electrical states.

Randomly placed Fault Injection (FI) attacks can change the firmware code flow of a device by skipping entire sets of instructions or by faulting their opcodes. Bit flips can also be forced on the data held in internal variables so as to change the outcome of a code snippet or force the execution of specific branches. Targeted fault injection can go as far as disturbing cryptographic implementations (like AES-128) and leaking the secret key in use.

From a practical point of view:
• Power Fault Injection focuses on inserting glitches in either power supply lines or clock lines, hence requiring the attacker to physically manipulate the PCB around the chip under attack;
• EM attacks can be pursued even without removing the device enclosure, just by hovering a discharging coil over the device, making this kind of FI attack the most accessible and practical one;
• Laser FI sits at the opposite end of the spectrum, being the most expensive attack (as it requires chip depackaging) but also the most precise and effective one.

Countermeasures can span from software solutions, inserted at C or ASM level, to hardware solutions, leveraging internal clock oscillators or physical Faraday-like shields.
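As an illustration of a C-level software countermeasure against the data bit flips described above, the following added example (not part of the original proposal) compares an unprotected 0/1 authorization flag with a redundantly encoded one under a simulated single-bit-flip fault model. The encodings `HB_TRUE`/`HB_FALSE`, the type and function names and the fault model are assumptions made for the example; instruction-skip faults are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed encodings: bitwise complements, so 32 bit flips apart. */
#define HB_TRUE  0x3CA5C35Au
#define HB_FALSE 0xC35A3CA5u

enum decision { DENY = 0, GRANT = 1, FAULT = 2 };

/* Unprotected flag: 0 means denied, anything else means granted. */
static enum decision naive_decide(uint32_t flag) {
    return flag != 0 ? GRANT : DENY;
}

/* Protected flag: the value is stored next to its bitwise complement. */
struct hflag { uint32_t v; uint32_t inv; };

static enum decision hardened_decide(struct hflag f) {
    if ((f.v ^ f.inv) != 0xFFFFFFFFu) return FAULT; /* copies disagree */
    if (f.v == HB_TRUE)  return GRANT;
    if (f.v == HB_FALSE) return DENY;
    return FAULT;                                   /* unknown encoding */
}

/* Fault model (assumption): one bit flip in a stored "denied" flag.
   Returns how many of the 32 flips make the naive check grant access. */
static int naive_bypasses(void) {
    int n = 0;
    for (int b = 0; b < 32; b++)
        n += naive_decide(0u ^ (1u << b)) == GRANT;
    return n;
}

/* Same model on the hardened flag: 64 flip positions across v and inv. */
static void hardened_sweep(int *grants, int *detected) {
    *grants = *detected = 0;
    for (int b = 0; b < 64; b++) {
        struct hflag f = { HB_FALSE, ~HB_FALSE };
        if (b < 32) f.v ^= 1u << b; else f.inv ^= 1u << (b - 32);
        enum decision d = hardened_decide(f);
        *grants += d == GRANT;
        *detected += d == FAULT;
    }
}

int main(void) {
    int g, d;
    hardened_sweep(&g, &d);
    printf("naive bypasses: %d/32\n", naive_bypasses());
    printf("hardened: %d grants, %d faults detected out of 64\n", g, d);
    return 0;
}
```

The protection costs an extra word of storage and an extra comparison per check, which is the kind of performance-versus-protection trade-off a countermeasure benchmark would measure.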

For further introductions, please refer to the following videos:
• [Hardware Power Glitch attack – Fault Injection](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
• [Proving the efficacy of software countermeasures for Fault Injection](https://www.youtube.com/watch?v=2F6HDJ1veXY)

Given the breadth of the topic, the thesis can follow many possible paths, depending on the preferences, available time and learning path of the candidate(s). The focus can be on attacks, on countermeasures, or on both. For instance:

• Candidate(s) may learn about different fault models, focusing on benchmarking the combination of multiple software countermeasures, evaluating their efficacy and their costs in terms of performance, applicability and protection provided;
• Focus can also be put on attacking/protecting specific cryptographic software implementations;
• Candidate(s) may want to focus on exploring the feasibility of hardware countermeasures, protecting soft-processors leveraging FPGA design;
• Exploring attacks and countermeasures, developing HW Capture-the-Flag competitions (Jeopardy and/or Atk/Def) for the PAIDEUSIS platform;
• Other proposals the candidate(s) may want to explore.

Required skills: Basics of Programming (Python, C, ARM (or RISC-V) Assembly), Hardware Design (VHDL/Verilog)

Notes: The thesis activities will be carried out in collaboration with:
- CINI Cybersecurity National Laboratory

For additional information:
- Nicolò MAUNERO – nicolo.maunero@polito.it
- Gianluca ROASCIO – gianluca.roascio@polito.it

Deadline: 31/12/2022

© Politecnico di Torino
Corso Duca degli Abruzzi, 24 - 10129 Torino, ITALY