Permanent Laser Fault Injection into the Flash Memory of a Microcontroller

2021 19th IEEE International New Circuits and Systems Conference (NEWCAS) Pub Date : 2021-06-13 DOI:10.1109/NEWCAS50681.2021.9462773

R. Viera, J. Dutertre, Mathieu Dumont, Pierre-Alain Moëllic

{"title":"Permanent Laser Fault Injection into the Flash Memory of a Microcontroller","authors":"R. Viera, J. Dutertre, Mathieu Dumont, Pierre-Alain Moëllic","doi":"10.1109/NEWCAS50681.2021.9462773","DOIUrl":null,"url":null,"abstract":"The Flash memory of a Microcontroller Unit (MCU) is an important part of its attack surface as it contains its firmware and its security related data (e.g. passwords and cryptographic keys). Recent research works report the use of Laser Fault Injections (LFI) to corrupt the firmware at run time by targeting the Flash memory during its read operations (data reads from Flash were also faulted). These faults, induced on a single bit and following a bit-set fault model, were non-permanent: the data stored in Flash stayed unaltered while only their read copies were corrupted. We report an extension of this fault model on the Flash memory of a 32-bit MCU. Using LFI, we were able to induce permanent faults into its Flash. Single bit faults, that followed a bit-reset fault model, were induced during the Flash write operations. As a proof of concept, we describe how we were able to iteratively set to zero all the bits of a 32-bit password using a laser pulse with relatively undemanding settings (15 µm beam diameter, and 3 µs pulse duration).","PeriodicalId":373745,"journal":{"name":"2021 19th IEEE International New Circuits and Systems Conference (NEWCAS)","volume":"51 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 19th IEEE International New Circuits and Systems Conference (NEWCAS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NEWCAS50681.2021.9462773","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 5

Abstract

The Flash memory of a Microcontroller Unit (MCU) is an important part of its attack surface as it contains its firmware and its security related data (e.g. passwords and cryptographic keys). Recent research works report the use of Laser Fault Injections (LFI) to corrupt the firmware at run time by targeting the Flash memory during its read operations (data reads from Flash were also faulted). These faults, induced on a single bit and following a bit-set fault model, were non-permanent: the data stored in Flash stayed unaltered while only their read copies were corrupted. We report an extension of this fault model on the Flash memory of a 32-bit MCU. Using LFI, we were able to induce permanent faults into its Flash. Single bit faults, that followed a bit-reset fault model, were induced during the Flash write operations. As a proof of concept, we describe how we were able to iteratively set to zero all the bits of a 32-bit password using a laser pulse with relatively undemanding settings (15 µm beam diameter, and 3 µs pulse duration).

查看原文本刊更多论文

微控制器闪存中的永久激光故障注入

微控制器单元(MCU)的闪存是其攻击面的重要组成部分，因为它包含其固件及其安全相关数据(例如密码和加密密钥)。最近的研究报告使用激光故障注入(LFI)在运行时通过在读取操作期间瞄准闪存来破坏固件(从Flash读取数据也会出错)。这些故障是由单个比特引起的，并遵循位集故障模型，它们不是永久性的:存储在Flash中的数据保持不变，只有它们的读副本被损坏。我们报告了该故障模型在32位MCU闪存上的扩展。使用LFI，我们能够在Flash中诱发永久性故障。在Flash写操作过程中引起的单比特故障遵循位复位故障模型。作为概念证明，我们描述了如何能够使用具有相对不苛刻设置(15 μ m光束直径和3 μ s脉冲持续时间)的激光脉冲迭代地将32位密码的所有位设置为零。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 19th IEEE International New Circuits and Systems Conference (NEWCAS)

自引率

0.00%

发文量