Laser irradiation on EEPROM sense amplifiers enhances side-channel leakage of read bits

Abstract

Side-channel attacks that compromise confidentiality of memory contents have become a major concern for device manufacturers and users. Electrically erasable programmable read-only memory (EEPROM) implemented on embedded devices contains several types of sensitive information, and it shall strictly prohibit unauthorized access to such information. This paper introduces a new technique that extracts data while reading from EEPROM using a combination of power analysis and laser irradiation techniques. One characteristic of the proposed method is that it uses laser irradiation onto a sense amplifier in a manner that enables it to obtain multiple bits for each irradiation position. This also implies that we can obtain sensitive information from memory content selectively, as the proposed method extracts the read bits via a sense amplifier (values while reading in real time) rather than states of memory cell. Another characteristic of this method is that the laser injects no logical errors onto the target devices. Because the proposed method uses laser induced current, conventional software countermeasures against fault-based attacks are ineffective against it. To demonstrate the effectiveness of the proposed method, this paper exhibits a data extraction experiment recovering the complete contents of a test program stored in the flash EEPROM contained in an ATMega 8515 microcontroller.