R. Viera, J. Dutertre, Mathieu Dumont, Pierre-Alain Moëllic
2021 19th IEEE International New Circuits and Systems Conference (NEWCAS), published 2021-06-13. DOI: 10.1109/NEWCAS50681.2021.9462773 (https://doi.org/10.1109/NEWCAS50681.2021.9462773)
Permanent Laser Fault Injection into the Flash Memory of a Microcontroller
The Flash memory of a Microcontroller Unit (MCU) is an important part of its attack surface, as it contains its firmware and its security-related data (e.g. passwords and cryptographic keys). Recent research works report the use of Laser Fault Injection (LFI) to corrupt the firmware at run time by targeting the Flash memory during its read operations (data reads from Flash were also faulted). These faults, induced on a single bit and following a bit-set fault model, were non-permanent: the data stored in Flash stayed unaltered while only their read copies were corrupted. We report an extension of this fault model on the Flash memory of a 32-bit MCU. Using LFI, we were able to induce permanent faults into its Flash. Single-bit faults, which followed a bit-reset fault model, were induced during the Flash write operations. As a proof of concept, we describe how we were able to iteratively set to zero all the bits of a 32-bit password using a laser pulse with relatively undemanding settings (15 µm beam diameter and 3 µs pulse duration).