FIAs Pose Tricky Security Attacks

The ways transient faults are used to attack chip security features and how to fight them.


Voltage and clock glitching are terms crowding into the emerging lexicon of chip security attacks. These are two popular methods adversaries use that can be categorized under the umbrella of fault injection attacks (FIAs). Micro-architectural vulnerabilities like Meltdown, Spectre, Foreshadow and Spoiler have been in the limelight for months. But now, FIAs are getting more attention as the industry fends off growing numbers of security attacks.

The strategy of an FIA is to make silicon do something besides what it’s intended to do. The attacker’s objective is to create a transient fault during the execution of a chip operation, or to reduce or disable security features and countermeasures.

Voltage glitching, as the name implies, is carried out by increasing the voltage or creating a glitch. As for clock glitching, one or more short pulses from an external clock are introduced to temporarily accelerate the chip’s clock. This has the effect of introducing a fault while an instruction is being executed.

For example, the CPU reads a memory cell at precisely the moment of a glitch. The result is read before data is stable on the memory bus, leading to a wrong value being read. In another example, the CPU fetches an instruction from memory. Only, this time, due to an FIA, execution of that instruction is never completed because the fast clock has rapidly triggered the CPU to fetch a subsequent instruction.

The right level of embedded security establishes the barriers to guard against FIAs and chip vulnerabilities. There are countermeasures that provide SoC and system designers the necessary security to deprive attackers of these avenues of attack. They include control signal redundancy, canary logic, separated key bus logic, and logic to protect cryptographic algorithm implementations.

Control logic is an easy target for a fault injection attack. Glitching a control signal immediately results in something going wrong in the circuitry, meaning a security check is disabled. Redundancy of control signals provides the means to blunt this attack.

Consider a system with redundant control signals that are separately timed. If the fault injection attacker glitches one control signal, the other will be unaffected, since the two do not occur simultaneously.

Hamming distance for control signals also keeps attackers at bay. State machines or controlled units in a security processor core run a pre-determined sequence to perform testing operations. It’s critical that all states occur in the right order at the right time.

An attacking voltage or clock glitch can influence those state machines. Ensuring that the Hamming distance of state transitions is always greater than one is a highly effective countermeasure to detect and declare an attack.
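The effect of state-encoding Hamming distance can be modeled in software. The following C sketch is an added example, not code from the article or from any security core; the two 4-bit encodings and all function names are constructed for illustration. It compares a plain binary state encoding with one whose codes all differ in at least two bits, and counts how many single-bit flips of the state register go unnoticed in each.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-bit encodings for a 4-state FSM (not from any real core). */
static const uint8_t BINARY_ENC[4]   = {0x0, 0x1, 0x2, 0x3}; /* min distance 1 */
static const uint8_t HARDENED_ENC[4] = {0x3, 0x5, 0x6, 0x9}; /* min distance 2 */

/* Smallest Hamming distance between any two of the n state codes. */
unsigned min_distance(const uint8_t *codes, unsigned n) {
    unsigned best = 8;
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = i + 1; j < n; j++) {
            unsigned d = 0;
            for (unsigned x = codes[i] ^ codes[j]; x; x &= x - 1) d++;
            if (d < best) best = d;
        }
    return best;
}

/* Index of the state holding this code, or -1 for an invalid codeword. */
int decode(const uint8_t *codes, unsigned n, uint8_t reg) {
    for (unsigned i = 0; i < n; i++)
        if (codes[i] == reg) return (int)i;
    return -1;
}

/* Single-bit flips that land on another valid state (undetectable faults). */
unsigned undetected_flips(const uint8_t *codes, unsigned n, unsigned width) {
    unsigned missed = 0;
    for (unsigned i = 0; i < n; i++)
        for (unsigned b = 0; b < width; b++)
            if (decode(codes, n, (uint8_t)(codes[i] ^ (1u << b))) >= 0) missed++;
    return missed;
}

/* One step of the fixed sequence; returns -1 (alarm) on an invalid register. */
int fsm_step(const uint8_t *codes, unsigned n, uint8_t reg, uint8_t *next) {
    int s = decode(codes, n, reg);
    if (s >= 0) *next = codes[((unsigned)s + 1) % n];
    return s < 0 ? -1 : 0;
}

int main(void) {
    printf("binary:   dmin=%u undetected=%u\n", min_distance(BINARY_ENC, 4),
           undetected_flips(BINARY_ENC, 4, 4));
    printf("hardened: dmin=%u undetected=%u\n", min_distance(HARDENED_ENC, 4),
           undetected_flips(HARDENED_ENC, 4, 4));
    return 0;
}
```

A minimum distance of two guarantees detection of single-bit flips only; a fault that flips two bits at once can still land on a valid code.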

Canary logic determines if an attacker is attacking the clock signal either through a voltage attack or by directly operating it faster or slower. When the clock operates unpredictably or out of specification it exposes a security vulnerability.

Canary logic is a timing surrogate that knows how long an event needs to take and when the clock is operating accurately within the precise specification. If the clock runs at specification, canary logic knows the clock operation runs exactly at X nanoseconds. Plus, there’s a security check at the end for a “yes” or “no.” Alteration of the clock will be detected by the canary logic, and a security monitor then flags the problem, followed by erasing sensitive material.

A separate key bus is another important countermeasure. Cryptographic keys are digital data transmitted via conventional, common buses on a chip in most instances. But, for tighter security, it’s best to send keys on a separate bus. If a system comes under attack, and rogue software is running on the chip, it cannot access the keys on the separate bus.

Protecting the cryptographic algorithm implementations themselves is yet another critical countermeasure. Successful FIAs on cryptographic cores can produce wrong results. An attacker could influence the crypto control flow to make the crypto core do fewer encryption steps than required. This would in effect make a DPA (differential power analysis) attack less complex.

Security is often the art of making the cost of the attack greater than the gain from breaking in. Faced with these countermeasures, an FIA attacker would be confronted with a very steep cliff to climb.
