So what is Clock Glitching?
There are several media for fault injection, such as voltage, electromagnetic pulse, laser, temperature, etc. Practically anything you can use to stress a device and alter its normal operation can be used to inject faults. The clock of a target is just another medium for altering behavior; however, the means of introducing clock faults are different.
By altering the operating frequency for a short time, we can influence how digital circuits work. A successful result looks the same for any fault injection method: we introduce timing violations that ultimately lead to an algorithm storing a zero where it should store a one, or a one where it should store a zero.
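To make that mechanism concrete, here is a small added Python model; it is not code from the article or from Riscure's tooling. It simulates a register that loads q + 1 on every rising clock edge through combinational logic with a fixed propagation delay. When one clock period is shorter than that delay, the register captures the stale value from the path (the "stored value is wrong" effect described above). A simple period monitor, the kind of check a clock-monitor or glitch-detector circuit performs, flags the short cycle. The period, propagation delay, glitch position and glitch width are all constructed values for the example.

```python
from dataclasses import dataclass


@dataclass
class CombPath:
    """Combinational logic between two registers.

    The output only becomes valid `prop_delay` time units after the input
    changed; before that, the downstream register still sees the previous
    output. (Constructed simplification: real logic would show a partially
    propagated or metastable value, which is why a captured bit is unpredictable.)
    """
    prop_delay: float
    _last_change: float = 0.0
    _pending: int = 0
    _settled: int = 0

    def drive(self, value: int, now: float) -> None:
        """A new input is launched into the path at time `now`."""
        self._pending = value
        self._last_change = now

    def output(self, now: float) -> int:
        """Value seen at the path output at time `now`."""
        if now - self._last_change >= self.prop_delay:
            self._settled = self._pending
        return self._settled


def clock_edges(period, n, glitch_at=None, glitch_width=None):
    """Rising-edge timestamps of a regular clock with `n` edges, optionally
    with one extra edge inserted `glitch_width` after edge index `glitch_at`
    (a constructed clock glitch)."""
    edges = [i * period for i in range(n)]
    if glitch_at is not None:
        edges.insert(glitch_at + 1, edges[glitch_at] + glitch_width)
    return edges


def run_counter(edge_times, prop_delay):
    """Simulate a register that loads (q + 1) on each rising edge.

    Returns the register contents after every edge in `edge_times`.
    """
    comb = CombPath(prop_delay)
    q = 0
    # Inputs were launched long enough before the first edge to have settled.
    comb.drive(q + 1, edge_times[0] - prop_delay)
    trace = []
    for t in edge_times:
        q = comb.output(t)       # register captures whatever is on the path now
        comb.drive(q + 1, t)     # the next value starts propagating from this edge
        trace.append(q)
    return trace


def short_period_edges(edge_times, min_period):
    """Indices of edges that arrive less than `min_period` after the previous
    one: the condition a clock-period monitor raises an alarm on."""
    return [i for i in range(1, len(edge_times))
            if edge_times[i] - edge_times[i - 1] < min_period]


if __name__ == "__main__":
    PERIOD, PROP_DELAY = 10, 6          # constructed: path needs 6 of every 10 units
    clean = clock_edges(PERIOD, 6)
    glitched = clock_edges(PERIOD, 6, glitch_at=3, glitch_width=3)
    print("clean clock   :", run_counter(clean, PROP_DELAY))
    print("glitched clock:", run_counter(glitched, PROP_DELAY))
    print("monitor flags edge indices:", short_period_edges(glitched, PROP_DELAY))
```

With the constructed numbers the clean clock counts 1, 2, 3, 4, 5, 6, while the glitched clock produces 1, 2, 3, 4, 4, 5, 6: the edge inserted only 3 time units after the fourth edge latches the previous value again, so the counter silently repeats a state. The monitor reports that edge, which is why designs that must tolerate untrusted external clocks during initialization typically pair a period check with a fallback to an internal source.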
Where can one apply Clock Glitching?
Injecting faults into the clock is sometimes considered a thing of the past. It was viable for some time in Smart Card evaluation, when the card's clock was controlled externally; back then it was a very powerful medium. Everything changed when clock generators were embedded in the Smart Cards themselves, and suddenly a lot of attacks were no longer practical. However, we observed that in modern SoCs these attacks are still practical. In particular, they are relevant during the initialization phase, when the SoC has not yet configured itself to rely on internal clock generators and still depends on external clocks. This is where we saw the window of opportunity.
Clock Glitching is relevant for hardware vendors and for independent labs performing security assessments. In general, any Red Team involved in hardware testing could see potential in this fault injection method for uncovering new vulnerabilities. Adding another technique to an existing arsenal is always a good idea, as it gives you more flexibility in your assessments.
How effective is this attack method?
It always depends on the device under test. A security evaluator always chooses the best technique that is practical under the given circumstances. By no means is Clock Glitching a silver bullet. However, a vulnerability that can be exploited by altering the clock could have dangerous consequences. Although we focus on physical attacks, there is also a chance of conducting an attack remotely if we are dealing with configurable PLLs that are adjustable in software. There is always the potential to scale a hardware vulnerability once an adversary discovers it. Overall, we consider Clock Glitching to be a versatile attack. Every device needs a clock. If we are somehow able to influence that clock, whether external or even internal, we may have a new method to circumvent protection mechanisms.
What are the plans to implement Clock Glitching as a testing method?
We are working to add a Clock Glitching device to the Riscure tool portfolio in the near future and make this technique available to our customers. One goal we pursued was to simplify the testing process and ensure compatibility with different targets. There are different types of clock signals and different methods of altering them, so we wanted to make this new clock glitching tool configurable for use on different targets. We will also make this new functionality compatible with the ecosystem of Riscure tools. Clock Glitching as a new testing method will offer our customers new opportunities to improve the security of their products.
If you would like to discuss how Clock Glitching may be used in your testing environment, feel free to contact us via inforequest@riscure.com.