Advanced Fault Injection
Security beyond specifications – exploiting unexpected behavior in hardware. Learn how to exploit unexpected behavior when multiple faults are needed to bypass the countermeasures in place, how to use the power of post-processing, and how to proceed when only limited information is available.
Duration: 2 days | Type: Classroom/Interactive
Who is this training for?
This course is intended for security evaluators and researchers focused on hardware security testing, government organizations seeking to analyze threats posed by state-of-the-art side channel attacks, and Inspector customers. The training program provides thorough coverage of Fault Injection techniques and is addressed to intermediate and advanced level candidates. Experience with Riscure fault injection tooling is useful, but not required.
Evaluation of a target’s fault injection resilience typically has three phases: target profiling, setup creation and the search for a successful glitch. During target profiling the evaluator learns as much as possible about the target via data sheets, test programs, back side imaging or direct investigation of the target (e.g. finding available signals).
The creation of the evaluation setup includes choosing the method of evaluation (clock, voltage, optics, transient pulse, etc.), choosing the information stream that maximizes learning about the unknown or unexpected behavior of the target, and, last but not least, managing the information stream coming from the setup, which includes sanity checks of the tools and simplification of the setup.
The third phase is searching for a (successful) fault, a random process in which the number of parameters used determines the complexity of the search and, indirectly, the conclusions about the target’s fault injection resilience. The three phases are the same for both basic FI evaluations (which we introduce in the fault injection training) and complex FI evaluations. We use the term basic evaluation to describe testing the FI resilience of a target against a single fault/glitch, with a single, simple/static trigger (e.g. the rising edge of SPI). In contrast, a complex evaluation may use multiple, dynamic triggers (random patterns in the signal), the testing may involve resilience against multiple faults, and strategies for directing the search for a successful fault are typically used.
The key differentiator between a simple and a complex evaluation is the type and amount of information available, the countermeasures present on the target, the tools available and, last but not least, the creativity and knowledge of the attacker.
In this training we focus exclusively on complex FI attacks. We begin with an overview of state-of-the-art tools and attacks. Next, you learn to design and build a setup which can carry out a complex FI attack and use tools that allow decisions to be made in real time. During the deep analysis session we use visualization, post-processing and filtering of the results to direct the search during the third phase of a fault injection evaluation. The "FI in the dark" session shows that side channel analysis can be an additional source of information which gives insights into the behavior of the target.
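As an added illustration of the post-processing and search-direction idea described above (not material from the course or from Riscure's tooling), the following Python sketch classifies the responses of a constructed glitch campaign into outcome classes, bins them by glitch delay, and picks the parameter window where faulted (not reset or mute) responses are most frequent. The Attempt fields, the outcome class names and the sample responses are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Outcome classes typically used when post-processing a campaign (assumed names).
EXPECTED, RESET, MUTE, FAULT = "expected", "reset", "mute", "fault"


@dataclass(frozen=True)
class Attempt:
    glitch_delay_ns: int           # glitch offset relative to the trigger
    glitch_width_ns: int           # glitch length
    response: Optional[bytes]      # None when the target did not answer


def classify(a: Attempt, expected: bytes, reset_banner: bytes) -> str:
    """Map one response to an outcome class."""
    if a.response is None:
        return MUTE
    if a.response == expected:
        return EXPECTED
    if a.response.startswith(reset_banner):
        return RESET
    return FAULT                    # anything else is an unexpected result


def summarize(attempts: Iterable[Attempt], expected: bytes, reset_banner: bytes,
              bin_ns: int = 100) -> Dict[int, Counter]:
    """Count outcome classes per delay bin so the interesting region stands out."""
    per_bin: Dict[int, Counter] = defaultdict(Counter)
    for a in attempts:
        start = a.glitch_delay_ns // bin_ns * bin_ns
        per_bin[start][classify(a, expected, reset_banner)] += 1
    return dict(per_bin)


def next_search_window(summary: Dict[int, Counter],
                       bin_ns: int = 100) -> Optional[Tuple[int, int]]:
    """Return the [start, end) delay window with the most faults, or None."""
    best = max(summary, key=lambda b: summary[b][FAULT], default=None)
    if best is None or summary[best][FAULT] == 0:
        return None
    return (best, best + bin_ns)


# Constructed campaign: expected reply, a reset banner, and eight attempts.
EXPECTED_REPLY = b"OK:0000"
RESET_BANNER = b"BOOT"
CAMPAIGN = [
    Attempt(120, 40, b"OK:0000"), Attempt(180, 60, b"BOOT v1"),
    Attempt(230, 50, b"OK:0000"), Attempt(250, 60, None),
    Attempt(310, 50, b"OK:00FF"), Attempt(340, 60, b"OK:0001"),
    Attempt(390, 40, b"BOOT v1"), Attempt(460, 50, b"OK:0000"),
]
```

Running summarize(CAMPAIGN, EXPECTED_REPLY, RESET_BANNER) shows two faults in the 300 ns bin, so next_search_window narrows the next round to (300, 400).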