Problem Statement

The goal is to design a search strategy for VCC FI parameters that lead to a successful fault injection.

Input of the search consists of the parameters required by the search strategy to proceed, and an estimated initial range for every parameter.

Search space is a set of all the possible combinations of values for every param-eter required to define the VCC FI attack. Paramparam-eters that can have real values are considered as discrete-valued parameters sampled with the maximum resolution of the acquisition hardware devices, and all value ranges are bounded. The goal of the search is to get the maximum information about the behavior of a device with the minimum number of measurements given a black-box scenario. Furthermore, the goal is to find parameters that define a successful VCC FI attack in the case that device is vulnerable to fault attacks caused by glitching.

Output of the search is a report of the behavior of the device. Additionally, an output can include a parameter combination or a set of parameter combinations that lead to a successful VCC FI attack.

7.3.1 Model

We divide the search into two phases: in the first phase, we look for the appropriate glitch shape (containing all the parameters that define the signal) and in the second phase we look for the timing instant in which we have to inject the fault. The moti-vation for the parameter split into two stages is obtaining a reduction in the dimen-sionality (thus, complexity) of the problem. The feasibility of this parameter splitting was experimentally tested to be possible and useful: all Target of Evaluations (TOEs) (from this point on, targets) covered by this research show a similar behavior w.r.t.

glitch shape-related parameters. The second stage search consists of a time sweep with glitch shapes obtained by the first stage search. The time range defined in the initial search space is discretized in n time instants. In each time instant, a subset of the glitch shapes output by the first stage is tested. The verdicts of all measurements are reported as the final output of the parameter search.

7.3.2 Verdict Classes and Boundaries

Fault injection testing equipment can output only verdict classes that correspond to the effectiveness of the measurement. There exist several possible classes for classi-fying a single measurement (i.e. attack attempt):

1. NORMAL: smart card behaves as expected and the glitch is ignored.

2. RESET: smart card resets because of the glitch.

3. MUTE: smart card stops all communication as a result of the glitch.

146

4. CHANGING: smart card gives different responses for the same glitch (only in the first phase of the experiments).

5. INCONCLUSIVE: smart card responds in a way that cannot be classified in any other class (only in the second phase of the experiments).

6. SUCCESS: smart card response is a specific, predetermined value that does not happen under normal operation.

In the rest of this paper, we will consider RESET and MUTE classes as equivalent when interpreting the results. Additionally, when depicting graphs with measure-ment results, for each class we allocate a color. When the card responds NORMAL, we depict a green dot in search space, for RESET/MUTE we depict blue color, for IN-CONCLUSIVE yellow color and finally, for SUCCESS red color. CHANGING class is not depicted in the graphs. This is because CHANGING actually outputs some other class (different classes in multiple measurements) and is therefore depicted as one of those classes.

Looking for parameter combinations that lead to the successful fault injection can be regarded as optimization problem where we want to find as much as possible successful combinations in the minimal amount of time. However, before trying to give an answer about appropriate methods, we explain how difficult the problem is.

In a realistic setting that we consider, glitch voltage parameter ranges from -5000 mV to -50 mV , with a step of 50 mV . Second parameter, glitch length ranges from 2 nsto 150 ns with a step of 2 ns. If we conduct experiments where we are interested in only those two parameters and do exhaustive search, we need to collect 7 400 measurements. If we assume that each measurement takes one second, this results in the total time of two hours. However, if we add just one more parameter, e.g.

glitch offset that ranges from 100 ns to 400 ns with 1 ns step, then we have in total 2.2 million measurements. This equals to more than 600 hours of measurement time.

Naturally, here one also needs to take into account possible consequences for a smart card if it is tested for more than 600 hours and the fact that there are several more parameters of interest not mentioned in this calculation. Therefore, we conclude that the complexity of the problem depends on the number of considered parameters and it can be regarded as a difficult problem (in realistic test environments).

In the first phase of the experiments, we concentrate only on two parameters, namely, glitch length and glitch voltage in order to better control the behavior of our algorithm. Only when we are satisfied with the algorithm performance, we add the third parameter, glitch offset in the second phase of our experiments. We display a photo of our laboratory setup in Figure 7.1.

7.3.3 Search Space Parameters

Multiple search space parameters need to be set for finding faults in FI process. We informally divide those parameters into two groups, the first group consists of

pa-Figure 7.1: Laboratory setup for FI testing.

rameters that we influence with external search algorithm and are therefore of pri-mary interest. The second group consists of parameters that we leave for fault injec-tion framework to be set randomly.

In the first group, we include the parameters for glitch length, glitch voltage and in the second phase of experiments glitch offset. The glitch length refers to the time (ns) that the VCC line is perturbed. The glitch voltage is the number of millivolts (mV ) that is added to the VCC line. The glitch offset is the start time (ns) of the perturbation relative to the start of the clock cycle.

In order to understand better the influence of those parameters, next we give few examples of their working. Suppose that the glitch length is 100 ns, the glitch voltage is -3500 mV , the glitch offset is 250 ns, and the supplied VCC is 5 V . What happens is that 250 ns after the start of the clock cycle the VCC line will be pulled down to 1.5 V for 100 ns, after which it will be restored to 5 V . These three parameters determine the electrical effect on the target: roughly speaking the product of glitch length and glitch voltage represents the amount of energy that is exerted on (or withheld from) the target. Since the current propagation within a clock cycle is not constant, the offset timing is also important. We refer to these parameters as the “shape” of the glitch. Note that this is a physical effect: if the glitch is too strong the target will

“mute” or reset, if the glitch is too weak the target will not be disturbed, but if the glitch is of appropriate shape the target will behave in an unspecified way. This is unrelated to the logical effect, which refers to the exact instruction that is being glitched.

The second parameter group covers the logical effect and it consists of the num-ber of wait cycles and the numnum-ber of glitch cycles. The wait cycles parameter refers to the number of clock cycles that are skipped before the glitch attack is performed, counting from the sending of the smart card command. The glitch cycles parameter specifies the number of successive clock cycles that are glitched.

For example, we could wait for 800 clock cycles and then apply the glitch in 148

the next five cycles, assuming the relevant instruction is executed around that time frame. The fact that the electrical effects can be observed independent of the logical effects allows the security analyst to work in two phases. First, he finds a glitch

“shape” that triggers the target to behave in unspecified way. In the second phase he can search for the right wait cycles and glitch cycles values while applying the right glitch.

In the rest of this chapter, we do not investigate the logical parameters. We as-sume reasonable ranges for the wait/glitch cycles and select uniformly at random.

A nice property of the glitch shape parameters is that they display locality. The glitch offset has only a small range of values that “work”. On top of that, the glitch voltage and the glitch length are monotone: once a glitch voltage is strong enough to force a card reset, then bigger than the threshold values will also force a reset.

The same goes for the glitch length. In practice, this means that there is a clear phase transition in the voltage/length dimensions between NORMAL results and RESET/MUTE results. In addition, the class of SUCCESS results (when offset is also guessed correctly) is often located around this phase transition. Note however that the exact effect of a glitch is stochastic and a perfect separation of parameter regions is impossible.

7.3.4 Smart Card Details

In all our experiments we use smart cards that are based on ATMega163+24C256 IC, realized in Complementary Metal Oxide Semiconductor (CMOS) technology. Those cards do not exhibit any side-channel or fault injection countermeasures. All process-ing of the card is performed in software, and cards are runnprocess-ing on an external 1 M Hz clock frequency. For experimental purposes, we attack a vulnerable Personal Iden-tification Number (PIN) authentication mechanism. The PIN authentication mecha-nism is implemented as follows:

if (ok_digits == 4) //LOCATION FOR ATTACK

respond_code(0x00, SW_NO_ERROR_msb, SW_NO_ERROR_lsb);

else

respond_code(0x00, 0x69, 0x85);

In the code above, we want to glitch the target while it is executing the second if-statement. However, we want to emphasize that our approach makes no assump-tions on the software that runs on the smart card. First, we regard the target as a black box and only hypothesize that there exists a weakness in the implementation and that we can roughly estimate its location in time. Secondly, the most difficult

part of finding good FI parameters are the electrical properties like glitch voltage and glitch length. The right values for these dimensions will make the target phys-ically behave in an unspecified way, and most importantly, they will do so on any smart card of the same make (or production batch), regardless of the software.