Fig 6 - uploaded by Shahin Tajik
Detail of a fault sensitive location map and reflected light pattern overlay acquired with slightly increased laser power (85 %) and tilted orientation in 240 s for an AND gate in a single LE. (a) LUT bit 15, (b) LUT bit 11. Red denotes a low-to-high fault, green a high-to-low fault.

Source publication
Conference Paper
Programmable logics, such as complex programmable logic devices (CPLDs) and field programmable gate arrays (FPGAs), are widely used in security applications. In these applications cryptographic ciphers, physically unclonable functions (PUFs) and other security primitives are implemented on such platforms. These security primitives can be the targe...


Citations

... Depending on the target platform (i.e., FPGA or ASIC), the attacker needs to apply more sophisticated techniques to tamper with the clock. If the target is an SRAM-based FPGA, the attacker can use laser fault injection to manipulate the clock source configuration (e.g., based on ring-oscillators) or its routing configuration to stop the clock signalling [73], [74]. To take a snapshot of registers, the adversary first needs to inject a fault into the clock circuitry at her desired cycle and then take a snapshot. ...
Preprint
Due to its sound theoretical basis and practical efficiency, masking has become the most prominent countermeasure to protect cryptographic implementations against physical side-channel attacks (SCAs). The core idea of masking is to randomly split every sensitive intermediate variable during computation into at least t+1 shares, where t denotes the maximum number of shares that are allowed to be observed by an adversary without learning any sensitive information. In other words, it is assumed that the adversary is bounded either by the possessed number of probes (e.g., microprobe needles) or by the order of statistical analyses while conducting higher-order SCA attacks (e.g., differential power analysis). Such bounded models are employed to prove the SCA security of the corresponding implementations. Consequently, it is believed that given a sufficiently large number of shares, the vast majority of known SCA attacks are mitigated. In this work, we present a novel laser-assisted SCA technique, called Laser Logic State Imaging (LLSI), which offers an unlimited number of contactless probes, and therefore, violates the probing security model assumption. This technique enables us to take snapshots of hardware implementations, i.e., extract the logical state of all registers at any arbitrary clock cycle with a single measurement. To validate this, we mount our attack on masked AES hardware implementations and practically demonstrate the extraction of the full-length key in two different scenarios. First, we assume that the location of the registers (key and/or state) is known, and hence, their content can be directly read by a single snapshot. Second, we consider an implementation with unknown register locations, where we make use of multiple snapshots and a SAT solver to reveal the secrets.
... As some other works show (e.g. [22]), by using more advanced setups, such as Hamamatsu PHEMOS-1000, the precision of the faults can be further improved. ...
Article
As a prominent attack approach against the security modules of integrated circuits, fault injection attacks (FIA) are able to breach the cryptographic primitives by analyzing the intentionally induced computation errors by adversaries. Parity-based Concurrent Error Detection (CED) techniques are often deployed as a countermeasure, owing to their low overhead. Advanced linear and non-linear randomized encodings can be employed for constructing varying CED schemes. In this paper, we first evaluate the detection capability of linear parity-protected ciphers implemented in commercial FPGA, using laser fault injection (LFI) technique. A single-bit linear parity scheme is shown to be ineffective for error detection, since the LFI can typically flip multiple bits that are close to each other. On the other hand, a linear randomized parity scheme, with multiple bits parity, shows higher detection rates. Further, we study existing (randomized) non-linear encoding-based CED. With practical fault distributions on PRESENT cipher, non-linear randomized codes are extensively tested against fault injection. Although known to have better theoretical detection bounds, non-linear encodings do not provide much improvements over simple randomized linear codes.
... Lohrke et al. [21] test CPLDs manufactured with 180 nm technology by using a high-end Hamamatsu PHEMOS-1000 laser scanning microscope. In their experiment, they show how to localize AND and XOR gates and apply this method in order to map the location of a ring oscillator circuit. ...
Article
Fault injection attacks have been widely investigated in both academia and industry during the past decade. In this attack approach, the adversary intentionally induces computational faults in the security components of the integrated circuit (IC) for deducing the confidential information processed or stored inside the device. However, the internal architecture of real-world devices is typically unknown to the attacker and the insufficient information about the device internals often cannot satisfy requirements of a practical fault injection attack. In this paper, we target Field Programmable Gate Array (FPGA) that is widely used in hardware security applications. By analyzing the faulty outputs of implemented algorithms, the scale of logic arrays and the sensitive logic cells can be precisely profiled. Using the outcome of this work, practical attacks can be significantly accelerated, without a need of time-consuming chip-scale injection scan. In addition, the observed fault models are compatible with most of the previously proposed fault models for differential or algebraic fault attacks (DFA/AFA). Moreover, a low-cost and highly sensitive logic-level countermeasure for predicting the laser fault injection attempt is described, which can be applied into any digital IC with a minimal overhead.
... In other words, the faults are permanent as long as the FPGA is powered on or not rebooted. Reconfiguration attacks can be launched by tampering with the bitstream [8] and voltage glitching [9] during the configuration phase or laser fault injection [10] during the runtime. ...
Conference Paper
Mainstream FPGAs and programmable SoCs employ different countermeasures during configuration and runtime to mitigate physical attacks. However, it has been demonstrated that sophisticated active attack techniques, such as laser voltage probing, can still bypass the bitstream protections during the configuration phase. On the other hand, although the security monitoring IP cores provided by FPGA vendors can ensure the physical security during the runtime of applications, they are unable to detect such attacks during configuration. In this work, we propose a novel approach to using PUFs as physical sensors to monitor the integrity of FPGAs against active attacks. Small modifications in existing PUF architectures enable us to design a PUF-based security scheme, which can be deployed for integrity monitoring and authentication/key generation at the same time. We evaluate the effectiveness of our framework against a range of powerful attacks, such as optical probing and fault attacks. We further discuss how this scheme can be deployed during bitstream configuration in FPGAs with partial reconfiguration capability.
Chapter
Obtaining a knowledge of internal structure of a Field Programmable Gate Array (FPGA), together with the vulnerable spots that can be targeted by a laser fault injection, can be a time-consuming task when done manually. In this chapter, we present an automated method to identify regions of interest in an FPGA, such as logic arrays and cells. Such method identifies circuits that are implemented in FPGA and helps the attacker to determine which fault models are achievable with a given laser fault injection equipment. The chapter follows a step-by-step methodology of evaluation, starting with the chip decapsulation and preparation, followed by the characterization of the laser pulse interaction with the silicon. Later it focuses on the automated profiling itself, with a case study on Virtex-5 FPGA.
Chapter
Parity-based concurrent error detection (CED) techniques are often deployed as a countermeasure to fault injection attacks, owing to their low overhead in hardware. Advanced linear and non-linear randomized encoding can be employed for constructing varying CED schemes. In this chapter, we provide an automated evaluation method to estimate the detection capability of both linear and non-linear parity-protected ciphers in the presence of fault attacks. The method takes the device characteristics into account to provide accurate results on fault coverage. Case study on PRESENT-80 CED-protected implementation is provided to show the usage and practicality of such method.