FEDS: Comprehensive Fault Attack Exploitability Detection for Software Implementations of Block Ciphers

Fault injection attacks are one of the most powerful forms of cryptanalytic attacks on ciphers. A single, precisely injected fault during the execution of a cipher like the AES, can completely reveal the key within a few milliseconds. Software implementations of ciphers, therefore, need to be thoroughly evaluated for such attacks. In recent years, automated tools have been developed to perform these evaluations. These tools either work on the cipher algorithm or on their implementations. Tools that work at the algorithm level can provide a comprehensive assessment of fault attack vulnerability for different fault attacks and with different fault models. Their application is, however, restricted because every realization of the cipher has unique vulnerabilities. On the other hand, tools that work on cipher implementations have a much wider application but are often restricted by the range of fault attacks and the number of fault models they can evaluate.In this paper, we propose a framework, called FEDS, that uses a combination of compiler techniques and model checking to merge the advantages of both, algorithmic level tools as well as implementation level tools. Like the algorithmic level tools, FEDS can provide a comprehensive assessment of fault attack exploitability considering a wide range of fault attacks and fault models. Like implementation level tools, FEDS works with implementations, therefore has wide application. We demonstrate the versatility of FEDS by evaluating seven different implementations of AES (including bitsliced implementation) and implementations of CLEFIA and CAMELLIA for Differential Fault Attacks. The framework automatically identifies exploitable instructions in all implementations. Further, we present an application of FEDS in a Fault Attack Aware Compiler, that can automatically identify and protect exploitable regions of the code. We demonstrate that the compiler can generate significantly more efficient code than a naïvely protected equivalent, while maintaining the same level of protection.

Download Full-text

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.96-122 ◽

2018 ◽

pp. 96-122 ◽

Cited By ~ 6

Author(s):

Jakub Breier ◽

Xiaolu Hou ◽

Yang Liu

Keyword(s):

Fault Injection ◽

Fault Analysis ◽

Data Flow Graph ◽

Assembly Code ◽

The Past ◽

Injection Attacks ◽

Differential Fault Analysis ◽

Software Implementations ◽

Fault Injection Attack ◽

Fault Injection Attacks

Over the past decades, fault injection attacks have been extensively studied due to their capability to efficiently break cryptographic implementations. Fault injection attack models are normally determined by analyzing the cipher structure and finding exploitable spots in non-linear and permutation layers. However, this level of abstraction is often too high to distinguish vulnerable parts of software implementations, due to specific operations and optimizations. On the other hand, manually analyzing the assembly code requires non-negligible amount of time and expertise. In this paper, we propose an automated approach for analyzing cipher implementations in assembly. We represent the whole assembly program as a data flow graph so that the vulnerable spots can be found efficiently. Fault propagation is analyzed in a subgraph constructed from each vulnerable spot, allowing equations for Differential Fault Analysis (DFA) to be automatically generated. We have created a tool that implements our approach: DATAC – DFA Automation Tool for Assembly Code. We have successfully used this tool for attacking PRESENT- 80, being able to find implementation-specific vulnerabilities that can be exploited in order to recover the last round key with 16 faults. Our results show that DATAC is useful in finding attack spots that are not visible from the cipher structure, but can be easily exploited when dealing with real-world implementations.

Download Full-text

Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks

Foundations and Practice of Security - Lecture Notes in Computer Science ◽

10.1007/978-3-319-17040-4_7 ◽

2015 ◽

pp. 92-111 ◽

Cited By ~ 1

Author(s):

Lionel Rivière ◽

Marie-Laure Potet ◽

Thanh-Ha Le ◽

Julien Bringer ◽

Hervé Chabanne ◽

...

Keyword(s):

Fault Injection ◽

Multiple Fault ◽

Low Level ◽

Injection Attacks ◽

Software Implementations ◽

High Level ◽

Fault Injection Attacks

Download Full-text

SimpliFI: Hardware Simulation of Embedded Software Fault Attacks

Cryptography ◽

10.3390/cryptography5020015 ◽

2021 ◽

Vol 5 (2) ◽

pp. 15

Author(s):

Jacob Grycel ◽

Patrick Schaumont

Keyword(s):

Fault Injection ◽

Embedded Software ◽

Fault Models ◽

Simulation Framework ◽

Embedded Processor ◽

Fault Attacks ◽

Simulation Methodology ◽

Fault Behavior ◽

Injection Simulation ◽

High Level

Fault injection simulation on embedded software is typically captured using a high-level fault model that expresses fault behavior in terms of programmer-observable quantities. These fault models hide the true sensitivity of the underlying processor hardware to fault injection, and they are unable to correctly capture fault effects in the programmer-invisible part of the processor microarchitecture. We present SimpliFI, a simulation methodology to test fault attacks on embedded software using a hardware simulation of the processor running the software. We explain the purpose and advantage of SimpliFI, describe automation of the simulation framework, and apply SimpliFI on a BRISC-V embedded processor running an AES application.

Download Full-text

Persistent Fault Analysis on Block Ciphers

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i3.150-172 ◽

2018 ◽

pp. 150-172 ◽

Cited By ~ 3

Author(s):

Fan Zhang ◽

Xiaoxuan Lou ◽

Xinjie Zhao ◽

Shivam Bhasin ◽

Wei He ◽

...

Keyword(s):

Time Synchronization ◽

Fault Injection ◽

Block Ciphers ◽

Fault Analysis ◽

Experimental Results ◽

Fault Attacks ◽

Intrinsic Nature ◽

Fault Attack ◽

Modular Redundancy

Persistence is an intrinsic nature for many errors yet has not been caught enough attractions for years. In this paper, the feature of persistence is applied to fault attacks, and the persistent fault attack is proposed. Different from traditional fault attacks, adversaries can prepare the fault injection stage before the encryption stage, which relaxes the constraint of the tight-coupled time synchronization. The persistent fault analysis (PFA) is elaborated on different implementations of AES-128, specially fault hardened implementations based on Dual Modular Redundancy (DMR). Our experimental results show that PFA is quite simple and efficient in breaking these typical implementations. To show the feasibility and practicability of our attack, a case study is illustrated on the shared library Libgcrypt with rowhammer technique. Approximately 8200 ciphertexts are enough to extract the master key of AES-128 when PFA is applied to Libgcrypt1.6.3 with redundant encryption based DMR. This work puts forward a new direction of fault attacks and can be extended to attack other implementations under more interesting scenarios.

Download Full-text

An AOP-Based Fault Injection Environment for Cryptographic SystemC Designs

Journal of Circuits System and Computers ◽

10.1142/s0218126615500085 ◽

2014 ◽

Vol 24 (01) ◽

pp. 1550008 ◽

Cited By ~ 3

Author(s):

Hassen Mestiri ◽

Younes Lahbib ◽

Mohsen Machhout ◽

Rached Tourki

Keyword(s):

Fault Injection ◽

Electronic System ◽

System Level ◽

Standard Case ◽

Fault Attacks ◽

Injection Attacks ◽

Electronic System Level ◽

Fault Injection Attacks ◽

The Impact ◽

Simulation Time

The increasing complexity of cryptographic devices requires fast simulation environment in order to test their security against fault attacks. SystemC is one promising candidate in Electronic System Level that allows models to reach higher simulation speed. However in order to enable both fault injection and detection inside a SystemC cryptographic models, its code modification is mandatory. Aspect-Oriented Programming (AOP), which is a new programming paradigm, can be used to test the robustness of the cryptographic models without any code modifications. This may replace real cryptanalysis schemes. In this paper, we present a new methodology to simulate the security fault attacks of cryptographic systems at the Electronic System Level. A fault injection/detection environment is proposed to test the resistance of cryptographic SystemC models against fault injection attacks. The fault injection technique into cryptographic SystemC models is performed using weaving faults by AspectC++ as an AOP programming language. We validate our methodology with two scenarios applied to a SystemC Advanced Encryption Standard case study: the first is related to the impact of the AOP on fault detection capabilities, while the second refers to the impact of the AOP on simulation time and size of the executable files. Simulation results show that this methodology can evaluate perfectly the robustness of a cryptographic design against fault injection attacks. They show that the impact of AOP on simulation time is not significant.

Download Full-text

Practical, Low-Cost Fault Injection Attacks on Personal Smart Devices

Applied Sciences ◽

10.3390/app12010417 ◽

2022 ◽

Vol 12 (1) ◽

pp. 417

Author(s):

Shaked Delarea ◽

Yossi Oren

Keyword(s):

Fault Injection ◽

Low Cost ◽

Device Under Test ◽

Smart Devices ◽

Fault Attacks ◽

Threat Model ◽

Software Application ◽

Injection Attacks ◽

Close Proximity ◽

Fault Injection Attacks

Fault attacks are traditionally considered under a threat model that assumes the device under test is in the possession of the attacker. We propose a variation on this model. In our model, the attacker integrates a fault injection circuit into a malicious field-replaceable unit, or FRU, which is later placed by the victim in close proximity to their own device. Examples of devices which incorporate FRUs include interface cards in routers, touch screens and sensor assemblies in mobile phones, ink cartridges in printers, batteries in health sensors, and so on. FRUs are often installed by after-market repair technicians without properly verifying their authenticity, and previous works have shown they can be used as vectors for various attacks on the privacy and integrity of smart devices. We design and implement a low-cost fault injection circuit suitable for placement inside a malicious FRU, and show how it can be used to practically extract secrets from a privileged system process through a combined hardware-software approach, even if the attacker software application only has user-level permissions. Our prototype produces highly effective and repeatable attacks, despite its cost being several orders of magnitude less than that of commonly used fault injection analysis lab setups. This threat model allows fault attacks to be carried out remotely, even if the device under test is in the hands of the victim. Considered together with recent advances in software-only fault attacks, we argue that resistance to fault attacks should be built into additional classes of devices.

Download Full-text