Abstract
With the proliferation of embedded systems and our ever-increasing dependence on them, their security has never been more critical. Electromagnetic fault injection (EMFI) has garnered significant attention after it was found that electromagnetic (EM) pulses can cause faults in hardware and can be used to break security algorithms. In this work, we present an EMFI detector that excels at all quality metrics of a detection mechanism, namely, precision, accuracy, detection rate, and specificity. We developed this detector after careful evaluation of the most recent existing techniques for EMFI detection. We have conducted these evaluations on two different FPGA platforms and presented them in this paper. One of the most unexpected results of our study is that a previously designed sensor that was built based on a particular bit-set/reset fault model and achieved a relatively high-quality detection was, in fact, performing the detection based on a timing/sampling fault model. We conclude that despite the mixed interpretations in the previous work, the timing/sampling fault model is the most plausible way to describe EMFI effects. This work suggests that the EMFI attacks act like localized timing attacks in FPGAs, and we can detect them with low false-positive and false-negative rates using the newly proposed in-situ timing sensors. Our proposed sensors have low cost, are scalable, and can be integrated into any digital design with ease.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Blomer J, Seifert J-P (2003) Fault based cryptanalysis of the advanced encryption standard (AES). In: International Conference on Financial Cryptography. Springer, Berlin, Heidelberg
Dumont M, Lisart M, Maurine P (2019) Electromagnetic fault injection : how faults occur ? In: Fault Diagnosis and Tolerance in Cryptography (FDTC), vol 2019, Atlanta, GA
L. Zussa, J.-M. Dutertre, J. Clédière, B. Robisson and A. Tria, "Investigation of timing constraints violation as a fault injection means," 2012
Ordas S, Guillaume-Sage L, Maurine P (2015) Em injection: fault model and locality. In: Fault diagnosis and tolerance in cryptography (FDTC)
Zussa L, Dehbaoui A, Tobich K, Dutertre J-M, Maurine P, Guillaume-Sage L, Clédière J and Tria A (2014) Efficiency of a glitch detector against electromagnetic fault injection. [Online]. Available: http://mines-stetienne.fr/~dutertre/doc_recherche/p_2014_1_talk_date14_emi.pdf. [Accessed 31 3 2019]
Moro N, Dehbaoui A, Heydemann K, Robisson B, Encrenaz E (2013) Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller. arXiv: Cryptography and Security:77–88
Ghodrati M, Yuce B, Gujar S, Deshpande C, Nazhandali L, Schaumont P (2018) Inducing local timing fault through EM injection. In: Proceedings of the 55th Annual Design Automation Conference, San Francisco
Ordas S, Guillaume-Sage L, Tobich K, Dutertre JM, Maurine P (2014) Evidence of a larger EM-induced fault model. In: International Conference on Smart Card Research and Advanced Applications
Deshpande C, Yuce B, Schaumont P, Nazhandali L (2017) Employing dual-complementary Flip-flops to detect EMFI attacks. In: IEEE VLSI (AsianHOST), 2017 Asian hardware oriented security and trust symposium
El-Baze D, Rigaud J-B and Maurine P (2016) A fully-digital EM pulse detector. [Online]. Available: http://dblp.uni-trier.de/db/conf/date/date2016.html. [Accessed 31 3 2019]
El-Baze D, Rigaud J-B, Maurine P (2016) An embedded digital sensor against EM and BB fault injection. In: Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), Santa Barbara
Miura N, Nazm Z, He W, Bhasin S, Ngo XT, Nagata M and Danger J-L (2016) PLL to the rescue: a novel EM fault countermeasure. [Online]. Available: https://dr.ntu.edu.sg/handle/10220/41437?show=full. [Accessed 31 3 2019]
Ravi P, Bhasin S, Breier J, Chattopadhyay A (2018) PPAP and iPPAP: PLL-based protection against physical attacks. In: IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Hong Kong
Breier J, Bhasin S, He W (2017) An electromagnetic fault injection sensor using Hogge phase-detector. In: Quality Electronic Design (ISQED), 2017 18th International Symposium on, IEEE, pp 307–312
Riscure (2019) EM-FI transient probe: localized glitches testing tool. [Online]. Available: https://www.riscure.com/product/em-fi-transient-probe/
Boneh D, DeMillo RA, Lipton RJ (1997) On the importance of checking cryptographic protocols for faults, pp 37–51
Fawcett T An introduction to ROC Analysis. Pattern Recogn Lett 27(8):861–874
Terasic - SoC Platform - Cyclone - DE1-SoC Board
Terasic - DE Main Boards - Cyclone - DE0-Nano Development and Education Board
Yuce B, Ghalaty NF, Deshpande C, Patrick C, Nazhandali L, Schaumont P (2016) FAME: fault-attack aware microprocessor extensions for hardware fault detection and software fault response. ACM, New York
FPGA Design Software - Intel® Quartus® Prime
Deshpande C, Yuce B, Ghalaty NF, Ganta D, Schaumont P and Nazhandali L (2016) A configurable and lightweight timing monitor for fault attack detection. [Online]. Available: http://ieeexplore.ieee.org/document/7560241. [Accessed 31 3 2019]
Altera (2018) Designing with low-level primitives. [Online]
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Gujar, S.S., Nazhandali, L. Detecting Electromagnetic Injection Attack on FPGAs Using In-situ Timing Sensors. J Hardw Syst Secur 4, 196–207 (2020). https://doi.org/10.1007/s41635-020-00096-9
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s41635-020-00096-9