Cryptography Reference
In-Depth Information
regular clock within the working range of the device, while retaining the ability to
alter a single clock edge. This implies that the equipment inducing the alteration
must be working at a clock frequency higher than that of the attacked device, and
this is intrinsically more difficult as the target device working frequency increases.
Another way to induce nondestructive faults in a digital circuit is to steadily
overclock the device under attack; as shown in [172], the number of induced faults
increases gradually when the computations are performed at a frequency higher than
the nominal one. In particular, it is possible to exploit a clock frequency interval where
the appearance of the fault is very limited in order to obtain localized alterations in
the computation which can be exploited successfully.
Another possibility for an attacker willing to inject controlled faults into a com-
puting device is to alter the environmental conditions around the device under attack,
for instance, causing the temperature to rise. A global rise of the temperature around
common desktop DRAM modules has been reported to cause multiple multi-bit
errors in the memory content [169]. The authors report a thermal fault induction
attack against the DRAM memory chips of a common desktop PC. The reported
number of flipped bits is around ten per 32-bit word, when the working temperature
of the DRAM is brought up to 100
◦
C. The number of faulty words is also reported
to be in the range of tenths of the RAM cells. In order to raise the temperature to
a fault inducing level, a common 50 W light bulb was employed to illuminate the
chips and the level of heating was tuned by modifying the distance between the light
bulb and the chips. The temperature level was monitored with a simple commer-
cial thermometer, by placing the temperature probe on the DRAM. The workbench
setup requires minimal technical knowledge and the equipment is readily available
to anyone. The limitations of this fault induction technique are due to its very coarse
grain, which tends to easily corrupt large amounts of data. Another downside of this
technique is the fact that it is actually possible to destroy parts of the circuit through
excessive heating, since some components have a very narrow tolerance range with
respect to the working temperature.
A practical way to induce faults without needing to physically tap into the working
device is to cause strong electromagnetic (EM) disturbances near it. The eddy currents
induced by strong EM pulses into the lines of the circuit cause temporary alterations
at the level of the signals, which in turn may be recorded by a latch, thus causing
an erroneous value to be employed in a computation. Since the EM pulse affects
uniformly the whole attacked device, it is necessary to shield the components that
should not be subject to faults with either a metal plate or a mesh, connected to
a proper grounding point. This technique has been proved effective against eight-
bit micro-controllers by [360], employing as a source of EM disturbances a spark
generator and placing the two endpoints between which the spark is produced very
close to the chip package. The authors also demonstrated that better results in terms
of more efficient fault injection may be obtained by removing the plastic package
of the chip before the spark generator is placed. The spark generator employed in
the reported article consists of a simple piezoelectric gas lighter, whose wires have
been extended to obtain an easily placeable spark gap, which is held directly above
or below the device under attack. All the parts of the circuit that did not need to
