Cryptography Reference
In-Depth Information
low cost fault injection techniques are unable to obtain high precision of the injected
faults, and that it is less common to achieve spatial than temporal accuracy.
16.3 Low-Voltage Faults on General-Purpose Processors
This section provides a complete characterization of the faults happening when a
general-purpose microprocessor is constantly underfed, and subsequently charac-
terizes the errors induced on the computed outputs in terms of position, shape and
timing, together with the methodology followed to obtain such faults. A complete
description of the working environment is provided to properly outline the workflow
we follow in order to coalesce the new fault and error model.
16.3.1 CPU Architecture and Experimental Settings
The processor architecture taken into account in this study is the ARMv5TE, in
particular the version implemented by the ARM9E microprocessor. Our choice was
driven by the wide deployment of this CPU, which is nowadays the dominant choice
for smartphones, network appliances, portable gaming platforms and low power
computers, and is thus quite likely to be used also to compute cryptographic primitives
when the possession of a possible attacker.
Our target chip is an ARM926EJ-S [17]; a 32-bit RISC Harvard architecture CPU
with 16 general purpose registers and a five stage pipeline. The ARM processor has a
full MMU and separate data and instruction caches, each 16 KB wide, coupled with
a 16-entry write buffer which avoids stalls in the CPU when memory writebacks are
performed. In particular the ARM926EJ-S is also endowed with a hardware Java
bytecode interpreter able to directly run Java bytecode. The richness of the available
features justifies the vast popularity achieved by this model in the consumer mobile
devices. The CPU is embedded in a system on-chip mounted on a development board,
specifically a SPEAr Head200 [389] built by STMicroelectronics, which is used as
reference board to design ARM-based devices equipped with 64 MB DDR RAM
clocked at 133 MHz, 32 MB of on-board Flash storage, two USB Host ports, an RS-
232 serial interface and a 100 Mbps Ethernet network card. The system is endowed
with a U-Boot [118] embedded bootloader, which is able to load the binary code to
be run via TFTP [382] protocol. This allows the board either to run a specific binary,
compiled to be independently executed on the ARM9 CPU, or to boot a full-fledged
operating system. In the following experiments, raw binaries were employed in order
to precisely characterize the fault model of this system. On the other hand, for the
sake of practical applicability, all the attacks on cryptosystems were led with a full
vanilla Linux 2.6 kernel (DENX distribution) employing an NFS [78] partition as
root filesystem. All the binaries were compiled with the GCC 3.4-based development
toolchain for ARM9 provided by CodeSourcery [96]. All the fault characterization
