

### A Multiple-fault Injection Attack by Adaptive Timing Control under Black-box Conditions and a Countermeasure

COSADE 2014, April 15, 2014

<u>Sho Endo</u>¹, Naofumi Homma¹, Yu-ichi Hayashi¹, Junko Takahashi², Hitoshi Fuji² and Takafumi Aoki¹

¹Tohoku University, Japan; ²NTT Secure Platform Laboratories, Japan

### Fault injection attacks against microcontrollers


- Fault injection attacks
  - Inject faults into a cryptographic operation
  - Obtain the secret key from faulty ciphertexts or other information
- Software countermeasures against these attacks
  - Fault detection by recalculation
  - Adding a random delay before encryption
- Multiple fault injection attacks on microcontrollers
  - Involve multiple fault injections into a single cryptographic operation

### Multiple fault injection attacks

- Experiments against RSA software
  - Inject faults into both the encryption and the recalculation
  - Power glitches [Kim 2007]
  - Laser shots [Trichina 2010]
  - Skip the branch instruction in the recalculation routine
- Conventional attacks were performed in a white-box setting
  - The execution timing of the critical instructions is known
  - The black-box condition (execution timing is not known) was not considered in the literature

Investigating a multiple-fault injection attack in the black-box setting, and a countermeasure

- Scanning for the appropriate fault injection timing
- Controlling the fault injection timing adaptively according to the output of the microcontroller

The attack can be applied without knowledge of the program

- An experiment of the attack against AES with recalculation
  - Demonstrates that we can obtain a faulty ciphertext for DFA
- Proposal of a countermeasure

# Outline

- Background
- Concept of the proposed attack
- Scanning algorithm
- Experiment of the proposed attack against an AES program with recalculation
- Countermeasure against the proposed attack
- Conclusion and future works

### Multiple fault injection attack against recalculation



# Assumption of our attack



- A countermeasure by recalculation is present
- We can observe the start and end timings of the cryptographic operation through the communication signal


# Scanning fault timing



# Obtaining faulty ciphertext for DFA

### Example of faulty ciphertext



## Experiment

### Experimental setup



### Experimental conditions

| Condition                          | Value                                |
|------------------------------------|--------------------------------------|
| Cryptographic algorithm            | 128-bit AES with recalculation       |
| Microcontroller                    | AVR ATmega163 (8-bit)                |
| Compiler                           | gcc 4.3.3 -Os                        |
| FPGA                               | Xilinx XC6SLX150                     |
| Clock frequency of microcontroller | 3.6 MHz                              |
| Plaintext                          | (00112233445566778899aabbccddeeff)16 |
| Key                                | (000102030405060708090a0b0c0d0e0f)16 |

Can be exploited by Piret's DFA

### Number of trials in our attack



### Instruction that was skipped in the experiment



Branch is not skipped

Branch is skipped

# Application of proposed attack

- Attacks against conventional countermeasures for fault injection
  - Duplication of instructions can be defeated by injecting faults into all the duplicated instructions
  - A random delay before the encryption can be defeated by skipping the random number generation code

### Proposed countermeasure

Rearrange the instructions of the main function so that the faulty ciphertext is not output when critical instructions are skipped

### Countermeasure for the skip of branch instruction



w/o countermeasure

Modified code #1

- The output routine was moved to an address lower than that of the encryption
- The branch condition was flipped

# Attack on test (TST) instruction



Modified code #1

The program may jump to Line 2 when Line 7 is skipped and Z = 1

### Proposed countermeasure



Initialize the Zero (Z) flag before executing the test instruction
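To make the two countermeasures concrete, here is an added toy instruction-level simulation in C (not the authors' code or their AVR program): it runs the three layouts discussed above (without countermeasure, modified code #1, and modified code #2 with the Z flag cleared) under a single-instruction-skip fault and reports whether a faulty ciphertext reaches the output. The instruction set, the one-byte xor "cipher", the instruction indices and the stale-Z-flag parameter are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy CPU (added example, not the paper's code): runs an
 * encrypt/recalculate/compare/output program and may skip one instruction,
 * to show how instruction order and a stale Z flag decide whether a faulty
 * ciphertext is output. The "cipher" is a one-byte xor; ENC is faulted. */
enum { ENC, REC, CMP, BREQ, BRNE, OUT, JMP, HALT, CLRZ };
typedef struct { int op; int arg; } ins_t;
#define NO_OUTPUT (-1)
/* Run prog[0..n), skipping index skip (none if < 0); z_init is the stale Zero
 * flag. Returns the byte output, or NO_OUTPUT if the program halted silently. */
int run(const ins_t *prog, int n, int skip, bool z_init) {
    const uint8_t key = 0x5a, pt = 0x11;
    uint8_t c1 = 0, c2 = 0;
    bool z = z_init;
    int out = NO_OUTPUT, pc = 0;
    while (pc < n) {
        const ins_t in = prog[pc++];
        if (pc - 1 == skip) continue;              /* fault: instruction skipped */
        switch (in.op) {
        case ENC:  c1 = (pt ^ key) ^ 0x01; break;  /* faulty first encryption */
        case REC:  c2 = pt ^ key; break;           /* correct recalculation */
        case CMP:  z = (c1 == c2); break;          /* like TST: sets Z */
        case CLRZ: z = false; break;
        case BREQ: if (z) pc = in.arg; break;
        case BRNE: if (!z) pc = in.arg; break;
        case JMP:  pc = in.arg; break;
        case OUT:  out = c1; break;
        case HALT: return out;
        }
    }
    return out;
}
/* w/o countermeasure: BRNE jumps past OUT on mismatch, so a skipped branch
 * (index 3) falls straight into OUT and leaks the faulty ciphertext. */
const ins_t plain[6] = {{ENC,0},{REC,0},{CMP,0},{BRNE,5},{OUT,0},{HALT,0}};
/* Modified code #1: output routine below the encryption, branch flipped to
 * BREQ, so a skipped branch (index 6) falls through to HALT instead. */
const ins_t moved[8] = {{JMP,3},{OUT,0},{HALT,0},{ENC,0},{REC,0},{CMP,0},{BREQ,1},{HALT,0}};
/* Modified code #2: Z cleared right before the compare, so a skipped CMP
 * (index 6) cannot inherit a stale Z = 1 and branch back to OUT. */
const ins_t cleared[9] = {{JMP,3},{OUT,0},{HALT,0},{ENC,0},{REC,0},{CLRZ,0},{CMP,0},{BREQ,1},{HALT,0}};

int main(void) {
    printf("%d %d %d %d\n", run(plain, 6, 3, false), run(moved, 8, 6, false),
           run(moved, 8, 5, true), run(cleared, 9, 6, true));  /* 74 -1 74 -1 */
    return 0;
}
```

The third result reproduces the TST-skip case from the previous slide (a skipped compare with a stale Z = 1 still reaches the output), and the fourth shows that clearing Z first closes it.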

# Conclusion and future works

- Proposal of a scanning method to find the appropriate fault position
  - Tuning the fault position adaptively according to the output
- Experiment against an AES program with recalculation
  - Successfully obtained a faulty ciphertext
- Proposal of a countermeasure against the proposed attack
- Future works
  - Experiments on microcontrollers with other architectures
  - Implementation of a compiler that applies the proposed countermeasure automatically

Thank you! Any questions?


# Screenshot during fault injection

