# Hardware Security Evaluation of Embedded Applications against Fault Injection Attacks

ZAHRA KAZEMI

JOURNÉE THÉMATIQUE SUR LES ATTAQUES PAR INJECTION DE FAUTES (JAIF 2021) 24 SEPTEMBER 2021



# Outline

- Introduction
- Our Hardware Security Evaluation Platform
- High-Level Hardware Security Assessment Methods
- Fine-Tuned Experimental Evaluation for RISC-V
- Conclusions and Future Works
- References


### Embedded IoT Systems Role in Daily Life













Imbalance Security as a Key Element In IoT Market




## Different Security Attacks Against IoT/Embedded Systems



### Different Hardware Security Attacks






## Different Non-Invasive Fault Injectors



#### Examples in Academia and Industry:

ChipWhisperer tool from NewAE©

- (+) Suitable for academia
- (−) Hardware dependent
- (−) Not fully automated
- (−) Lack of parameter database
- (−) Not suitable for all external targets

Spider tool from Riscure©

- (+) Suitable for industry
- (+) Automatic testing scenarios
- (−) Hardware dependent
- (−) Too expensive
- (−) Not easy for non-security users to get acquainted with

## Introduction: Our Goal

1. Review the state of the art of existing clock glitch generators
2. Develop an evaluation platform for non-security experts which is:
   - Capable of injecting precise faults
   - Open source implementation
   - Low cost and accessible
   - Configurable for various targets
   - Automatic scenarios
   - Easy to use for novice hardware security evaluators
3. Introduce high-level evaluation methods for common functions and patterns of embedded IoT applications


## Clock Glitching Attacks

A clock glitching attack violates the critical path delay by inserting an additional positive clock edge, which leads to incorrect values and states in the target system.



A High-Level Schematic






Clock Glitch Generation Methods



### Important Characteristics:

1. Needed Equipment and Cost
2. Complexity
3. Minimum Glitch Width
4. Capability to Inject Glitch into Specific Clock Cycle
5. Capability to Perform Run-Time Configuration
6. Capability to Control Generated Faulty Clock Frequency
7. Reproducibility of Faulty Clock



\*[1] Please see: Kazemi, Zahra, David Hely, Mahdi Fazeli, and Vincent Beroulle. 2020. "A Review on Evaluation and Configuration of Fault Injection Attack Instruments to Design Attack Resistant MCU-Based IoT Applications" *Electronics* 9, no. 7: 1153. https://doi.org/10.3390/electronics9071153

#### Table 3. Review of previously proposed clock glitch generators.


- Implemented Clock Glitch Generator Based on Combining Shifted Clocks (Xilinx FPGA Arty-S7-50) [2]
- Implemented Clock Glitch Generator Based on Combining Clocks with Different Frequencies (Kintex 7 FPGA Digilent Genesys-2) [2]





Comparison of Different Clock Glitch Generators



1. One can use our open-source glitch generator on various FPGA types that provide one of the following features:
   - **Digital Clock Management (DCM)** (e.g., Spartan-3 and Virtex-4)
   - **Phase Locked Loop (PLL)** (e.g., Virtex-5 and Spartan-6)
   - **Mixed-Mode Clock Manager (MMCM)** (e.g., Virtex-6 and the seven series FPGAs)
2. To use the run-time reconfiguration feature, one needs to use Xilinx® 7 series, UltraScale, or UltraScale+ devices.


## High-Level Hardware Security Assessment: Our Approach




| Function Categories             | Examples | Normal Functionality                       | Functionality Under Attack         |
|---------------------------------|----------|--------------------------------------------|------------------------------------|
| Type Casting Function           | atoi     | Converts ASCII array to an integer value   | Generates corrupted integer value  |
| Memory Based Functions          | memcpy   | Compares the values in memory              | Faulty comparison result           |
| String Manipulation Functions   | strcpy   | Copies from one character array to another | Copy corrupted or incomplete array |
| Searching and Sorting Functions | bsearch  | Searches an array to find value            | Returns null                       |

## High-Level Hardware Security Assessment: Our Approach on a Case-Study

Sec-Pump: An Open-Source Secured Medical Application (https://github.com/r3glisss/SecPump)



## High-Level Hardware Security Assessment: Our Experimental Platform

[Figure labels: Clock Glitch Generator (FPGA Arty S7); Synchronization; Faulty Clock; C-Functions; Target Device (Implemented RISC-V Rocket Core on FPGA Arty A7)]



## High-Level Hardware Security Assessment: Experimental Results




Our Approach



Simulation Environment

### Ripes

- An open-source hardware simulator (https://github.com/mortbopet/Ripes)
- Based on the RISC-V ISA
- Simulates the execution of each instruction cycle-accurately

Faults are induced into the selected instructions, and we monitor the behavior of high-level functions running on a RISC-V processor.

Simulation Results



Functions such as **memset**, **strncpy**, and **strcpy** are more vulnerable at their initial execution clock cycles.
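The kind of campaign described above (fault one instruction, then observe the high-level function's result) can be sketched as follows. This is an added example, not the authors' Ripes setup or code from the talk: it assumes an instruction-skip fault model, a toy five-instruction `strcpy` written with RISC-V-like mnemonics at one cycle per instruction, and a constructed input string.

```python
# Constructed toy program: strcpy as five RISC-V-like instructions, one cycle each.
PROG = [
    ("lbu", "t0", "a1"),    # t0 = mem[a1]
    ("sb", "t0", "a0"),     # mem[a0] = t0
    ("addi", "a1", 1),      # source pointer += 1
    ("addi", "a0", 1),      # destination pointer += 1
    ("bnez", "t0", 0),      # jump back to instruction 0 while t0 != 0
]
SRC, DST, DST_LEN = 0, 16, 8
SECRET = b"PIN1\x00"        # constructed sample input, NUL-terminated

def run(skip_cycle=None, max_cycles=200):
    """Execute PROG; the instruction issued at skip_cycle is dropped (assumed fault model)."""
    mem = bytearray(32)
    mem[SRC:SRC + len(SECRET)] = SECRET
    mem[DST:DST + DST_LEN] = b"\xaa" * DST_LEN   # sentinel fill exposes missing writes
    reg = {"a0": DST, "a1": SRC, "t0": 0}
    pc = cycle = 0
    while pc < len(PROG) and cycle < max_cycles:
        op, x, y = PROG[pc]
        pc += 1
        if cycle != skip_cycle:                  # a skipped instruction behaves as a NOP
            if op == "lbu":
                reg[x] = mem[reg[y]]
            elif op == "sb":
                mem[reg[y]] = reg[x]
            elif op == "addi":
                reg[x] += y
            elif op == "bnez" and reg[x] != 0:
                pc = y
        cycle += 1
    return bytes(mem[DST:DST + DST_LEN]), cycle

def classify(dst, golden):
    """Compare a faulted destination buffer with the fault-free (golden) one."""
    if dst == golden:
        return "correct"
    if 0 not in dst:
        return "unterminated"                    # later string reads would overrun
    copied = dst[:dst.index(0)]
    return "truncated" if SECRET.startswith(copied) else "corrupted"

def campaign():
    """Inject one skip at every cycle of the golden run and record the outcome."""
    golden, cycles = run()
    return {c: classify(run(c)[0], golden) for c in range(cycles)}

if __name__ == "__main__":
    for c, outcome in campaign().items():
        print(f"cycle {c:2d} {PROG[c % len(PROG)][0]:4s} -> {outcome}")
```

The outcome classes map onto the "copy corrupted or incomplete array" behaviour listed for `strcpy` in the function table; the per-cycle distribution is a property of this toy model only.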

Results




# Conclusions

1. We have reviewed all the existing clock glitching platforms and extracted their important characteristics
2. We have developed our open-source and practical platform which can help non-security specialists and developers to make their applications robust against low-cost but effective physical attacks
3. We have presented high-level evaluation approaches for common functions and patterns
4. Our experimental results have been improved using an ISA-level simulation environment

# Future Works

1. Demonstrating the potential risks of overlooking such vulnerabilities in different case-studies
2. Building up a database on clock glitch configurations for embedded application assessments
3. Assessing the vulnerability of different patterns and functions depending on their location in an embedded application by using symbolic executions
4. Proposing software level mitigation patterns/countermeasures

# References

[1] Kazemi, Zahra, David Hely, Mahdi Fazeli, and Vincent Beroulle. 2020. "A Review on Evaluation and Configuration of Fault Injection Attack Instruments to Design Attack Resistant MCU-Based IoT Applications" *Electronics* 9, no. 7: 1153. https://doi.org/10.3390/electronics9071153

[2] Z. Kazemi, A. Papadimitriou, I. Souvatzoglou, E. Aerabi, M. M. Ahmed, D. Hely, and V. Beroulle, "On a low cost fault injection framework for security assessment of cyber-physical systems: Clock glitch attacks," in 2019 IEEE 4th International Verification and Security Workshop (IVSW). IEEE, 2019, pp. 7–12.

[3] Z. Kazemi, M. Fazeli, D. Hely, and V. Beroulle, "Hardware security vulnerability assessment to identify the potential risks in a critical embedded application," in 2020 IEEE 26th International Symposium on On-Line Testing and Robust System Design (IOLTS). IEEE, 2020, pp. 1–6.

[4] Z. Kazemi, A. Norollah, A. Kchaou, M. Fazeli, D. Hely, and V. Beroulle, "An in-depth vulnerability analysis of RISC-V micro-architecture against fault injection attack," International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFTS), 2021.

# Thank you for your attention!

## Questions?
