Amélie Marotta's PhD Thesis - Effects of synchronous clock glitch on the security of integrated circuits

Amélie Marotta’s PhD Thesis

Amélie Marotta is currently pursuing her PhD thesis, entitled Effects of synchronous clock glitch on the security of integrated circuits, at the INRIA TARAN team. Her research, which began in October 2021, is co-supervised by Ronan Lashermes from INRIA/LHS, Olivier Sentieys from INRIA/TARAN, and Rachid Dafali from DGA-MI.

Abstract

When designing an electronic device, security is a key aspect to consider. Vulnerabilities can stem from numerous sources and be exploited through a wide variety of methods. In particular, this thesis focuses on fault injection attacks, which aim to disrupt circuit signals—such as the power supply—in order to alter the device’s behavior. To design effective countermeasures or to develop attacks, it is essential to understand how faults affect integrated circuits.

Electromagnetic fault injection (EMFI) is especially challenging to study, as it often impacts multiple signals simultaneously. This thesis investigates a specific effect of EMFI: the synchronous clock glitch. While this phenomenon has already been exploited to bypass security mechanisms, it has not been thoroughly analyzed in the literature.

We begin by studying its impact on registers and their sampling behavior, leading to the identification of a new fault model. We then examine the effects of the glitch at the microarchitectural level. Our objectives are threefold: to establish the relationship between injection parameters and the resulting effects, to identify the processor’s vulnerable components, and to link these observations with low-level fault models.

Together, these contributions enhance our understanding of the effects of fault injection—particularly electromagnetic faults—across different abstraction levels.

Publications

1. Characterizing and Modeling Synchronous Clock-Glitch Fault Injection Amélie Marotta, Ronan Lashermes, Guillaume Bouffard, Olivier Sentieys, and Rachid Dafali - In Proceedings of the 15th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE) (2024)

   In the realm of fault injection (FI), electromagnetic fault injection (EMFI) attacks have garnered significant attention, particularly for their effectiveness against embedded systems with minimal setup. These attacks exploit vulnerabilities with ease, underscoring the im- portance of comprehensively understanding EMFI. Recent studies have highlighted the impact of EMFI on phase-locked loops (PLLs), uncov- ering specific clock glitches that induce faults. However, these studies lack a detailed explanation of how these glitches translate into a specific fault model. Addressing this gap, our research investigates the physical fault model of synchronous clock glitches (SCGs), a clock glitch injec- tion mechanism likely to arise from EMFI interactions within the clock network. Through an integrated approach combining experimental and simulation techniques, we critically analyze the adequacy of existing fault models, such as the Timing Fault Model and the Sampling Fault Model, in explaining SCGs. Our findings reveal specific failure modes in D flip-flops (DFFs), contributing to a deeper understanding of EMFI effects and aiding in the development of more robust defensive strategies against such attacks.

2. Characterizing and Modeling Clock-Glitch Fault Injection Amélie Marotta, Ronan Lashermes, Olivier Sentieys, Rachid Dafali, and Guillaume Bouffard - Journée thématique sur les attaques par injection de fautes (JAIF) (2023)

   Fault injection techniques are numerous, including laser, electromagnetic fault injection (EMFI), power glitch, and clock glitch. The physical effects that are caused from fault injection result in fault models that can be interpreted at three different abstraction levels: physical (impact on logic gates and flip-flop), register-transfer (bit-set, bit-reset) and microarchitectural (impact on the execution of programs). To fully characterize the effects of fault injection, it is important to know all three abstractions levels and how they are linked to each other. In this work, we focus on a particular type of clock glitch fault injection. We use TRAITOR, a many-fault injection platform, which uses a specific pertubation on the clock signal to induce incorrect behaviors in the target. Some observations of these behaviours at a microarchitectural level have been made, but until now, lower level fault models haven’t been proposed. We observe that the sampling process of registers can be compromised by TRAITOR’s glitched clock. While some fault models already exist, they do not explain this behaviour. Simulation- based investigations were done to characterize precisely when a register would latch or not depending on the glitched clock cycle shape. They revealed that the issue arises due to an insufficient energy supply on the clock port of the register. Besides, experiments were done on registers in FPGAs, to highlight that the hardware environment of the target system influences the fault results. During our presentation, we will introduce our approach to characterize the impact of TRAITOR on registers. We will present a new physical fault model which explains its effects