Abstract
This paper introduces a new class of optical fault injection attacks called bumping attacks. These attacks are aimed at data extraction from secure embedded memory, which usually stores critical parts of algorithms, sensitive data and cryptographic keys. As a security measure, read-back access to the memory is not implemented leaving only authentication and verification options for integrity check. Verification is usually performed on relatively large blocks of data, making brute force searching infeasible. This paper evaluates memory verification and AES authentication schemes used in secure microcontrollers and a highly secure FPGA. By attacking the security in three steps, the search space can be reduced from infeasible > 2100 to affordable ≈ 215 guesses per block of data. This progress was achieved by finding a way to preset certain bits in the data path to a known state using optical bumping. Research into positioning and timing dependency showed that Flash memory bumping attacks are relatively easy to carry out.
Chapter PDF
Similar content being viewed by others
References
Xilinx CoolRunner-II CPLDs in Secure Applications. White Paper, http://www.xilinx.com/support/documentation/white_papers/wp170.pdf
Design Security in Nonvolatile Flash and Antifuse FPGAs. Security Backgrounder, http://www.actel.com/documents/DesignSecurity_WP.pdf
Skorobogatov, S.: Semi-invasive attacks – A new approach to hardware security analysis. Technical Report UCAM-CL-TR-630, University of Cambridge, Computer Laboratory (April 2005), http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf
Skorobogatov, S., Anderson, R.: Optical Fault Induction Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)
Brown, W.D., Brewer, J.E.: Nonvolatile semiconductor memory technology: a comprehensive guide to understanding and using NVSM devices. IEEE Press, Los Alamitos (1997)
Anderson, R.J., Kuhn, M.G.: Tamper resistance – a cautionary note. In: The Second USENIX Workshop on Electronic Commerce, Oakland, California (November 1996)
Wagner, L.C.: Failure Analysis of Integrated Circuits: Tools and Techniques. Kluwer Academic Publishers, Dordrecht (1999)
Tobias, M.W.: Opening locks by bumping in five seconds or less: is it really a threat to physical security? A technical analysis of the issues, Investigative Law Offices, http://podcasts.aolcdn.com/engadget/videos/lockdown/bumping_040206.pdf
NEC PD789104A, 789114A, 789124A, 789134A Subseries User’s Manual. 8-Bit Single-Chip Microcontrollers, http://www2.renesas.com/maps_download/pdf/U13037EJ1V0PM00.pdf
NEC 78K/0, 78K/0S Series 8-Bit Single-Chip Microcontrollers. Flash Memory Write. Application Note, http://www.necel.com/nesdis/image/U14458EJ1V0AN00.pdf
Actel ProASIC3 Handbook. ProASIC3 Flash Family FPGAs, http://www.actel.com/documents/PA3_HB.pdf
Actel: ISP and STAPL. Application Note AC171, http://www.actel.com/documents/ISP_STAPL_AN.pdf
Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
Ajluni, C.: Two new imaging techniques promise to improve IC defect identification. Electronic Design 43(14), 37–38 (1995)
Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)
Actel ProASIC3/E Production FPGAs. Features and Advantages, http://www.actel.com/documents/PA3_E_Tech_WP.pdf
Skorobogatov, S.: Using Optical Emission Analysis for Estimating Contribution to Power Analysis. In: 6th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2009), Lausanne, Switzerland, September 2009, pp. 111–119. IEEE-CS Press, Los Alamitos (2009) ISBN 978-0-7695-3824-2
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Skorobogatov, S. (2010). Flash Memory ‘Bumping’ Attacks. In: Mangard, S., Standaert, FX. (eds) Cryptographic Hardware and Embedded Systems, CHES 2010. CHES 2010. Lecture Notes in Computer Science, vol 6225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15031-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-15031-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15030-2
Online ISBN: 978-3-642-15031-9
eBook Packages: Computer ScienceComputer Science (R0)