

# Laser Fault Injection on Mobile phone FDTC – 25/09/2017







### How secure is a secure boot?



Secure Boot: TrustZone (TZ) & Trusted Execution Environment (TEE) Chain of trust:



Can we target a <u>widespread device</u>, off the shelf And <u>break its secure boot implementation</u>?



# **State of the Art**



- Quarkslab 2017 : i.MX6 single core Cortex A9 Dev. Board
  - Buffer overflow on X509 parser
- Riscure : i.MX6 single core Cortex A9 Dev. Board
  - EMFI
  - Voltage glitching

(Thessalonikefs – 2014) (Timmers, Spruyt – 2012..2016)

(CVE-2017-7932, -7936)

→ Targeting Secure boot / TEE

• Laser practical results: not much on complex SoC or recent technology nodes

• Importance of IR Drops on the Modeling of Laser-Induced Transient Faults - 2017

# **Real-world attack scope**

#### Protagonist

- Well equipped, unlimited samples
- Undocumented

#### Attack

• Breaking the chain of trust only once

#### Could lead to

- Reverse engineering
- Fault characterization
- Permanent privilege escalation



- : Injection possibilities
- : Signature forgery







# **Starting Point: Facing reality**

Optics & Lasers Technology Center



# **Embedded industry standard**





• Package-on-Package intricacy



The attack will occur on back-side through the silicon substrate

# **PoP Opening**









### **Solution: Removing DRAM**

Relatively fast operation Minimal cost High chances of success

Incomplete boot – Partial solution Require software exploits Impossible to estimate the required time



### **Attack scenario unfolding**







### **Attack scenario unfolding**







#### **Characteristics of the attack**



Spot source: 980nm

Spot power: 250mW

Sport duration: 100ns to 200ns

Spot size: 1 to 10 microns

Custom trigger generator





# **Target System on Chip**

• On-die block analysis

32nm node – 1 x 1 cm

Quad-core CorteA9 @ 1,4GHz – 0.71ns clock period 8-Stage pipeline (variable length, speculative execution)

27 million logic gates in CPU

64KB ROM and 256 KB SRAM

40+ integrated peripherals / interfaces



### Light sensitive areas



5 to 20% "faults" depending on the area and instructions used

> 50% crash 50% misbehavior

Sensible area mapping CPU0 / HW IPs / Buses



# **Finding vulnerabilities**





#### Hard to achieve in practice due to timing considerations

# **ARM Security architecture**

Normal world

Secure Configuration Register

ARM SoC

State is hold by the **NS bit** inside each core's Secure Configuration Register (SCR)

FDTC – 25/09/2017 © eshard



ARM SoC



Secure world

Secure Configuration Register

# **Finding vulnerabilities**



#### • Non robust implementation: Static fault attack

Simple scenario: Direct state change – Fault Injection on SCR bits

Is there anything behind the specs more than NS = 0 or NS = 1 ?

### **Zoom on Fault Effects**





# Mitigations





#### Can only be confirmed by a security evaluation

# Conclusion

Reverse engineering



Achieved goals Fault characterization

Privilege escalation

#### Risk assessment

High-level attack with several critical stepsMono-bit fault is possible on complex hardwareStatic fault injection is more likely to succeed (simplicity, efficiency)

#### Complexity != Security

Practical feasibility is proven. Exploitation remains.





# Optics & Lasers Technology Center

Confidential © eshard