



### Laser Fault Injection in a 32-bit Microcontroller: from the Flash Interface to the Execution Pipeline

Vanthanh Khuat, Jean-Luc Danger, Jean-Max Dutertre September 2021

## Table of contents

1. Introduction
2. Experimental setup and methodology
3. Fault on instructions: from the flash interface to the execution pipeline
4. Impact of the pulse width
5. Impact of the laser power
6. Fault at bit level characterization
7. Comparison of different skip instruction fault models obtained with LFI
8. Conclusions & future works

### 1. Introduction






#### Fault injection

- FI is an active side-channel attack in which the attacker induces stress in the target, forcing it to produce a faulty result.
- The faulty result is then used to extract secret information by differential fault analysis (fault vs no-fault).






Fault injection techniques:

- Clock glitch or voltage glitch<sup>1</sup>
- Electromagnetic fault injection<sup>2</sup>
- Laser fault injection (LFI)<sup>3</sup>
  - The laser has a very high spatial and temporal resolution because the pulse can be confined to a very small area and lasts for a very short time.

<sup>1</sup> barenghi2009low; balasch2011depth.

<sup>2</sup> riviere2015high; beckers2019characterization.

<sup>3</sup> skorobogatov2002optical; dutertre2019experimental.








#### About the target: SAMD21G18A

Our target is the SAMD21G18A, with the following features:<sup>4</sup>

- it is a 32-bit MCU;
- it implements an ARM Cortex-M0+ (2-stage pipeline);
- it has an 8-line, 64-bit cache;
- it can operate at a maximum frequency of 48 MHz.

<sup>4</sup> SAMD21\_datasheet\_microchip.









#### Contributions

This work consists in:

- faulting instructions from the Flash interface to the core pipeline (Flash interface buffer -> AHB bus -> core fetch -> core execution) in a 32-bit MCU;
- identifying the faults in the different stages and their behaviors, and characterizing the fault models at instruction level and bit level;
- investigating the impact of LFI parameters such as the pulse width (PW) and the power on the faults;
- comparing the instruction(s) skip fault models obtained with LFI at the different positions.



### 2. Experimental setup and methodology






#### Experimental setup

- Wavelength: 1064 nm, power: 0-3 W, PW: 5 ns-1 s (more details can be found in<sup>5</sup>).
- The MCU was depackaged and the laser pulse was injected from the back side.
- The MCU was configured to work at 12 MHz, with zero wait states.

<sup>5</sup> dutertre2019experimental.




#### Methodology

A test follows three main steps:

1. the target is reset to initialize all systems, including memories and registers;
2. the trigger for the laser pulse generator is set and the test code is then executed;
3. the register contents are harvested when the program reaches the configured breakpoint.

For each set of injection parameters, 100 tests are performed. Beforehand, a test without LFI is performed to make sure the program functions correctly; its data is used as the reference.



Test code (a), twelve add instructions; i<sub>1</sub>..i<sub>12</sub> are the labels used by the fault models:

```asm
add r0,r0,#0x01    @ i1
add r0,r0,#0x02    @ i2
add r0,r0,#0x03    @ i3
add r0,r0,#0x04    @ i4
add r1,r1,#0x01    @ i5
add r2,r2,#0x01    @ i6
add r3,r3,#0x01    @ i7
add r4,r4,#0x01    @ i8
add r0,r0,#0x05    @ i9
add r0,r0,#0x06    @ i10
add r0,r0,#0x07    @ i11
add r0,r0,#0x08    @ i12
```

(a) test code








Skip fault models observed on the test code:

- (b) skip i<sub>5</sub>i<sub>6</sub>i<sub>7</sub>i<sub>8</sub>: instructions (i<sub>5</sub>, i<sub>6</sub>, i<sub>7</sub>, i<sub>8</sub>) are replaced by instructions equivalent to (*nop*, *nop*, *nop*, *nop*);
- (c) skip i<sub>5</sub>i<sub>6</sub>: instructions (i<sub>5</sub>, i<sub>6</sub>) are replaced by (*nop*, *nop*);
- (d) skip i<sub>5</sub>: instruction i<sub>5</sub> is replaced by *nop*.


Replay fault models observed on the test code:

- (b) replay i<sub>1</sub>i<sub>2</sub>(i<sub>5</sub>i<sub>6</sub>): instructions (i<sub>5</sub>, i<sub>6</sub>) are overwritten by instructions (i<sub>1</sub>, i<sub>2</sub>);
- (c) replay i<sub>3</sub>i<sub>4</sub>(i<sub>5</sub>i<sub>6</sub>): instructions (i<sub>5</sub>, i<sub>6</sub>) are overwritten by instructions (i<sub>3</sub>, i<sub>4</sub>);
- (d) replay i<sub>1</sub>i<sub>2</sub>i<sub>3</sub>i<sub>4</sub>: instructions (i<sub>5</sub>, i<sub>6</sub>, i<sub>7</sub>, i<sub>8</sub>) are overwritten by instructions (i<sub>1</sub>, i<sub>2</sub>, i<sub>3</sub>, i<sub>4</sub>).
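The following is an added example, not code from the slides or from the authors' tooling: it simulates the twelve-instruction test code on a register model, applies the skip and replay fault models defined above, and classifies a harvested register dump by comparing it with the no-fault reference, which is what the differential (fault vs no-fault) analysis of the methodology does. Only the `add rX, rX, #imm` semantics the test code needs are modelled; the function names and the enumeration of candidate models are constructed for this example.

```python
"""Register-level simulation of the test code and its skip/replay fault
models, plus a differential classifier from register dump to fault model.
All helpers and names here are constructed for this example."""

# Test code (a): i1..i12 as (destination register, immediate) pairs.
TEST_CODE = [
    ("r0", 0x01), ("r0", 0x02), ("r0", 0x03), ("r0", 0x04),  # i1..i4
    ("r1", 0x01), ("r2", 0x01), ("r3", 0x01), ("r4", 0x01),  # i5..i8
    ("r0", 0x05), ("r0", 0x06), ("r0", 0x07), ("r0", 0x08),  # i9..i12
]
NOP = None  # placeholder for an instruction replaced by a nop equivalent


def run(code):
    """Execute a list of adds on r0..r4 (all reset to 0); NOP entries do nothing."""
    regs = {f"r{n}": 0 for n in range(5)}
    for ins in code:
        if ins is not NOP:
            reg, imm = ins
            regs[reg] = (regs[reg] + imm) & 0xFFFFFFFF
    return regs


def skip(code, first, count):
    """Skip model: i_first .. i_(first+count-1) (1-based) become nop."""
    faulted = list(code)
    for k in range(first - 1, first - 1 + count):
        faulted[k] = NOP
    return faulted


def replay(code, src, dst, count):
    """Replay model: the block starting at i_dst is overwritten by the block
    of the same size starting at i_src (both 1-based)."""
    faulted = list(code)
    for k in range(count):
        faulted[dst - 1 + k] = code[src - 1 + k]
    return faulted


def candidate_models(code):
    """Every skip (1, 2 or 4 instructions) and replay (2 or 4 instructions)
    of the kind the slides describe, keyed by a readable label."""
    n = len(code)
    models = {}
    for size in (1, 2, 4):
        for first in range(1, n - size + 2):
            last = first + size - 1
            label = f"skip i{first}" if size == 1 else f"skip i{first}..i{last}"
            models[label] = skip(code, first, size)
    for size in (2, 4):
        for src in range(1, n - size + 2):
            for dst in range(1, n - size + 2):
                if src != dst:
                    label = (f"replay i{src}..i{src + size - 1} "
                             f"over i{dst}..i{dst + size - 1}")
                    models[label] = replay(code, src, dst, size)
    return models


def classify(code, harvested):
    """Differential analysis: labels of all fault models whose register
    signature equals the harvested dump. More than one label means the
    test code cannot tell those models apart."""
    if harvested == run(code):
        return ["no fault"]
    return sorted(label for label, faulted in candidate_models(code).items()
                  if run(faulted) == harvested)


if __name__ == "__main__":
    print("reference:", run(TEST_CODE))
    for label, dump in [
        ("skip i5..i8", run(skip(TEST_CODE, 5, 4))),
        ("replay i1 i2 over i5 i6", run(replay(TEST_CODE, 1, 5, 2))),
        ("replay i1..i4 over i5..i8", run(replay(TEST_CODE, 1, 5, 4))),
    ]:
        print(f"{label:28s} -> {dump} -> {classify(TEST_CODE, dump)}")
```

The classifier returns every model consistent with a dump, which makes the limits of the test code visible: the r1..r4 counters separate the i<sub>5</sub>..i<sub>8</sub> faults cleanly, but a signature such as r0 = 33 is produced both by skipping i<sub>3</sub> and by skipping i<sub>1</sub>i<sub>2</sub>, so a campaign that needs to separate those cases has to choose immediates whose partial sums do not collide.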



### 3. Fault on instructions: from the flash interface to the execution pipeline




#### Faults at six positions

- Laser power: 1.5 W, PW: 50 ns.
- Six positions (marked with red circles in the figure) with different fault behaviors were found.




#### From the Flash interface to the execution pipeline: P1 and P2

- The fault is related to a block of two or four instructions, depending on the cache operation mode;
- Two fault models are observed: skip and replay of a block of instructions.

The fault behavior is the same as the results obtained in<sup>6</sup>, in which we ascribed the fault to the impact of EMFI and LFI on the Flash interface buffer.

<sup>6</sup> vkhuat\_emc\_europe\_2021; vkhuat\_dsd\_2021.


#### From the Flash interface to the execution pipeline: P3 and P4

- The fault is related to a block of two instructions for both cache operation modes;
- Two fault models are observed: skip and replay of a block of two instructions.




#### From the Flash interface to the execution pipeline: P5 and P6

- The fault is related to a single instruction;
- A single instruction skip was obtained at positions P5 and P6;
- There is a phase shift of one clock cycle between the faults at positions P5 and P6.



#### Fault mechanism hypothesis

(a) Normal execution process:

|               | CLOCK   | 1             | 2                           | 3             | 4                           |
|---------------|---------|---------------|-----------------------------|---------------|-----------------------------|
| AHB access    | HTRANS  | NSEQ          | IDLE                        | NSEQ          | IDLE                        |
|               | HADDR   | a<sub>5</sub> |                             | a<sub>7</sub> |                             |
|               | HRDATA  |               | i<sub>5</sub> i<sub>6</sub> |               | i<sub>7</sub> i<sub>8</sub> |
| Core pipeline | Fetch   | i<sub>4</sub> | i<sub>5</sub>               | i<sub>6</sub> | i<sub>7</sub>               |
|               | Execute | i<sub>3</sub> | i<sub>4</sub>               | i<sub>5</sub> | i<sub>6</sub>               |

(b) Laser-induced prevention of the AHB bus update, resulting in the replay of two instructions:

|               | CLOCK   | 1             | 2                           | 3             | 4                           |
|---------------|---------|---------------|-----------------------------|---------------|-----------------------------|
| AHB access    | HTRANS  | NSEQ          | IDLE                        | NSEQ          | IDLE                        |
|               | HADDR   | a<sub>5</sub> |                             | a<sub>7</sub> |                             |
|               | HRDATA  |               | i<sub>5</sub> i<sub>6</sub> |               | i<sub>5</sub> i<sub>6</sub> |
| Core pipeline | Fetch   | i<sub>4</sub> | i<sub>5</sub>               | i<sub>6</sub> | i<sub>5</sub>               |
|               | Execute | i<sub>3</sub> | i<sub>4</sub>               | i<sub>5</sub> | i<sub>6</sub>               |

(c) Laser-induced corruption of the data loaded into the AHB bus, resulting in the skip of two instructions (a prime marks a corrupted opcode):

|               | CLOCK   | 1             | 2                             | 3              | 4                           |
|---------------|---------|---------------|-------------------------------|----------------|-----------------------------|
| AHB access    | HTRANS  | NSEQ          | IDLE                          | NSEQ           | IDLE                        |
|               | HADDR   | a<sub>5</sub> |                               | a<sub>7</sub>  |                             |
|               | HRDATA  |               | i<sub>5</sub>' i<sub>6</sub>' |                | i<sub>7</sub> i<sub>8</sub> |
| Core pipeline | Fetch   | i<sub>4</sub> | i<sub>5</sub>'                | i<sub>6</sub>' | i<sub>7</sub>               |
|               | Execute | i<sub>3</sub> | i<sub>4</sub>                 | i<sub>5</sub>' | i<sub>6</sub>'              |

Timing diagrams (figure):

- (a) Normal execution process.
- (b) Laser-induced prevention of the AHB bus update, resulting in the replay of two instructions.
- (c) Laser-induced corruption of the data loaded into the AHB bus, resulting in the skip of two instructions.
- (d) Laser-induced fault on the pipeline fetch stage.
- (e) Laser-induced fault on the pipeline execution stage.




- Position P1: the replay of a block of instructions due to laser-induced prevention of the Flash interface buffer update process;
- Position P2: the modification of a block of instructions (including skip) due to laser-induced bit corruption of the instructions' opcodes in the Flash interface buffer;
- Position P3: the replay of two instructions due to laser-induced prevention of the loading of data into the AHB bus;
- Position P4: the modification of two instructions (including skip) due to laser-induced corruption of bit(s) of the instructions loaded into the AHB bus;
- Position P5: the modification of a single instruction (including skip) due to a laser-induced fault in the core pipeline fetch stage;
- Position P6: the modification of a single instruction (including skip) due to a laser-induced fault in the core pipeline execution stage.
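As an added example, not taken from the slides or the authors' code, the following cycle-level model of the fetch path reproduces the timelines (a), (b) and (c) of the hypothesis. Its assumptions are constructed for the example: each AHB access fetches one 32-bit word holding two 16-bit instructions, with an address phase (HTRANS = NSEQ, HADDR) in one cycle and a data phase (HTRANS = IDLE, HRDATA) in the next; the two-stage pipeline fetches an instruction in the cycle its word arrives and executes it one cycle later. Two laser effects are modelled: `no_update` (the bus is not updated, so the previous word is seen again: replay) and `corrupt` (the opcodes of the word are corrupted, marked with `*`). All function names are hypothetical.

```python
"""Cycle-level model of the AHB fetch path and the 2-stage pipeline under
the 'bus not updated' (replay) and 'data corrupted' (skip) hypotheses.
Constructed for this example; not a model of the real SAMD21 timing."""

PROGRAM = [f"i{n}" for n in range(1, 13)]   # i1..i12 of the test code


def simulate(program, fault=None, fault_word=None):
    """Return one dict per clock cycle (1-based) with the bus and pipeline
    signals. fault_word is the 1-based index of the 32-bit word the laser
    pulse hits; fault is None, 'no_update' or 'corrupt'."""
    words = [program[k:k + 2] for k in range(0, len(program), 2)]
    cycles = {}
    fetch_at = {}       # cycle -> instruction entering the fetch stage
    previous = None
    for k, word in enumerate(words, start=1):
        addr_cycle, data_cycle = 2 * k - 1, 2 * k
        delivered = list(word)
        if fault == "no_update" and k == fault_word and previous is not None:
            delivered = list(previous)                 # stale word seen again
        elif fault == "corrupt" and k == fault_word:
            delivered = [ins + "*" for ins in word]    # '*' = corrupted opcode
        cycles.setdefault(addr_cycle, {})["HTRANS"] = "NSEQ"
        cycles[addr_cycle]["HADDR"] = "a" + word[0][1:]   # a5 for the word (i5, i6)
        cycles.setdefault(data_cycle, {})["HTRANS"] = "IDLE"
        cycles[data_cycle]["HRDATA"] = " ".join(delivered)
        # The first half-word is fetched in the data cycle, the second one after.
        fetch_at[data_cycle] = delivered[0]
        fetch_at[data_cycle + 1] = delivered[1]
        previous = delivered
    last = 2 * len(words) + 2
    rows = []
    for c in range(1, last + 1):
        sig = cycles.get(c, {})
        rows.append({
            "CLOCK": c,
            "HTRANS": sig.get("HTRANS", ""),
            "HADDR": sig.get("HADDR", ""),
            "HRDATA": sig.get("HRDATA", ""),
            "Fetch": fetch_at.get(c, ""),
            "Execute": fetch_at.get(c - 1, ""),   # execute lags fetch by one cycle
        })
    return rows


def window(rows, first_cycle, length=4):
    """Slice the timeline the way the slides' tables do (a 4-cycle view)."""
    return rows[first_cycle - 1:first_cycle - 1 + length]


def column(rows, signal):
    """One signal row of the table, e.g. column(window(...), 'Fetch')."""
    return [r[signal] for r in rows]


def executed_stream(rows):
    """The sequence of instructions that reach the execute stage."""
    return [r["Execute"] for r in rows if r["Execute"]]


if __name__ == "__main__":
    for name, fault, word in [("normal", None, None),
                              ("replay", "no_update", 4),
                              ("skip", "corrupt", 3)]:
        rows = simulate(PROGRAM, fault, word)
        print(name)
        for signal in ("HTRANS", "HADDR", "HRDATA", "Fetch", "Execute"):
            print(f"  {signal:8s}", column(window(rows, 5), signal))
        print("  executed:", executed_stream(rows))
```

Cycles 5 to 8 of the model are the four columns of the tables: with no fault the fetch row reads i<sub>4</sub> i<sub>5</sub> i<sub>6</sub> i<sub>7</sub> and the execute row i<sub>3</sub> i<sub>4</sub> i<sub>5</sub> i<sub>6</sub>; blocking the update of the fourth word puts i<sub>5</sub> i<sub>6</sub> on HRDATA again at clock 4 and the executed stream becomes i<sub>1</sub>..i<sub>6</sub>, i<sub>5</sub>, i<sub>6</sub>, i<sub>9</sub>.., the replay of two instructions; corrupting the third word sends i<sub>5</sub>' i<sub>6</sub>' through fetch and execute instead, the skip of two instructions.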










Cache operation modes considered (figure):

- (a) cache disabled;
- (b) cache enabled: cache miss;
- (c) cache enabled: cache hit.



### 4. Impact of the pulse width













Results of the pulse width sweep at each fault location (figure):

- (a) Flash interface buffer: 20 faulted instructions.
- (b) AHB bus: 110 faulted instructions.
- (c) Pipeline (fetch or execution): 115 faulted instructions.



### 5. Impact of the laser power




#### Impact of the laser power on the fault rates

- The laser power has a direct impact on the fault rates: as the power increases, the fault rates increase accordingly.
- The Flash interface buffer appears to be more sensitive to the laser pulse than the AHB bus and the core pipeline.



### 6. Fault at bit level characterization



Bit-level detection code, four copies of the same instruction in each case:

```asm
lsl r0,r0,#0x00    @ (a) bit-set detection
lsl r0,r0,#0x00
lsl r0,r0,#0x00
lsl r0,r0,#0x00

sub r7,r7,#0xff    @ (b) bit-reset detection
sub r7,r7,#0xff
sub r7,r7,#0xff
sub r7,r7,#0xff
```

- The opcode of lsl r0,r0,#0x00 is 0x0000 (all bits are 0).
- The opcode of sub r7,r7,#0xff is 0x3fff (most bits are 1).










- Many faults were detected when the buffers were filled with bits at 1.
- Almost no fault was detected when the buffers were filled with bits at 0.
- At bit level, the faults are therefore bit-resets rather than bit-sets.
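The bit-level reasoning above, as an added example that is not part of the slides: the two Thumb-16 encodings are computed from their encoding formats (helpers written for this example), a laser hit is modelled as a mask of affected bits under either a bit-reset or a bit-set hypothesis, and a harvested opcode is compared with its reference to decide whether a bit-reset-only, bit-set-only or mixed fault explains the difference. The hit mask used in the usage section is a constructed value, and all function names are hypothetical.

```python
"""Bit-level fault characterization helpers, constructed for this example:
opcode encoders for the two detection instructions, a fault model applied
to a buffer, and a reference-vs-harvested opcode classifier."""

MASK16 = 0xFFFF


def encode_lsl_imm(rd, rm, imm5):
    """Thumb LSL (immediate), encoding T1: 000 00 imm5 Rm Rd."""
    return ((imm5 & 0x1F) << 6) | ((rm & 7) << 3) | (rd & 7)


def encode_sub_imm8(rdn, imm8):
    """Thumb SUB (immediate), encoding T2: 0011 1 Rdn imm8."""
    return (0b00111 << 11) | ((rdn & 7) << 8) | (imm8 & 0xFF)


def popcount(word):
    return bin(word & MASK16).count("1")


def exposure(opcode, model):
    """How many bits of this opcode a fault of the given model can change:
    a bit-reset only acts on bits at 1, a bit-set only on bits at 0."""
    ones = popcount(opcode)
    return ones if model == "bit-reset" else 16 - ones


def apply_fault(opcode, hit_mask, model):
    """Laser hit on the bits selected by hit_mask, under one fault model."""
    if model == "bit-reset":
        return opcode & ~hit_mask & MASK16
    return (opcode | hit_mask) & MASK16


def classify_bit_fault(reference, harvested):
    """Compare a harvested opcode with its reference: returns the fault kind
    and the number of 1->0 and 0->1 transitions."""
    reset = reference & ~harvested & MASK16   # bits that went 1 -> 0
    setb = ~reference & harvested & MASK16    # bits that went 0 -> 1
    if not reset and not setb:
        kind = "no fault"
    elif reset and not setb:
        kind = "bit-reset"
    elif setb and not reset:
        kind = "bit-set"
    else:
        kind = "mixed"
    return kind, popcount(reset), popcount(setb)


def campaign(buffer_words, hit_mask, model):
    """Number of words of a buffer that a fault of the given model changes."""
    return sum(1 for w in buffer_words if apply_fault(w, hit_mask, model) != w)


if __name__ == "__main__":
    lsl, sub = encode_lsl_imm(0, 0, 0), encode_sub_imm8(7, 0xFF)
    print(f"lsl r0,r0,#0 = {lsl:#06x}, sub r7,r7,#0xff = {sub:#06x}")
    hit = 0x0101  # constructed: the pulse reaches bits 0 and 8 of each word
    for model in ("bit-reset", "bit-set"):
        print(f"{model:9s} changes {campaign([lsl] * 4, hit, model)} lsl words "
              f"and {campaign([sub] * 4, hit, model)} sub words")
    print(classify_bit_fault(sub, apply_fault(sub, hit, "bit-reset")))
```

Under the bit-reset model the all-zero `lsl` buffer is never changed while the `sub` buffer is changed on every hit, which is the pattern the experiment shows; under the bit-set model the pattern would be the reverse. `classify_bit_fault` is the per-opcode check to run on each harvested word of a campaign: a population of results that is all `bit-reset` with no `bit-set` or `mixed` entries supports the conclusion above.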

### 7. Comparison of different skip instruction fault models obtained with LFI








Test code used for the comparison (a), and the skip fault observed on it (b):

```asm
ldr r1, #address
ldr r2, #address
ldr r3, #address
ldr r4, #address
...
```

- "Skip" fault models were obtained by faulting the Flash interface buffer, the AHB bus, the pipeline fetch stage and the pipeline execution stage.
- The execution time of the instruction ldr rx, #address is two clock cycles.
- The execution time of the instruction **nop** is one clock cycle.





Oscilloscope captures of the test code execution window (figure; traces: pulse command, trigger, pulse image, test code execution window; 1 clock cycle = ~83.2 ns; scope annotations: 500 ns, 4 clock cycles):

- (a) No fault
- (b) P2: Fault on the Flash interface buffer
- (c) P4: Fault on the data loaded into the AHB bus
- (d) P5: Fault on the core fetch
- (e) P6: Fault on the core execution

Flash interface buffer, AHB bus: the code execution window is shortened by 4 clock cycles -> the *ldr* instructions were replaced by *nop* operations.

Pipeline: no reduction in the length of the code execution window -> the *ldr* instructions were replaced by "unknown" operations.



### 8. Conclusions & future works








- By using LFI, we were able to fault the instructions in a 32-bit MCU from the Flash interface buffer -> AHB bus -> fetch -> execution at six different positions.
- A fault rate of 100% was obtained at all the positions.
- Skip and replay of blocks of instructions were obtained by faulting the Flash interface buffer and the AHB bus.
- The replay fault was ascribed to laser-induced prevention of the buffer update.
- The skip fault was ascribed to laser-induced instruction modification.
- At the Flash interface: when the cache is disabled, the block size is 32 bits; when the cache is enabled, the block size is 64 bits.
- At the AHB bus, the fault affects a block of two instructions in both cache operation modes.
- The faults on the pipeline fetch and execution stages affect a single instruction, and a single-instruction skip with a fault rate of 100% was obtained.










- There is a difference of one clock cycle between the faults of the two pipeline stages.
- The laser power has a direct impact on the fault rate, and the Flash interface buffer seems to be more sensitive to the laser pulse than the AHB bus and the pipeline, since a smaller laser power is needed to induce a fault on it.
- Tens to more than one hundred instructions were faulted by increasing the laser pulse width (PW).
- At bit level, the faults at the Flash interface buffer and the AHB bus were identified to be bit-resets rather than bit-sets.
- The skip faults obtained at the different positions were compared by comparing the related signals, such as the pulse duration and the execution windows.
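As an added example (not the authors' code), the two signatures used above to tell the fault positions apart, modelled in Python: the execution-window delta that separates the Flash/AHB skip (ldr replaced by nop) from the pipeline replacement by an unknown operation, and the bit-reset versus bit-set test applied to a faulted instruction word. It assumes only the cycle counts and the 83.2 ns clock period given on the slides; the test sequence, the fault block and the instruction words are constructed.

```python
"""Added example (not from the slides or the authors): a model of the two
signatures the talk uses to tell skip faults apart.  Only ldr = 2 cycles,
nop = 1 cycle and 1 clock cycle ~ 83.2 ns come from the slides; the test
sequence, the fault block and the instruction encodings are constructed."""

CYCLE_NS = 83.2                          # 1 clock cycle ~ 83.2 ns (slides)
# Assumption: the "unknown" operation seen at the pipeline keeps ldr's
# timing, which is what "no reduction of the execution window" implies.
CYCLES = {"ldr": 2, "nop": 1, "unknown": 2}

def window_cycles(code):
    """Length of the test-code execution window, in clock cycles."""
    return sum(CYCLES[mnemonic] for mnemonic in code)

def apply_fault(code, first, block, replacement):
    """Replace `block` consecutive instructions from index `first` with
    `replacement`: "nop" models the Flash/AHB skip, "unknown" the pipeline
    replacement.  Constructed fault model, not a cycle-accurate simulator."""
    faulted = list(code)
    for i in range(first, min(first + block, len(code))):
        faulted[i] = replacement
    return faulted

def classify_timing(golden, faulted):
    """Classify a run from the execution-window delta a scope would show:
    a shorter window means ldr -> nop (Flash interface buffer / AHB bus);
    an unchanged window with a wrong result points at the pipeline."""
    delta = window_cycles(golden) - window_cycles(faulted)
    if delta > 0:
        return "skip (Flash interface buffer / AHB bus)", delta, delta * CYCLE_NS
    return "unknown operation (pipeline fetch / execution)", 0, 0.0

def classify_bits(expected, observed, width=16):
    """Split the bits that differ between the expected and the observed
    instruction word into resets (1 -> 0) and sets (0 -> 1)."""
    mask = (1 << width) - 1
    diff = (expected ^ observed) & mask
    resets = bin(diff & expected).count("1")   # bits that were 1, now 0
    sets = bin(diff & observed).count("1")     # bits that were 0, now 1
    if diff == 0:
        model = "none"
    elif sets == 0:
        model = "bit-reset"
    elif resets == 0:
        model = "bit-set"
    else:
        model = "mixed"
    return {"bit_reset": resets, "bit_set": sets, "model": model}
```

The slides' own trace shows a 4-clock-cycle reduction for their test code; the delta this model reports follows from whatever sequence and fault block are passed in.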





# Validation of the faults obtained in this work on other devices.



# Thanks for your attention!


