

# A Tale of Two Models: Discussing the Timing and Sampling EM Fault Injection Models

<u>Roukoz Nabhan</u>\*, Jean-Max Dutertre\*, Jean-Baptiste Rigaud\*, Jean-Luc Danger<sup>+</sup> and Laurent Sauvage<sup>+</sup>



Une école de l'IMT

Une école de l'IMT

## Introduction

- Securing Integrated Circuit (IC) against fault injection attacks is an ongoing challenge
- Developing effective on-chip detection sensors as countermeasures against ElectroMagnetic Fault Injection (EMFI)
- Study the mechanism involved in injecting faults due to EM disturbances
- Test the effectiveness of the fully digital detector designed by Elbaze et al. embedded in an AES accelerator

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

#### Previous work

- EMFI models
- Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results

In-depth analysis of EMFI-induced clock glitches

## **EMFI models: sampling fault model**



Previous publications<sup>1,2,3</sup> explained EMFI models through sampling fault models:

- Occurs around the clock rising edge within EMFI susceptibility windows
- Fault windows width is constant and independent of the clock frequency
- Bit-set or bit-reset depend on the polarity of the pulse
- Based on an experimental results and modeling of the EMFI effect on the Power Distribution Network (PDN) of a generic IC

<sup>1</sup> S. Ordas, L. Guillaume-Sage, and P. Maurine, "Electromagnetic fault injection: the curse of flip-flops," Journal of Cryptographic Engineering, vol. 7, no. 3, pp. 183–197, 2017.
<sup>2</sup> D. El-Baze, J.-B. Rigaud, and P. Maurine, "A fully-digital em pulse detector," in 2016 Design, Automation Test in Europe Conference Exhibition (DATE), 2016, pp. 439–444.
<sup>3</sup> M. Dumont, P. Maurine, and M. Lisart, "Modeling of electromagnetic fault injection," in 2019 12th International Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo), 2019, pp. 246–248

# **EMFI models: timing violations fault model**

#### Timing faults<sup>1</sup>

- EM disturbances coupling with the target's PDN
- Increased critical path surpassing the clock period
- Bit flip
- EMFI-induced clock glitches<sup>2</sup>
  - EM disturbances coupling with the target's Clock Distribution Network (CDN)
  - Shortened clock period
  - Bit flip

Conference (DAC). IEEE, 2018, pp. 1-6

<sup>1</sup>A. Dehbaoui, J.-M. Dutertre, B. Robisson, and A. Tria, "Electromagnetic transient faults injection on a hardware and a software implementations of aes," in 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, September 9, 2012, 2012, pp. 7–15. <sup>2</sup>M. Ghodrati, B. Yuce, S. Gujar, C. Deshpande, L. Nazhandali, and P. Schaumont, "Inducing local timing fault through em injection," in 2018 55th ACM/ESDA/IEEE Design Automation

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### From sampling fault model to digital sensor



- **Two** DFF toggling on CLK rising edges
- > Resp. initialized at 0 (DFF1) and 1 (DFF3) to monitor both  $1 \rightarrow 0$  and  $0 \rightarrow 1$  transitions

### From sampling fault model to digital sensor





Four DFF toggling on CLK rising and falling edges

Goal: increase the faults detection windows

### How does this detector work?



Normal behavior

### How does this detector work?



Alarm is raised for any deviation in Q<sub>1</sub>Q<sub>2</sub>Q<sub>3</sub>Q<sub>4</sub> states from the normal behavior

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### **Experimental setup: EMFI platform**



#### FPGA target

- Xilinx Artix7: XCZA200T-SBV484
- Process: CMOS 28 nm
- Easy rear side access
  - Heat sink to be removed
- Nexys Video 7 board



- AV-Tech voltage pulse generator
  - Pulse amplitude: up to +/- 750V
  - Pulse-width: 4.5-20ns
  - Pulse rise and fall time: 2 ns
  - Remotely controlled using the telnet protocol

#### EM injection probe

- Homemade EM probe
- Thickness of the copper wire: 0.2 mm
- 4 turns
- Cylindrical ferrite core: 2 mm

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- > Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### **DUT block diagram: AES + sensors.**











### **Experimental methodology**



EM injection probe above the AES accelerator sensitive area

Focus on the intrinsic detection ability of the sensor all over the target's **full-frequency range** 

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### EMFI results: @100MHZ (+420V)



#### Faults windows were consistent to the sampling fault model

- Width of the detection windows (sensors): 2-3ns.
- Width of the injection windows (AES): 1.5-2.5 ns.

## EMFI results: @200MHZ (+420V)



#### Timing fault model in addition to sampling fault model?

• Width of the detection windows: 0.6-1 ns.

# EMFI results: @200MHZ (+350V)



- None of these sensors are triggered
- Timing fault model induced (no sampling faults)

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### **Deep exploration of EMFI mechanisms**



### **Deep exploration of EMFI mechanisms**



### **Deep exploration of EMFI mechanisms**



#### Coexistence of two distinct fault injection mechanisms to explain EMFI<sup>1</sup>

<sup>1</sup>Nabhan, R., Dutertre, J. M., Rigaud, J. B., Danger, J. L., & Sauvage, L. (2023, April). Highlighting Two EM Fault Models While Analyzing a Digital Sensor Limitations. In 2023 Design, Automation & Test in Europe Conference & Exhibition (DATE) (pp. 1-2). IEEE

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

# **Analysis of experimental results**

|                   | Impact on the detection window widths w.r.t              |                                                                              |
|-------------------|----------------------------------------------------------|------------------------------------------------------------------------------|
|                   | Sampling fault model <sup>1,2,3</sup>                    | Our experimental results                                                     |
| Clock frequency   | Constant and independent                                 | Decreased when the clock frequency increased                                 |
| Input data        | Independent                                              | Dependent                                                                    |
| Critical path     | Independent                                              | Reduced when shortening the propagation delay path                           |
| Fault logic model | Bit-set or bit-reset depend on the polarity of the pulse | Bit flip (Mix of bit-sets and bit-resets)<br>No effect of the polarity pulse |

- > The faults injected at low frequency
  - Broadly follow the sampling fault model
  - Some discrepancies from the theory cast doubts on its validity
  - Further exploration and tests are needed

<sup>1</sup> S. Ordas, L. Guillaume-Sage, and P. Maurine, "Electromagnetic fault injection: the curse of flip-flops," Journal of Cryptographic Engineering, vol. 7, no. 3, pp. 183–197, 2017.
<sup>2</sup> D. El-Baze, J.-B. Rigaud, and P. Maurine, "A fully-digital em pulse detector," in 2016 Design, Automation Test in Europe Conference Exhibition (DATE), 2016, pp. 439–444.
<sup>3</sup> M. Dumont, P. Maurine, and M. Lisart, "Modeling of electromagnetic fault injection," in 2019 12th International Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo), 2019, pp. 246–248

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results

> In-depth analysis of EMFI-induced clock glitches

# **Normal operation**





The impact of EMFI attacks, induced by a positive pulse on the AES ON signal:

• When the clock signal is '1':

The width of the AES ON signal is reduced by one clock period

#### **Ciphertext is correctly received**



The impact of EMFI attacks, induced by a positive pulse on the AES ON signal:

• When the clock signal is '1':

The width of the AES ON signal is reduced by one clock period

#### **Ciphertext is correctly received**

When the clock signal is '0':

#### No effect





# **EMFI effects on AES duration (+420V)**



# **EMFI effects on AES duration (-420V)**



The impact of EMFI attacks, induced by a negative pulse on the AES ON signal:

• When the clock signal is '1':

#### **No effect**

• When the clock signal is '0':

The width of the AES ON signal is reduced by one clock period

#### **Ciphertext is correctly received**

## **EMFI effects on AES duration (-420V)**



## **EMFI effects on AES duration (-420V)**



# **EMFI effects on AES duration**



- Two EM disturbances induced two clock glitches
- Ciphertext is correctly received

EMFI does induce clock glitches in the target's CDN It can replace genuine clock rising edges

# **EMFI-induced clock glitch principle (+420V)**



# **EMFI-induced clock glitch principle (+420V)**



The width of the susceptibility window caused by EMFI-induced clock glitches:

$$w_{EMFI} = \frac{T}{2} - 2k$$

Where k is a constant margin during which clock edges get a small shift

# **EMFI-induced clock glitch principle (-420V)**



The width of the susceptibility window caused by EMFI-induced clock glitches:

$$w_{EMFI}=\frac{T}{2}-2k$$

Where k is a constant margin during which clock edges get a small shift



















# How does the mechanism of EMFI-induced clock glitch explain the triggering of the sensors?



When frequency  $\nearrow$ , clock period  $\searrow$ , the width of DWs for triggering sensors  $\searrow$ 

# Study of the sensor's detection capability (when $t_{critical} < \frac{T}{2}$ )



# Study of the sensor's detection capability (when $t_{critical} < \frac{T}{2}$ )



# Study of the sensor's detection capability (when $t_{critical} < \frac{T}{2}$ )



#### This explains why all injected faults are detected at low frequencies

# Sensor's detection performance when changing clock frequency and pulse amplitude



# Sensor's detection performance when changing clock frequency and pulse amplitude



# **EMFI models: Timing violations fault model**



# **EMFI models: Timing violations fault model**



## Outline

- Previous work
  - EMFI models
  - Fully digital detector
- Experimental setup
  - EMFI platform
  - DUT block diagram
- Experimental results
  - EMFI results
  - Deep exploration of EMFI mechanisms
  - Analysis of experimental results
- In-depth analysis of EMFI-induced clock glitches

### Conclusion

# Conclusion

EMFI models: timing violations fault model

- EMFI-induced clock glitches within the clock network
- Timing faults, which result from EM coupling with the PDN
- El-Baze sensor's efficiency
  - High detection at low frequencies
  - No detection of timing faults obtained at high frequencies
- > The risk of using an EMFI detection sensor based on a single fault model
- An enhanced explanation of the EMFI models to aid designers in developing more effective detection sensors





### Questions

### Contact: roukoz.nabhan@emse.fr



Une école de l'IMT

Une école de l'IMT

62