



Philippe MAURINE

14/09/2025









# Background - Hardware security

### ☐ Fault Attack Techniques





# Body Bias Injection (BBI)

- ☐ Principle: Voltage pulse injection on IC substrate
- Potential Disruptions :
  - Power supply networks
  - Clock signals
  - Control & data signals
  - ...







### The state of the art of Body Bias Injection

| Yet Another Fault Injection Technique : by Forward Body Biasing Injection Invention de cette technique - Attaque de Bellcore sur RSA |
|--------------------------------------------------------------------------------------------------------------------------------------|
| Voltage spikes on the substrate to obtain timing faults  Fault nature on digital circuits                                            |
| Body biasing injection attacks in practice (Lumped model for dual-well substrates)  First physical model                             |
| Low-cost body biasing injection (BBI) attacks on WLCSP devices Attaque on AES                                                        |
| Breaking a Recent SoC's Hardware AES Accelerator Using Body Biasing Injection Attaque on AES                                         |
| A better practice for Body Biasing Injection Injection practive improvement                                                          |
|                                                                                                                                      |

My Objective: To establish a model that characterizes the impact of BBI on program control flow.



### Program Control Flow

☐ Order in which statements and instructions are executed in a program.







### Program control flow attack

- ☐ Program control flow attack : Alters the normal execution path of a program
  - ☐ Faults Inside the Processor Examples:
    - Loading attacker-controlled values into the Program Counter (PC)
    - Instruction skipping / replay
  - ☐ Faults between Program Memory and the Processor Examples:
    - Corrupt instruction cache/buffer contents
    - Disrupt instruction cache/buffer updates

Can BBI also generate exploitable faults in program control flow?



## Target architecture

☐ **Target microcontroller**: STM32F439, ARM Cortex-M4 (3-stage pipeline)



- ☐ Current Buffer: Stores the instruction line currently requested by the CPU
- ☐ AHB Bus Matrix: Fetches instructions (32 bits at a time) from the Current Buffer
- ☐ Prefetch Buffer: Holds the next consecutive instruction line
- ☐ I-Cache: Stores likely branch destination lines based on update rules



## Study in 2 Phases

- ☐ Phase 1 : Sequential Test Code
  - How BBI affects the normal operation of the **CPU pipeline** and **FLASH accelerator** when there's no branch involved?
  - Which stage of the sequential execution flow is most likely to be affected by BBI?
- ☐ Phase 2 : Single Branch Test Code
  - What kind of phenomenon can be generated when there is a branch operation involved?



☐ Prefetch enabled

#### instruction buffer update period = 4 cycles



### ☐ Prefetch disabled

#### instruction buffer update period = 5 cycles

| P-buffer - |    | )  | X  |    | Х  |    | )  | <  |    | Х  | Χ  |    |    |    | X  | X   |    |    | X  | Х   |    |    | X  |    |    |  |
|------------|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|-----|----|----|----|-----|----|----|----|----|----|--|
| C-buffer - |    | N  | -2 |    | WS |    | N- | -1 |    | WS |    | 1  | V  |    | WS | N+1 |    |    | WS | N+2 |    |    | WS |    |    |  |
| Fetch -    | 10 | 10 | 10 | 10 |    | 10 | 10 | 10 | 10 |    | 10 | 10 | IA | IB |    | IC  | 10 | 10 | 10 |     | 10 | 10 | 10 | 10 |    |  |
| Decode -   |    | 10 | 10 | 10 | 10 |    | 10 | 10 | 10 | 10 |    | 10 | 10 | IA | IB |     | IC | 10 | 10 | 10  |    | 10 | 10 | 10 | 10 |  |
| Execute -  |    |    | 10 | 10 | 10 | 10 |    | 10 | 10 | 10 | 10 |    | 10 | 10 | IA | IB  |    | IC | 10 | 10  | 10 |    | 10 | 10 | 10 |  |
| !          |    |    |    |    |    |    |    |    |    |    |    |    |    |    |    |     |    |    |    |     |    |    |    |    |    |  |



☐ Prefetch buffer enabled



#### **Fault Classification**

- ☐ Skipping: The instruction is skipped.
- ☐ Replay: The instruction is replayed



#### ☐ Prefetch buffer enabled



#### ☐ Prefetch buffer disabled



#### **Fault Classification**

- ☐ Skipping: The instruction is skipped.
- ☐ Replay: The instruction is replayed



- ☐ Conclusion for the first phase: In sequential code execution, BBI-induced faults are observed, primarily attributable to update failures in the instruction buffers of the FLASH accelerator.
  - ☐ With the prefetch buffer enabled, the update of the prefetch buffer represents the most vulnerable stage, whereas the current buffer is seldom impacted.
  - ☐ Conversely, when the prefetch buffer is disabled, the update of the current buffer emerges as the most vulnerable stage of the program flow.







☐ Target Conditional Branch Operation

- ☐ The branch under consideration transfers control from line N to line N+3.
- ☐ The fault injection is performed during the execution of this branch operation.



### Prefetch buffer enabled

Correct P-buffer update process





### ☐ Prefetch buffer enabled







### ☐ Prefetch buffer enabled





Line N+1 is executed illegally instead of N+3, so N+3 is skipped. Both N+1 and N+3 contain arithmetic instructions; therefore, in this scenario, the primary impact of the fault is the generation of incorrect arithmetic results.



### Prefetch buffer disabled





Line N is replayed, line N+3 is skipped.





Question: What happens when a branch instruction is replayed illegally?

Line N includes not only arithmetic instructions but also the branch instruction that has juste been executed, which means the branch will also be replayed, prompting the question of how the system behaves in this case.





#### Branch instruction

- Add a fixed offset (br\_offset) to the current Program Counter (PC).
- "br\_offset" is coded in the instruction "BNE destination\_instruction".
- The CPU only see br\_offset but not the absolute destination address. The destination address is calculated by :

Destination address = PC1 (current PC) + br offset



# **Normal Execution ADD** str r3, [r7,#4] line N cmp r3, #3 BNE destination\_instruction PC1 + br\_offset destination\_instruction line N+3~ **ADD** ADD line N+4≺

#### ☐ Disrupted Execution





### Fault Model Conclusion

☐ Conclusion for the first phase (sequential test code) :

During the execution of sequential code, BBI can induce control flow faults, primarily caused by update failures in the instruction buffers within the FLASH accelerator.



Body Bias Injection affects a common path that delivers instructions from the FLASH to the instruction buffers.





## Fault Model Conclusion

| Duri     | elusion for the first phase (sequential test code):  ng the execution of sequential code, BBI can induce control flow faults, primarily ed by update failures in the instruction buffers within the FLASH accelerator.                                                                          |
|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <u> </u> | When the <b>prefetch buffer is enabled</b> , the most <b>vulnerable</b> stage is the update of the <b>prefetch buffer</b> , the current buffer is rarely affected.  When the <b>prefetch buffer is disabled</b> , the most <b>vulnerable</b> stage is the update of the <b>current buffer</b> . |
| Con      | clusion for the second phase (test code with branch):  Root cause of faults: Failure to update instruction buffer  Impact depends on buffer content before/after update:  Arithmetic instructions → Arithmetic errors  Branch instructions → Illegal branch / Control flow deviation            |



### Conclusion







### Annex













# Spatial genericity of obtained results

☐ The fault is easy to generate in a large region on the chip



