Black-box Laser Fault Injection on a Secure Memory
Olivier Hériveaux
Secret protection in embedded systems
Microcontrollers: FLASH memory, basic readout protection fuses; low-cost; low resistance against hardware attacks
Secure Elements: physical attacks counter-measures; evaluated by accredited labs; restricted access (JCVM, NDA, ...)
Microchip ATECC508A: secure memory; IoT applications; easy access, no NDA
Is this secure?
Coldcard Wallet
Bitcoin hardware wallet
Version Mk2 studied
STM32L4 microcontroller: main firmware
⇅
ATECC508A: stores the "Seed" (private key), protected with authentication
ATECC508A
Reduced software attack surface
Confidential firmware
Voltage glitch sensors
Top-metal shield
Internal clock generator
No laser counter-measures
[Figure labels: Device Under Test; Scaffold control board (https://github.com/Ledger-Donjon/scaffold); laser source; optical fiber; microscope objective lens 50X; motorised XYZ stage]
Silicon is transparent to infra-red light
Integrated circuits are photosensitive
Light can enable transistors conduction...
... hence introducing computation errors!
Laser is a powerful and semi-invasive tool
What's the plan?
Identify assets and seek an attack path
Prepare and instrument the sample
Target
Test
ATECC508A Memory Layout
CONFIG
DATA (slot, size, usage)
#0 - 36 bytes - Unused
#1 - 36 bytes - Pairing secret
#2 - 36 bytes - Anti-phishing
#3 - 36 bytes - PIN1 hash
#4 - 36 bytes - PIN2
#5 - 36 bytes - PIN1 try counter
#6 - 36 bytes - PIN2 try counter
#7 - 36 bytes - PIN3
#8 - 416 bytes - PIN4
#9 - 72 bytes - Seed1
#10 - 72 bytes - Seed2
#11 - 72 bytes - Seed3
#12 - 72 bytes - Seed4
#13 - 72 bytes - BrickMe
#14 - 72 bytes - Firmware hash
#15 - 72 bytes - Unused
OTP
Accessing data slots
ReadMemory command: 03 07 02 82 1800 0a78
03: Command
07: Length
02: OpCode (Read Memory)
82: DATA zone + Length
1800: Address
0a78: CRC
Response when access granted:
23 303132333435363738396162636465666768696a6b6c6d6e6f70717273747576 384a
23: Length
3031...7576: Data (32 bytes)
384a: CRC
Response when access denied:
1 10 384a
1: Length
10: Error code (EXECUTION_ERROR)
384a: CRC
PIN1 data slot configuration
Raw: 0x8f43
Write config: Encrypt
Write key: 3
Read key: 15
Is secret: Yes
Encrypt read: No
Limited use: No
No MAC: No
Code hypothesis
    /* Hypothesised ReadMemory handling (pseudocode) */
    config_address = get_config_address(slot);
    config = eeprom_read(config_address);      /* slot configuration is fetched from EEPROM */
    if (!config.is_secret) {                   /* the access decision rests on this single test */
        data_address = get_data_address(slot);
        data = eeprom_read(data_address);
        if (config.encrypt_read)
            encrypt(data);
        i2c_send(data);
    } else {
        i2c_send(EXECUTION_ERROR);
    }
When?
Power analysis
Circuit processing activity can be observed on the power trace
[Figure: reading a granted data slot. Traces: I2C SDA signal, electrical current. Markers: processing begin, processing end]
[Figure: reading a denied data slot. Traces: I2C SDA signal, electrical current. Markers: processing stops earlier; coarse time frame]
[Figure: comparison of averaged traces, denied and granted. Markers: divergence; transfer of 8 x 4 bytes EEPROM → RAM, numbered 1 to 8]
Where?
Circuit Dissection
[Figure labels: Integrated Circuit; glue; leadframe; bonding wire; package pin]
Backside decapsulation
[Figure annotation: 1.5 mm (60 mils)]
Infrared imaging
[Figure labels: Analog circuitry?; EEPROM; ROM; RAM; Logic gates, CPU, peripherals...; Laser]
Targeting
Testing campaign
Known data is loaded prior to testing:
303132333435363738396162636465666768696a6b6c6d6e6f70717273747576
For each test:
1. Laser shooting time configuration
2. Laser beam displacement
3. Power-on
4. Initialization
5. Laser activation
6. ReadMemory command + Laser shoot
7. Laser deactivation
8. Response readout
9. Power-off
10. Result and parameters logging
Test #1: EXECUTION_ERROR
Test #2: Timeout, no response received!
Test #3: PARSE_ERROR
Test #4: OK 09c8420000000000000000000000000000000000000000000000000000000000
Test #5: OK 41e0f633a019cd625920691b11400c9387009e68d0b13e53d73257216a4c0ce8
Test #6: UNKNOWN_ERROR 0xFE
Test #7: EXECUTION_ERROR
Test #8: OK
Test #9: OK 2ffef9424c7e67d31b519d3d4ea96444265a5189aadba8ab27624ca34c2fdf27
...
343617 faults injected
Many days of testing
1546 responses received
No success observed...
Top 20
Analysis
[Figure: one row per distinct response value, plotted along an axis from 0 to 300000. Annotations: "Data overwrite" markers; "Plaintext"; "Encrypted?"]
Oh wait!
The attack seems to work!
Can we do it without losing data?
Attack refinement
Optimal parameters identification
New sample preparation and programming
Test run
Success!
Two minutes of testing only
PIN1 and pairing secret data slots can be revealed
Grants access to Seed1 data slot
Coldcard Mk2 vulnerable
Realistic attack
Did we kill chips?
Yes!
Misconfiguration due to misunderstanding
Failed sample preparation
Data corruption with bad EEPROM write
Possible software mitigations
Double checking
Sensitive constant values
Kill-chip
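The three software mitigations listed above, applied to the code hypothesis, as an added example (not code from the talk or from Microchip): a constructed C model in which one transient fault clears the IsSecret bit of a single configuration read. The function names, the 0x438f byte order, the IsSecret bit position and the response codes are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not vendor firmware. CFG_IS_SECRET assumes the public
 * ATECC508A SlotConfig layout (bit 7 = IsSecret); RESP_* are model values. */
#define SLOT_COUNT            16
#define SLOT_SIZE             32
#define CFG_IS_SECRET         (1u << 7)
#define RESP_OK               0
#define RESP_EXECUTION_ERROR  1
/* Sensitive constants: complementary words (Hamming distance 32), so no
 * single flipped bit turns a denial into a grant. */
#define ACCESS_GRANTED  0x3CA5965Au
#define ACCESS_DENIED   0xC35A69A5u

static uint16_t config_eeprom[SLOT_COUNT];
static uint8_t  data_eeprom[SLOT_COUNT][SLOT_SIZE];
static int      fault_on_read;   /* n-th config read to corrupt, 0 = none */
static int      config_reads;
static bool     chip_killed;

/* Slot 3 is secret and holds constructed data; all other slots are public. */
void model_reset(int fault_read_index)
{
    memset(config_eeprom, 0, sizeof config_eeprom);
    memset(data_eeprom, 0, sizeof data_eeprom);
    config_eeprom[3] = 0x438f;   /* assumed little-endian view of bytes 8f 43 */
    memset(data_eeprom[3], 0x5A, SLOT_SIZE);
    fault_on_read = fault_read_index;
    config_reads = 0;
    chip_killed = false;
}
bool model_chip_killed(void) { return chip_killed; }

/* Simulated transient fault: the selected read loses IsSecret; storage is untouched. */
static uint16_t eeprom_read_config(int slot)
{
    uint16_t v = config_eeprom[slot];
    if (++config_reads == fault_on_read)
        v = (uint16_t)(v & ~CFG_IS_SECRET);
    return v;
}

/* The code hypothesis: one read, one boolean test (encrypt_read omitted). */
int read_slot_naive(int slot, uint8_t out[SLOT_SIZE])
{
    uint16_t config = eeprom_read_config(slot);
    if (!(config & CFG_IS_SECRET)) {
        memcpy(out, data_eeprom[slot], SLOT_SIZE);
        return RESP_OK;
    }
    return RESP_EXECUTION_ERROR;
}

static uint32_t decide(uint16_t c) { return (c & CFG_IS_SECRET) ? ACCESS_DENIED : ACCESS_GRANTED; }

/* Kill-chip: wipe the output buffer and refuse all further reads. */
static int kill_chip(uint8_t out[SLOT_SIZE])
{
    memset(out, 0, SLOT_SIZE);
    chip_killed = true;
    return RESP_EXECUTION_ERROR;
}

int read_slot_hardened(int slot, uint8_t out[SLOT_SIZE])
{
    if (chip_killed)
        return RESP_EXECUTION_ERROR;
    /* Double checking: two separate reads must agree (volatile keeps both tests). */
    volatile uint32_t first  = decide(eeprom_read_config(slot));
    volatile uint32_t second = decide(eeprom_read_config(slot));
    if (first != second)
        return kill_chip(out);
    if (first != ACCESS_GRANTED)             /* default deny */
        return RESP_EXECUTION_ERROR;
    memcpy(out, data_eeprom[slot], SLOT_SIZE);
    /* Re-check after the copy, before anything leaves the chip. */
    if (decide(eeprom_read_config(slot)) != ACCESS_GRANTED)
        return kill_chip(out);
    return RESP_OK;
}

int main(void)
{
    uint8_t buf[SLOT_SIZE];
    model_reset(1);
    int naive = read_slot_naive(3, buf);
    model_reset(1);
    int hardened = read_slot_hardened(3, buf);
    printf("naive: %s, hardened: %s, chip killed: %d\n", naive == RESP_OK ? "leak" : "denied",
           hardened == RESP_OK ? "leak" : "denied", model_chip_killed());
    return 0;
}
```

Double checking raises the cost to several precisely timed faults rather than one; it does not replace the hardware counter-measures.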
Possible hardware mitigations
Light sensors for laser detection
Power trace jamming
CPU clock frequency randomization
Error-Detection-Codes on memories
Cost of mitigations
Implementing them correctly is difficult.
More counter-measures require more silicon area.
Power and performance are impacted.
Counter-measures may be patent protected.
Security is expensive!
Conclusion
High potential attack
Very expensive equipment
Specific configuration
P-256 keys are not affected
Less resistant than a Secure Element
ATECC508A now deprecated
Superseded by ATECC608A
Thank you!