Memory address scrambling revealed using fault attacks
Abstract
Today's trend in the smart card industry is to move from ROM+EEPROM chips to Flash-only products. Recent publications have shown that Floating Gate memories are vulnerable to UV and heat radiation. In this paper we explain how such a vulnerability can be exploited with low cost means to modify specific data within an EEPROM memory, even in the presence of a given type of counter-measure. We devise a simple fault injection tool that consistently causes predictable modifications of the targeted memories' contents by flipping '1's to '0's. By controlling the location of those modifications, we show how a simple address scrambling mechanism can be reverse-engineered in a white box analysis of a given EEPROM. Such an approach can be used to test the security of Floating Gate memories used in security devices such as smart cards. We also explain how to prevent such attacks and propose counter-measures that can be implemented either at the hardware level by chip designers or at the software level in the Operating System interacting with those memories.
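The following simulation is an added example and not code from the paper; it illustrates the white box recovery step described in the abstract. The scrambler model is an assumption (physical address = bit permutation of the logical address, XORed with a constant mask; the paper's actual mechanism is not reproduced here), as are the fault model (the tool clears every bit of one chosen physical byte, since floating-gate cells can only be driven from '1' to '0') and the erased state reading as all-ones. The attacker picks the physical location of each fault and reads the chip back through its logical (OS-visible) address space, never touching the hidden `perm` and `mask` fields directly.

```python
"""Recovering a hypothetical EEPROM address scrambler with 1->0 fault injections.

Assumed model (not the paper's): physical = permute_bits(logical) ^ mask.
Erased cells read as all '1's (assumption); the fault tool only clears bits.
"""
from typing import List, Tuple

ADDR_BITS = 8
SIZE = 1 << ADDR_BITS
ERASED = 0xFF  # assumption: an erased floating-gate byte reads as 0xFF


class ScrambledEEPROM:
    """Physical array reached through a bit-permutation-plus-XOR scrambler (hypothetical)."""

    def __init__(self, perm: List[int], mask: int) -> None:
        # perm[j] = index of the physical address bit that logical bit j is routed to
        assert sorted(perm) == list(range(ADDR_BITS)), "perm must be a permutation"
        self.perm = perm          # hidden from the attacker
        self.mask = mask          # hidden from the attacker
        self.cells = [ERASED] * SIZE

    def scramble(self, logical: int) -> int:
        phys = 0
        for j, i in enumerate(self.perm):
            if logical >> j & 1:
                phys |= 1 << i
        return phys ^ self.mask

    def read(self, logical: int) -> int:
        """What the Operating System sees: a read through the scrambler."""
        return self.cells[self.scramble(logical)]

    def inject_fault(self, physical: int) -> bool:
        """Fault model: clear every bit of one physical byte (only 1->0 flips are
        possible). Returns False when the target already held 0, i.e. no observable
        effect; this is the caveat a practitioner must check before each shot."""
        before = self.cells[physical]
        self.cells[physical] = 0
        return before != 0

    def erase(self) -> None:
        self.cells = [ERASED] * SIZE


def recover_scrambler(chip: ScrambledEEPROM) -> Tuple[List[int], int]:
    """White-box recovery using only chip.read(), chip.inject_fault() and chip.erase().
    Needs ADDR_BITS + 1 faults: physical address 0 and each single-bit address 1<<i."""
    chip.erase()
    baseline = [chip.read(a) for a in range(SIZE)]

    def logical_for(physical: int) -> int:
        # Fault one known physical byte, then find the single logical address that moved.
        chip.erase()
        assert chip.inject_fault(physical), "target cell was not erased: fault invisible"
        hits = [a for a in range(SIZE) if chip.read(a) != baseline[a]]
        assert len(hits) == 1, "exactly one logical address must change per fault"
        return hits[0]

    l0 = logical_for(0)                 # logical image of physical 0: permute(l0) == mask
    perm = [0] * ADDR_BITS
    for i in range(ADDR_BITS):
        diff = logical_for(1 << i) ^ l0  # one physical bit <-> one logical bit
        assert diff and diff & (diff - 1) == 0, "expected a single differing logical bit"
        perm[diff.bit_length() - 1] = i
    mask = 0
    for j, i in enumerate(perm):
        if l0 >> j & 1:
            mask |= 1 << i
    chip.erase()
    return perm, mask


def predict_logical(perm: List[int], mask: int, physical: int) -> int:
    """Inverse of the recovered scrambler: the logical address the OS must read to
    observe a fault planted at `physical`. This is what makes later faults targeted."""
    p = physical ^ mask
    logical = 0
    for j, i in enumerate(perm):
        if p >> i & 1:
            logical |= 1 << j
    return logical


if __name__ == "__main__":
    # Constructed secret parameters for the demonstration chip.
    chip = ScrambledEEPROM(perm=[3, 0, 6, 1, 7, 2, 5, 4], mask=0xA5)
    perm, mask = recover_scrambler(chip)
    print("recovered perm =", perm, "mask = 0x%02X" % mask)
    target = 0x3C
    print("fault at physical 0x%02X shows up at logical 0x%02X"
          % (target, predict_logical(perm, mask, target)))
```

The recovery works because the assumed scrambler is linear over XOR: faulting physical address 0 reveals the image of the mask, and faulting each single-bit physical address then differs from that image in exactly one logical bit, which pins down the permutation. A scrambler that is not linear (a keyed S-box over the address, for example) defeats this particular procedure, which is one reason the abstract's hardware counter-measures matter; the `inject_fault` return value also models the practical limit that a cell already at '0' cannot be faulted further.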
Keywords
EEPROM memory
ROM+EEPROM chips
UV radiation
chip designers
fault attacks
fault injection tool
flash-only products
floating gate memories
hardware level
heat radiation
memory address scrambling
operating system
security devices
smart card industry
software level
white box analysis
fault simulation
flash memories
logic testing
security of data
smart cards