Electromagnetic fault injection on microcontrollers
Abstract
The purpose of this work is to define an assembly-level fault model for electromagnetic fault injection on a state-of-the-art 32-bit microcontroller. Injecting faults into a circuit's computation can be used by a malicious user to corrupt the control flow of an embedded program or to recover cryptographic keys. The microcontroller we use for this study is based on the ARM Cortex-M3 processor. We are able to perform an electromagnetic fault injection on our target microcontroller by sending a high-voltage pulse into a coil antenna placed over the circuit. The fault injection has different effects depending on the injection probe's position, the pulse's voltage, the injection time and the pulse's width. Pulsed electromagnetic fault injection has already been performed against reconfigurable architectures designed for the experiment, but its effects on more complex circuits such as microcontrollers are not clearly understood by the academic community. We developed an injection bench for our experiments and we propose an approach based on fault model simulation in order to define more clearly the effects of the injected faults. With this approach, we are able to simulate different assembly-level fault models and identify those that best match the experimental results we obtain. This approach also enabled us to infer the basics of a theoretical register-transfer level fault model which could explain the faults we observed. According to our model and current experiments, we are able to inject faults on both instruction and data fetches from the Flash memory. Our future work will try to propose several software-based countermeasures against the fault model we defined and a way to use those countermeasures in combination with other countermeasures usually proposed in secure embedded systems.
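The simulation-based approach described in the abstract (run candidate assembly-level fault models on a program and keep the ones whose result matches what the bench observed) can be illustrated with a small simulator. The following Python is an added example and is not code from the paper or its authors: the three-instruction toy ISA, the flash contents, the two fault kinds (an instruction fetch that behaves as a NOP, and a data fetch from flash returning all-zeros or all-ones) and the "observed" value 16 are all constructed assumptions chosen to show the method, not results from the paper's Cortex-M3 experiments.

```python
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, str, object, Optional[str]]
Fault = Tuple[str, int, object]  # (kind, instruction index, parameter)

# Constructed "flash" contents: a small table of constants the program sums.
FLASH: Dict[int, int] = {0x100: 5, 0x104: 7, 0x108: 11}

# Constructed program in a toy MOV/LDR/ADD ISA, shaped like an unrolled
# accumulate loop reading its operands from flash.
PROGRAM: List[Instr] = [
    ("MOV", "r0", 0, None),        # r0 = 0 (accumulator)
    ("LDR", "r1", 0x100, None),    # r1 = flash[0x100]
    ("ADD", "r0", "r0", "r1"),     # r0 += r1
    ("LDR", "r1", 0x104, None),
    ("ADD", "r0", "r0", "r1"),
    ("LDR", "r1", 0x108, None),
    ("ADD", "r0", "r0", "r1"),
]

MASK32 = 0xFFFFFFFF


def execute(program: List[Instr], flash: Dict[int, int],
            fault: Optional[Fault] = None) -> Dict[str, int]:
    """Run the program, optionally applying one fault at one instruction.

    Fault kinds (assumed for this example, not the paper's model):
      "skip": the fetched instruction word has no effect (acts as a NOP)
      "data": an LDR from flash returns the given value instead of the real one
    """
    regs = {"r0": 0, "r1": 0}
    for index, (op, dst, a, b) in enumerate(program):
        if fault is not None and fault[1] == index:
            kind, _, param = fault
            if kind == "skip":
                continue
            if kind == "data" and op == "LDR":
                regs[dst] = param & MASK32
                continue
        if op == "MOV":
            regs[dst] = a & MASK32
        elif op == "LDR":
            regs[dst] = flash[a] & MASK32
        elif op == "ADD":
            regs[dst] = (regs[a] + regs[b]) & MASK32
        else:
            raise ValueError(f"unknown opcode {op}")
    return regs


def candidate_faults(program: List[Instr]) -> List[Fault]:
    """Enumerate the fault hypotheses to test: one skip per instruction, and
    for each LDR a corrupted data fetch returning all-zeros or all-ones
    (two assumed corruption values, chosen for illustration)."""
    faults: List[Fault] = []
    for index, (op, _, _, _) in enumerate(program):
        faults.append(("skip", index, None))
        if op == "LDR":
            faults.append(("data", index, 0x00000000))
            faults.append(("data", index, MASK32))
    return faults


def explain(observed_r0: int, program: List[Instr] = PROGRAM,
            flash: Dict[int, int] = FLASH) -> List[Fault]:
    """Return every candidate fault whose simulated final r0 equals the
    observed one. Several matches means this experiment alone cannot tell
    the fault models apart; a match at a no-op instruction means the fault
    is invisible in the output."""
    return [f for f in candidate_faults(program)
            if execute(program, flash, f)["r0"] == observed_r0]


if __name__ == "__main__":
    golden = execute(PROGRAM, FLASH)["r0"]
    print(f"fault-free r0 = {golden}")
    # Constructed observation: the device returned 16 after one injection.
    for fault in explain(16):
        print("consistent fault hypothesis:", fault)
```

With the constructed program the fault-free result is 23. An observed 16 is explained equally well by skipping the second ADD and by the second LDR returning zero, which is exactly the ambiguity between instruction-fetch and data-fetch faults that the abstract says motivates combining simulation with experiments: distinguishing the two requires varying the program or the injection time rather than looking at one output. A skip of the initial MOV leaves r0 at 23, showing a fault the output cannot reveal at all.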