Publication type: Conference: Other
Type of review: Peer review (abstract)
Titel: Bypassing security measures with voltage fault injection on Cortex-M devices
Author(s): Lorenz, David
Noseda, Mario
Künzli, Simon
et al.: No
Conference details: Embedded Computing Conference (ECC), Winterthur, Switzerland, 28 May 2024
Publication date: May 2024
Language: English
Subject area (DDC): 004: Computer science
Abstract: A chip must be kept within its normal operating range, since otherwise faults can occur. Supply voltage glitches (spikes or dips) can manifest as faulty bits at the micro-architectural level, which then propagate to the application level as faulty instructions or data. Voltage fault injection is an attack technique that intentionally and maliciously bombards a target with such glitches and exploits the resulting faulty behavior. We built a low-cost voltage fault injection tool from a Cortex-M7 and an analog switch to show that neither much money nor much effort is needed for such an attack. As a test subject we used an MCUboot version hardened with a secure element and investigated how susceptible such a system is to voltage fault injection during firmware image verification. Our analysis found several vulnerable instructions in the glue code between MCUboot and the secure element library. By attacking the Nordic nRF52840 host MCU while it executes these instructions, we showed how an attacker can bypass a signature verification that is performed on the secure element. We further applied our tool to bypass the read-out protection of a Cortex-M device in a commercially available home automation sensor. By injecting a glitch at a specific point during boot, we circumvented the protection mechanism, which would have allowed us to extract the entire flash contents. The extracted firmware binary can then be searched for sensitive information (such as key material) or reverse-engineered to find vulnerabilities in the firmware. Keys and vulnerabilities can in turn be used to build follow-up attacks that scale far better than the voltage fault injection itself. Such attacks show the need for a holistic approach so that countermeasures like read-out protection or secure elements can unfold their full potential.
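The abstract describes the weak point as glue code on the host MCU: the secure element may verify the signature correctly, but the host still has to read the status word and branch on it, and that compare-and-branch is what a single glitch corrupts. The following C program is an added illustration written for this record; it is not code from the paper, from MCUboot or from any secure element library. It models a single glitch on the host (a loaded value read as zero, as all ones, or with one bit flipped, or a reject branch that is not taken), shows a naive glue routine that boots an unsigned image under such a glitch, and a hardened routine that compares the full status word at three distinct points so that one corrupted word or one skipped branch is not sufficient. The status constants, the step numbering and the fault model are assumptions made for this example; the paper's actual vulnerable instructions are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative status words (assumed, not from the paper): high Hamming
 * weight, complementary, and far from both 0x00000000 and 0xFFFFFFFF. */
#define SE_PASS 0x5A3CC3A5u
#define SE_FAIL (~SE_PASS)   /* 0xA5C33C5A */

/* Single-glitch fault model for the host MCU (assumed). */
typedef enum {
    FAULT_NONE,     /* no glitch */
    FAULT_ZERO,     /* value observed as 0 (corrupted load/move) */
    FAULT_ONES,     /* value observed as all ones */
    FAULT_BITFLIP,  /* one bit of the observed value flipped */
    FAULT_SKIP      /* the reject branch at this step is not taken */
} fault_kind_t;

typedef struct {
    int step;           /* which check in the glue code the glitch hits */
    fault_kind_t kind;
    int bit;            /* used by FAULT_BITFLIP */
} glitch_t;

/* The value as the CPU sees it at check number `step`. */
static uint32_t observe(uint32_t v, int step, const glitch_t *g)
{
    if (g == NULL || g->step != step) return v;
    switch (g->kind) {
    case FAULT_ZERO:    return 0u;
    case FAULT_ONES:    return 0xFFFFFFFFu;
    case FAULT_BITFLIP: return v ^ (1u << (g->bit & 31));
    default:            return v;
    }
}

/* Whether the reject branch at `step` actually executes; `reject` is the
 * unglitched decision. */
static bool reject_taken(bool reject, int step, const glitch_t *g)
{
    if (g != NULL && g->step == step && g->kind == FAULT_SKIP) return false;
    return reject;
}

/* Stand-in for the secure element's verify command (hypothetical). */
static uint32_t se_verify(bool signature_valid)
{
    return signature_valid ? SE_PASS : SE_FAIL;
}

/* Naive glue: status collapsed to 0 / -1, one compare-and-branch (step 0). */
bool naive_glue_accepts(bool signature_valid, const glitch_t *g)
{
    uint32_t ok = (se_verify(signature_valid) == SE_PASS) ? 0u : (uint32_t)-1;
    ok = observe(ok, 0, g);
    if (reject_taken(ok != 0u, 0, g)) return false;
    return true;   /* boot the image */
}

/* Hardened glue: keep the full status word and test it three ways at three
 * distinct points (steps 0..2). Each test alone rejects a corrupted word,
 * and the other two still run if one branch is skipped. */
bool hardened_glue_accepts(bool signature_valid, const glitch_t *g)
{
    uint32_t r = se_verify(signature_valid);

    uint32_t s0 = observe(r, 0, g);
    if (reject_taken(s0 != SE_PASS, 0, g)) return false;

    uint32_t s1 = observe(r, 1, g);
    if (reject_taken((s1 ^ SE_FAIL) != 0xFFFFFFFFu, 1, g)) return false;

    uint32_t s2 = observe(r, 2, g);
    if (reject_taken((s2 ^ SE_PASS) != 0u, 2, g)) return false;

    return true;
}

/* Enumerate every single glitch against a glue routine with `steps` checks
 * and count how many of them boot an image with an INVALID signature. */
int count_single_glitch_bypasses(bool (*glue)(bool, const glitch_t *), int steps)
{
    const fault_kind_t kinds[3] = { FAULT_ZERO, FAULT_ONES, FAULT_SKIP };
    int bypasses = 0;
    for (int step = 0; step < steps; step++) {
        for (int k = 0; k < 3; k++) {
            glitch_t g = { step, kinds[k], 0 };
            if (glue(false, &g)) bypasses++;
        }
        for (int bit = 0; bit < 32; bit++) {
            glitch_t g = { step, FAULT_BITFLIP, bit };
            if (glue(false, &g)) bypasses++;
        }
    }
    return bypasses;
}

int main(void)
{
    printf("naive glue:    %d single-glitch bypasses\n",
           count_single_glitch_bypasses(naive_glue_accepts, 1));
    printf("hardened glue: %d single-glitch bypasses\n",
           count_single_glitch_bypasses(hardened_glue_accepts, 3));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the model only covers one glitch per boot; an attacker who can place two precisely timed glitches defeats the three-way check too, which is why production code adds random delays, loop-counter verification and glitch detectors on top of redundancy. Second, an optimizing compiler will happily merge the three compares on `r` back into one, reproducing the naive code; the status variable must be `volatile` or the checks separated by compiler barriers, and the generated assembly must be inspected, since the paper's point is precisely that the vulnerable instructions were found in the compiled glue, not in the secure element.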
URI: https://digitalcollection.zhaw.ch/handle/11475/31075
Full text version: Published version
License (per publisher agreement): License per publisher agreement
Department: School of Engineering
Organisational unit: Institute of Embedded Systems (InES)
Appears in collections: Publications School of Engineering

Lorenz, D., Noseda, M., & Künzli, S. (2024, May). Bypassing security measures with voltage fault injection on Cortex-M devices. Embedded Computing Conference (ECC), Winterthur, Switzerland, 28 May 2024.
