Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation

Matthias Probst; Michael Gruber; Manuel Brosch; Tim Music; Georg Sigl

doi:10.1109/FDTC64268.2024.00011

Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation

Matthias Probst, Michael Gruber, Manuel Brosch, Tim Music, Georg Sigl

Chair of Security in Information Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro-Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based on a single trace per location, which is then used to find promising spatial EMFI positions. We chose an STM32F303 microcontroller, which shows that the injection locations that result in data modification are almost entirely contained within areas of high Signal-to-Noise Ratio (SNR). An EMFI based attack can be accelerated up significantly using this relationship.

Original language	English
Title of host publication	Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	22-27
Number of pages	6
ISBN (Electronic)	9798350380361
DOIs	https://doi.org/10.1109/FDTC64268.2024.00011
State	Published - 2024
Event	21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024 - Halifax, Canada Duration: 4 Sep 2024 → …

Publication series

Name	Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024

Conference

Conference	21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024
Country/Territory	Canada
City	Halifax
Period	4/09/24 → …

Keywords

Fault Injection Analysis
Probe Positioning
Side-Channel Analysis

Access to Document

10.1109/FDTC64268.2024.00011

Cite this

Probst, M., Gruber, M., Brosch, M., Music, T., & Sigl, G. (2024). Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation. In Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024 (pp. 22-27). (Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/FDTC64268.2024.00011

Probst, Matthias ; Gruber, Michael ; Brosch, Manuel et al. / Switch-Glitch : Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation. Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024. Institute of Electrical and Electronics Engineers Inc., 2024. pp. 22-27 (Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024).

@inproceedings{caad7de0168c4958aaf9c5dec57e2659,

title = "Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation",

abstract = "While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro-Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based on a single trace per location, which is then used to find promising spatial EMFI positions. We chose an STM32F303 microcontroller, which shows that the injection locations that result in data modification are almost entirely contained within areas of high Signal-to-Noise Ratio (SNR). An EMFI based attack can be accelerated up significantly using this relationship.",

keywords = "Fault Injection Analysis, Probe Positioning, Side-Channel Analysis",

author = "Matthias Probst and Michael Gruber and Manuel Brosch and Tim Music and Georg Sigl",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024 ; Conference date: 04-09-2024",

year = "2024",

doi = "10.1109/FDTC64268.2024.00011",

language = "English",

series = "Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "22--27",

booktitle = "Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024",

}

Probst, M, Gruber, M, Brosch, M, Music, T & Sigl, G 2024, Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation. in Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024. Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024, Institute of Electrical and Electronics Engineers Inc., pp. 22-27, 21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024, Halifax, Canada, 4/09/24. https://doi.org/10.1109/FDTC64268.2024.00011

Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation. / Probst, Matthias; Gruber, Michael; Brosch, Manuel et al.
Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024. Institute of Electrical and Electronics Engineers Inc., 2024. p. 22-27 (Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Switch-Glitch

T2 - 21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024

AU - Probst, Matthias

AU - Gruber, Michael

AU - Brosch, Manuel

AU - Music, Tim

AU - Sigl, Georg

PY - 2024

Y1 - 2024

N2 - While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro-Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based on a single trace per location, which is then used to find promising spatial EMFI positions. We chose an STM32F303 microcontroller, which shows that the injection locations that result in data modification are almost entirely contained within areas of high Signal-to-Noise Ratio (SNR). An EMFI based attack can be accelerated up significantly using this relationship.

AB - While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro-Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based on a single trace per location, which is then used to find promising spatial EMFI positions. We chose an STM32F303 microcontroller, which shows that the injection locations that result in data modification are almost entirely contained within areas of high Signal-to-Noise Ratio (SNR). An EMFI based attack can be accelerated up significantly using this relationship.

KW - Fault Injection Analysis

KW - Probe Positioning

KW - Side-Channel Analysis

UR - http://www.scopus.com/inward/record.url?scp=85210896477&partnerID=8YFLogxK

U2 - 10.1109/FDTC64268.2024.00011

DO - 10.1109/FDTC64268.2024.00011

M3 - Conference contribution

AN - SCOPUS:85210896477

T3 - Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024

SP - 22

EP - 27

BT - Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 4 September 2024

ER -

Probst M, Gruber M, Brosch M, Music T, Sigl G. Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation. In Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024. Institute of Electrical and Electronics Engineers Inc. 2024. p. 22-27. (Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024). doi: 10.1109/FDTC64268.2024.00011

Switch-Glitch: Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this