Skip to Main content Skip to Navigation

A methodology to localise EMFI areas on Microcontrollers

Abstract : Today, security of embedded devices is put in the limelight with the increasing market share of both IoT and automotive.To ensure a proper level of security to its customer such embedded components must undergo pentesting either to obtain some certifications to address security market but also to avoid tarnishing the name of the firm in case of vulnerability.Amongst the various attack paths, one of most threatening is the voluntary violation of operation condition to induce a fault on a circuit.These faults are then used for privilege escalation or combined with statistic tools to recover cryptographic keys. This thesis focuses on the use of electromagnetic field to generate such faults, this medium being the one that offers the best trade-off between cost and accuracy.The efficiency of such family of attack has already been demonstrated in the literature. Yet fault injection techniques shared a common problem which root cause is the amount of parameter an evaluator has to tweaks to obtain a fault. Therefore, it is hard to state whether a target is protected against fault injection since evaluation is bounded in time, thus exhaustive search is not an option.Metrics or strategies should be defined to get the most out of up to date fault injection methods.This thesis is a first step towards defining such metrics, and proposed to tackle the space complexity of EM fault injection. In other words, according to the attack scenario we developed metrics or strategy relying on both experimentation and state of the art. The aims of those metrics/strategy being to reduce the space on the DUT that undergo electromagnetic emanation to the most likely to be faulted area.In a first part, a criterion based on a basic model of the coupling between the injection probes and the circuit as well as today fault model will be developed.This criterion is then analysed and a refinement is proposed.Yet fault injection could also be used to nullify countermeasure that disable some attack vectors. Most of those countermeasures have in common the use of a true random generator.Thence in a second part we evaluate the robustness of an up to date true random number generator against electromagnetic perturbation.From this analysis we derived which parts of true random number generator are more relevant to be targeted using electromagnetic waves.
Complete list of metadatas

Cited literature [97 references]  Display  Hide  Download
Contributor : Abes Star :  Contact
Submitted on : Friday, February 14, 2020 - 10:43:06 AM
Last modification on : Wednesday, September 9, 2020 - 3:15:37 AM
Long-term archiving on: : Friday, May 15, 2020 - 2:13:11 PM


Version validated by the jury (STAR)


  • HAL Id : tel-02478873, version 1



Maxime Madau. A methodology to localise EMFI areas on Microcontrollers. Micro and nanotechnologies/Microelectronics. Université Montpellier, 2019. English. ⟨NNT : 2019MONTS045⟩. ⟨tel-02478873⟩



Record views


Files downloads