IACR News item: 17 May 2022
Clément Fanjas, Clément Gaine, Driss Aboulkassimi, Simon Pontié, Olivier Potin
ePrint Report
The success rate of Fault Injection (FI) and Side-Channel Analysis (SCA) depends on the quality of the synchronization available in the target.
As the modern SoCs implement complex hardware architectures able to run at high-speed frequency, the synchronization of hardware security characterization becomes therefore a real challenge.
However when I/Os are unavailable, unreachable or if the synchronization quality is not sufficient, other triggering methodologies should be investigated.
This paper proposes a new synchronization approach named Synchronization by Frequency Detection (SFD), which does not use the target I/Os.
This approach consists in the identification of a vulnerability following a specific code responsible for the activation of a characteristic frequency which can be detected in the EM field measured from the target.
A real time analysis of EM field is applied in order to trigger the injection upon the detection of this characteristic frequency.
For validating the proof-of-concept of this new triggering methodology, this paper presents an exploitation of the SFD concept against the Android Secure-Boot of a smartphone-grade SoC.
By triggering the attack upon the activation of a frequency at 124.5 MHz during a RSA signature computation, we were able to synchronize an electromagnetic fault injection to skip a vulnerable instruction in the Linux Kernel Authentication.
We successfully bypassed this security feature, effectively running Android OS with a compromised Linux Kernel with one success every 15 minutes.
Additional news items may be found on the IACR news page.