What is fault injection?
Fault injection is a method of creating unexpected behavior in physical electronic devices. This involves taking a working system and introducing various glitches, high amounts of energy, and random physical conditions to maliciously affect its functionality. Fault injection has historically been used to test the robustness of new devices to harsh environmental conditions and operational corner cases. However, fault injection has now become a significant tool used to break the security of modern devices. With a diverse set of methods and advanced instruments, it can be used to bypass security measures implemented in hardware and software, both of which store sensitive information and are a target for potential attackers.
Origins of fault injection
The assessment of fault injection vulnerability originated partly to mitigate the effects of harsh environmental conditions on a device. NASA played a large role in this early development through their use of fault tolerant computer systems aboard spacecraft. Cosmic radiation, which is unavoidable when leaving the protection of the Earth’s atmosphere, can impart large amounts of energy when colliding with materials. When it strikes electronic devices, it can corrupt data by causing undesired bit flips in memory. This necessitated the creation of computer systems that would still function properly even in the event of faults.
For those of us thankfully protected by the Earth’s atmosphere, natural environmental effects are less of a concern when it comes to fault vulnerability. Currently, the largest overarching threat is intentional fault injection performed by malicious actors. Strategies for mitigating the effects of the environment are well developed, while the threat of fault injection attacks has only recently grown into an important area of concern. As we transition into a world dominated by Internet-of-Things (IoT) devices, fault injection attacks grow more prevalent and more likely to cause harm.
Types of hardware fault injection attacks
Faults can be injected into a chip by directly interfacing with it or by altering its physical conditions and its environment. An example of the first method could be injecting malformed inputs, while an example of the second could be manually changing data in memory or introducing harsh environmental conditions. External methods are often the greatest risk to hardware devices, giving attackers the most control over a device’s functionality by physically altering its behavior.
Fault injection attacks on hardware can be carried out through several techniques that are invasive, semi-invasive, or non-invasive. These categories describe how much damage must be done to the device to carry out the attack. In addition, these techniques can be targeted at specific locations within a device or can be random, affecting a large range of locations. A commonality between the different fault injection attack methods is that they are mostly active – the chip must be running for the attack to be effective – as they rely upon the chip’s altered runtime behavior to expose sensitive information. The following are the most prevalent methods:
- Clock glitching: A non-invasive injection technique where the system clock is disturbed, causing timing violations that make registers capture incorrect values. As this attack normally affects the clock used by the entire chip, its effects are random, making it hard to target at specific areas.
- Voltage glitching: A non-invasive injection technique where the chip’s voltage supply is disturbed, leading to an increase or decrease in signal transmission speed. Voltage glitching affects the supply voltage used by the entire chip, meaning its effects are random and cannot be targeted to specific areas.
- Electromagnetic fault injection (EMFI): A non-invasive attack method that uses generated magnetic fields to create voltage pulses from the outside of a chip. These effects act like voltage glitching and can lead to timing failures. Due to the nature of electromagnetic waves, EMFI cannot be targeted to specific locations on a chip.
- Laser fault injection (LFI): A semi-invasive, targeted attack method that uses directed beams of light to inject voltage pulses into a chip, causing supply variations or flipping bits in registers and memory. This attack requires the removal of a chip’s packaging but does not alter it internally, which makes it semi-invasive.
- Focused ion beam (FIB) machining: An invasive and targeted attack method that uses semiconductor editing machinery to alter the structure of a chip to either cut or add interconnects. Security measures can then be bypassed and points of interest in the chip can be probed to extract information.
Implications of hardware fault injection attacks
Real-world fault vulnerabilities often go unaccounted for during a product’s development. Understandably, it is difficult to account for every possible fault, and in the interest of saving development and testing time, these possibilities are overlooked. However, with fault injection attack methods becoming less expensive and more easily accessible, security becomes an important factor to consider when developing new designs.
Fault injection can result in flipped bits in memory, causing corrupted data to be propagated within a chip. A properly timed and placed fault injection attack can leverage this effect, potentially revealing sensitive information. With an understanding of the design’s functionality, attackers gain even more control over how this data is accessed and increase the likelihood of success. By forgoing hardware-level protections, designs are left vulnerable to data corruption, denial of service, and the leakage of assets and design secrets. These assets may include cryptographic keys, sensitive user information, passwords, biometrics, configuration bits, and firmware.
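To make the effect of a flipped bit concrete, the following added example (not from the original article or from Caspia) exhaustively applies every single-bit fault to a stored "access denied" state, first for a plain nonzero flag and then for a redundantly encoded one. The constants, type and function names are constructed for illustration, and the fault model is assumed to be one bit flip in stored data only.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: complementary patterns, Hamming distance 32. */
#define AUTH_GRANTED 0x3CA5965Au
#define AUTH_DENIED  0xC35A69A5u

enum { DENIED = 0, GRANTED = 1, FAULT = -1 };

/* Naive flag: any nonzero word is treated as "authorized". */
static int naive_check(uint32_t flag) { return flag != 0 ? GRANTED : DENIED; }

/* Hardened flag: the value is stored together with its bitwise inverse. */
typedef struct { uint32_t value, inverse; } hardened_flag;

static int hardened_check(hardened_flag f) {
    if ((f.value ^ f.inverse) != 0xFFFFFFFFu) return FAULT; /* copies disagree */
    if (f.value == AUTH_GRANTED) return GRANTED;
    if (f.value == AUTH_DENIED)  return DENIED;
    return FAULT;                                            /* unknown code word */
}

/* Flip each of the 32 bits of a "denied" naive flag; count a given outcome. */
static int naive_outcomes(int outcome) {
    int n = 0;
    for (int bit = 0; bit < 32; bit++)
        if (naive_check(0u ^ (1u << bit)) == outcome) n++;
    return n;
}

/* Flip each of the 64 stored bits of a "denied" hardened flag. */
static int hardened_outcomes(int outcome) {
    int n = 0;
    for (int bit = 0; bit < 64; bit++) {
        hardened_flag f = { AUTH_DENIED, ~AUTH_DENIED };
        if (bit < 32) f.value   ^= 1u << bit;
        else          f.inverse ^= 1u << (bit - 32);
        if (hardened_check(f) == outcome) n++;
    }
    return n;
}

int main(void) {
    printf("naive:    %d of 32 single-bit faults grant access\n",
           naive_outcomes(GRANTED));
    printf("hardened: %d of 64 grant access, %d detected\n",
           hardened_outcomes(GRANTED), hardened_outcomes(FAULT));
    return 0;
}
```

The simulation covers corrupted data only; faults that change which instructions execute are outside this model.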
What can be done?
The most effective way to protect against fault injection attacks is to consider them early in the design process. Countermeasures must be implemented directly into the design, which could be infeasible later down the line. This could mean spending large amounts of money to rework the chip after a design is finalized or even manufactured. This is often why designers forgo fault injection countermeasures – they become too difficult to implement without the proper forethought.
To make matters worse, many hardware designers are not formally trained in hardware security, which increases the barrier to entry when it comes to securing designs. In addition to this, the options for “plug and play” solutions are very limited, requiring costly external services or very time-intensive research. To overcome this gap, Caspia offers AFIx as an automatic solution for pre-silicon fault-injection assessment. AFIx aims to make securing designs from fault injection attacks a simple process, regardless of hardware security knowledge.
AFIx is designed to assess fault injection attack vulnerability early in the design flow, giving designers the tools they need to protect their products. AFIx performs its assessments at the pre-silicon stage, which means costly redesigns after post-silicon validation are unnecessary. AFIx achieves this by determining specific locations within a design that are the most susceptible to fault injection attacks. This pointed analysis, done early in the design phase, allows designers to implement countermeasures only where necessary and with the highest chance of preventing an attack, greatly reducing area overhead and cost.
D. Jenkins, “Advanced Vehicle Automation and Computers Aboard the Shuttle,” NASA, 05-Apr-2001. [Online]. Available: https://history.nasa.gov/sts25th/pages/computer.html.