Breaking SoC Security By Glitching OTP Data Transfers by Cristofaro Mune | hardwear.io USA 2022
ฝัง
- เผยแพร่เมื่อ 28 มิ.ย. 2022
- Abstract:
------------------
Modern System-on-Chips (SoCs) include security critical features which are often configured securely using one-time programmable (OTP) bits, often implemented using so-called electronic fuses (eFuses). Most SoCs will transfer these configuration bits from OTP memory to dedicated shadow registers from where they will be consumed by either hardware modules (e.g. cryptographic engines) or software (e.g. ROM code). These bits must be transferred correctly during boot to ensure the SoC is configured as intended. A SoC is then assumed to operate as expected, according to the supplied configuration, especially when operating in its expected conditions. However, what if we can break this fundamental assumption?
Fault Injection (FI) attacks are becoming increasingly popular due to their effectiveness of hacking into devices (e.g. consoles) for which there are no software vulnerabilities identified yet. Although mostly used for altering software control flow, they can also affect the intended behavior of pure hardware implementations. This also includes the subsystems responsible for transferring the configuration bits from OTP memory to shadow registers.
We discussed this attack for the first time publicly during our talk at Blue Hat IL 2019 [1]. Back then, we only outlined the technical feasibility of such a technique, without considering a specific target. Since then, Limited Results applied this attack to dump the authentication keys [2] of the ESP32 SoC using a Voltage Fault Injection attack (VFI). We decided to also apply this technique using Electromagnetic Fault Injection (EMFI), which has several significant advantages.
In this talk, we demonstrate what it takes to perform a successful EMFI attack on the OTP transfer performed by the ESP32 SoC, using commercially available tooling. We will explain our thought process and approach before diving into the results of the attack. Finally. by using our Fault Injection Reference Model (FIRM), we will discuss what a manufacturer can do to harden a SoC against these type of attacks. As far as we know, this has never been discussed publicly.
#faultinjection #EMFI #systemonchip #hardwaresecurity #hardwear_io
-----------------------------------------------------------------------------------------------------------
Website: hardwear.io
Twitter: / hardwear_io
LinkedIn: / hardwear.io-hardwarese...
Facebook: / hardwear.io - วิทยาศาสตร์และเทคโนโลยี
![แขกคนแรกร้านแจ๊ส [ซี - เอมมี่] | iJazzKhunJang](http://i.ytimg.com/vi/XP6C9kulFfc/mqdefault.jpg)
ME ENCANTA ESTOS TEMAS