Exploration of system-on-chip secure-boot vulnerability to fault-injection by side-channel analysis
C. Fanjas, D. Aboulkassimi, S. Pontie, and J. Clédière, “Exploration of system-on-chip secure-boot vulnerability to fault-injection by side-channel analysis” in 2023 IEEE international symposium on defect and fault tolerance in VLSI and nanotechnology systems (DFT), 2023, pp. 1–6. DOI HAL.
Abstract: Fault-Injection might be a useful tool to bypass security features that may obstruct the work of forensic experts. For instance, injecting a fault could modify the target control-flow and compromise its security. When the attacker knowledge about the target software implementation and hardware architecture is limited, discovering a Fault-Injection vulnerability becomes a serious challenge. Another issue is identifying when the targeted vulnerability is executed. To the best of our knowledge, this paper proposes a new methodology to solve these problems for the first time on System-on-Chip (SoC). The first step is to improve the knowledge of security feature implementations. Then deviations in the control-flow induced by forged inputs can be combined with Side-Channel observations to identify vulnerabilities. The next step is to define a trigger as close as possible in time and prior to these vulnerabilities. At this stage, Electromagnetic Fault-Injection (EMFI) can be put in practice to bypass the targeted security feature. As a proof of concept, we bypassed the Secure-Boot of a smartphone grade SoC. Three theoretical vulnerabilities in the Secure-Boot architecture of our target are identified using this new methodology and successfully exploited by EMFI.