Introduction to fault injection attacks (mainly glitching), with examples from the MITRE eCTF 2017 challenge.

1. Fault Injection Attacks
on embedded systems
Ziyad Alshehri
IA 5984
Fall - 2017

2. Overview
• Fault injection techniques
• Clock Glitching
• Timing the attack
• Setup for Clock Glitching
• Advanced Clock Glitching
• Voltage Glitching
• Setup for Voltage Glitching
• Defenses against fault injection
• Contribution to Sprite team
• Conclusion

3. Glitching Attacks
• Introducing faults in a target to alter its intended behavior
• The goal is to skip instructions or corrupt data while
read/write
• Real-life Example:
• Xbox 360 Reset Glitch Hack – by a French hacker GliGli, 2011

4. Clock Glitching
• Since the instructions are executed in a pipeline based on the rising edge, it’s
possible to skip an instruction by reducing the execution time.

5. Clock Glitching
• To build a Clock Glitcher, we XOR the glitch stream with the original clock:
• Then we remove the crystal oscillator and use the new clock.

6. Timing the attack
• In order to precisely attack the target, we have to
identify a trigger signal to initiate the attack based
on.
• Status LEDs
• Toggle GPIO
• Serial messages ( UART )
• Any other hardware events ( Reset, … )

7. Setup for Clock Glitching
• We will use Chipwhisperer-Lite for this attack
• Comprised of MCU & FPGA (ATSAM3U2C +
SPARTAN-6)
CLK out
Trigger in
UART for output

8. Setup for ATMEGA1284PChipWhispere
r
CLK OUT
Trigger
in
UART
output

9. ChipWhisperer Software
Configuration
External
trigger
offset
= 22% of 50ns = 11ns
= 14% of 50ns = 7ns
Glitch
offset
Glitch
Width
20MHz freq = Period 50ns

10. Results
Trigger
Target instruction

11. Examples of Successful Glitches
• Rolled back to version 1 using FPGA trigger (UART=‘U’) to skip version check, and then printed the
flag.
River Hawk (Umass Lowell)
Target instruction

12. Examples of Successful Glitches
• Obtained the encryption keys by glitching to exit the while loop, and then installing a malicious
firmware to print the keys over serial, then decrypted v1 firmware.
• Forced the bootloader to print out memory read log and decrypt it using the keys to get stored flags.
Northeastern ReadbackNortheastern Upload
If statement
Print ‘F’ = 0x46
Infinite loop
wdt_reset()
Minimum optimization -O1

13. Optimized !Optimized !
Lesson learned! Review the assembly code

14. Advanced Glitching
• Practical Analysis of Embedded Microcontrollers
against Clock Glitching Attacks - by Ricardo Gomes da
Silva, 17 March 2014
Summary of the paper:
• The research proposes a better design for a glitching
system, and compares between different glitching
results for different assembly instructions.
• Also, the research shows how glitching multiple loops is
possible with the appropriate hardware configurations.

15. Glitcher Development
• Using Die Datenkrake, Hardware Security Platform
• Comprised of ARM MCU & FPGA
• Their target XMEGA-A1 Xplained
XMEGA-A1 Xplained

16. Glitcher Development
• Results of the glitched clock:
• The research compares between
• Unconditional loops (Jump, Relative Jump)
• Conditional loops (Branch if equal, Branch if not equal)
• Multiple loops

17. Unconditional loops: Jump ( JMP )
Explanation:
JMP requires 3 CLK cycles to be
executed.
Each instruction is (16-bit) long,
and the new address is (22-bit)
long, therefore, we need 2 cycles
to fit the new address. If these 2
cycles were glitched then we can
bypass the instruction.

18. If we glitched both
cycles, we won’t
change the PC value.

19. Unconditional loops – Relative
Jump ( RJMP )
Explanation:
RJMP requires 2 CLK cycles to
be executed.
RJMP is a sum of the current
PC + offset (12 bit) +1 , so the
first cycle will conduct the
sum operation for the new
address, if glitched, then we
can bypass the instruction.

20. Conditional loops – Branch if
equal ( BREQ )
Explanation:
BREQ changes the current
flow of the program if the
compared values are equal. In
other words, subtract then
branch if zero.
BREQ requires 1 or 2 CLK
cycles to be executed. The first
cycle, will compare if the
result is zero or not (0xFF),
and the second one will
execute the branch.
We only need to glitch the
first cycle to bypass the
instruction.

21. Conditional loops –Branch if not
equal (BRNE)
Explanation:
BRNE changes the current flow
of the program if the compared
values are not equal. In other
words, subtract then branch if
not zero.
BRNE requires 1 or 2 CLK cycles
to be executed. The first cycle,
will compare if the result is not
zero (0xEE), and the second one
will execute the branch.
We only need to glitch the first
cycle to bypass the instruction.

22. Multiple loops – (double RJMP)
We needed to use the internal
trigger to add a precise delay
before the second RJMP.

23. Multiple loops – (double RJMP)
Explanation:
D0 and W0 correspond to the
delay and width of the first glitch,
while D1 and W1 correspond to
the delay and width of the second
glitch (after the trigger).
They were able to glitch multiple
RJMPs with 1-2 repeated glitches

24. VCC Glitching
Shunt
resistor

25. Setup for Voltage Glitching

26. Setup for ATMEGA1284P
ChipWhisperer
Glitch OUT

27. Example of VCC Glitching

29. Defenses against glitching attacks
• Using different clock for sensitive operations (
Firmware Dogs )

30. Defenses against glitching attacks
• Enable Brown-out-detection against vcc glitching

31. Defenses against glitching attacks
• Erase the flash/eeprom in case failure (Firmware Dogs,
pgm_flag)
• Using bl_configure function, to configure only once (
Firmware Dogs )
Firmware Dogs: Fill the buffer with FFs and rewrite pgm_flag: Erase SRAM, then erase flash

32. Defenses against glitching attacks
• Disable any unnecessary debug info (Snorlax)
Snorlax: no feedback on UART!

33. Contribution to Sprite team
• Got all flags from RPI, using AVR Dragon and High
Voltage Parallel Programming (HVPP)
• Hardening the hardware configurations (Lockbits)

34. Contribution to Sprite team
• implementing Clock Glitching, and helped getting
all flags from vulnerable designs.

35. References
• Gomes, Ricardo, “Practical Analysis of Embedded Microcontrollers against Clock Glitching
Attacks”, https://rgsilva.com/Bachelorarbeit.pdf
• Riscure: https://www.riscure.com/documents/eu-16-timmers-bypassing-secure-boot-using-
fault-injection.pdf?1479193246
• NCC Group:https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-
Electrical-Glitching-Attacks.pdf
• Chipwhisperer: https://wiki.newae.com
• Die Datenkrake: https://github.com/ddk
• AVR XMEGA datasheet: http://www.atmel.com/images/doc8077.pdf

36. Thank you