14. Advanced Glitching
• Practical Analysis of Embedded Microcontrollers against Clock Glitching Attacks - by Ricardo Gomes da Silva, 17 March 2014
Summary of the paper:
• The research proposes an improved design for a clock-glitching system and compares the glitching results obtained for different assembly instructions.
• The research also shows that glitching multiple loops is possible with the appropriate hardware configuration.
16. Glitcher Development
• Results of the glitched clock:
• The research compares glitching results for:
• Unconditional loops (Jump, Relative Jump)
• Conditional loops (Branch if equal, Branch if not equal)
• Multiple loops
23. Multiple loops – (double RJMP)
Explanation:
D0 and W0 are the delay and width of the first glitch, while D1 and W1 are the delay and width of the second glitch (both measured after the trigger).
They were able to glitch multiple RJMPs (relative jumps) with 1-2 repeated glitches.
31. Defenses against glitching attacks
• Erase the flash/EEPROM in case of failure (Firmware Dogs, pgm_flag)
• Use a bl_configure function so that configuration can happen only once (Firmware Dogs)
Firmware Dogs: fill the buffer with FFs and rewrite pgm_flag; erase SRAM, then erase flash.
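The two defenses above, as an added host-side model that is not code from the paper or from Firmware Dogs: the MCU flash and SRAM are plain arrays, `bl_configure` accepts a configuration only while `pgm_flag` is still in the erased (0xFF) state, and any detected fault runs a Firmware-Dogs-style handler that rewrites `pgm_flag`, erases SRAM and then erases flash. `guarded_loop` shows how a loop whose RJMP has been glitched (one skipped iteration, simulated by the hypothetical `skip_at` parameter) is caught by a second, independent counter and routed into the same handler. The marker value 0xA5 and the sample configuration bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side model of the MCU memories (assumption: on a real part these are
 * flash/EEPROM pages and SRAM; here they are arrays so the example runs anywhere). */
#define FLASH_SIZE    64
#define SRAM_SIZE     32
#define PGM_FLAG_ADDR 0      /* first flash byte holds pgm_flag */
#define FLASH_ERASED  0xFF   /* erased flash reads back as all ones */
#define PGM_FLAG_SET  0xA5   /* constructed marker value: "configured once" */

static uint8_t sim_flash[FLASH_SIZE];
static uint8_t sim_sram[SRAM_SIZE];
static unsigned dog_trips;   /* how many times the failure handler ran */

enum bl_status { BL_OK = 0, BL_ALREADY_CONFIGURED = 1, BL_FAIL = 2 };

/* Reset the model to a fresh, fully erased device. */
void sim_reset(void) {
    memset(sim_flash, FLASH_ERASED, FLASH_SIZE);
    memset(sim_sram, 0x00, SRAM_SIZE);
    dog_trips = 0;
}

/* Firmware-Dogs-style failure response, in the order the slide gives:
 * rewrite pgm_flag, erase SRAM, then erase flash (fill with 0xFF). Nothing
 * half-programmed survives for a later glitch attempt to build on. */
void firmware_dog_fail(void) {
    sim_flash[PGM_FLAG_ADDR] = FLASH_ERASED;     /* rewrite pgm_flag */
    memset(sim_sram, 0x00, SRAM_SIZE);           /* erase SRAM */
    memset(sim_flash, FLASH_ERASED, FLASH_SIZE); /* then erase flash */
    dog_trips++;
}

/* Configure-once: the write is accepted only while pgm_flag is still erased.
 * A second call, or a write that does not read back, is treated as a fault. */
enum bl_status bl_configure(const uint8_t *cfg, size_t len) {
    if (cfg == NULL || len == 0 || len > FLASH_SIZE - 1) {
        firmware_dog_fail();
        return BL_FAIL;
    }
    if (sim_flash[PGM_FLAG_ADDR] != FLASH_ERASED) {
        firmware_dog_fail();
        return BL_ALREADY_CONFIGURED;
    }
    memcpy(&sim_flash[1], cfg, len);
    sim_flash[PGM_FLAG_ADDR] = PGM_FLAG_SET;
    /* Read back: a glitch that skipped the store leaves 0xFF behind. */
    if (sim_flash[PGM_FLAG_ADDR] != PGM_FLAG_SET ||
        memcmp(&sim_flash[1], cfg, len) != 0) {
        firmware_dog_fail();
        return BL_FAIL;
    }
    return BL_OK;
}

/* Loop with two independent counters that must agree at the end. A glitched
 * RJMP skips or repeats an iteration, the counters disagree, the dog fires.
 * skip_at is a hypothetical fault model: the iteration (1..n) whose second
 * counter update is skipped; 0 injects no fault. */
bool guarded_loop(unsigned n, unsigned skip_at) {
    unsigned down = n;   /* loop-control counter */
    unsigned up = 0;     /* shadow counter checked afterwards */
    while (down > 0) {
        down--;
        if (down + 1 != skip_at) up++;   /* the simulated skipped instruction */
        sim_sram[0] ^= 0x01;             /* stand-in for the loop body's work */
    }
    if (up != n) {
        firmware_dog_fail();
        return false;
    }
    return true;
}

/* Scenario: configure once, then try again. True when the second attempt is
 * refused and flash is wiped back to 0xFF by the handler. */
bool scenario_configure_twice(void) {
    static const uint8_t cfg[4] = {0x10, 0x20, 0x30, 0x40}; /* constructed config */
    sim_reset();
    if (bl_configure(cfg, sizeof cfg) != BL_OK) return false;
    if (sim_flash[PGM_FLAG_ADDR] != PGM_FLAG_SET || sim_flash[1] != 0x10) return false;
    if (bl_configure(cfg, sizeof cfg) != BL_ALREADY_CONFIGURED) return false;
    return sim_flash[PGM_FLAG_ADDR] == FLASH_ERASED &&
           sim_flash[1] == FLASH_ERASED && dog_trips == 1;
}

unsigned dog_trip_count(void) { return dog_trips; }

int main(void) {
    printf("configure twice refused and wiped: %s\n",
           scenario_configure_twice() ? "yes" : "no");
    sim_reset();
    printf("clean loop ok: %d, glitched loop caught: %d, dog trips: %u\n",
           guarded_loop(8, 0), !guarded_loop(8, 3), dog_trip_count());
    return 0;
}
```

The point of the model is that both defenses end in the same place: whether the fault is a repeated configuration attempt or a skipped loop iteration, the device wipes its own state rather than continuing with a partially programmed image, which removes the foothold that a second, better-timed glitch would otherwise rely on.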