1,333 results on '"Fault Injection"'
Search Results
2. HUM-enhanced hybrid version of UVM with intelligent Fault injection and python based system predictors mechanisms
- Author
- G. Renuka
- Subjects
010302 applied physics, Computer science, business.industry, Computation, 02 engineering and technology, General Medicine, Fault injection, Python (programming language), 021001 nanoscience & nanotechnology, 01 natural sciences, ARM architecture, Universal Verification Methodology, Software, Embedded system, 0103 physical sciences, Hum, Transceiver, 0210 nano-technology, business, computer, computer.programming_language
- Abstract
Embedded SoC system verification has become a chief challenge in recent years due to the increase in complex architectures and software. Even though SoCs cater to the needs of implementing complex architectures, verification still remains crucial in terms of accuracy, computation time and, most importantly, complex methodologies. Several methodologies have been proposed; one such is the Universal Verification Methodology (UVM), which occupies a major role in SoC verification. UVM needs further research to improve its testing features and computation time. Hence HUM (Hybrid Universal Methodology) was proposed with the idea of extending UVM by integrating Fault Injection Systems along with Intelligent Predictors. The proposed tool has been tested with IoT wireless transceiver algorithms. The algorithms are targeted at ARM architectures and the results proved to be more vital.
- Published
- 2023
3. Soft Error Effects on Arm Microprocessors: Early Estimations versus Chip Measurements
- Author
- Paolo Rech, George N. Papadimitriou, Pablo Bodmann, Rubens Luiz Rech Junior, and Dimitris Gizopoulos
- Subjects
reliability, fault injection, business.industry, Computer science, neutrons, soft error, ARM, Word error rate, 02 engineering and technology, Fault injection, Fault (power engineering), Chip, 020202 computer hardware & architecture, Theoretical Computer Science, Soft error, Software, Computational Theory and Mathematics, Hardware and Architecture, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Central processing unit, business, Reliability (statistics)
- Abstract
Extensive research efforts are being carried out to evaluate and improve the reliability of computing devices, either through beam experiments or simulation-based fault injection. Unfortunately, it is still largely unclear to which extent fault injection can provide an accurate error rate estimation at early stages and if beam experiments can be used to identify the weakest resources in a device. The challenges associated with reliability evaluation grow with the increase of complexity of the hardware and the software. In this paper, we combine and analyze data gathered with extensive beam experiments (on the final physical CPU hardware) and microarchitectural fault injections (on early microarchitectural CPU models). We target a standalone Arm Cortex-A5 and an Arm Cortex-A9 integrated in an SoC and evaluate their reliability in bare-metal and Linux-based configurations. We find that both the SoC integration and the OS presence increase the system DUE (Detected Unrecoverable Error) rate (for different reasons) but do not significantly impact the SDC (Silent Data Corruption) rate, which is solely attributed to the CPU core. Our reliability analysis demonstrates that, even considering SoC integration and OS inclusion, early, pre-silicon microarchitecture-level fault injection delivers accurate SDC rate estimations and lower bounds for the DUE rates.
- Published
- 2022
4. Information Leakage Analysis Using a Co-Design-Based Fault Injection Technique on a RISC-V Microprocessor
- Author
- Jim Plusquellic, Brian Dziki, Tom J. Mannos, and Donald E. Owen
- Subjects
Computer science, business.industry, Plaintext, Fault injection, Fault (power engineering), Computer Graphics and Computer-Aided Design, Instruction set, Programmable logic device, Embedded system, RISC-V, Information leakage, State (computer science), Electrical and Electronic Engineering, business, Software
- Abstract
The RISC-V instruction set architecture open licensing policy has spawned a hive of development activity, making a range of implementations publicly available. The environments in which RISC-V operates have expanded correspondingly, driving the need for a generalized approach to evaluating the reliability of RISC-V implementations under adverse operating conditions or after normal wear-out periods. Fault injection (FI) refers to the process of changing the state of registers or wires, either permanently or momentarily, and then observing execution behavior. The analysis provides insight into the development of countermeasures that protect against the leakage or corruption of sensitive information which might occur because of unexpected execution behavior. In this paper, we develop a hardware-software co-design architecture that enables fast, configurable fault emulation and utilize it for information leakage and data corruption analysis. Modern System-on-chip FPGAs enable building an evaluation platform where control elements run on a processor(s) (PS) simultaneously with the target design running in the programmable logic (PL). Software components of the FI system introduce faults and report execution behavior. A pair of RISC-V FI-instrumented implementations are created and configured to execute the Advanced Encryption Standard and Twister algorithms. Key and plaintext information leakage and degraded pseudo-random sequences are both observed in the output for a subset of the emulated faults.
- Published
- 2022
5. Constructing software countermeasures against instruction manipulation attacks: an approach based on vulnerability evaluation using fault simulator
- Author
- Daisuke Fujimoto, Junichi Sakamoto, Tsutomu Matsumoto, and Shungo Hayashi
- Subjects
Computer Networks and Communications, business.industry, Computer science, Fault Simulator, Construct (python library), Fault injection, computer.software_genre, Software, Embedded system, Information leakage, Confidentiality, business, computer, Secure coding, Debugger
- Abstract
Fault injection attacks (FIA), which cause information leakage by injecting intentional faults into the data or operations of devices, are one of the most powerful methods compromising the security of confidential data stored on these devices. Previous studies related to FIA report that attackers can skip instructions running on many devices through many means of fault injection. Most existing anti-FIA countermeasures on software are designed to secure against instruction skip (IS). On the other hand, recent studies report that attackers can use laser fault injection to manipulate instructions running on devices as they want. Although the previous studies have shown that instruction manipulation (IM) could attack the existing countermeasures against IS, no effective countermeasures against IM have been proposed. This paper is the first work tackling this problem, aiming to construct software-based countermeasures against IM faults. Evaluating program vulnerabilities to IM faults is required to consider countermeasures against IM faults. We propose three IM simulation environments for that aim and compare them to reveal their performance difference. The GDB (GNU debugger)-based simulator that we newly propose in this paper outperforms the QEMU-based simulator that we presented in AICCSA:1–8, 2020 in advance, in terms of evaluation time at most $\times 400$ faster. Evaluating a target program using the proposed IM simulators reveals that the IM faults leading to attack successes are classified into four classes. We propose secure coding techniques as countermeasures against IMs of each of the four classes and show the effectiveness of the countermeasures using the IM simulators.
- Published
- 2021
6. Identifying Radiation-Induced Micro-SEFIs in SRAM FPGAs
- Author
- Andres Perez-Celis, Corbin Thurlow, and Michael Wirthlin
- Subjects
Triple modular redundancy, Nuclear and High Energy Physics, 010308 nuclear & particles physics, Computer science, business.industry, Event (computing), Hardware_PERFORMANCEANDRELIABILITY, Fault injection, 01 natural sciences, Nuclear Energy and Engineering, 13. Climate action, Memory cell, Embedded system, 0103 physical sciences, Static random-access memory, Hardware_ARITHMETICANDLOGICSTRUCTURES, Electrical and Electronic Engineering, Error detection and correction, Field-programmable gate array, business, Vulnerability (computing)
- Abstract
Field-programmable gate arrays (FPGAs) are susceptible to radiation-induced effects that can affect more than one memory cell. Radiation-induced micro single-event functional interrupts (micro-SEFIs) are one such event that can upset several bits at a time. These events need to be studied because they can overcome protection from techniques such as triple modular redundancy (TMR) and error correction codes (ECCs). Extracting these events from radiation data helps to understand if specific resources of the FPGA are more vulnerable and the extent of this vulnerability. This article presents a method based on statistics and fault injection to identify micro-SEFIs from beam-test data in the configuration memory and block RAM (BRAM) of SRAM-based FPGAs. The results show the cross section of these events for the configuration RAM (CRAM) and BRAM for three families of Xilinx SRAM FPGAs gathered throughout three neutron tests. This article also contains data from a fault injection campaign to uncover the possible CRAM source bits causing micro-SEFIs in memory look-up tables (LUTs) of Xilinx 7-series and Ultrascale devices.
- Published
- 2021
7. REPAIR: Control Flow Protection based on Register Pairing Updates for SW-Implemented HW Fault Tolerance
- Author
- Ulf Schlichtmann, Uzair Sharif, and Daniel Mueller-Gritschneder
- Subjects
business.industry, Computer science, Register file, Fault tolerance, OpenRISC, Fault injection, Data flow diagram, Soft error, Control flow, Hardware and Architecture, Embedded system, Redundancy (engineering), business, Software
- Abstract
Safety-critical embedded systems may either use specialized hardware or rely on Software-Implemented Hardware Fault Tolerance (SIHFT) to meet soft error resilience requirements. SIHFT has the advantage that it can be used with low-cost, off-the-shelf components such as standard Micro-Controller Units. For this, SIHFT methods apply redundancy in software computation and special checker codes to detect transient errors, so-called soft errors, that either corrupt the data flow or the control flow of the software and may lead to Silent Data Corruption (SDC). So far, this is done by applying separate SIHFT methods for the data and control flow protection, which leads to large overheads in computation time. This work, in contrast, presents REPAIR, a method that exploits the checks of the SIHFT data flow protection to also detect control flow errors, thereby yielding higher SDC resilience with less computational overhead. For this, the data flow protection methods entail duplicating the computation with subsequent checks placed strategically throughout the program. These checks assure that the two redundant computation paths, which work on two different parts of the register file, yield the same result. By updating the pairing between the registers used in the primary computation path and the registers in the duplicated computation path using the REPAIR method, these checks also fail with high coverage when a control flow error, which leads to an illegal jump, occurs. Extensive RTL fault injection simulations are carried out to accurately quantify soft error resilience while evaluating Mibench programs along with an embedded case-study running on an OpenRISC processor. Our method performs slightly better on average in terms of soft error resilience compared to the best state-of-the-art method while requiring significantly lower overheads. These results show that REPAIR is a valuable addition to the set of known SIHFT methods.
- Published
- 2021
8. Emulating Radiation-Induced Multicell Upset Patterns in SRAM FPGAs With Fault Injection
- Author
- Andres Perez-Celis, Corbin Thurlow, and Michael Wirthlin
- Subjects
Triple modular redundancy, Nuclear and High Energy Physics, Computer science, business.industry, Radiation induced, Hardware_PERFORMANCEANDRELIABILITY, Fault injection, Upset, Microcontroller, Nuclear Energy and Engineering, Fault mitigation, Embedded system, Static random-access memory, Hardware_ARITHMETICANDLOGICSTRUCTURES, Electrical and Electronic Engineering, business, Field-programmable gate array
- Abstract
Radiation-induced multiple-cell upsets (MCUs) are events that account for more than 50% of failures on triple modular redundancy (TMR) designs in SRAM field programmable gate array (FPGA). It is important to understand these events and their impact on FPGA designs to develop improved fault mitigation techniques. This article describes an enhanced fault injection (FI) method for SRAM-based FPGAs that injects MCUs within the configuration memory of an FPGA based on MCU information extracted from previous radiation tests. The improved FI technique uncovers $3\times$ more failures than is observable in conventional single-bit FI approaches. The results from several MCU FI experiments also show that injecting MCUs can replicate the failures observed in the radiation beam test and identify new failure mechanisms.
- Published
- 2021
9. Mitigating Voltage Attacks in Multi-Tenant FPGAs
- Author
- George Provelengios, Daniel Holcomb, and Russell Tessier
- Subjects
General Computer Science, Clock signal, Computer science, business.industry, 020208 electrical & electronic engineering, Cloud computing, 02 engineering and technology, Fault injection, 020202 computer hardware & architecture, Power (physics), Embedded system, Stratix, 0202 electrical engineering, electronic engineering, information engineering, Field-programmable gate array, business, Reset (computing), Electronic circuit
- Abstract
Recent research has exposed a number of security issues related to the use of FPGAs in embedded system and cloud computing environments. Circuits that deliberately waste power can be carefully crafted by a malicious cloud FPGA user and deployed to cause denial-of-service and fault injection attacks. The main defense strategy used by FPGA cloud services involves checking user-submitted designs for circuit structures that are known to aggressively consume power. Unfortunately, this approach is limited by an attacker’s ability to conceive new designs that defeat existing checkers. In this work, our contributions are twofold. We evaluate a variety of circuit power wasting techniques that typically are not flagged by design rule checks imposed by FPGA cloud computing vendors. The efficiencies of five power wasting circuits, including our new design, are evaluated in terms of power consumed per logic resource. We then show that the source of voltage attacks based on power wasters can be identified. Our monitoring approach localizes the attack and suppresses the clock signal for the target region within 21 μs, which is fast enough to stop an attack before it causes a board reset. All experiments are performed using a state-of-the-art Intel Stratix 10 FPGA.
- Published
- 2021
10. Bridging the Gap between RTL and Software Fault Injection
- Author
- Florian Pebay-Peyroula, Johan Laurent, Christophe Deleuze, Vincent Beroulle, Laboratoire de Conception et d'Intégration des Systèmes (LCIS), Université Grenoble Alpes (UGA)-Institut polytechnique de Grenoble - Grenoble Institute of Technology (Grenoble INP ), Université Grenoble Alpes (UGA)-Université Grenoble Alpes (UGA), Commissariat à l'énergie atomique et aux énergies alternatives - Laboratoire d'Electronique et de Technologie de l'Information (CEA-LETI), Direction de Recherche Technologique (CEA) (DRT (CEA)), and Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA)
- Subjects
Bridging (networking), Computer science, business.industry, Hardware_PERFORMANCEANDRELIABILITY, Fault injection, Fault modeling, Microarchitecture, Software fault, Hardware and Architecture, Embedded system, [INFO]Computer Science [cs], Electrical and Electronic Engineering, business, Software
- Abstract
Protecting programs against hardware fault injection requires accurate software fault models. However, typical models, such as the instruction skip, do not take into account the microarchitecture specificities of a processor. We propose in this article an approach to study the relation between faults at the Register Transfer Level (RTL) and faults at the software level. The goal is twofold: accurately model RTL faults at the software level and materialize software fault models to actual RTL injections. These goals lead to a better understanding of a system's security against hardware fault injection, which is important to design effective and cost-efficient countermeasures. Our approach is based on the comparison between results from RTL simulations and software injections (using a program mutation tool). Various analyses are included in this article to give insight on the relevance of software fault models, such as the computation of a coverage and fidelity metric, and to link software fault models to hardware RTL descriptions. These analyses are applied on various single-bit and multiple-bit injection campaigns to study the faulty behaviors of a RISC-V processor.
- Published
- 2021
11. Neutron Radiation Testing of a TMR VexRiscv Soft Processor on SRAM-Based FPGAs
- Author
- Michael Wirthlin, Christine D. Wilson, Andrew Wilson, Corbin Thurlow, and Sam Larsen
- Subjects
Triple modular redundancy, Nuclear and High Energy Physics, 010308 nuclear & particles physics, Computer science, business.industry, Reliability (computer networking), Hardware_PERFORMANCEANDRELIABILITY, Fault injection, Neutron radiation, 01 natural sciences, Software implementation, Nuclear Energy and Engineering, Gate array, Embedded system, 0103 physical sciences, Static random-access memory, Hardware_ARITHMETICANDLOGICSTRUCTURES, Electrical and Electronic Engineering, Field-programmable gate array, business
- Abstract
Soft processors are often used within field-programmable gate array (FPGA) designs in radiation hazardous environments. These systems are susceptible to single-event upsets (SEUs) that can corrupt both the hardware configuration and software implementation. Mitigation of these SEUs can be accomplished by applying triple modular redundancy (TMR) techniques to the processor. This article presents fault injection and neutron radiation results of a Linux-capable TMR VexRiscv processor. The TMR processor achieved a $10\times$ improvement in SEU-induced mean fluence to failure with a cost of $4\times$ resource utilization. To further understand the TMR system failures, additional post-radiation fault injection was performed with targets generated from the radiation data. This analysis showed that not all the failures were due to single-bit upsets, but potentially caused by multibit upsets, nontriplicated IO, and unmonitored nonconfiguration RAM (CRAM) SEUs.
- Published
- 2021
12. Impact of Single-Event Upsets on Convolutional Neural Networks in Xilinx Zynq FPGAs
- Author
- Xiao Jianfeng, Shouli Wang, Yuke Wang, Tongling Liang, and Haibin Wang
- Subjects
Triple modular redundancy, Nuclear and High Energy Physics, Computer science, business.industry, Control reconfiguration, Hardware_PERFORMANCEANDRELIABILITY, Fault injection, Fault (power engineering), Convolutional neural network, Reduction (complexity), Soft error, Nuclear Energy and Engineering, Embedded system, Hardware_ARITHMETICANDLOGICSTRUCTURES, Electrical and Electronic Engineering, Field-programmable gate array, business
- Abstract
Convolutional neural networks (CNNs) are quickly becoming an attractive solution for autonomous vehicles, military weapons, and space exploration. Thanks to their reconfiguration ability, design flexibility, and low power consumption, field-programmable gate arrays (FPGAs) have become a promising candidate for CNN accelerators. However, FPGAs have been proven to be susceptible to radiation-induced single-event upsets (SEUs). One goal of this article is to analyze the impact of quantization on the reliability of CNNs in FPGAs. Therefore, we performed quantization on ZynqNet without affecting its classification accuracy. Meanwhile, we implemented the triple modular redundancy (TMR) version of ZynqNet and we also evaluated the effects of SEUs on these CNNs through both fault injections and neutron exposures. Fault injection results show that TMRed ZynqNet reduces the soft error rate (SER) by 33.59% with a circuit area increase of 111.92% when compared with the standard ZynqNet. The experimental results demonstrate that the quantized ZynqNet reduces the SER by 71.36% with a circuit area reduction of 44.76% when compared with the standard ZynqNet. These results confirm that quantization does contribute to SER reduction of the neural networks. In addition, the operating system on the processing system (PS) side was also found to be highly sensitive to SEUs, and, thus, mitigation techniques should be applied.
- Published
- 2021
13. Precise Cache Profiling for Studying Radiation Effects
- Author
- James Marshall, Gabriel Parmer, Robert Gifford, Gedare Bloom, and Rahul Simha
- Subjects
Profiling (computer programming), 010308 nuclear & particles physics, Event (computing), Computer science, business.industry, media_common.quotation_subject, Hardware_PERFORMANCEANDRELIABILITY, 02 engineering and technology, Fault injection, Fault (power engineering), 01 natural sciences, 020202 computer hardware & architecture, Debugging, Hardware and Architecture, Embedded system, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Transient (computer programming), Cache, business, Software, media_common, Vulnerability (computing)
- Abstract
Increased access to space has led to an increase in the usage of commodity processors in radiation environments. These processors are vulnerable to transient faults such as single event upsets that may cause bit-flips in processor components. Caches in particular are vulnerable due to their relatively large area, yet are often omitted from fault injection testing because many processors do not provide direct access to cache contents and they are often not fully modeled by simulators. The performance benefits of caches make disabling them undesirable, and the presence of error correcting codes is insufficient to correct for increasingly common multiple bit upsets. This work explores building a program’s cache profile by collecting cache usage information at an instruction granularity via commonly available on-chip debugging interfaces. The profile provides a tighter bound than cache utilization for cache vulnerability estimates (50% for several benchmarks). This can be applied to reduce the number of fault injections required to characterize behavior by at least two-thirds for the benchmarks we examine. The profile enables future work in hardware fault injection for caches that avoids the biases of existing techniques.
- Published
- 2021
14. DOMREP–An Orthogonal Countermeasure for Arbitrary Order Side-Channel and Fault Attack Protection
- Author
- Michael Gruber, Matthias Probst, Michael Tempelmeier, Georg Sigl, Lars Tebelmann, Patrick Karl, and Thomas Schamberger
- Subjects
Emulation, Computer Networks and Communications, Computer science, business.industry, Cryptography, Fault injection, Fault (power engineering), Embedded system, Overhead (computing), Side channel attack, Safety, Risk, Reliability and Quality, Field-programmable gate array, Error detection and correction, business
- Abstract
Protection against physical attacks is a major requirement for cryptographic implementations on devices which can be accessed by attackers. Side-channel and fault injection attacks are the most common types of physical attacks. In this work we present a novel generic solution for simultaneous protection against side-channel and fault attacks with arbitrary order. We combine domain oriented masking and repetition codes in an orthogonal way and call this approach DOMREP. The resistance against side-channel attacks and fault attacks can be scaled independently of each other, for the protection against higher-order side-channel analysis and the injection of multiple faults including SIFA. We develop the generic concept of orthogonal protection, and implement the DOMREP concept on GIMLI, a round two NIST LWC competition candidate, on a Xilinx Artix-7 FPGA. Our implementation of GIMLI is verified to be resistant against univariate first-order side-channel attacks by TVLA. The resistance against SIFA is verified by means of fault emulation of single as well as multiple bit faults. Our implementation of GIMLI achieves the expected security level according to these measurements. We also provide numbers for the area overhead for our protected implementation of GIMLI.
- Published
- 2021
15. FERNANDO: A Software Transient Fault Tolerance Approach for Embedded Systems Based on Redundant Multi-Threading
- Author
- Yi Hu, Haotian Wu, and Ruifeng Guo
- Subjects
General Computer Science, redundant multi-threading, Computer science, Embedded systems, 02 engineering and technology, 01 natural sciences, Instruction set, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Redundancy (engineering), Overhead (computing), General Materials Science, Transient (computer programming), Electrical and Electronic Engineering, 010302 applied physics, reliability, business.industry, General Engineering, Fault tolerance, Fault injection, 020202 computer hardware & architecture, fault-tolerance, TK1-9971, Multithreading, Embedded system, microprocessor, Electrical engineering. Electronics. Nuclear engineering, Error detection and correction, business
- Abstract
As semiconductor technology scales, modern microprocessors are more vulnerable to transient faults. Software-level fault tolerance schemes are promising because they can improve reliability effectively without extra hardware. Redundant Multi-threading (RMT) uses off-the-shelf cores as redundancy to achieve error resilience. Latest software RMT fault-tolerance models do not effectively cope with transient faults occurring on multiple components during the application execution, resulting in a large number of silent data corruptions (SDC). To address this challenge, we propose FERNANDO, a software-level RMT runtime fault tolerance scheme which provides enhanced error detection and comprehensive error recovery by Triple-Modular Redundancy (TMR). On an ARM Cortex-A57 like simulated microprocessor, we performed probability model transient fault injection experiments in different components of all cores. The results demonstrate that, compared to the state-of-the-art technique, FERNANDO can reduce the SDC rate by about 86.67 percent and optimize the execution time overhead by about 19.64 percent.
- Published
- 2021
16. Reliability Analysis of ASIC Designs With Xilinx SRAM-Based FPGAs
- Author
- O. Ruano, Francisco Garcia-Herrero, Juan Antonio Maestro, and Luis Alberto Aranda
- Subjects
General Computer Science, fault injection, Computer science, emulation, Context (language use), Hardware_PERFORMANCEANDRELIABILITY, Application-specific integrated circuit, Gate array, Hardware_INTEGRATEDCIRCUITS, General Materials Science, Static random-access memory, Hardware_ARITHMETICANDLOGICSTRUCTURES, Bitstream, Field-programmable gate array, FPGA, Emulation, reliability, business.industry, ASIC, General Engineering, TK1-9971, Embedded system, Antifuse, Electrical engineering. Electronics. Nuclear engineering, business, configuration memory, Hardware_LOGICDESIGN
- Abstract
There are many platforms and tools based on field-programmable gate array (FPGA) devices oriented to facilitate the reliability estimation of digital designs, but they are usually focused only on configuration memory errors since the configuration memory represents the majority of the memory elements in an FPGA. However, an FPGA-based platform could also be exploited to support the emulation of transient and permanent errors for designs intended to work in application-specific integrated circuits (ASICs) or radiation-hardened devices such as antifuse FPGAs. In this context, the obtention of a particular set of bits to flip is required to be able to emulate these error models. The main difficulty of this approach lies in determining the mentioned set of bits, which is due to the unavailability of a public description of the bitstream and the lack of FPGA architecture details. To help with this issue, we present a methodology to determine specific configuration memory bits from SRAM-based FPGAs that, when flipped, emulate permanent or transient upsets in any flip-flop element of the design under test. This methodology is proved in recent FPGA technologies and provides great control and precision in reliability experiments for harsh environments.
- Published
- 2021
17. Power Distribution Attacks in Multitenant FPGAs
- Author
- George Provelengios, Daniel Holcomb, and Russell Tessier
- Subjects
Multitenancy, business.industry, Computer science, Cloud computing, Hardware_PERFORMANCEANDRELIABILITY, 02 engineering and technology, Fault injection, Encryption, Fault (power engineering), 020202 computer hardware & architecture, Hardware and Architecture, Embedded system, Hardware_INTEGRATEDCIRCUITS, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), System on a chip, Electrical and Electronic Engineering, business, Field-programmable gate array, Software
- Abstract
The increased use of field-programmable gate arrays (FPGAs) in the cloud and embedded computing environments has led to a number of potential security risks. The sizable amount of logic resources in these devices makes them amenable to sharing across multiple untrusted tenants. However, the co-location of multiple independent circuits presents the possibility of malicious fault injection into an unsuspecting circuit. In this article, the ability of one tenant’s FPGA circuit to inject delay faults into another tenant’s application located at points across the FPGA die via deliberate supply voltage modulation is investigated. To illustrate the risks involved, a Rivest–Shamir–Adleman (RSA) encryption key extraction attack is performed by introducing delay faults in hardware via voltage manipulations. This attack does not require modification to the encryption core nor require attack activation synchronized with specific encryption operations. Our work characterizes the magnitude of on-chip voltage changes and fault injections over time in relation to the on-chip location of the malicious circuit once an attack is initiated. Strategies to identify power manipulation using low-cost monitoring circuits that can locate the source of an attack are highlighted.
- Published
- 2020
18. Laser-Induced Fault Injection on Smartphone Bypassing the Secure Boot-Extended Version
- Author
-
Aurélien Vasselle, Adele Morisset, Sebastien Ermeneux, Hugues Thiebeauld, and Quentin Maouhoub
- Subjects
Computer science ,business.industry ,02 engineering and technology ,Fault injection ,Laser ,020202 computer hardware & architecture ,Theoretical Computer Science ,law.invention ,Software ,Computational Theory and Mathematics ,Hardware and Architecture ,law ,Mobile phone ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Android (operating system) ,business
- Abstract
This paper describes the outcome of a laser attack study on an Android smartphone targeting specifically the secure boot sequence. Laser fault injection has become a classical attack path in the secure chip industry to investigate potential security mitigation. The implementation of such attacks on a recent mobile phone remains relatively unexplored and represents different challenges, both at hardware and software levels. In this paper, we show how the device is crafted to get a direct access to the silicon and explain the corresponding experimental setup. By inserting our own software into the boot sequence, it was possible to achieve a fine characterization of the die sensitivity to laser emissions. With the knowledge of potential perturbations, several attack scenarios were built, allowing to malevolently get the highest level of privilege within the mobile phone.
- Published
- 2020
19. A Hierarchical Scrubbing Technique for SEU Mitigation on SRAM-Based FPGAs
- Author
-
Zheng Sijie, Guanghui He, and Naifeng Jing
- Subjects
Hardware architecture ,Mean time between failures ,Hardware_MEMORYSTRUCTURES ,business.industry ,Computer science ,Hardware_PERFORMANCEANDRELIABILITY ,02 engineering and technology ,Fault injection ,020202 computer hardware & architecture ,Soft error ,Hardware and Architecture ,Gate array ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Redundancy (engineering) ,Static random-access memory ,Electrical and Electronic Engineering ,Field-programmable gate array ,business ,Software ,Data scrubbing
- Abstract
The SRAM-based field-programmable gate array (FPGA) is extremely susceptible to single event upsets (SEUs) on configuration memory which can lead to soft error and malfunction of the circuit. Facing the ever-growing number of configuration bits in modern FPGAs, traditional scrubbing is getting harder to find errors in time, resulting in mismatching between the SEU sensitivity and scrubbing performance. This article proposes a hierarchical scrubbing technique that makes full use of the SEU sensitivity based on the adaptive mean time to detect (MTTD) for each frame. It distinguishes the configuration frames with multipriority and uses different scrubbing methods for different priorities. Also, a model has been built for solving the MTTD allocating problem and enabling an effective scrubbing when SEUs occur. Moreover, the corresponding hardware architecture is supported and the fault injection-based evaluation on a Xilinx Kintex-7 FPGA is done. The result shows that it can improve mean upsets to failure from $1.56\times$ to $146.93\times$, which is proportional to the mean time to failure (MTTF) improvement.
- Published
- 2020
20. Design of fault-resilient S-boxes for AES-like block ciphers
- Author
-
Swapan Maiti and Dipanwita Roy Chowdhury
- Subjects
Computer Networks and Communications ,business.industry ,Computer science ,Applied Mathematics ,Substitution (logic) ,020206 networking & telecommunications ,Hardware_PERFORMANCEANDRELIABILITY ,0102 computer and information sciences ,02 engineering and technology ,Fault injection ,Fault (power engineering) ,01 natural sciences ,Fault detection and isolation ,Cellular automaton ,Computational Theory and Mathematics ,010201 computation theory & mathematics ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Cryptosystem ,Hardware_ARITHMETICANDLOGICSTRUCTURES ,business ,Field-programmable gate array ,Block cipher
- Abstract
Substitution functions (S-boxes) play an important role in the security of AES-like cryptosystems, but the cryptosystems are highly vulnerable against fault injection attacks. Some research has been carried out previously to prevent fault injection attacks on AES, but most of the countermeasures are restricted to the detection of faults only, and they only work at the cost of large hardware needed for duplicating the S-boxes. In this paper, we present a design construction of fault-resilient S-boxes for AES-like block ciphers by fault detection and correction. The random evolution of cellular automata with linear and nonlinear neighborhood functions is exploited to design these S-boxes. The proposed design guarantees 100% coverage of single-byte fault correction and double-byte fault detection in the S-boxes. The FPGA implementation shows that our design makes the substitution boxes fault-resilient with 21.34% extra hardware compared to the AES substitution layer.
- Published
- 2020
21. Evaluating Soft Core RISC-V Processor in SRAM-Based FPGA Under Radiation Effects
- Author
-
Luis A. C. Benites, Nemitala Added, Fabio Benevenuti, Nilberto H. Medina, Adria Barros de Oliveira, Marcilei A. G. Silveira, Fernanda Lima Kastensmidt, Lucas A. Tambara, and V. A. P. Aguiar
- Subjects
Triple modular redundancy ,Nuclear and High Energy Physics ,Emulation ,MATERIAIS ,010308 nuclear & particles physics ,Computer science ,business.industry ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,01 natural sciences ,Nuclear Energy and Engineering ,Gate array ,Embedded system ,0103 physical sciences ,RISC-V ,Redundancy (engineering) ,Static random-access memory ,Electrical and Electronic Engineering ,Field-programmable gate array ,business
- Abstract
This article evaluates the RISC-V Rocket processor embedded in a Commercial Off-The-Shelf (COTS) SRAM-based field-programmable gate array (FPGA) under heavy-ions-induced faults and emulation fault injection. We also analyze the efficiency of using mitigation techniques based on hardware redundancy and scrubbing. Results demonstrated an improvement of $3\times$ in the cross section when scrubbing and coarse grain triple modular redundancy are used. The Rocket processor presented analogous sensitivity to radiation effects as the state-of-the-art soft processors. Due to the complexity of the system-on-chip, not only the Rocket core but also its peripherals should be protected with proper solutions. Such solutions should address the specific vulnerabilities of each component to improve the overall system reliability while maintaining the trade-off with performance.
- Published
- 2020
22. An Adjustable and Fast Error Repair Scrubbing Method Based on Xilinx Essential Bits Technology for SRAM-Based FPGA
- Author
-
Xuebing Cao, Linzhe Li, Jie Li, Liyi Xiao, and Rongsheng Zhang
- Subjects
Hardware_MEMORYSTRUCTURES ,021103 operations research ,User design ,business.industry ,Computer science ,Reliability (computer networking) ,0211 other engineering and technologies ,Hardware_PERFORMANCEANDRELIABILITY ,02 engineering and technology ,Fault injection ,Fpga design ,Single event upset ,Embedded system ,Static random-access memory ,Electrical and Electronic Engineering ,Safety, Risk, Reliability and Quality ,business ,Field-programmable gate array ,Data scrubbing
- Abstract
Field programmable gate array (FPGA) is becoming more valuable for space applications because of its large density, high performance, reduced development cost and flexible programmability. In particular, static random access memory (SRAM) based FPGA is very valuable for remote missions because of the possibility of being reprogrammed by the user as many times as necessary in a very short period. However, SRAM-based FPGA contains a large number of memory cells which are very sensitive to single event upset (SEU). SEU in SRAM-based FPGA may result in a functional error unless the FPGA is reconfigured. In this paper, we propose a fast adjustable scrubbing method based on Xilinx essential bits technology to mitigate the effect of SEU for SRAM-based FPGA. The whole scrubbing flow contains two sub-flows: partial scrubbing and entire scrubbing. This scrubbing method not only increases the speed of repairing an error for user design, but also ensures the reliability of whole FPGA design. We test the proposed scrubbing method through fault injection. Finally, we show the error repair speeds of user designs for different repeat cycles of partial scrubbing and summarize the optimized repeat cycles of partial scrubbing.
- Published
- 2020
23. SAFARI: Automatic Synthesis of Fault-Attack Resistant Block Cipher Implementations
- Author
-
Swarup Bhunia, Aritra Hazra, Chester Rebeiro, and Indrani Roy
- Subjects
Computer science ,business.industry ,02 engineering and technology ,Fault injection ,Computer Graphics and Computer-Aided Design ,020202 computer hardware & architecture ,Cipher ,Embedded system ,CLEFIA ,Camellia ,Fault coverage ,0202 electrical engineering, electronic engineering, information engineering ,Code (cryptography) ,Key (cryptography) ,Electrical and Electronic Engineering ,business ,Software ,Vulnerability (computing) ,Block cipher
- Abstract
Most cipher implementations are vulnerable to a class of cryptanalytic attacks known as fault injection attacks. To reveal the secret key, these attacks make use of faults induced at specific locations during the execution of the cipher. Countermeasures for fault injection attacks require these vulnerable locations in the implementation to be first identified and then protected. However, both these steps are difficult and error-prone and, hence, it requires considerable expertise to design efficient countermeasures. Incorrect or insufficient application of the countermeasures would cause the implementation to remain vulnerable, while inefficient application of the countermeasures could lead to significant performance penalties to achieve the desired fault-attack resistance. In this paper, we present a novel framework called SAFARI for automatically synthesizing fault-attack resistant implementations of block ciphers. The framework takes as input the security requirements and a high-level specification of the block cipher. It automatically detects the vulnerable locations from the specification, applies an appropriate countermeasure based on the user-specified security requirements, and then synthesizes an efficient, fault-attack protected, RTL, or C code for the cipher. We take AES, CAMELLIA, and CLEFIA as case studies and demonstrate how the framework would explore different countermeasures, based on the vulnerability of the locations, the output format, and the required security margins. We then evaluate the efficacy of SAFARI in hardware and software to the design overhead incurred and the fault coverage.
- Published
- 2020
24. Analysis of Dynamic Laser Injection and Quiescent Photon Emissions on an Embedded Processor
- Author
-
Mustafa Faraj, Karim Amin, Catherine H. Gebotys, and Haohao Liao
- Subjects
Reverse engineering ,Profiling (computer programming) ,Fine-tuning ,Photon ,Cycles per instruction ,Computer science ,business.industry ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,Laser ,Fault (power engineering) ,computer.software_genre ,law.invention ,law ,Embedded system ,business ,computer
- Abstract
Security is increasingly widespread in many embedded devices. As technology scales, fault attacks are seen as becoming more relevant to many embedded devices, revealing secrets utilized within the silicon. Despite numerous publications in fault injection, laser fault injection methodologies remain diverse with limited details on equipment and setups. A new laser fault injection methodology is proposed which combines quiescent photon emissions with backside dynamic laser pulse profiling in time and space. Empirical results illustrate the impact of the laser on multiple-instruction fault injections, and controlled instruction replacement faults. Unlike previous research, quiescent photon emissions combined with laser fault injection provides fine tuning of faulty instructions in addition to reverse engineering within each clock cycle. This research is critical for understanding how to design more secure and trustworthy hardware, including countermeasures to thwart attacks.
- Published
- 2020
25. POSTER: OS Independent Fuzz Testing of I/O Boundary
- Author
-
Masanori Misono and Takahiro Shinagawa
- Subjects
Scheme (programming language) ,Source code ,business.industry ,Computer science ,media_common.quotation_subject ,Hypervisor ,Fault injection ,Fuzz testing ,Tracing ,Boundary (real estate) ,Embedded system ,Test efficiency ,business ,computer ,media_common ,computer.programming_language
- Abstract
Device drivers tend to be vulnerable to errant/malicious devices because many of them assume that devices always operate correctly. If a device driver is compromised either deliberately or accidentally, this can lead to system failure or give adversaries entire system access. Therefore, testing whether device drivers can handle compromised I/O correctly is important. There are several studies on testing device drivers against I/O attacks or device failures. Previous studies, however, either require source code for testing, lack test efficiency, only support a specific OS, or only target MMIO accesses. In this paper, we present a novel testing framework of device drivers' I/O boundaries. By combining a hypervisor-based fault injection mechanism and coverage-guided fuzzing scheme, our testing framework is not only OS-independent but also efficient and can test closed-source drivers. To get the information needed to test without OS cooperation, we use IOMMU to detect DMA regions and a hardware tracing mechanism to get coverage. We describe the detailed design and the current status.
- Published
- 2021
26. 3MileBeach
- Author
-
Jun Zhang, Aldrin Montana, Daniel Bittman, Peter Alvaro, and Robert Ferydouni
- Subjects
business.industry ,Computer science ,media_common.quotation_subject ,Serialization ,Performance tuning ,Fault tolerance ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,Tracing ,Fault (power engineering) ,Debugging ,Embedded system ,Overhead (computing) ,business ,media_common
- Abstract
We present 3MileBeach, a tracing and fault injection platform designed for microservice-based architectures. 3MileBeach interposes on the message serialization libraries that are ubiquitous in this environment, avoiding the application code instrumentation that tracing and fault injection infrastructures typically require. 3MileBeach provides message-level distributed tracing at less than 50% of the overhead of the state-of-the-art tracing frameworks, and fault injection that allows higher precision experiments than existing solutions. We measure the overhead of 3MileBeach as a tracer and its efficacy as a fault injector. We qualitatively measure its promise as a platform for tuning and debugging by sharing concrete use cases in the context of bottleneck identification, performance tuning, and bug finding. Finally, we use 3MileBeach to perform a novel type of fault injection - Temporal Fault Injection (TFI), which more precisely controls individual inter-service message flow with temporal prerequisites, and makes it possible to catch an entirely new class of fault tolerance bugs.
- Published
- 2021
27. Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure
- Author
-
Daisuke Suzuki, Rei Ueno, Nashimoto Shoei, and Naofumi Homma
- Subjects
Computer engineering. Computer hardware ,Computer science ,business.industry ,Fault Injection ,Trusted Execution Environment ,RISC-V ,Fault injection ,Information technology ,T58.5-58.64 ,TK7885-7895 ,Countermeasure ,Embedded system ,Side channel attack ,Memory Protection ,business
- Abstract
RISC-V is equipped with physical memory protection (PMP) to prevent malicious software from accessing protected memory regions. PMP provides a trusted execution environment (TEE) that isolates secure and insecure applications. In this study, we propose a side-channel-assisted fault-injection attack to bypass isolation based on PMP. The proposed attack scheme involves extracting successful glitch parameters for fault injection from side-channel information under cross-device conditions. A proof-of-concept TEE compatible with PMP in RISC-V was implemented, and the feasibility and effectiveness of the proposed attack scheme were validated through experiments in TEEs. The results indicate that an attacker can bypass the isolation of the TEE and read data from the protected memory region. In addition, we experimentally demonstrate that the proposed attack applies to a real-world TEE, Keystone. Furthermore, we propose a software-based countermeasure that prevents the proposed attack.
- Published
- 2021
28. Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models
- Author
-
Sébanjila Kevin Bukasa, Guillaume Bouffard, Mathieu Escouteloup, Ronan Lashermes, Thomas Trouchkine, Agence nationale de la sécurité des systèmes d'information (ANSSI), Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE), CentraleSupélec-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Service Expérimentation et Développement (SED [Rennes]), Inria Rennes – Bretagne Atlantique, 
Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Département d'informatique - ENS Paris (DI-ENS), École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), École normale supérieure - Paris (ENS-PSL), and Département d'informatique de l'École normale supérieure (DI-ENS)
- Subjects
Computer Networks and Communications ,Computer science ,CPU cache ,Fault models ,0102 computer and information sciences ,02 engineering and technology ,Hardware_PERFORMANCEANDRELIABILITY ,Fault (power engineering) ,01 natural sciences ,Abstraction layer ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Memory management unit ,System-on-Chip (SoC) ,0202 electrical engineering, electronic engineering, information engineering ,business.industry ,Fault injection ,Electromagnetic Fault Injection (EMFI) ,020202 computer hardware & architecture ,Physical attacks ,010201 computation theory & mathematics ,Embedded system ,Key (cryptography) ,Cache ,Fault model ,business ,Software
- Abstract
The last years have seen the emergence of fault attacks targeting modern central processing units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the electromagnetic fault injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837 where we successfully demonstrate persistent faults on L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the memory management unit (MMU). To validate our fault model, we realize a persistent fault analysis to retrieve an AES key.
- Published
- 2021
29. Research on reliability and real-time of on-board computer based on RT-Linux
- Author
-
Shen Jianliang, Zhonghe Jin, Guhong Zhang, and Guangkai Meng
- Subjects
Single event upset ,business.industry ,Computer science ,Embedded system ,Concurrency ,Redundancy (engineering) ,Concurrent computing ,Software design ,Fault injection ,business ,Reliability (statistics) ,Scheduling (computing)
- Abstract
Reliability and real-time are extremely important indicators in the aerospace field. With the increasing complexity of nano satellite missions, research on the reliability and real-time of on-board computers has become very important. This paper uses AM5748 chip manufactured by Texas Instruments as the processor, which is equipped with RT-Linux for the software design of on-board computers. Aiming at the reliability of on-orbit data storage of on-board computers, this paper proposes a loading method combining U-BOOT and N-modular redundant (NMR), which can solve the static operating system’s single event upset (SEU) problem well; aiming at the concurrency problem of on-board computer OS drivers, a priority-based serialized driver framework is designed to solve the possible concurrency problems in the driver layer to a certain extent. Finally, the system's five-mode redundancy is verified by fault injection, and the driver framework is tested by multi-process concurrency. The results show that the system can resist the single event upset rate of up to $10^{-5}$/(bit∙day), and the driver framework can complete on-orbit multi-task scheduling, which solves the concurrency problems. Thus, the work is of great significance for the reliability and real-time research of nano satellites and on-board computers in orbit applications.
- Published
- 2021
30. Analyzing the Single Event Upset Vulnerability of Binarized Neural Networks on SRAM FPGAs
- Author
-
Athanasios Papadimitriou, Mihalis Psarakis, Vasileios Vlagkoulis, Ioanna Souvatzoglou, and Aitzan Sari
- Subjects
Very-large-scale integration ,Artificial neural network ,business.industry ,Single event upset ,Cycles per instruction ,Computer science ,Embedded system ,Benchmark (computing) ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,Static random-access memory ,business ,Field-programmable gate array
- Abstract
Neural Networks (NNs) are increasingly used in the last decade in several demanding applications, such as object detection and classification, autonomous driving, etc. Among different computing platforms for implementing NNs, FPGAs have multiple advantages due to design flexibility and high performance-to-watt ratio. Moreover, approximation techniques, such as quantization, have been introduced, which reduce the computational and storage requirements, thus enabling the integration of larger NNs into FPGA devices. On the other hand, FPGAs are sensitive to radiation-induced Single Event Upsets (SEUs). In this work, we perform an in-depth reliability analysis in an FPGA-based Binarized Fully Connected Neural Network (BNN) accelerator running a statistical fault injection campaign. The BNN benchmark has been produced by FINN, an open-source framework that provides an end-to-end flow from abstract level to design, making it easy to design customized FPGA NN accelerators, while it also supports various approximation techniques. The campaign includes the injection of faults in the configuration memory of a state-of-the-art Xilinx Ultrascale+ FPGA running the BNN, as well as an exhaustive fault injection in the user flip flops. We have analyzed the fault injection results characterizing the SEU vulnerability of the circuit per network layer, per clock cycle, and register. In general, the results show that the BNNs are inherently resilient to soft errors, since a low portion of SEUs in the configuration memory and the flip flops cause system crashes or misclassification errors.
- Published
- 2021
31. SEU Evaluation of Hardened-by-Replication Software in RISC-V Soft Processor
- Author
-
Corrado De Sio, Luca Sterpone, Andrea Portaluri, and Sarah Azimi
- Subjects
Reconfigurable ,Hardware architecture ,business.industry ,Event (computing) ,Computer science ,Fault injection ,Fault injection, Reliability, Reconfigurable, SoC, RISCV, SEU, SRAM-based FPGA ,Reliability ,Replication (computing) ,law.invention ,Microprocessor ,RISCV ,Software ,law ,Embedded system ,RISC-V ,SoC ,business ,Field-programmable gate array ,SEU ,SRAM-based FPGA
- Abstract
The interest of the space industry around soft processors is increasing. However, the advantages in terms of costs and customizability provided by soft processors are countered by the reliability issues deriving by Single Event Effects, especially Single Event Upsets. Several techniques have been proposed to tackle these issues, both at the hardware and software levels. Software approaches rely on replicating data and computations to cope with SEUs affecting the memory where the binary code is stored. Thanks to open licenses, RISC-V solutions are steadily growing in popularity among the set of available soft processors. In this work, we present a reliability evaluation of four different benchmarks running on the RI5CY soft processor implemented on SRAM-based FPGAs. The reliability of the baseline and hardened-by-replication versions of the software benchmarks are evaluated against SEUs-induced faults both at the software and hardware architecture levels through fault injection campaigns in the microprocessor memory and configuration memory, respectively. Results assess how the adoption of the hardening-by-replication technique at the software level slightly improves reliability against software-related faults but degrades reliability against architectural faults, making it an inefficient solution when it is not combined with hardware robustness.
- Published
- 2021
32. EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model
- Author
-
Thomas Trouchkine, Guillaume Bouffard, Jessy Clédière, Agence nationale de la sécurité des systèmes d'information (ANSSI), Département d'informatique - ENS Paris (DI-ENS), École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS), Commissariat à l'énergie atomique et aux énergies alternatives - Laboratoire d'Electronique et de Technologie de l'Information (CEA-LETI), Direction de Recherche Technologique (CEA) (DRT (CEA)), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA), Département d'informatique de l'École normale supérieure (DI-ENS), and École normale supérieure - Paris (ENS Paris)
- Subjects
Reduced instruction set computing ,Computer science ,business.industry ,Fault injection ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection attacks ,Fault (power engineering) ,Fault detection and isolation ,Instruction set ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Embedded system ,x86 ,[INFO.INFO-ES]Computer Science [cs]/Embedded Systems ,Central processing unit ,Complex CPU ,Fault model ,Code analysis ,business
- Abstract
Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. Only a few works try to characterize them at the Instruction Set Architecture (ISA) level. In this article, we apply a state-of-the-art fault model characterization approach on modern CPUs to evaluate the fault model on two different CPUs from different architectures with the same injection mediums. We target the CPU of the Raspberry Pi 3 (ARM) and an Intel Core i3 (x86) and perturb them with ElectroMagnetic Fault Injection (EMFI). From the ISA point of view, we disclose a similar fault model on each component. Additionally, we evaluate a widely used complex software, OpenSSL, against this fault model.
- Published
- 2021
33. A Compiler Extension to Protect Embedded Systems Against Data Flow Errors
- Author
-
Jens Vankeirsbilck, Elias Verstappe, Jeroen Boydens, and Brent De Blaere
- Subjects
Swift ,Assembly language ,Computer science ,business.industry ,Fault injection ,computer.software_genre ,ARM architecture ,Data flow diagram ,Embedded system ,Plug-in ,Compiler ,Error detection and correction ,business ,computer ,computer.programming_language
- Abstract
External disturbances such as alpha particles, electromagnetic interference, or malicious external attackers can cause erroneous bit-flips in the hardware of modern embedded systems. A broad range of software-implemented error detection techniques have been presented in the past to safeguard embedded systems against these disturbances. Two well-known state-of-the-art techniques are SWIFT and SWIFT-R. However, since those solutions must be implemented in low-level code, such as assembly language, implementing them can be time-consuming and error-prone. To solve this issue, this paper describes a GCC compiler extension in the form of a plugin that can integrate the data flow error detection of SWIFT and SWIFT-R to any ARMv7-M program. We verify that the compiler implements the techniques correctly by performing fault injection campaigns on various case studies.
- Published
- 2021
34. The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs
- Author
-
Otto Bittner, Andreas Galauner, Jean-Pierre Seifert, and Thilo Krachenfels
- Subjects
FOS: Computer and information sciences ,Computer Science - Cryptography and Security ,Firmware ,Computer science ,business.industry ,Fault injection ,Adversary ,computer.software_genre ,Chip ,Work (electrical) ,Embedded system ,Threat model ,Code (cryptography) ,business ,Cryptography and Security (cs.CR) ,computer ,Booting - Abstract
Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as self-driving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI has been known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation. This is the authors' version of the article accepted for publication at the 2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC).
- Published
- 2021
35. ARCHIE: A QEMU-Based Framework for Architecture-Independent Evaluation of Faults
- Author
-
Johannes Obermaier, Lukas Auer, Kathrin Garb, Bodo Selmke, and Florian Hauschild
- Subjects
Processor register ,Firmware ,Computer science ,business.industry ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,computer.software_genre ,Fault (power engineering) ,Embedded system ,Dynamic program analysis ,Transient (computer programming) ,Code generation ,business ,computer ,Booting - Abstract
Fault injection is a major threat to embedded system security since it can lead to modified control flows and leakage of critical security parameters, such as secret keys. However, injecting physical faults into devices is cumbersome and difficult since it requires a lot of preparation and manual inspection of the assembly instructions. Furthermore, a single fault injection method cannot cover all possible fault types. Simulating fault injection in comparison, is, in general, less costly, more time-efficient, and can cover a large amount of possible fault combinations. Hence, many different fault injection tools have been developed for this purpose. However, previous tools have several drawbacks since they target only individual architectures or cover merely a limited amount of the possible fault types for only specific memory types. In this paper, we present ARCHIE, a QEMU-based architecture-independent fault evaluation tool, that is able to simulate transient and permanent instruction and data faults in RAM, flash, and processor registers. ARCHIE supports dynamic code analysis and parallelized execution. It makes use of the Tiny Code Generator (TCG) plugin, which we extended with our fault plugin to enable read and write operations from and to guest memory. We demonstrate ARCHIE’s capabilities through automatic binary analysis of two exemplary applications, TinyAES and a secure bootloader, and validate our tool’s results in a laser fault injection experiment. We show that ARCHIE can be run both on a server with extensive resources and on a common laptop. ARCHIE can be applied to a wide range of use cases for analyzing and enhancing open source and proprietary firmware in white, grey, or black box tests.
- Published
- 2021
36. Towards Fault Injection Modules for Functionality Checks in MEMS-based LiDAR Systems
- Author
-
Philipp Stelzer, Norbert Druml, Leonhard Christian Niedermueller, Andreas Strasser, Johannes Wiesmeier, Christian Steger, and Simon Maximilian Waldhuber
- Subjects
Microelectromechanical systems ,Lidar ,Computer science ,business.industry ,Embedded system ,Advanced driver assistance systems ,Fault injection ,business ,Shut down ,Preventive maintenance ,FPGA prototype - Abstract
Advanced Driver Assistance Systems (ADAS) are increasingly being installed in vehicles. The aim is to make the car highly automated. Thus, the demands on such ADAS or systems that are necessary for these ADAS are increasing analogously. The systems must be fault-tolerant and reliable. For this purpose, it is necessary that the individual systems themselves are continuously checked by monitors. But even such monitors can fail. It is therefore important that the monitors are also constantly checked. For example, faults can be intentionally injected into the system in order to observe the subsequent reaction of the monitor. For highly automated vehicles, it is obviously necessary to apply more and more sophisticated fault injection methods in order to detect faults in the system at an early stage and accordingly replace components before a possible failure. In case, preventive maintenance is no longer possible, the system should be able to provide at least part of its functionality - fail-operational - or be shut down completely - fail-safe. In this publication, an architecture with corresponding fault injection modules for MEMS-based LiDAR systems is proposed. The architecture has been implemented in an FPGA prototyping platform to demonstrate its feasibility and evaluate its performance.
- Published
- 2021
37. Fault Injection of TMR Open Source RISC-V Processors using Dynamic Partial Reconfiguration on SRAM-based FPGAs
- Author
-
Michael Wirthlin and Andrew Wilson
- Subjects
Automatic test equipment ,Computer science ,business.industry ,Embedded system ,RISC-V ,Redundancy (engineering) ,Control reconfiguration ,Fault tolerance ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,Static random-access memory ,Field-programmable gate array ,business - Abstract
SRAM-based FPGAs are frequently used for critical functions in space applications. Soft processors implemented within these FPGAs are often needed to satisfy the mission requirements. The open ISA, RISC-V, has allowed for the development of a wide range of open source processors. Like all SRAM-based FPGA digital designs, these soft processors are susceptible to SEUs. This paper presents an investigation of the performances and relative SEU sensitivity of a selection of newly available open source RISC-V processors. Utilizing dynamic partial reconfiguration, this novel automatic test equipment rapidly deployed different implementations and evaluated SEU sensitivity through fault injection. Using BYU’s new SpyDrNet tools, fine-grain TMR was also applied to each processor with results ranging from a 20× to 500× reduction in sensitivity.
- Published
- 2021
38. Radiation tolerant viterbi decoders for on-board processing (OBP) in satellite communications
- Author
-
Ruishi Han, Lina Yan, Zhen Gao, Reviriego Pedro, Ullah Anees, and Jinhua Zhu
- Subjects
Computer Networks and Communications ,Computer science ,business.industry ,Reliability (computer networking) ,Fault tolerance ,Hardware_PERFORMANCEANDRELIABILITY ,02 engineering and technology ,Fault injection ,Viterbi algorithm ,020202 computer hardware & architecture ,symbols.namesake ,Viterbi decoder ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Communications satellite ,symbols ,Overhead (computing) ,Data Corruption ,Hardware_ARITHMETICANDLOGICSTRUCTURES ,Electrical and Electronic Engineering ,business - Abstract
Modern satellite communication systems require on-board processing (OBP) for performance improvements, and SRAM-FPGAs are an attractive option for OBP implementation. However, SRAM-FPGAs are sensitive to radiation effects, among which single event upsets (SEUs) are important as they can lead to data corruption and system failure. This paper studies the fault tolerance capability of a SRAM-FPGA implemented Viterbi decoder to SEUs on the user memory. Analysis and fault injection experiments are conducted to verify that over 97% of the SEUs on user memory would not lead to output errors. To achieve a better reliability, selective protection schemes are then proposed to further improve the reliability of the decoder to SEUs on user memory with very small overhead. Although the results are obtained for a specific FPGA implementation, the developed reliability estimation model and the general conclusions still hold for other implementations.
- Published
- 2020
39. EFIC-ME: A Fast Emulation Based Fault Injection Control and Monitoring Enhancement
- Author
-
Zain Ul Abideen and Muhammad Rashid
- Subjects
General Computer Science ,fault injection ,Cycles per instruction ,Computer science ,emulation ,Context (language use) ,02 engineering and technology ,Hardware_PERFORMANCEANDRELIABILITY ,Fault (power engineering) ,Dependability ,01 natural sciences ,Control theory ,0103 physical sciences ,0202 electrical engineering, electronic engineering, information engineering ,General Materials Science ,Field-programmable gate array ,Emulation ,010308 nuclear & particles physics ,business.industry ,General Engineering ,Fault injection ,020202 computer hardware & architecture ,Upgrade ,Single event upset ,Opal Kelly field programmable gate array (FPGA) ,Embedded system ,hardware security ,embedded systems ,lcsh:Electrical engineering. Electronics. Nuclear engineering ,business ,lcsh:TK1-9971 - Abstract
The security and dependability of embedded systems are increasing due to the sensitive and condensed structure of nanodevices. As the chip area shrinks and the technologies upgrade, the probability of Single Event Upset or Multi Bit Upset proliferates, which may lead to unexpected results. This article presents a fault-injection tool called EFIC-ME (Emulation based Fault Injection Control and Monitoring Enhancement) using an emulation technique with a reasonable contribution to flexibility and controllability. Existing emulation based fault-injection tools, targeting Field Programmable Gate Arrays (FPGA), reveal high efficiency and low emulation time, but they still lack the control of fault injection time. The proposed tool (EFIC-ME) achieves a low emulation time and provides a sophisticated way to inject the fault in a specific location at a specific clock cycle inside the Design Under Test (DUT). Additionally, it also employs an observability mechanism to monitor the current state of flip-flops at a user-defined time. In the context of high emulation speed, it provides an Opal Kelly FPGA interface between the host controller and emulator. In order to evaluate the dependability of the proposed tool, a mechanism has been provided in terms of FoEA (Factors of emulation analysis) and fault injection rate. The FoEA estimates the failure probability of a complete DUT and the failure probability of a specific location inside the DUT which directly affects an output. The designed architecture is initially validated using simulation to verify the functional characteristics. Subsequently, the fault injection campaign has been performed on Kintex-7 FPGA for seven different DUTs. The achieved results have been discussed and compared with state-of-the-art in terms of various performance attributes.
- Published
- 2020
40. Hiding a fault enabled virus through code construction
- Author
-
Jean-Louis Lanet, Mohamed Mezghiche, Samiya Hamadouche, Laboratoire d’Informatique de Modélisation d’Optimisation et de Systèmes Electroniques [Boumerdes] (LIMOSE), Université M'Hamed Bougara Boumerdes (UMBB), Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE), CentraleSupélec-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Laboratoire de Haute Sécurité (LHS - Inria), Institut 
National de Recherche en Informatique et en Automatique (Inria)-Direction générale de l'Armement (DGA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique)
- Subjects
021110 strategic, defence & security studies ,business.industry ,Computer science ,0211 other engineering and technologies ,Process (computing) ,02 engineering and technology ,Fault injection ,Fault (power engineering) ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Tree traversal ,Computational Theory and Mathematics ,Hardware and Architecture ,020204 information systems ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Computer Science (miscellaneous) ,Code (cryptography) ,[INFO.INFO-ES]Computer Science [cs]/Embedded Systems ,Smart card ,Heuristics ,business ,ComputingMilieux_MISCELLANEOUS ,Software ,TRACE (psycholinguistics) - Abstract
Smart cards are very secure devices designed to execute applications and store confidential data. Therefore, they become the target of many hardware and software attacks that aim to bypass their embedded security mechanisms in order to gain access to the sensitive stored data. Recently, a new kind of attacks called combined attacks has appeared. They aim to induce perturbations in the application’s execution environment. Thus, correct and legitimate application can be dynamically modified to become a hostile one after being loaded in the card using a fault injection. In this paper, we treat the problem from another angle: how to design an innocent looking code in such a way that it becomes intentionally hostile after being activated by a fault injection? We present an original approach of backward code construction based on constraints satisfaction and a tree traversal algorithm. After that, we propose a way to optimize the search process by introducing heuristics for a faster convergence towards more realistic solutions. This approach is implemented in a Trace Generator tool. Thereafter, we evaluate its capacity to generate the required solutions while giving a proof-of-concept of the code desynchronization technique.
- Published
- 2019
41. An ALU Protection Methodology for Soft Processors on SRAM-Based FPGAs
- Author
-
Ricardo G. Toral, Pedro Reviriego, Juan Antonio Maestro, and Alexis Ramos
- Subjects
business.industry ,Computer science ,Fault tolerance ,Fault injection ,Modular design ,Theoretical Computer Science ,Arithmetic logic unit ,Soft error ,Computational Theory and Mathematics ,Hardware and Architecture ,Embedded system ,RISC-V ,Redundancy (engineering) ,business ,Field-programmable gate array ,Software - Abstract
The use of microprocessors in space missions implies that they should be protected against the effects of cosmic radiation. Commonly this objective has been achieved by applying modular redundancy techniques which provide good results in terms of reliability but increase significantly the number of used resources. Because of that, new protection techniques have appeared, trying to establish a trade-off between reliability and resource utilization. In this paper, we propose an application-based methodology, to protect a soft processor implemented in an SRAM-based FPGA, against the effect of soft errors. This is done creating a library of adaptive protection configurations, based on the profiling of the application. This hardware configuration library, combined with the reprogramming capabilities of the FPGA, helps to create an adaptive protection for each application. We propose two partial TMR configurations for the Arithmetic Logic Unit (ALU) as an example of this methodology. The proposed scheme has been tested in a RISC-V soft processor. A fault injection campaign has been performed to test its reliability.
- Published
- 2019
42. Reliability Calculation With Respect to Functional Failures Induced by Radiation in TMR Arm Cortex-M0 Soft-Core Embedded Into SRAM-Based FPGA
- Author
-
Adria Barros de Oliveira, Nilberto H. Medina, Fabio Benevenuti, Vitor A. P. Aguiar, M. A. Guazzelli, Fernanda Lima Kastensmidt, Nemitala Added, and Luis A. C. Benites
- Subjects
Triple modular redundancy ,Nuclear and High Energy Physics ,010308 nuclear & particles physics ,Computer science ,business.industry ,Memory scrubbing ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,01 natural sciences ,Nuclear Energy and Engineering ,Gate array ,Embedded system ,0103 physical sciences ,Netlist ,Redundancy (engineering) ,Static random-access memory ,Hardware_ARITHMETICANDLOGICSTRUCTURES ,Electrical and Electronic Engineering ,business ,Field-programmable gate array - Abstract
This paper presents comparative results from fault injection (FI) and heavy ions accelerated irradiation on a Xilinx 7 series static RAM (SRAM)-based field-programmable gate array (FPGA) for a soft-core microprocessor mitigated by triple modular redundancy (TMR) with different levels of granularity. The Arm Cortex-M0 soft-core processor executing two software applications is employed as a case study. The TMR implementation is automatically generated from synthesized netlist and includes coarse and fine grain variants. Apart from the TMR mitigation, the configuration memory scrubbing is used as implemented by the engine natively available on Xilinx 7 series FPGAs. Experiments with FI and heavy ions allow analyzing the effectiveness of the automated TMR mitigation combined with memory scrubbing and also to analyze the consistency of reliability metrics from FI and heavy ions. The dynamic cross section of the design was improved up to 4.5 times according to the implemented TMR granularity and when associated with the configuration memory scrubbing.
- Published
- 2019
43. Security-Aware FSM Design Flow for Identifying and Mitigating Vulnerabilities to Fault Attacks
- Author
-
Prabhat Mishra, Farimah Farahmandi, Adib Nahiyan, Domenic Forte, and Mark Tehranipoor
- Subjects
TheoryofComputation_COMPUTATIONBYABSTRACTDEVICES ,Finite-state machine ,Computer science ,business.industry ,Design flow ,Fault tolerance ,02 engineering and technology ,Fault injection ,Fault (power engineering) ,Computer Graphics and Computer-Aided Design ,020202 computer hardware & architecture ,Application-specific integrated circuit ,Control theory ,Embedded system ,0202 electrical engineering, electronic engineering, information engineering ,Electrical and Electronic Engineering ,business ,Software ,Hardware_LOGICDESIGN - Abstract
The security of a system-on-chip (SoC) can be compromised by exploiting the vulnerabilities of the finite state machines (FSMs) in the SoC controller modules through fault injection attacks. These vulnerabilities may be unintentionally introduced by traditional FSM design practices or by CAD tools during synthesis. In this paper, we first analyze how the vulnerabilities in an FSM can be exploited by fault injection attacks. Then, we propose a security-aware FSM design flow for ASIC designs to mitigate them and prevent fault attacks on FSM. Our proposed FSM design flow starts with a security-aware encoding scheme which makes the FSM resilient against fault attacks. However, the vulnerabilities introduced by the CAD tools cannot be addressed by encoding schemes alone. To analyze for such vulnerabilities, we develop a novel technique named analyzing vulnerabilities in FSM. If any vulnerability exists, we propose a secure FSM architecture to address the issue. In this paper, we mainly focus on setup-time violation-based fault attacks which pose a serious threat on FSMs; though our proposed flow works for advanced laser-based fault attacks as well. We compare our proposed secure FSM design flow with traditional FSM design practices in terms of cost, performance, and security. We show that our FSM design flow ensures security while having a negligible impact on cost and performance.
- Published
- 2019
44. A Secure Exception Mode for Fault-Attack-Resistant Processing
- Author
-
Marjan Ghodrati, Leyla Nazhandali, Bilgiday Yuce, Chinmay Deshpande, Abhishek Bendre, and Patrick Schaumont
- Subjects
Software ,Embedded software ,Application-specific integrated circuit ,business.industry ,Computer science ,Embedded system ,Redundancy (engineering) ,Cryptography ,Fault injection ,Electrical and Electronic Engineering ,business ,Fault detection and isolation ,Microarchitecture - Abstract
Fault attacks are a known threat to secure embedded implementations. We propose a generic technique to detect and react to fault attacks on embedded software. The countermeasure combines a micro-architecture extension in hardware with a secure trap in software. The combined extension leads to a secure exception mode to handle fault attacks. The microprocessor hardware uses a low-level hardware checkpointing mechanism to recover from fault injection. A high-level secure trap in software then enables an application-specific response. The trap is user-defined and can be co-developed with the application. The combination of hardware fault detection and recovery, with a high-level fault response policy in software leads to significantly lower overhead when compared to traditional redundancy-based techniques in hardware or software. We demonstrate a prototype implementation of the proposed secure exception mode. The prototype is based on a modified LEON3 processor and it is able to detect and respond to setup-time violation attacks. We have realized the design in a 180 nm standard cell ASIC with integrated memory. Using several driver application examples, we characterize the software and hardware overhead of the proposed solution, and we compare it to the conventional redundancy-based solutions. In our understanding this is the first proof-in-silicon processor to offer a comprehensive secure exception mode against fault-injection attacks.
- Published
- 2019
45. MH-QEMU: Memory-State-Aware Fault Injection Platform
- Author
-
Hideyuki Jitsumoto, Satoshi Matsuoka, Akihiro Nomura, and Yuya Kobayashi
- Subjects
Computer science ,Virtual machine ,business.industry ,Embedded system ,Overhead (computing) ,Fault injection ,State (computer science) ,computer.software_genre ,business ,computer - Abstract
As we move towards higher-density, larger-scale, and lower-power computing hardware, new types of failures are being experienced with increasing frequency. Hardware designed for the post-Moore generation is also bringing about novel resiliency challenges. In order to improve the efficiency of resiliency methods, fault injection plays an important role in understanding how errors affect the OS and application. Memory-state-aware fault injection, in particular, can be used to investigate the memory-related faults caused by using current and future hardware under extreme conditions and assess the costs/benefit trade-off of resiliency methods. We introduce MH-QEMU, a memory-state-aware fault injection platform implemented by extending a virtual machine (VM) to intercept memory accesses. MH-QEMU supports collecting the physical and virtual addresses of memory accesses and defining appropriate injection conditions using the collected information. MH-QEMU incurs a 3.4× overhead, and we demonstrate how row-hammer faults can be injected using MH-QEMU to analyze the resiliency of modified NPB CG's algorithm.
- Published
- 2019
46. Dependability Analysis of Data Storage Systems in Presence of Soft Errors
- Author
-
Mostafa Kishani, Mehdi B. Tahoori, and Hossein Asadi
- Subjects
FOS: Computer and information sciences ,Computer Science - Performance ,021103 operations research ,business.industry ,Computer science ,CPU cache ,0211 other engineering and technologies ,Data field ,02 engineering and technology ,Fault injection ,Data loss ,Computer Science - Information Retrieval ,Performance (cs.PF) ,Embedded system ,Hardware Architecture (cs.AR) ,Computer data storage ,Dependability ,Cache ,Electrical and Electronic Engineering ,Unavailability ,Computer Science - Hardware Architecture ,Safety, Risk, Reliability and Quality ,business ,Information Retrieval (cs.IR) - Abstract
In recent years, high availability and reliability of Data Storage Systems (DSS) have been significantly threatened by soft errors occurring in storage controllers. Due to their specific functionality and hardware-software stack, error propagation and manifestation in DSS is quite different from general-purpose computing architectures. To our knowledge, no previous study has examined the system-level effects of soft errors on the availability and reliability of data storage systems. In this paper, we first analyze the effects of soft errors occurring in the server processors of storage controllers on the entire storage system dependability. To this end, we implemented the major functions of a typical data storage system controller, running on a full stack of storage system operating system, and developed a framework to perform fault injection experiments using a full system simulator. We then propose a new metric, Storage System Vulnerability Factor (SSVF), to accurately capture the impact of soft errors in storage systems. By conducting extensive experiments, it is revealed that depending on the controller configuration, up to 40% of cache memory contains end-user data where any unrecoverable soft errors in this part will result in Data Loss (DL) in an irreversible manner. However, soft errors in the rest of cache memory filled by Operating System (OS) and storage applications will result in Data Unavailability (DU) at the storage system level. Our analysis also shows that Detectable Unrecoverable Errors (DUEs) on the cache data field are the major cause of DU in storage systems, while Silent Data Corruptions (SDCs) in the cache tag and data field are mainly the cause of DL in storage systems.
- Published
- 2019
47. Fault Tolerant Design Comparison Study of TMR and 5MR
- Author
-
Noor Ezan Abdullah, Siti Lailatul Mohd Hassan, A'zraa Afhzan Ab Rahim, Muhammad Muhaymin Che Ismail, and Ili Shairah Abdul Halim
- Subjects
Triple modular redundancy ,business.industry ,Computer science ,Fault tolerance ,Hardware_PERFORMANCEANDRELIABILITY ,Fault injection ,Modular design ,Fault (power engineering) ,Embedded system ,Logic gate ,Redundancy (engineering) ,Hardware_ARITHMETICANDLOGICSTRUCTURES ,business ,Field-programmable gate array - Abstract
Field Programmable Gate Arrays (FPGAs) are widely used, especially in critical applications such as military systems and aerospace systems, due to their reconfigurable advantages. FPGAs may be prone to faults due to many factors such as radiation. The redundancy method is used to overcome this problem and can improve the reliability of a system. In this work, fault tolerant design techniques for Triple Modular Redundancy (TMR) and Five Modular Redundancy (5MR) were compared on DE1-SoC FPGA boards. Faults were injected by adding a fault module that made a selected module become faulty to the circuit under test (CUT) board, which is interfaced with the main FPGA board. The result of the fault injection test shows 5MR produces more correct output than TMR even though 5MR uses 1.67 times more resources.
- Published
- 2021
48. EnSuRe: Energy & Accuracy Aware Fault-tolerant Scheduling on Real-time Heterogeneous Systems
- Author
-
Shoaib Ehsan, Server Kasap, Sangeet Saha, Xiaojun Zhai, Klaus D. McDonald-Maier, Adewale Adetomi, and Tughrul Arslan
- Subjects
business.industry ,Computer science ,Backup ,Embedded system ,Reliability (computer networking) ,Benchmark (computing) ,Fault tolerance ,Transient (computer programming) ,Fault injection ,business ,Scheduling (computing) ,Efficient energy use - Abstract
This paper proposes an energy efficient real-time scheduling strategy called EnSuRe, which (i) executes real-time tasks on low power consuming primary processors to enhance the system accuracy by maintaining the deadline and (ii) provides reliability against a fixed number of transient faults by selectively executing backup tasks on high power consuming backup processor. Simulation results reveal that EnSuRe consumes nearly 25% less energy, compared to existing techniques, while satisfying the fault tolerance requirements. EnSuRe is also able to achieve 75% system accuracy with 50% system utilisation. Further, the obtained simulation outcomes are validated on benchmark tasks via a fault injection framework on Xilinx ZYNQ APSoC heterogeneous dual core platform.
- Published
- 2021
49. TRAITOR: A Low-Cost Evaluation Platform for Multifault Injection
- Author
-
Erven Rohou, Ludovic Claudepierre, Damien Hardy, Pierre-Yves Péneau, Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE), CentraleSupélec-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-SYSTÈMES LARGE ÉCHELLE (IRISA-D1), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Service Expérimentation et Développement (SED [Rennes]), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en 
Informatique et en Automatique (Inria)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Pushing Architecture and Compilation for Application Performance (PACAP), Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-ARCHITECTURE (IRISA-D3), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique)
- Subjects
[INFO.INFO-AR]Computer Science [cs]/Hardware Architecture [cs.AR], Exploit, Computer science, 02 engineering and technology, Hardware_PERFORMANCEANDRELIABILITY, 030218 nuclear medicine & medical imaging, 03 medical and health sciences, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 0302 clinical medicine, Software, EMI, Clock glitch, 0202 electrical engineering, electronic engineering, information engineering, Cost evaluation, business.industry, Instruction skip, 020206 networking & telecommunications, Fault injection, Multifault injection, Information sensitivity, Microcontroller, Software security assurance, Embedded system, Physical attack, [INFO.INFO-ES]Computer Science [cs]/Embedded Systems, business
- Abstract
Fault injection is a well-known method to physically attack embedded systems, microcontrollers in particular. It aims to find and exploit vulnerabilities in the hardware to induce malfunction in the software and eventually bypass software security or retrieve sensitive information. We propose a low-cost platform called TRAITOR that induces faults with clock glitches and has the capacity to inject numerous and precise bursts of faults. From an evaluation point of view, this platform allows easier and cheaper investigations of complex attacks than costly EMI benches or laser probes.
- Published
- 2021
50. NVBitFI: Dynamic Fault Injection for GPUs
- Author
Stephen W. Keckler, Timothy Tsai, Siva Kumar Sastry Hari, Oreste Villa, and Michael J. Sullivan
- Subjects
Source code, Computer science, business.industry, media_common.quotation_subject, Reliability (computer networking), Usability, Fault injection, Software, Embedded system, Code (cryptography), Dependability, Instrumentation (computer programming), business, media_common
- Abstract
GPUs have found wide acceptance in domains such as high-performance computing and autonomous vehicles, which require fast processing of large amounts of data along with provisions for reliability, availability, and safety. A key component of these dependability characteristics is the propagation of errors and their eventual effect on system outputs. In addition to analytical and simulation models, fault injection is an important technique that can evaluate the effect of errors on a complete computing system running the full software stack. However, the complexity of modern GPU systems and workloads challenges existing fault injection tools. Some tools require the recompilation of source code that may not be available, struggle to handle dynamic libraries, lack support for modern GPUs, or add unacceptable performance overheads. We introduce the NVBitFI tool for fault injection into GPU programs. In contrast with existing tools, NVBitFI performs instrumentation of code dynamically and selectively to instrument the minimal set of target dynamic kernels; as it requires no access to source code, NVBitFI provides improvements in performance and usability. The NVBitFI tool is publicly available for download and use at https://github.com/NVlabs/nvbitfi.
- Published
- 2021
Discovery Service for Jio Institute Digital Library