For Full-Text PDF, please login, if you are a member of IEICE,|
or go to Pay Per View on menu list, if you are a nonmember of IEICE.
Laser-Induced Controllable Instruction Replacement Fault Attack
Junichi SAKAMOTO Daisuke FUJIMOTO Tsutomu MATSUMOTO
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Publication Date: 2020/01/01
Online ISSN: 1745-1337
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
instruction replacement, instruction skip, fault attack, laser fault injection, side-channel attack,
Full Text: FreePDF(3.4MB)
To develop countermeasures against fault attacks, it is important to model an attacker's ability. The instruction skip model is a well-studied practical model for fault attacks on software. Contrastingly, few studies have investigated the instruction replacement model, which is a generalization of the instruction skip model, because replacing an instruction with a desired one is considered difficult. Some previous studies have reported successful instruction replacements; however, those studies concluded that such instruction replacements are not practical attacks because the outcomes of the replacements are uncontrollable. This paper proposes the concept of a controllable instruction replacement technique that uses the laser irradiation of flash memory. The feasibility of the proposed technique is demonstrated experimentally using a smartcard-type ARM SC100 microcontroller. Then, practical cryptosystem attacks that exploit the proposed technique are investigated. The targeted cryptosystems employ the AES with software-based anti-fault countermeasures. We demonstrate that an existing anti-instruction-skip countermeasure can be circumvented by replacing a critical instruction, e.g., a branch instruction to detect fault occurrence.