Program


Below is the list of scheduled Keynotes, Talks and Posters, sorted alphabetically by title.

Keynotes

  • EUCLEAK
    • Speaker: Thomas Roche
    • Abstract: Secure elements are small microcontrollers whose main purpose is to generate/store secrets and then execute cryptographic operations. They undergo the highest level of security evaluations that exists (Common Criteria) and are often considered inviolable, even in the worst-case attack scenarios. Hence, complex secure systems build their security upon them.
      In this talk we will present a side-channel vulnerability in the cryptographic library of Infineon Technologies, one of the most important secure element manufacturers. This vulnerability – which went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non-constant-time modular inversion. The attack requires physical access to the secure element (a few local electromagnetic side-channel acquisitions, i.e. a few minutes, are enough) in order to extract an ECDSA secret key. The attack is performed on a FIDO hardware token from Yubico, where it allows creating a clone of the FIDO device. Yubico acknowledged that all YubiKey 5 Series devices (with firmware version below 5.7) are impacted by the attack, and in fact we show that all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library are vulnerable to the attack.
  • Si Substrate Backside of ICs as Attack Surfaces and Countermeasures of Physical Security
    • Speaker: Makoto Nagata
    • Abstract: The Si substrate backside of an integrated circuit (IC) chip, more precisely the backside surface of its silicon substrate, provides open areas for performance improvements as well as for adversarial security attacks. These are potentially contradictory or traded off in the design of an IC chip toward higher levels of performance and security, particularly along with advanced packaging technologies. An attacker leverages the Si substrate backside to scan side-channel leakages from, and also to inject intentional faults into, a crypto processor, through a variety of physical interactions with electromagnetic, electrical, thermal and luminescent media. This talk overviews Si backside physical attacks and addresses the exploration of countermeasures by physical structures. The chip-backside vulnerability of an IC chip will be experimentally given with Si examples as well as analytically described with simulation models.

Talks

  • A Hard-Label Cryptanalytic Extraction of Non-Fully Connected Deep Neural Networks using Side-Channel Attacks
    • Speaker: Benoit Coqueret
    • Author(s): Benoit Coqueret, Mathieu Carbone, Olivier Sentieys, Gabriel Zaid
    • Affiliation(s): INRIA, IRISA, CESTI Thales
    • Abstract: During the past decade, Deep Neural Networks (DNNs) proved their value on a large variety of subjects. However, despite their high value and public accessibility, the protection of the intellectual property of DNNs is still an issue and an emerging research field. Recent works have successfully extracted fully-connected DNNs using cryptanalytic methods in hard-label settings, proving that it was possible to copy a DNN with high fidelity, i.e., high similitude in the output predictions. However, the current cryptanalytic attacks cannot target complex, i.e., not fully connected, DNNs and are limited to special cases of neurons present in deep networks. In this work, we introduce a new end-to-end attack framework designed for model extraction of embedded DNNs with high fidelity. We describe a new black-box side-channel attack which splits the DNN into several linear parts for which we can perform cryptanalytic extraction and retrieve the weights in hard-label settings. With this method, we are able to adapt cryptanalytic extraction, for the first time, to non-fully connected DNNs, while maintaining a high fidelity. We validate our contributions by targeting several architectures implemented on a microcontroller unit, including a Multi-Layer Perceptron (MLP) of 1.7 million parameters and a shortened MobileNetv1. Our framework successfully extracts all of these DNNs with high fidelity (88.4% for the MobileNetv1 and 93.2% for the MLP). Furthermore, we use the stolen model to generate adversarial examples and achieve close to white-box performance on the victim’s model (95.8% and 96.7% transfer rate).
  • aLeakator: formal verification of SW/HW masked implementations using HDL mixed-domain simulation
    • Speaker: Noé Amiot
    • Author(s): Noé Amiot (1), Karine Heydemann (2), Quentin Meunier (1), Emmanuelle Encrenaz (1)
    • Affiliation(s): (1) Sorbonne Université/LIP6, (2) Thalès
    • Abstract: Masking is a provable countermeasure against side-channel attacks. The proofs rely on a specified leakage model that captures what an attacker can observe. An implementation is said to be d-order secure in a given leakage model if any combination of d observations does not leak information about the sensitive values. Masked software must be proven secure at the assembly level to detect unmasking caused by the compilation flow. The verification process must also account for potential effects induced by the micro-architecture of the target device executing the software, as this may reduce security by recombining shares of masked data. This requires the ability to infer the potential sources of leakage, which can be achieved by mastering the target device or by performing verification while considering both hardware and software components. Current solutions for the formal co-verification of masked software and hardware do not scale to full masked ciphers, as they rely on SMT or SAT solvers. In this work, we propose a new approach for verifying full masked ciphers that relies on mixed simulation to extract intermediate values, referred to as expressions, which are then transmitted to an expression verifier. Our approach supports different leakage models, ranging from the d-probing model to the robust but relaxed d-probing model. It employs optimizations to reduce the number of verifications required, using classical caching mechanisms and sound reduction of the expressions sent to the verifier w.r.t. the leakage model. As our approach also enables the verification of masked hardware, our experimental results show that it reproduces existing masked hardware verification results while verifying up to 50 times faster on large circuits with a low amount of randomness. On the side of software running on CPUs, our results showcase for the first time a full masked AES-128 implementation verified on four different CPUs in less than 10 minutes. Additionally, we show that our approach helps to harden masked software, ensuring that it does not leak in practice.
  • An innovative test harness for the validation of PUF reliability
    • Speaker: Valentin PELTIER, Lukas VLASAK
    • Author(s): Khaled Karray, François Forlot, Idris Rais-Ali, Oualid Trabelsi, Lukas Vlasak
    • Affiliation(s): SECURE-IC
    • Abstract: A Physically Unclonable Function (PUF) is a security mechanism that uses the inherent physical variations of a device to generate a unique and unclonable output. This output can be used as a cryptographic key or a device identifier. PUFs rely on the fact that the exact physical properties of a device, such as the physical and electrical characteristics of a chip, can never be replicated exactly. This makes PUFs a highly secure method for protecting sensitive information and ensuring device authenticity. This talk will present the evaluation process of a PUF technology integrated into an FPGA architecture, and the automation set up for it. The characterization process consists of PUF enrollment following a couple of selected parameters linked to environmental constraints, such as FPGA temperature, voltage, latency and placement. Output data are strictly analyzed to verify the performance of critical requirements such as entropy, unicity, and stability. An aging procedure will be discussed, monitoring the deviation of the PUF performance over the next couple of years. The combination of temperature, voltage and logic activity accelerates degradation mechanisms such as NBTI (Negative Bias Temperature Instability) and HCI (Hot Carrier Injection), two major aging mechanisms that characterize transistors in integrated circuits. The experimental characterizations allow quantifying the required overhead of the PUF. For instance, we showcase the Loop-PUF, where the reliability vs. rebuild time trade-off can be leveraged to ensure constant reliability over time.
  • DICE-based lightweight device onboarding
    • Speaker: Dr. Malek Safieh
    • Author(s): Dr. Malek Safieh and Alessandro Piccoli
    • Affiliation(s): Siemens AG
    • Abstract: Zero-touch secure device onboarding is an automated process where credentials and configurations provided by an operator are securely installed on a device, without any external support. It is essential to establish initial trust in industrial scenarios. Existing onboarding protocols are typically based on asymmetric cryptography and public key infrastructures (e.g., RFC8995). However, industrial use cases often employ resource-constrained embedded devices with very restricted computational performance, unable to efficiently support asymmetric cryptography. Moreover, traditional asymmetric cryptographic algorithms are known to be broken by quantum computers and should be replaced by new Post-Quantum Cryptographic (PQC) algorithms. In general, multiparty protocols (incl. onboarding protocols) based only on symmetric cryptography suffer from complex shared secret management and update. On the other hand, symmetric cryptographic algorithms are typically more efficient to compute and less prone to PQC attacks, e.g., sufficient PQC security can be achieved by simply doubling the key size. The Device Identifier Composition Engine (DICE) offers a lightweight implicit attestation of device integrity status and can be used as a trust anchor (secure element) for constrained devices. In this work, we present zero-touch device onboarding protocols based on symmetric cryptographic algorithms and key material derived from DICE, which enable the following: 1) a lightweight trust anchor based on DICE, 2) implicit DICE-based device HW and SW integrity attestation during onboarding, 3) manageable update of the shared secret for the onboarding process using DICE, 4) support for efficient migration towards PQC.
  • Exploring speculation barriers for RISC-V selective speculation
    • Speaker: Herinomena ANDRIANATREHINA
    • Author(s): Herinomena ANDRIANATREHINA
    • Affiliation(s): Inria
    • Abstract: Speculative execution poses significant security risks to modern out-of-order cores, exemplified by attacks such as Spectre. Numerous countermeasures, including selective speculation in both software and hardware, have been proposed. This approach allows enabling or disabling speculative behavior based on circumstances. However, challenges such as evolving attack methods and the complexity of simulating out-of-order cores make these solutions difficult to reproduce and compare. This paper investigates the use of RISC-V speculation fences to achieve selective speculation in a realistic scenario where the microarchitecture cannot distinguish between confidential and non-confidential data. We examine three aspects: the semantics of speculation fences (ranging from broad to selective constraints), the placement of fences in programs by compilers, and their hardware implementation in a modified NaxRiscv RISC-V out-of-order core. Using a new security metric, we compare configurations within a unified framework. Our findings highlight that speculative execution of load instructions is critical for out-of-order core performance. Furthermore, we demonstrate that selective speculation without confidentiality-tagged data fails to achieve a meaningful security-performance trade-off.
  • Fast, precise and repeatable positioning of EM-probes for local Side-Channel Attacks
    • Speaker: Matthias Probst
    • Author(s): Matthias Probst*, Alexander Wiesent*, Michael Gruber†, Georg Sigl*†
    • Affiliation(s): *School of Computation, Information and Technology, Technical University of Munich, Munich, Germany; †Fraunhofer Institute for Applied and Integrated Security (AISEC), Munich, Germany
    • Abstract: Localized side-channel analysis makes it possible to evaluate only the relevant chip area by recording near-field electromagnetic emanations. This can lead to improved attacks compared to global power measurements, as the signal-to-noise ratio is higher and unimportant circuit components are not included in the recorded measurements. Especially for profiled attacks and their reproduction, the probe position in a localized scenario is of utmost importance. Ideally, a probe should be placed identically in the profiling and attack phases, as small variations can greatly impact the attack’s success. This work presents a methodology to accurately reposition an EM probe optimized for localized measurements, i.e., near-field measurements. We evaluate cross-correlation, Oriented FAST and Rotated BRIEF (ORB), and a particle filter approach to recalibrate the coordinate system of our setup. As a result, our methodologies show that precise positioning on an STM32F303 microcontroller is possible for a profiled attack scenario with different EM probes. Furthermore, due to requiring only a single trace per position, profiling is 2.9 times faster and repositioning is 27.9 times faster compared to the state of the art.
  • Fault attacks on the FLASH Memory Accelerator of a 32-bit Microcontroller
    • Speaker: Ziling LIAO
    • Author(s): Ziling LIAO, Philippe MAURINE, Florent BRUGUIER
    • Affiliation(s): LIRMM
    • Abstract: Program flow attacks involve disrupting the instruction execution flow in microcontrollers (MCUs), thereby threatening their operation. While traditional studies focus on program counter or instruction corruptions within pipeline operation, little attention has been paid to the stages between the memory and the CPU, such as the FLASH accelerators. Electromagnetic Fault Injection (EMFI) and Body Bias Injection (BBI) are two fault injection techniques. Based on different physical coupling with the circuit, both of them are able to cause localized disruptions in integrated circuits (ICs). While EMFI has been popular in the community for various directions including program flow attacks, the research on BBI has been limited to demonstrating its efficiency and modeling the induced perturbations. Within this context, our research has revealed the vulnerability of the FLASH accelerator of a widely used 32-bit MCU. We demonstrated that EMFI and BBI attacks can both disrupt instruction buffer updates in the FLASH accelerator, causing instruction lines, at the granularity of the buffer length, to be skipped or repeated, which can potentially be exploited to bypass security checks or induce faults in cryptographic operations.
  • Finding a polytope: A practical fault attack against Dilithium
    • Speaker: Paco Azevedo-Oliveira
    • Author(s): Paco Azevedo-Oliveira, Andersson Calle Viera, Benoît Cogliati, Louis Goubin
    • Affiliation(s): Thales CDI, France and Laboratoire de Mathématiques de Versailles, UVSQ
    • Abstract: In Dilithium, the rejection sampling step is crucial for the proof of security and correctness of the scheme. However, to our knowledge, there is no attack in the literature that takes advantage of an attacker knowing rejected signatures. The aim of this paper is to create a practical black-box attack against Dilithium with a weakened rejection sampling. We succeed in showing that an adversary with enough rejected signatures can recover Dilithium’s secret key in less than half an hour on a desktop computer. There is one possible application for this result: by physically preventing one of the rejection sampling tests from happening, we obtain two fault attacks against Dilithium.
  • Fuzzing black-box devices using side-channel feedback
    • Speaker: Ulysse Vincenti
    • Author(s): Ulysse Vincenti, Thomas Hiscock, David Hely
    • Affiliation(s): CEA-LETI
    • Abstract: Fuzzing is a widely used technique for security assessment and vulnerability discovery. It involves repeatedly generating inputs and feeding them into a target system under test to trigger unexpected behaviors. The most effective fuzzers leverage knowledge of the target firmware or its source code to generate inputs using advanced algorithms. This presentation will focus on the challenges of fuzzing black-box systems. We will explain what makes them difficult to fuzz and review existing techniques in the literature. Then, we will introduce a new method that converts physical side-channel information (e.g., electromagnetic leakages, power measurements) into coverage information and uses it to drive a LibAFL fuzzer. Finally, we will show practical validation of this approach on a microcontroller, both through emulation and on a real side-channel bench using electromagnetic measurements. On realistic benchmarks (JSON parser, JPEG decoder, etc.) on the target device, we observed promising branch coverage improvements over a random fuzzer.
  • Logic Locking Schemes Resilience Against Power Analysis Attacks
    • Speaker: Nassim Riadi
    • Author(s): Nassim Riadi, Marie-Lise Flottes, Florent Bruguier, Sophie Dupuis, Pascal Benoit
    • Affiliation(s): LIRMM
    • Abstract: The globalization of the semiconductor industry has introduced numerous threats to Integrated Circuits (ICs) and Intellectual Properties (IPs). These threats include IP piracy, overproduction, and the potential insertion of hardware Trojans, all of which can compromise valuable design information and undermine trust in the design and manufacturing processes. Logic Locking (LL) is a widely adopted Design-for-Trust technique aimed at protecting against these threats at various stages, from the design house to the end user. Over the years, LL schemes have evolved to withstand a variety of attacks. Among these, Corrupt and Correct (CAC)-based LL approaches are considered the most advanced, providing robustness against many types of attacks and generally assumed to be resistant to SAT attacks and Differential Power Analysis (DPA). However, we propose a new DPA attack framework designed to challenge these approaches. Our results demonstrate that it is possible to reveal up to 100% of the key bits used in locked designs through DPA while targeting advanced SAT-resilient locking schemes such as SFLL-HD^0, CAC2.0, SFLL-HD^h and the compound approach. The experiments were conducted on ISCAS’85 and ITC’99 synthesized benchmarks, providing a pre-silicon evaluation of the resilience of LL schemes against power analysis-based attacks. We also provide insights into why DPA attacks are effective in scenarios where SAT attacks are not.
  • New Techniques for Random Probing Security and Application to Raccoon Signature Scheme
    • Speaker: Sonia Belaid
    • Author(s): Sonia Belaid
    • Affiliation(s): CryptoExperts
    • Abstract: The random probing model formalizes a leakage scenario where each wire in a circuit leaks with probability p. This model holds practical relevance due to its reduction to the noisy leakage model, which is widely regarded as the appropriate formalization for power and electromagnetic side-channel attacks. In this talk, we introduce new techniques to enhance random probing security with efficient constructions. We present cardinal Random Probing Composability (cardinal-RPC), a novel notion that enables more efficient composition of masking schemes while maintaining strong security guarantees. Additionally, we propose a new refresh technique that ensures arbitrary cardinal-RPC security, serving as a building block for constructing secure gadgets. We apply these techniques to Raccoon, a masking-friendly, lattice-based signature scheme. By extending the random probing security notions to handle auxiliary inputs and public outputs, we achieve the first provably secure post-quantum implementation in the random probing model. 
  • PhaseSCA: Exploiting Phase-Modulated Emanations in Side Channels
    • Speaker: Pierre Ayoub
    • Author(s): Pierre Ayoub, Aurélien Hernandez, Romain Cayre, Aurélien Francillon, Clémentine Maurice
    • Affiliation(s): LAAS-CNRS / EURECOM
    • Abstract: In recent years, the limits of electromagnetic side-channel attacks have been significantly expanded. However, while there is a growing literature on increasing attack distance or performance, the discovery of new phenomena about compromising electromagnetic emanations remains limited. In this work, we identify a novel form of modulation produced by unintentional electromagnetic emanations: phase-modulated emanations. This observation allows us to extract a side-channel leakage that can be exploited to reveal secret cryptographic material. We introduce a technique allowing us to exploit this side channel in order to perform a full AES key recovery, using cheap and common hardware equipment like a software-defined radio. Moreover, we demonstrate that the exploitation of this new phase leakage can be combined with traditional amplitude leakage to significantly increase attack performance. While investigating the underlying phenomenon causing this unintentional modulation, we identified several prior works that have approached similar exploitation — without being aware of each other. Creating a bridge between older and recent work, we unveil the relationship between digital jitter and signal phase shift in the context of side-channel attacks and fill the gap between prior works from various research fields.
  • PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM and HQC
    • Speaker: Antonio RAS
    • Author(s): Antonio Ras (1), Antoine Loiseau (1), Mikael Carmona (1), Simon Pontié (1,3), Guénaël Renault (3,4), Benjamin Smith (3) and Emanuele Valea (5)
    • Affiliation(s): CEA-LETI, Hardware Security Department – LIX, INRIA, CNRS, Ecole Polytechnique, Institut Polytechnique de Paris – ANSSI – Univ. Grenoble Alpes, CEA-List
    • Abstract: The security of the public-key cryptography protecting today and tomorrow’s communication is threatened by the advent of quantum computers. The transition to quantum-safe algorithms has begun: NIST has already standardized ML-KEM, a lattice-based KEM, and has selected HQC, a code-based KEM, for future standardization. The relative immaturity of all of these schemes encourages a crypto-agile approach, to facilitate easy transitions between schemes. Intelligent crypto-agility requires identifying and implementing efficient sharing strategies between operations, which is particularly challenging when considering cryptosystems belonging to different cryptographic families. Since the last HQC update, polynomial multiplication, implemented using 2-way Karatsuba as reference, has become the main bottleneck of the algorithm. An alternative state-of-the-art solution to replace this operation is the Frobenius Additive Fast Fourier Transform (FAFFT), an FFT-like operation applied in the binary field. We introduce PHOENIX, the first crypto-agile hardware coprocessor for ML-KEM and HQC with an effective agile sharing strategy, based on a new SuperButterfly unit, to accelerate polynomial multiplication operations with the Number Theoretic Transform (NTT) and the Frobenius Additive FFT (FAFFT). To our knowledge, PHOENIX is the first sharing strategy proposal in lattice-code crypto-agility, and also the first existing FAFFT hardware accelerator. We demonstrate how PHOENIX can be efficiently integrated into ML-KEM and HQC at all three security levels by integrating our proposal in a real System-on-Chip FPGA scenario. Our performance measurements show that efficient crypto-agility for lattice- and code-based KEMs can be provided with low overhead.
  • RISC-V + SiFive Security Solutions
    • Speaker: Yann LOISEL
    • Author(s): Yann LOISEL
    • Affiliation(s): SiFive
    • Abstract: The RISC-V International Association (RVIA) enables open, collaborative specification of architecture features for RISC-V systems. In addition to implementing those features, SiFive adds further value by designing and implementing additional features. Security is a key focus area for RISC-V and SiFive, and these slides provide an overview and details describing the features, how they are intended to be used and the relevant HW and SW enablement.
  • Secure Compilation—with the compiler, not against: first experiments on ‘Tracing LLVM’
    • Speaker: Sébastien Michelland
    • Author(s): Sébastien Michelland, Christophe Deleuze, Laure Gonnord
    • Affiliation(s): Université Grenoble-Alpes, Grenoble INP, LCIS
    • Abstract: Countermeasures against fault injection or side-channel attacks that have software components all face the same tension: on one hand, defeating accurate, micro-architectural attack models requires precise control of assembler code; on the other hand, security requirements are application-specific and originate in the source code (usually C). Countermeasures found in the literature almost never address this abstraction gap, usually finding ways to forsake either precise assembly output or control from source code, filling in the rest with compiler tricks that mostly work in practice but have no requirement to, and do fail whenever the compiler is “too smart”. This talk will discuss the role of software in defending against hardware vulnerabilities, advocate for co-designed software/hardware countermeasures, and in the process introduce Tracing LLVM, a modified LLVM compiler that helps build software countermeasures instead of hampering them.
  • Secure Migration to Post-Quantum Cryptography on Smartcard
    • Speaker: Aurélien Greuet
    • Author(s): Aurélien Greuet
    • Affiliation(s): IDEMIA Secure Transactions
    • Abstract: Classical public-key cryptography, based on RSA or elliptic curves, is vulnerable to quantum attacks. While large-scale quantum computers do not yet exist, most government agencies recommend migrating to Post-Quantum Cryptography (PQC) within the next decade to mitigate this threat. To ensure a secure transition, hybridization – combining classical and post-quantum cryptography – is strongly advised to prevent security regressions. Additionally, implementing secure update mechanisms, known as crypto-agility, is essential for adapting to evolving standards. However, quantum-safe algorithms, hybridization, and crypto-agility often demand more memory and processing power than traditional cryptographic schemes, posing significant challenges for smartcards and secure elements. These devices, widely used in bank cards, SIM cards, and passports, must meet strict security and performance constraints, making PQC deployment particularly complex. We present an overview of these constraints and describe a proof of concept on the feasibility of hybrid cryptography and crypto-agility implementation on current smartcards.
  • SRAM PUF for secure firmware updates of IoT devices
    • Speaker: Nicolas Moro
    • Author(s): Noemie Beringuier-Boher, Roel Maes, Nicolas Moro, Sander Steeghs-Turchina, Peet van Tooren, Andries Stam
    • Affiliation(s): Synopsys
    • Abstract: The rapid growth of the Internet of Things (IoT) has led to billions of connected devices across various industries, bringing both opportunities and security challenges. Firmware updates are essential for addressing vulnerabilities, fixing bugs, and introducing new features. However, insecure update mechanisms can be exploited by attackers to inject malicious code, compromising entire networks. To enhance security, we leverage our SRAM PUF technology, which provides a unique hardware-based fingerprint for each device. This ensures that only authenticated updates are applied, preventing unauthorized access and tampering. In this presentation, we will first introduce the benefits of our SRAM PUF technology. We will demonstrate that SRAM PUF is particularly well-suited for this application because it requires no additional hardware while offering a robust, unclonable identity derived from inherent manufacturing variations. We will then showcase its integration with MCUBoot, replacing the need for secure storage to protect MCUBoot’s usual cryptographic keys by utilizing SRAM PUF. Preliminary testing results on an STM32 platform confirm its easy integration and show promising outcomes. Finally, we will outline our plan to integrate SRAM PUF technology into Crownstone, an IoT product, further reinforcing the security of connected systems. By leveraging SRAM PUF, Crownstone’s firmware update cycle will be enhanced to securely update hundreds of devices distributed across a building.
  • Understanding and Mitigating EM Fault Injection
    • Speaker: Roukoz Nabhan
    • Author(s): Roukoz Nabhan
    • Affiliation(s): Mines Saint-Etienne
    • Abstract: The security of connected objects, which are ubiquitous in our daily lives, remains a challenge. Indeed, the integrated circuits that compose them are constantly exposed to risks such as hardware attacks through fault injection, particularly those via electromagnetic disturbances (EMFI). This presentation explores the mechanisms behind EMFI-based attacks, aiming to enhance the understanding required for developing an effective detection sensor. Experimental studies conducted on an FPGA ascertained that EMFI exploits two distinct mechanisms. At high frequencies, electromagnetic disturbances, coupled with the target’s power distribution network, cause violations of temporal constraints by extending the propagation time. However, at lower frequencies, disturbances, coupled with the target’s clock distribution network, induce voltage glitches on the clock tree. By integrating these two mechanisms under the model of fault violations of temporal constraints, a comprehensive and in-depth understanding of the characteristics of these mechanisms is obtained, constituting a key contribution of this work. Building on these findings, this work proposes a new architecture for an EMFI detection sensor, validated through experimental campaigns on a hardware platform with an EMFI injection bench. The validation experiments were supported by spatial and temporal sensitivity maps covering the full-frequency spectrum of the target, which confirmed the effectiveness of the sensor.
  • Using Photon Emission Microscopy as a Hardware Attack Tool
    • Speaker: Jean-Max Dutertre
    • Author(s): Rodrigo Silva Lima (1,2), Hugo Perrin (1), Raphael Viera (1), Jean-Baptiste Rigaud (1), William Magrini (2), Matthieu Pommies (2), Anthony Bertrand (2), Jean-Max Dutertre (1)
    • Affiliation(s): (1) Mines Saint-Etienne, (2) Alphanov
    • Abstract: Photonic Emission Microscopy (PEM) stands out among other side-channel techniques because it can provide an attacker with a complete view of the (otherwise hidden) internal operations of an integrated circuit. It has proven to be a useful tool for failure analysis. However, it is a dual-use tool that can also be used for attack purposes. PEM can be carried out through the backside of an integrated circuit, since the photons emitted by the target’s switching transistors travel well through the silicon substrate. The photons are then captured by an InGaAs (or CCD) camera to produce a photon emission map that reveals the location of the target’s active logic blocks. This makes PEM a powerful backside contactless observation tool with access to the entire target area. It can be used to locate points of interest to facilitate further hardware attacks (e.g., a laser fault injection attack), or even to extract confidential data (e.g., cryptographic keys). This talk will address: (1) the use of PEM to locate the registers of a microcontroller for the purpose of facilitating further LFI attacks, and (2) how PEM can be used to extract data from a microcontroller’s embedded SRAM or Flash memories as they are written or read. The strong constraints and limitations of PEM will be discussed and the mechanisms behind light emission in ICs will be explained. The optical setup used and the operational characteristics of embedded MCU memories are described. The talk also aims to raise awareness of this threat by presenting realistic attack scenarios that overcome the limitations of PEM.

Posters

The poster session programme will be available soon.