LEDGER

# Breaking a Recent SoC's Hardware AES Accelerator Using Body Biasing Injection

Karim M. Abdellatif, PhD





- Several security devices have been deployed in the market
- Hardware security evaluation is "must"
- Being updated with new/recent attack techniques is **important**



Source: bitcoinmagazine.com

### FAULT ATTACKS

- \_ \_ J
- Perturbing the chip during sensitive operations
  - Secure boot <sup>1</sup>
  - Cryptographic operations (AES, DES, RSA, ...)  $^2$





<sup>&</sup>lt;sup>1</sup>Albert Spruyt and Niek Timmers, "Bypassing Secure Boot Using Fault Injection", Black Hat Europe 2016.

<sup>&</sup>lt;sup>2</sup>Yifan Lu, "Attacking Hardware AES of PlayStation with DFA", 2019

#### **Power Glitches**



- The main idea is to drop the VDD of the chip for a short time (ns) during the sensitive operation
- This can be done using a MOSFET
- A challenge when the chip has different VDD sources
- It doesn't need any chip decapping





<sup>3</sup>Karim Abdellatif and Olivier Hériveaux , "Keep it Cheap: Multiple Faults Attacks in Practice", JAIF 2020.



- Injecting electromagnetic field into the chip to create perturbations
- High voltage pulse is injected to the probe to create EMFI
- It may need decapping the chip (packaging thickness)





EM Setup 4



<sup>&</sup>lt;sup>4</sup>Karim Abdellatif and Olivier Hériveaux , "SiliconToaster: A Cheap and Programmable EM Injector for Extracting Secrets", FDTC 2020.

Laser Attack



- It needs decapping the chip
- The laser energy will induce a current into transistors
- The induced current can temporarily invert the output of a logic cell, thus possibly generating an error in the circuit
- Expensive setup



Decapped chip 5



Laser Setup

<sup>&</sup>lt;sup>5</sup>Olivier Hériveaux , "Black-box Laser Fault Injection on a Secure Memory", SSTIC 2020.

### **BODY BIASING INJECTION (BBI)**

#### **Body Biasing Injection**

- It was proposed by P. Maurine <sup>6</sup>
- The main idea of BBI is to apply a voltage pulse onto the backside of the integrated circuit die by using a needle
- It needs decapping the chip
- It generates a localized ground glitching.

Source: Langer





<sup>&</sup>lt;sup>6</sup>P. Maurine, K. Tobich, T. Ordas, and P. Liardet, "Yet Another Fault Injection Technique:by Forward Body Biasing Injection", YACC, 2012.

#### **Body Biasing Injection**







Simulated BBI effect as shown in

<sup>6</sup>P. Maurine, K. Tobich, T. Ordas, and P. Liardet, "Yet Another Fault Injection Technique:by Forward Body Biasing Injection", YACC, 2012.

**CARDIS 2020** 







BBI setup shown in 7

<sup>&</sup>lt;sup>7</sup>Colin O'Flynn, "Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices", CARDIS 2020.

### HOMEMADE BBI SETUP

### Improving CARDIS 2020





#### Pulse Polarity + External power supply



BBI setup shown in

<sup>&</sup>lt;sup>7</sup>Colin O'Flynn, "Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices", CARDIS 2020.

#### Homemade BBI injector





#### Homemade BBI injector: SiliconBaguette





- The MCU is used to control charging/discharging the capacitors (**Programmability up to 250V**)
- Positive and negative voltage pulses (Dual polarity)
- Credits for soldering small components and PCB support goes to Olivier Hériveaux



- Transformer Turns Ratio = 1:50
- Max Voltage = 5 x 50 = 250V





- A low-cost and low-power system on chip (SoC)
- It is a single 2.4 GHz Wi-Fi-and-Bluetooth chip designed with the TSMC 40 nm technology
- Recently, it has been deployed in a hardware wallet as the main MCU

#### Validation







Running the glitchable application + Scanning the overall chip surface + Dual polarity

Setup







#### **Successful faults**





Positive pulse



#### **Polarity difference**





### **BREAKING HW AES**



- The DUT has cryptographic hardware accelerators: AES, SHA-2, RSA, Elliptic Curve Cryptography (ECC), Random Number Generator (RNG)
- AES-128 was selected as an evaluation target using BBI

**HW AES-128** 





#### Leakage detection <sup>8</sup>



<sup>8</sup>S. Bhasin, J. Danger, S. Guilley, Z. Najm, "NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage", IACR 2013



### Differential Fault Analysis <sup>9</sup>





• Two faults are needed for each column to attack the overall key of AES-128

<sup>&</sup>lt;sup>9</sup>P. Dusart, G. Letourneux, O. Vivolo, "Differential fault analysis on AES", 2003.

#### **Fault Analysis**





Faulting the communication of Ciphertexts using 250V  $\,$ 



Faulting the AES using 500V (external power supply)

DFA





Faulted AES power consumption

- 140
- 120
- 120
- 100
- 80
- 60
- 40
- 20
- 20
- 1
- 2
- - 0

Single byte faults in round 9 of the AES after 10K iterations

Obtained faults in round 9 are sufficient to extract the overall key of the AES-128.

<sup>&</sup>lt;sup>9</sup>P. Dusart, G. Letourneux, O. Vivolo, "Differential fault analysis on AES", 2003.





- Be careful during decapping the chip
- High voltages may damage the chip (I damaged 3 chips)
- Avoid moving the needle (X and Y), while it is in fully touch with the chip



Post experiment

## CONCLUSION



- A cheap (and compact) setup for BBI was presented
- Breaking the HW AES of a recent SoC in few hours (10K trials)
- The SiliconBaguette will be released in few days on GitHub
- Future work
  - Evaluating more SoCs
  - Studying the effect of BBI on fault detectors (ex: glitch detectors)

### THANK YOU. QUESTIONS?



Karim M. Abdellatif, PhD e-mail: karim.abdellatif@ledger.fr