Automated Profiling Method for Laser Fault Injection in FPGAs

  • Jakub BreierEmail author
  • Wei He
  • Shivam Bhasin
  • Dirmanto Jap
  • Samuel Chef
  • Hock Guan Ong
  • Chee Lip Gan


Obtaining a knowledge of internal structure of a Field Programmable Gate Array (FPGA), together with the vulnerable spots that can be targeted by a laser fault injection, can be a time-consuming task when done manually. In this chapter, we present an automated method to identify regions of interest in an FPGA, such as logic arrays and cells. Such method identifies circuits that are implemented in FPGA and helps the attacker to determine which fault models are achievable with a given laser fault injection equipment. The chapter follows a step-by-step methodology of evaluation, starting with the chip decapsulation and preparation, followed by the characterization of the laser pulse interaction with the silicon. Later it focuses on the automated profiling itself, with a case study on Virtex-5 FPGA.


  1. 1.
    M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta, A. Tria, Single-bit DFA using multiple-byte laser fault injection, in IEEE International Conference on Technologies for Homeland Security (HST), 2010 (IEEE, Piscataway, 2010), pp. 113–119Google Scholar
  2. 2.
    M. Alderighi, F. Casini, S. d’Angelo, M. Mancini, S. Pastore, G.R. Sechi, Evaluation of single event upset mitigation schemes for SRAM based FPGAs using the FLIPPER fault injection platform, in 22nd IEEE International Symposium on Defect and Fault-Tolerance in VLSI Systems, 2007. DFT’07 (IEEE, Piscataway, 2007), pp. 105–113Google Scholar
  3. 3.
    R.J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems (Wiley, Hoboken, 2010)Google Scholar
  4. 4.
    N. Bagheri, R. Ebrahimpour, N. Ghaedi, New differential fault analysis on present. EURASIP J. Adv. Signal Process. 2013(1), 145 (2013)Google Scholar
  5. 5.
    N. Bagheri, N. Ghaedi, S.K. Sanadhya, Differential fault analysis of SHA-3, in Progress in Cryptology–INDOCRYPT 2015 (Springer, Cham, 2015), pp. 253–269zbMATHGoogle Scholar
  6. 6.
    J. Beutler, Visible light LVP on bulk silicon devices, in 41st International Symposium for Testing and Failure Analysis (November 1–5, 2015) (Asm, Novelty, 2015), pp. 1–8Google Scholar
  7. 7.
    A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: an ultra-lightweight block cipher, in Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems, CHES ‘07 (Springer, Berlin, 2007), pp. 450–466zbMATHGoogle Scholar
  8. 8.
    D. Boneh, R.A. DeMillo, R.J. Lipton, On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)MathSciNetCrossRefGoogle Scholar
  9. 9.
    J. Breier, D. Jap, Testing feasibility of back-side laser fault injection on a microcontroller, in Proceedings of the WESS’15: Workshop on Embedded Systems Security (ACM, New York, 2015), p. 5Google Scholar
  10. 10.
    S.P. Buchner, F. Miller, V. Pouget, D.P. McMorrow, Pulsed-laser testing for single-event effect investigations. IEEE Trans. Nucl. Sci. 60(3), 1852–1875 (2013)CrossRefGoogle Scholar
  11. 11.
    G. Canivet, P. Maistri, R. Leveugle, J. Clédière, F. Valette, M. Renaudin, Glitch and laser fault attacks onto a secure AES implementation on a SRAM-based FPGA. J. Cryptol. 24(2), 247–268 (2011)CrossRefGoogle Scholar
  12. 12.
    F. Courbon, P. Loubet-Moundi, J.J.A. Fournier, A. Tria, Adjusting laser injections for fully controlled faults, in International Workshop on Constructive Side-Channel Analysis and Secure Design (Springer, Cham, 2014), pp. 229–242Google Scholar
  13. 13.
    N.T. Courtois, K. Jackson, D. Ware, Fault-algebraic attacks on inner rounds of DES, in e-Smart’10 Proceedings: The Future of Digital Security Technologies (Strategies Telecom and Multimedia, Montreuil, 2010)Google Scholar
  14. 14.
    J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A. Triaz, Reproducible single-byte laser fault injection, in Conference on Ph.D. Research in Microelectronics and Electronics (PRIME), 2010 (IEEE, Piscataway, 2010), pp. 1–4Google Scholar
  15. 15.
    W. He, A. Otero, E. de la Torre, T. Riesgo, Customized and automated routing repair toolset towards side-channel analysis resistant dual rail logic. Microprocess. Microsyst. 38(8), 899–910 (2014)CrossRefGoogle Scholar
  16. 16.
    F.L. Kastensmidt, L. Tambara, D.V. Bobrovsky, A.A. Pechenkin, A.Y. Nikiforov, Laser testing methodology for diagnosing diverse soft errors in a nanoscale SRAM-based FPGA. IEEE Trans. Nucl. Sci. 61(6), 3130–3137 (2014)CrossRefGoogle Scholar
  17. 17.
    P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in Annual International Cryptology Conference (Springer, Berlin, 1999), pp. 388–397zbMATHGoogle Scholar
  18. 18.
    H. Lohrke, P. Scholz, C. Boit, S. Tajik, J.-P. Seifert, Automated detection of fault sensitive locations for reconfiguration attacks on programmable logic, in Proceedings of the 42nd International Symposium for Testing and Failure Analysis (ASM, Washington, 2016), pp. 1–6Google Scholar
  19. 19.
    A. Moradi, V. Immler, Early propagation and imbalanced routing, how to diminish in FPGAS, in Cryptographic Hardware and Embedded Systems–CHES 2014 (Springer, Berlin, 2014), pp. 598–615zbMATHGoogle Scholar
  20. 20.
    J.C.H. Phang, D.S.H. Chan, M. Palaniappan, J.M. Chin, B. Davis, M. Bruce, J. Wilcox, G. Gilfeather, C.M. Chua, L.S. Koh, H.Y. Ng, S.H. Tan, A review of laser induced techniques for microelectronic failure analysis, in Proceedings of the 11th International Symposium on the Physical and Failure Analysis of Integrated Circuits. IPFA 2004, July (2004), pp. 255–261Google Scholar
  21. 21.
    V. Pouget, A. Douin, D. Lewis, P. Fouillat, G. Foucard, P. Peronnard, V. Maingot, J. Ferron, L. Anghel, R. Leveugle, R. Velazco, Tools and methodology development for pulsed laser fault injection in SRAM-based FPGAs, in 8th LATW’07, (IEEE Computer Society, Piscataway, 2007)Google Scholar
  22. 22.
    C. Roscian, J.-M. Dutertre, A. Tria, Frontside laser fault injection on cryptosystems-application to the AES’last round, in IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2013 (IEEE, Piscataway, 2013), pp. 119–124Google Scholar
  23. 23.
    C. Roscian, A. Sarafianos, J.-M. Dutertre, A. Tria, Fault model analysis of laser-induced faults in SRAM memory cells, in Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2013 (IEEE, Piscataway, 2013), pp. 89–98Google Scholar
  24. 24.
    N. Selmane, S. Bhasin, S. Guilley, T. Graba, J.-L. Danger, WDDL is protected against setup time violation attacks, in Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2009 (IEEE, Piscataway, 2009), pp. 73–83CrossRefGoogle Scholar
  25. 25.
    B. Selmke, S. Brummer, J. Heyszl, G. Sigl, Precise laser fault injections into 90 nm and 45 nm SRAM-cells, in International Conference on Smart Card Research and Advanced Applications (Springer, Cham, 2015), pp. 193–205Google Scholar
  26. 26.
    P. Swierczynski, G.T. Becker, A. Moradi, C. Paar, Bitstream fault injections (BIFI) – automated fault attacks against SRAM-based FPGAS. IEEE Trans. Comput. PP(99), 1–14 (2017)Google Scholar
  27. 27.
    S. Tajik, H. Lohrke, F. Ganji, J.P. Seifert, C. Boit, Laser fault attack on physically unclonable functions, in 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), September (2015), pp. 85–96Google Scholar
  28. 28.
    M. Tunstall, D. Mukhopadhyay, S. Ali, Differential fault analysis of the advanced encryption standard using a single fault, in IFIP International Workshop on Information Security Theory and Practices (Springer, Berlin, 2011), pp. 224–233Google Scholar
  29. 29.
    K. Wu, R. Karri, G. Kuznetsov, M. Goessel, Low cost concurrent error detection for the advanced encryption standard, in Proceedings 2004 International Test Conference, ITC 2004 (IEEE, Piscataway, 2004), pp. 1242–1248Google Scholar
  30. 30.
    F. Zhang, S. Guo, X. Zhao, T. Wang, J. Yang, F.-X. Standaert, D. Gu, A framework for the analysis and evaluation of algebraic fault attacks on lightweight block ciphers. IEEE Trans. Inf. Forensics Secur. 11(5), 1039–1054 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Jakub Breier
    • 1
    Email author
  • Wei He
    • 2
  • Shivam Bhasin
    • 3
  • Dirmanto Jap
    • 3
  • Samuel Chef
    • 3
  • Hock Guan Ong
    • 4
  • Chee Lip Gan
    • 3
  1. 1.Underwriters LaboratoriesSingaporeSingapore
  2. 2.Shield LaboratoryHuawei International Pte. Ltd.SingaporeSingapore
  3. 3.Temasek LaboratoriesNanyang Technological UniversitySingaporeSingapore
  4. 4.Smart Memories Pte LtdSingaporeSingapore

Personalised recommendations