Design and Implementation of a Waveform-Matching Based Triggering System
Implementation attacks such as side channel attacks and fault attacks require triggering mechanisms to activate the acquisition device or fault injection equipment. Most academic works work with a very simple and reliable trigger mechanism where the device under test itself provides a dedicated signal. This however is not possible in real attack scenarios. Here the alternative is to use IO signals or coarse features of the side channel signal (co-processor switches on, power consumption goes up) for triggering. However, fault injection in particular requires very accurate timing. Our work deals with the many scenarios where such simple triggering mechanisms are not available or not effective. We present our design, architecture and FPGA implementation of a waveform-matching based triggering system. Our configurable trigger box is able to sample and match an arbitrary waveform with a latency of 128 ns. We provide results of our experimental evaluation on devices and side channel signals of different nature, and discuss the influence of several parameters.
KeywordsTriggering Waveform matching Fault injection
We would like to thank Victor Förster for initial contributions to the system’s design and architecture. This work was supported in part by the Research Council KU Leuven: C16/15/058. In addition, this work was supported by the Flemish Government, FWO G.0550.12N, by the Hercules Foundation AKUL/11/19, and through the Horizon 2020 research and innovation programme under grant agreement 644052 HECTOR. Benedikt Gierlichs is a Postdoctoral Fellow of the Fund for Scientific Research - Flanders (FWO).
- 1.BeagleBone Black Starting Guide. Beagleboard.org. http://beagleboard.org/getting-started. Accessed Dec 2015
- 2.Cyclone IV GX FPGA Development Kit. Altera. https://www.altera.com/products/boards_and_kits/dev-kits/altera/kit-cyclone-iv-gx.html. Accessed Dec 2015
- 3.Highspeed AD/DA Card. Terasic. http://www.terasic.com.tw/cgi-bin/page/archive.pl?No=278. Accessed Dec 2015
- 4.icWaves Datasheet. Riscure. https://www.riscure.com/security-tools/hardware/icwaves. Accessed Dec 2015
- 5.Agoyan, M., Dutertre, J., Mirbaha, A., Naccache, D., Ribotta, A., Tria, A.: How to flip a bit? In: IOLTS, pp. 235–239. IEEE Computer Society (2010)Google Scholar
- 7.Balasch, J., Gierlichs, B., Verbauwhede, I.: An In-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In: Breveglieri, L., Guilley, S., Koren, I., Naccache, D., Takahashi, J. (eds.) FDTC, pp. 105–114. IEEE Computer Society (2011)Google Scholar
- 13.Dehbaoui, A., Dutertre, J., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: Bertoni, G., Gierlichs, B. (eds.) FDTC, pp. 7–15. IEEE Computer Society (2012)Google Scholar
- 15.Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
- 18.Quisquater, J.-J., Samyde, D.: Eddy current for magnetic analysis with active sensor. In: Esmart 2002, pp. 185–194 (2002)Google Scholar
- 19.Schmidt, J., Herbst, C.: A practical fault attack on square and multiply. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J. (eds.) FDTC, pp. 53–58. IEEE Computer Society (2008)Google Scholar
- 21.van Woudenberg, J.G.J., Witteman, M.F., Menarini, F.: Practical optical fault injection on secure microcontrollers. In: Breveglieri, L., Guilley, S., Koren, I., Naccache, D., Takahashi, J. (eds.) FDTC, pp. 91–99. IEEE Computer Society (2011)Google Scholar