General context
Today, as the Internet of Things (IoT) and connected systems continue to grow, billions of microcontrollers are deployed as state-of-the-art devices in a very wide range of applications, from industrial automation to healthcare. Such massive diffusion of embedded devices into mission-critical functions brings significant security implications, owing to the hardware and software vulnerabilities of these devices [1]. For example, 1,000 billion microchips were manufactured in 2021, and according to a recent European survey, demand for chips is set to double between 2022 and 2032. These components have become a major strategic issue and a central pillar of an economy undergoing a global digital transformation that has accelerated since the Covid-19 pandemic. Indeed, recent global shortages of semiconductors have led to plant closures and a slowdown in production in certain sectors, notably the automotive and healthcare industries, demonstrating Europe’s – and therefore our own – heavy dependence on Asian countries in the electronics value chain. Europe accounts for just 10% of the global microchip market, led by STMicroelectronics (France/Italy) and Infineon (Germany). In response to this situation, the European Chips Act came into force to strengthen Europe’s competitiveness and secure the supply of semiconductors. At national level, this legislative effort is accompanied by the Plan France 2030, which aims to develop the electronics industry and double the country’s production capacity, for example via the ‘mega-fab’ project (STMicroelectronics and GlobalFoundries), and to support innovations that deliver cutting-edge technologies in terms of performance, energy efficiency and the security of integrated circuits, particularly Systems-on-Chip (SoCs), which make up the latest generation of microcontrollers.
The efforts made by governments and circuit manufacturers clearly demonstrate the interest in SoCs. However, the increasing proliferation of connected objects means that the sensitive information held in hardware needs to be secured. Many processing chips incorporate encryption systems; however, a processor can only process operations ‘in the clear’, i.e. on decrypted data. Operations can therefore be ‘eavesdropped’ on, and it is possible to deduce the encryption key and thereby access sensitive information.
Integrated circuit manufacturers protect their circuits as effectively as possible: adding countermeasures, limiting the extra power consumption they cause, reducing the physical footprint of encryption modules, increasing design complexity. However, the prohibitive cost of these solutions makes it impossible to protect a circuit completely.
Currently, integrated circuit designers and integrators use two main physical attack techniques to assess the security level of components containing embedded information: side-channel attacks (SCA) and fault injection attacks. The SCA approach is passive and consists of observing the target’s activity (e.g. power consumption, electromagnetic emissions) for attack purposes. SCA attacks are particularly well known for extracting the secret keys used by cryptographic algorithms, by applying statistical analysis or deep learning to the leakage measured on the side channels.
The fault injection attack is active and consists of disrupting the logic gates responsible for encryption activities. The data and instructions are then altered, and the behaviour of the circuit (output function: temporal, logical or functional) is studied to observe the consequences of this disruption. If these consequences vary, a statistical analysis can potentially trace them back to the circuit’s encryption key, or the fault can simply skip the PIN access code verification. The source of disturbance used for fault injection can be an increase in temperature, a change in the supply voltage, exposure to an electromagnetic field, a change in the clock period, the application of a very high voltage pulse, body biasing, etc. More particularly, the external source of disturbance can also be an optical source (Optical Fault Injection, OFI) or a laser (Laser Fault Injection, LFI), generating a disturbance of the order of the processor’s cycle time. Integrated circuits and systems-on-chip (SoCs) are present in all modern electronic devices, and the security of these systems relies on the security of the secret keys (resident keys) stored in secure hardware modules. Locating these modules and extracting the keys they contain is a real threat to the systems. Manufacturers consider that the increasing complexity of integrated circuits offers intrinsic protection and a barrier against attacks, but this is not always sufficient: there are still methods of extracting sensitive information from devices, even in the presence of countermeasures. In this sense, optical tools, and in particular the laser tools used for optical probing or laser fault injection into integrated devices, are particularly relevant [2].
Under laser irradiation, singular effects called Single Event Effects (SEEs) can occur in silicon. SEEs include Single Event Upsets (SEUs), which correspond to bit flips in a memory cell, and Single Event Transients (SETs), also known as voltage or current glitches. Other possible effects are permanent damage or an error that is reversible after a reset, for example a latch-up or a burn-out. From a physical point of view, these effects result from the generation of charge carriers by the absorption of infrared (IR) photons in bulk silicon, which induces a parasitic current in electronic devices and circuits, which can in turn lead to faults that an attacker can exploit. This phenomenon is known as laser fault injection (LFI). An important point for the future is precise and shorter temporal control of the injected fault; for all these reasons, picosecond laser fault injection is a promising technique and is also expected to keep pace with the increasing clock frequencies of microcontrollers.
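To make concrete why a single SEU matters for the PIN verification mentioned above, and how firmware is typically hardened against it, the following C program is an added illustration that is not part of this text or of the cited works. It models the bit flip in software (an XOR mask on a result register, standing in for the physical upset) and places a naive one-boolean PIN check beside a hardened check that computes the result twice, encodes it in full-width status words that are bitwise complements of each other, and treats any disagreement as a detected fault. The stored PIN, the wrong PIN and the three status constants are constructed, hypothetical values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demonstration (not from the page): a naive PIN check whose
 * single boolean result can be inverted by one bit flip, beside a hardened
 * check that uses redundant computation and non-trivial status constants.
 * STORED_PIN and the status codes are hypothetical values chosen here. */

#define PIN_LEN 4
static const uint8_t STORED_PIN[PIN_LEN] = {1, 2, 3, 4}; /* constructed */

/* Hypothetical status codes: GRANTED and DENIED are bitwise complements,
 * so no single-bit (or few-bit) upset can turn one into the other. */
#define ACCESS_GRANTED 0x3CA5965Au
#define ACCESS_DENIED  0xC35A69A5u
#define ACCESS_FAULT   0x0F0F0F0Fu /* inconsistency detected: treat as an attack */

/* Naive check: one comparison, one boolean. An upset that flips the
 * low bit of the result (0 -> 1) grants access with a wrong PIN. */
int pin_check_naive(const uint8_t *pin)
{
    return memcmp(pin, STORED_PIN, PIN_LEN) == 0;
}

/* Software model of an SEU on a 32-bit register: XOR with a bit mask. */
uint32_t seu_flip(uint32_t value, uint32_t mask)
{
    return value ^ mask;
}

/* Naive check with a simulated upset on its result register. */
int pin_check_naive_with_seu(const uint8_t *pin, uint32_t mask)
{
    return seu_flip((uint32_t)pin_check_naive(pin), mask) != 0;
}

/* Consistency decision used by the hardened check: both redundant
 * results must agree and must be one of the two expected constants. */
uint32_t hardened_decide(uint32_t r1, uint32_t r2)
{
    if (r1 != r2)
        return ACCESS_FAULT;
    if (r1 != ACCESS_GRANTED && r1 != ACCESS_DENIED)
        return ACCESS_FAULT;
    return r1;
}

/* Hardened check: the comparison is done twice (forward and backward
 * order), each producing a full-width status word. `mask` simulates an
 * SEU hitting the first result register after it was computed; pass 0
 * for fault-free operation. In production code the intermediate values
 * would be declared volatile so the compiler cannot merge the two loops. */
uint32_t pin_check_hardened(const uint8_t *pin, uint32_t mask)
{
    uint32_t r1 = ACCESS_DENIED, r2 = ACCESS_DENIED;
    uint8_t diff1 = 0, diff2 = 0;
    int i;

    for (i = 0; i < PIN_LEN; i++)
        diff1 |= (uint8_t)(pin[i] ^ STORED_PIN[i]);
    if (diff1 == 0)
        r1 = ACCESS_GRANTED;

    for (i = PIN_LEN - 1; i >= 0; i--)
        diff2 |= (uint8_t)(pin[i] ^ STORED_PIN[i]);
    if (diff2 == 0)
        r2 = ACCESS_GRANTED;

    r1 = seu_flip(r1, mask); /* simulated upset; no change when mask == 0 */
    return hardened_decide(r1, r2);
}

/* Returns 1 if every single-bit upset on r1 is caught (never GRANTED)
 * for the given wrong PIN, 0 if some flip yields ACCESS_GRANTED. */
int hardened_resists_single_flips(const uint8_t *wrong_pin)
{
    unsigned bit;
    for (bit = 0; bit < 32; bit++) {
        if (pin_check_hardened(wrong_pin, 1u << bit) == ACCESS_GRANTED)
            return 0;
    }
    return 1;
}

int main(void)
{
    const uint8_t wrong[PIN_LEN] = {1, 2, 3, 9}; /* constructed */
    printf("naive, wrong PIN, bit 0 flipped: %d\n",
           pin_check_naive_with_seu(wrong, 1u));
    printf("hardened, wrong PIN, bit 0 flipped: 0x%08X\n",
           (unsigned)pin_check_hardened(wrong, 1u));
    printf("hardened resists all single flips: %d\n",
           hardened_resists_single_flips(wrong));
    return 0;
}
```

With the wrong PIN, the naive check returns 1 (access granted) as soon as bit 0 of its result is flipped, whereas the hardened check returns ACCESS_FAULT for every one of the 32 possible single-bit upsets on its first result register, because the second computation no longer agrees and the flipped word is not a valid status code. The software XOR only stands in for the physical SEU; the point of the model is that the fault-free and faulted paths are both visible in one run, which is how such countermeasures are usually unit-tested before being evaluated on real hardware.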
References
[1] N. Timmers, A. Spruyt, and M. Witteman, “Controlling PC on ARM Using Fault Injection”, in 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), Santa Barbara, CA, USA: IEEE, Aug. 2016, pp. 25-35. doi: 10.1109/FDTC.2016.18.
[2] T. Krachenfels, T. Kiyan, and S. Tajik, “Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks”, in USENIX Security Symposium 2021, pp. 627-644.
