Switch-Glitch : Location of Fault Injection Sweet Spots by Electro-Magnetic Emanation

While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based on a single trace per location, which is then used to find promising spatial EMFI positions. We chose an STM32F303 microcontroller, which shows that the injection locations that result in data modification are almost entirely contained within areas of high Signal-to-Noise Ratio (SNR). An EMFI based attack can be accelerated up significantly using this relationship.     «

While several approaches exist to locate spatial coordinates on a chip that are susceptible to Side-Channel Analysis (SCA), e.g., Test Vector Leakage Assessment (TVLA), so far, an equivalent for localized Electro-Magnetic (EM) based Fault Injection Analysis (FIA) is missing. This work analyzes the spatial relationship between EM emanation and Electro Magnetic Fault Injection (EMFI) susceptibility and effect. Our experiments are based on a two-step approach where we first capture a heatmap based...     »