CN110032897A - Multi-core processor and fault attack method thereof based on timing constraints - Google Patents

Publication number
CN110032897A
Authority
CN
China
Prior art keywords
core
voltage
attack
time
electronic component
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910310348.3A
Other languages
Chinese (zh)
Other versions
CN110032897B (en)
Inventor
汪东升
邱朋飞
吕勇强
王淳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G06F21/81 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations

Abstract

This application discloses a multi-core processor and a fault attack method for it based on timing constraints, and relates to the field of computer processors. The timing-constraint-based fault attack method disclosed in this application includes: when a hardware fault needs to be injected into a sequential circuit, changing the voltage of the sequential circuit to an attack voltage; extending the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit, thereby breaking the timing constraint of the sequential circuit; and, during this period, when a later electronic component has not received the output of the preceding electronic component at the rising clock edge, taking preset data as its input, processing the preset data, and outputting the expected data. With the fault injection method provided in this application, the timing constraint in the victim core is broken without changing the voltages of the other cores, the processing time of the sequential circuit is extended, and hardware fault injection is achieved, so that an untrusted application can be loaded into the secure world.

Description

Multi-core processor and fault attack method thereof based on timing constraints
Technical field
This application relates to the field of computer processors, and in particular to a multi-core processor and a timing-constraint-based fault attack method for it.
Background
To improve device security, ARM proposed the TrustZone security extension, a system-wide security approach that protects applications on the device (secure payment, digital rights management, enterprise services, Web-based services, encryption and decryption services, and so on). TrustZone divides the device's hardware and software resources into a secure world and a normal world, and virtualizes a secure core and a normal core from each physical processor core, which execute the code and data of the secure world and the normal world respectively. Applications running in the secure world can use all resources of the system, while applications running in the normal world cannot use secure-world resources; the two worlds are switched through monitor mode. The normal world can enter the secure world through monitor mode by means of the Secure Monitor Call (SMC) instruction, hardware interrupts such as the interrupt request (IRQ) and the fast interrupt request (FIQ), and mechanisms such as data read/write and instruction prefetch exceptions; a processor in the secure-world state can likewise enter the normal-world state through monitor mode. The TrustZone hardware extensions guarantee that the secure world and the normal world are isolated in how they access and change hardware and software resources; some security software also has to run in the secure world to manage and configure the TrustZone hardware and to provide trusted services. The software architecture of TrustZone is not fixed: a dedicated secure operating system can be designed for the secure world (for example Qualcomm's secure-world operating system QSEOS), or a synchronous secure code library can run in the secure world.
To protect the integrity of trusted applications and to prevent untrusted applications from being loaded into TrustZone, device users cannot develop custom applications and load them into TrustZone. When a secure application is loaded, an RSA-based signature verification chain is executed, and TrustZone will not load an application that has not passed signature verification. RSA is a widely used cryptographic algorithm and is relatively secure when the key is long enough, so obtaining RSA's sensitive data with common attack methods that rely on software implementation flaws is relatively difficult. However, if an intermediate state is altered while the RSA algorithm executes, an attacker can obtain RSA's sensitive data through differential fault analysis of the faulty output and the correct output. For example, if a fault occurs during signature processing, the attacker can recover the RSA private key through differential fault analysis.
Summary of the invention
This application provides a timing-constraint-based fault attack method, comprising: when a hardware fault needs to be injected into a sequential circuit, changing the voltage of the sequential circuit to an attack voltage; breaking the timing constraint of the sequential circuit by extending the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit; and, during this period, when a later electronic component has not received the output of the preceding electronic component at the rising clock edge, taking preset data as its input, processing the preset data, and outputting the expected data.
In the method described above, the timing constraint of the sequential circuit is:
$T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$
where $T_{clk}$ denotes one clock period, i.e. the interval between two rising clock edges, and also reflects the frequency of the circuit; $T_{setup}$ denotes the time for which the input of the last sequential electronic component must remain stable, which is also the interval that must be satisfied between the output of the intermediate logic unit and the next rising clock edge; $T_{src}$ denotes the delay between the input and the output of the first sequential electronic component, i.e. the time from receiving the rising clock edge to presenting a stable output; $T_{transfer}$ denotes the interval from the output of the first sequential electronic component to the output of the intermediate logic unit, i.e. the processing time of the intermediate logic unit; and $T_{\varepsilon}$ denotes a small time constant.
In the method described above, breaking the timing constraint of the sequential circuit and extending the period from the signal input of the first electronic component to the signal input of the last electronic component is specifically: the clock period $T_{clk}$ is fixed, and $T_{setup}$ is determined by the characteristics of the clocked electronic component and is independent of the circuit's frequency and voltage; after the voltage of the sequential circuit is changed to the attack voltage, $T_{src}$ and $T_{transfer}$ increase and the timing constraint of the circuit is broken.
In the method described above, the voltage management driver is modified so that the voltage of the sequential circuit can be set arbitrarily, which allows it to be changed to the attack voltage; the attack voltage is specifically a voltage that is lower than the rated voltage but at which the sequential circuit can still work normally at low frequency.
In the method described above, the preset data includes the electronic component's data value from the previous clock cycle or a configured fault value.
This application also provides a timing-constraint-based fault attack method for a multi-core processor, comprising: when a hardware fault needs to be injected into a processor core of the multi-core processor, designating that processor core as the victim core and some other processor core as the attacker core; when the attacker core detects that the victim core has reached the designated sequential circuit into which the fault is to be injected, changing the processor core voltage of the victim core to an attack voltage; breaking the timing constraint of the sequential circuit by extending the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit; during this period, when a later electronic component has not received the output of the preceding electronic component at the rising clock edge, taking preset data as its input, processing the preset data, and outputting the expected data; and, after the attack voltage has been held until the sequential circuit outputs the expected data, restoring the processor core voltage of the victim core to a safe voltage.
In the method described above, the attack voltage is specifically a voltage at which the victim core cannot work normally while the processor cores other than the victim core can work normally.
In the method described above, configuring the processor core voltage and voltage duration of the victim core specifically includes setting the processor voltage and voltage duration of the victim core to suitable parameters. The suitable parameters required to achieve the fault $F_{fault}$ include $F_a$, $F_v$, $V_l$, $V_b$, $T_{pre\_w}$, $T_{pre\_d}$ and $T_{dur}$, where $F_a$ denotes the frequency of the attacker core; $F_v$ denotes the frequency of the victim core; $V_l$ denotes the attack voltage; $V_b$ denotes the safe voltage, i.e. the processor core voltage, applied before and after the attack voltage is set, at which both the attacker core and the victim core work normally; $T_{pre\_w}$ denotes the time the attack program waits for the attacked function to start executing; $T_{pre\_d}$ denotes the time the attack program waits for the attacked code to start executing; and $T_{dur}$ denotes the duration of the attack voltage.
This application also provides a multi-core processor, comprising multiple processor cores and a power management integrated chip, where the power management integrated chip supplies the processor core voltage to the processor cores through a power management integrated circuit. The processor cores are configured so that, when a hardware fault is to be injected into a processor core, that processor core is designated as the victim core and some other processor core as the attacker core; when the attacker core detects that the victim core has reached the designated sequential circuit into which the fault is to be injected, the modified power management driver is used to change the processor voltage to the attack voltage, breaking the timing constraint of the sequential circuit and extending the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit; during this period, when a later electronic component has not received the output of the preceding electronic component at the rising clock edge, it takes preset data as its input, processes the preset data, and outputs the expected data. The power management integrated chip is configured so that, when the attacker core detects that the victim core has reached the designated sequential circuit into which the fault is to be injected, it changes the processor core voltage of the victim core to the attack voltage, holds it until the sequential circuit outputs the expected data, and then restores the processor core voltage of the victim core to the safe voltage.
In the processor described above, changing the processor core voltage of the victim core to the attack voltage in the power management chip specifically includes: the power management integrated chip supplying the attack voltage to all processor cores, where this attack voltage prevents the victim core from working normally while the attacker core and the other cores can work normally; or the power management integrated chip changing only the processor core voltage of the victim core to the attack voltage.
The beneficial effects achieved by this application are as follows:
(1) By modifying the voltage management driver, the threshold voltage and voltage selection security mechanisms in the voltage management kernel driver are bypassed, so that the processor core voltage can be configured arbitrarily;
(2) By supplying the processor cores with a low voltage at which the other cores can work normally but the victim core cannot, the timing constraint in the victim core is broken without affecting the normal operation of the other cores; this extends the data processing time of the electronic components in the sequential circuit and achieves hardware fault injection;
(3) The fault injection point, the attack voltage and the attack time can be controlled precisely through practical experiments, reducing the effect of the hardware fault on other code segments during fault injection;
(4) The fault attack method can make the sequential circuit output the expected result, achieving the goal of loading an untrusted application into the secure world.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are obviously only some of the embodiments recorded in this application, and those of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a diagram of the timing constraint that the sequential circuit provided in Embodiment one must satisfy;
Fig. 2 is a combined software and hardware schematic of the voltage management architecture in the multi-core processor provided in Embodiment two;
Fig. 3 is a flowchart of the method of injecting a hardware fault into a sequential circuit provided in Embodiment three;
Fig. 4 is a flowchart of the fault injection method based on multi-core processor timing constraints provided in Embodiment four;
Fig. 5 is a schematic diagram of the attack program on the attacker core injecting a hardware fault into a trusted application on the victim core;
Fig. 6 is a flowchart of the method provided in Embodiment five of injecting a fault into the RSA decryption algorithm so that the RSA decryption algorithm outputs the expected plaintext;
Fig. 7 is a schematic diagram, provided in Embodiment six, of the attacker core injecting a hardware fault into the signature verification mechanism of a trusted application on the victim core;
Fig. 8 is a diagram of the malicious voltages at which the processor cannot work normally;
Fig. 9 shows the minimum duration (in number of NOP instructions executed) needed to produce a hardware fault under different voltages and different states of the unrelated cores;
Fig. 10 shows the time from the start of execution of the attacked code to the attacked RSA function (in number of NOP instructions executed);
Fig. 11 shows the time the attack program has to wait for the fourth RSA decryption verification function to start executing when the TrustZone loading procedure is attacked (in number of NOP instructions executed);
Fig. 12 shows the number of faulty bytes occurring in the RSA integer modulus under different attack voltages and durations.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment one
Before introducing the timing-constraint-based fault injection method, this application first describes the timing constraint of a sequential circuit:
A sequential circuit usually contains multiple electronic components that run under the control of a common clock pulse. Each electronic component starts processing its input data only after the input signal has stabilized, and there is also a delay between the input and the output of each component. A sequential circuit therefore has to satisfy certain constraints to guarantee the coordinated operation of its components, and the required design of the sequential circuit is achieved by tuning the timing constraints;
Take as an example a sequential circuit that starts with one sequential electronic component and ends with another (note that the number of electronic components in a sequential circuit is set according to actual needs). The rising clock edge controls the opening of the sequential electronic components; the intermediate logic unit processes the output of the first sequential electronic component and passes the processed result to the last sequential electronic component as its input. The timing constraint this sequential circuit must satisfy is shown in Fig. 1:
$T_{clk}$ denotes one clock period, i.e. the interval between two rising clock edges, and also reflects the frequency of the circuit;
$T_{setup}$ denotes the time for which the input of the last sequential electronic component must remain stable, which is also the interval that must be satisfied between the output of the intermediate logic unit and the next rising clock edge;
$T_{src}$ denotes the delay between the input and the output of the first sequential electronic component, i.e. the time from receiving the rising clock edge to presenting a stable output;
$T_{transfer}$ denotes the interval from the output of the first sequential electronic component to the output of the intermediate logic unit, i.e. the processing time of the intermediate logic unit;
To guarantee that the input of the last sequential electronic component remains stable before the next rising clock edge arrives, and thus that the output of the sequential circuit matches the expected output, the circuit must satisfy the following timing constraint:
$T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$
where $T_{\varepsilon}$ denotes a small time constant.
Given the electrical characteristics of electronic components, a component needs a suitable voltage (the rated voltage) to supply it with enough energy for data processing. If the voltage is too low, not enough energy is supplied to the component, its performance degrades, and the delay between its input and output becomes longer. The timing constraint of the circuit is thereby broken, the component can no longer process data with the correct input, and the output of the circuit changes, which achieves hardware fault injection.
Based on the above timing constraint, this embodiment keeps the clock frequency of the circuit constant, i.e. the clock period $T_{clk}$ is fixed; $T_{setup}$ is determined by the characteristics of the clocked electronic component and is independent of the circuit's frequency and voltage. When the voltage supplied to the sequential electronic components is reduced, $T_{src}$ and $T_{transfer}$ increase and the timing constraint of the circuit is broken: the last sequential electronic component starts processing data before it has received the stable output of the intermediate logic unit. As a result, even when the input is unchanged, the output of the sequential circuit differs from the expected output, and a hardware fault is injected into the circuit.
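The following model of the two-element path described above is an added example, not part of the patent. It checks the constraint per clock cycle and, when the constraint is violated, has the last element capture the value left over from the previous cycle. The picosecond values, the logic function and the `delay_pct` stretch factor (standing in for the unspecified voltage-to-delay relation) are assumptions.

```c
#include <stdio.h>

/* Timing parameters of one register-to-register path, in picoseconds.
 * All numbers used with this struct below are constructed sample values. */
struct path_timing {
    int t_clk;      /* T_clk: clock period */
    int t_setup;    /* T_setup: setup time of the capturing element */
    int t_eps;      /* T_epsilon: small margin */
    int t_src;      /* T_src: clock-to-output delay of the launching element */
    int t_transfer; /* T_transfer: delay of the intermediate logic unit */
};

/* Slack of T_src + T_transfer <= T_clk - T_setup - T_eps when both delays
 * are stretched to delay_pct percent of nominal (100 = rated voltage).
 * A negative result means the constraint is violated. */
int timing_slack(const struct path_timing *t, int delay_pct)
{
    int arrival = (t->t_src + t->t_transfer) * delay_pct / 100;
    return (t->t_clk - t->t_setup - t->t_eps) - arrival;
}

/* Hypothetical intermediate logic unit: an 8-bit function of its input. */
unsigned logic_unit(unsigned x)
{
    return (3u * x + 1u) & 0xFFu;
}

/* Clock the path for n cycles. inputs[i] is launched in cycle i and
 * delay_pct[i] is the delay stretch in that cycle. captured[i] receives
 * what the last element latches. Returns the number of faulty captures. */
int run_path(const struct path_timing *t, const unsigned *inputs,
             const int *delay_pct, int n, unsigned *captured)
{
    unsigned settled = 0;   /* value left on the wire by the previous cycle */
    int faults = 0;

    for (int i = 0; i < n; i++) {
        unsigned expected = logic_unit(inputs[i]);

        if (timing_slack(t, delay_pct[i]) >= 0)
            captured[i] = expected;  /* logic output was stable in time */
        else
            captured[i] = settled;   /* clock edge came first: stale data */

        if (captured[i] != expected)
            faults++;
        settled = expected;          /* the logic still settles, but late */
    }
    return faults;
}

int main(void)
{
    /* Constructed path: 1000 ps clock, 140 ps of slack at rated voltage. */
    struct path_timing t = { 1000, 50, 10, 100, 700 };
    unsigned inputs[5] = { 1, 2, 3, 4, 5 };
    int delay_pct[5] = { 100, 100, 130, 130, 100 }; /* low voltage in 2..3 */
    unsigned captured[5];

    int faults = run_path(&t, inputs, delay_pct, 5, captured);
    for (int i = 0; i < 5; i++)
        printf("cycle %d: slack %4d ps, captured %u, expected %u\n",
               i, timing_slack(&t, delay_pct[i]), captured[i],
               logic_unit(inputs[i]));
    printf("faulty captures: %d\n", faults);
    return 0;
}
```

Only the cycles in which the delays are stretched produce wrong captures; once the slack is positive again the path returns to correct operation, which is why a capture-side check of slack margin per operating point is the relevant design review item.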
Embodiment two
The timing-constraint-based hardware fault injection method provided in this application injects a hardware fault into a sequential circuit by adjusting the voltage of the sequential circuit; Embodiment two describes how this application adjusts the sequential circuit voltage.
Optionally, the verification experiments of this application were mainly carried out on a Google Nexus 6, which has a Qualcomm-produced processor based on the ARM Krait architecture. The voltage management kernel driver provided by Qualcomm configures the processor's hardware voltage manager and provides an interface to the operating system. In the existing Google Nexus 6 operating system, to prevent malicious voltages from damaging the processor, Qualcomm added two security mechanisms to the voltage management kernel driver it provides, namely threshold voltage and voltage selection.
The threshold voltage and voltage selection security mechanisms are described in detail below:
Threshold voltage: in the hardware management driver, the threshold voltage is the minimum value to which the processor core voltage can be set. If an attempt is made to set a voltage lower than the threshold voltage, the driver supplies a stable threshold voltage to the processor. The value of the threshold voltage is defined in the device description file and is read in the probe step of the voltage management driver;
Voltage selection: since different processor cores can run at different frequencies, to protect the cores running at high frequency the hardware management driver selects, as the processor core voltage, the voltage that corresponds in the OPP (the set of discrete voltage-frequency tuples supported by the multi-core processor) to the highest frequency among all the cores.
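The two safeguards just described can be modelled as follows. This is an added sketch, not Qualcomm's driver code or code from the patent; the OPP table, the microvolt values, the function names and the idea of an explicit "requested" voltage are assumptions made for the example. It also includes an audit helper that reports which core would be under-supplied at a given voltage.

```c
#include <stddef.h>
#include <stdio.h>

/* One operating performance point: a frequency and the lowest core
 * voltage at which that frequency is supported. */
struct opp {
    unsigned khz;
    unsigned uv;    /* microvolts */
};

/* Constructed OPP table, ascending by frequency (not real device data). */
static const struct opp OPP_TABLE[] = {
    {  300000,  800000 },
    {  960000,  865000 },
    { 1728000,  975000 },
    { 2649600, 1100000 },
};
#define OPP_COUNT (sizeof(OPP_TABLE) / sizeof(OPP_TABLE[0]))

/* Minimum voltage the table requires for a core running at khz. */
unsigned opp_min_uv(unsigned khz)
{
    for (size_t i = 0; i < OPP_COUNT; i++)
        if (OPP_TABLE[i].khz >= khz)
            return OPP_TABLE[i].uv;
    return OPP_TABLE[OPP_COUNT - 1].uv;  /* above the table: stay high */
}

/* Voltage selection: the OPP voltage of the fastest core wins. */
unsigned select_uv(const unsigned *core_khz, int n)
{
    unsigned max_khz = 0;
    for (int i = 0; i < n; i++)
        if (core_khz[i] > max_khz)
            max_khz = core_khz[i];
    return opp_min_uv(max_khz);
}

/* Voltage a driver with both safeguards programs for a requested value:
 * never below the threshold, never below what the fastest core needs. */
unsigned guarded_core_uv(unsigned requested_uv, const unsigned *core_khz,
                         int n, unsigned threshold_uv)
{
    unsigned uv = requested_uv;
    unsigned selected = select_uv(core_khz, n);

    if (uv < threshold_uv)
        uv = threshold_uv;   /* threshold voltage safeguard */
    if (uv < selected)
        uv = selected;       /* voltage selection safeguard */
    return uv;
}

/* Audit helper: index of the first core whose OPP minimum is above the
 * supplied voltage, or -1 if every core is adequately supplied. */
int first_underfed_core(unsigned supplied_uv, const unsigned *core_khz, int n)
{
    for (int i = 0; i < n; i++)
        if (opp_min_uv(core_khz[i]) > supplied_uv)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed state: core 1 runs fast, the others run slowly. */
    unsigned core_khz[4] = { 300000, 2649600, 300000, 300000 };
    unsigned threshold_uv = 700000;
    unsigned requested_uv = 650000;

    unsigned uv = guarded_core_uv(requested_uv, core_khz, 4, threshold_uv);
    printf("requested %u uV -> programmed %u uV\n", requested_uv, uv);
    printf("underfed core at programmed voltage: %d\n",
           first_underfed_core(uv, core_khz, 4));
    printf("underfed core at 865000 uV: %d\n",
           first_underfed_core(865000, core_khz, 4));
    return 0;
}
```

With both clamps in place, no requested value can leave a core below its OPP minimum; the audit helper shows the condition the clamps exist to prevent, a supplied voltage that is adequate for slow cores but not for the fastest one.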
So that, on a processor supporting dynamic power management, the timing constraint can be broken by changing the voltage, and thus fault injection can make the sequential circuit output a designated result, this application modifies the voltage management driver to bypass the threshold voltage and voltage selection security mechanisms in the voltage management kernel driver, allowing the processor core voltage to be configured arbitrarily;
Specifically, this application bypasses the threshold voltage by modifying the device description file or by modifying the probe step of the driver, so that the attacker can set a processor core voltage lower than the threshold voltage; and it disables the voltage selection security mechanism by modifying the voltage selection code. Because modifying the device description file has a wider impact, the embodiments of this application preferably bypass the threshold voltage by modifying the probe step of the driver;
It should be noted that this application only modifies the minimum processor voltage, i.e. the threshold voltage, and places no limit on the maximum voltage, for the following reason: the last byte of the voltage register of the hardware voltage manager represents a multiple of the base voltage, and the largest number one byte can represent is 255, so the maximum voltage cannot exceed 255 times the base voltage. On the verification platform of this application, experiments verified that the processor cores work normally at all frequencies when this byte is 255. The verification experiments of this application are therefore aimed at producing low-voltage faults.
Referring to Fig. 2, Fig. 2 is a combined software and hardware schematic of the voltage management architecture in a multi-core processor based on the ARM Krait architecture, comprising the multi-core processor, kernel space and user space;
Kernel space and user space form the software architecture. Kernel space contains the voltage management driver and the frequency driver, which manage the voltage and frequency of each processor core in the multi-core processor. The frequency driver receives frequency settings from user space and provides the attack voltage to the voltage management driver; the voltage management driver receives the target voltage from the frequency driver, i.e. the configured attack voltage, and uses the attack voltage to change the register setting of the power management chip.
The multi-core processor forms the hardware architecture and comprises multiple processor cores (CPU cores) and a power management integrated chip (preferably the PMA8084 power supply chip). According to its internal register setting, the power management integrated chip supplies the processor core voltage to the processor cores through a power management integrated circuit and supplies peripheral voltages to the other external devices;
Specifically, the power management chip supplies the processor core voltage to the processor cores either by supplying a unified core voltage to all processor cores or by supplying a processor core voltage to each processor core separately;
The processor cores are configured so that, when a hardware fault is to be injected into a processor core, that processor core is designated as the victim core and some other processor core as the attacker core; when the attacker core detects that the victim core has reached the designated sequential circuit into which the fault is to be injected, the modified power management driver is used to change the processor voltage to the attack voltage, breaking the timing constraint of the sequential circuit and extending the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit; during this period, when a later electronic component has not received the output of the preceding electronic component at the rising clock edge, it takes preset data as its input, processes the preset data, and outputs the expected data;
The power management integrated chip is configured so that, when the attacker core detects that the victim core has reached the designated sequential circuit into which the fault is to be injected, it changes the processor core voltage of the victim core to the attack voltage, holds it until the sequential circuit outputs the expected data, and then restores the processor core voltage of the victim core to the safe voltage;
Changing the processor voltage of the victim core to the attack voltage specifically includes: the power management integrated chip supplying the attack voltage to all processor cores, where this attack voltage prevents the victim core from working normally while the attacker core and the other cores can work normally; or the power management integrated chip changing only the processor core voltage of the victim core to the attack voltage.
Owing to the electrical characteristics of the multi-core processor, in the OPP set of discrete voltage-frequency tuples supported by the multi-core processor, the higher the frequency of a processor core, the higher the minimum voltage it requires. The frequency of each processor core can be set independently, and the minimum voltages corresponding to different frequencies differ. When the voltage supplied to a processor core is lower than its minimum required voltage, the timing constraint of that core is broken. The attack program on the attacker core uses this frequency-voltage difference to carry out a fault injection attack on the designated victim core, injecting the hardware fault into the designated victim core.
When a hardware fault needs to be injected into the designated victim core, the designated victim core running the attacked program is set to a high frequency, and the attacker core running the attack program and the other unrelated cores are set to a low frequency using system commands; then, at a specific moment, the attack program selects a suitable voltage between the minimum voltages required by the high frequency and the low frequency as the attack voltage and holds it for a short period;
Preferably, in the embodiments of this application, the attack program selects a suitable voltage and voltage duration to carry out the fault attack, specifically:
$F_{fault} = \{F_a;\ F_v;\ V_l;\ V_b;\ T_{pre\_w};\ T_{pre\_d};\ T_{dur}\}$
where the suitable parameter values $F_a$, $F_v$, $V_l$, $V_b$, $T_{pre\_w}$, $T_{pre\_d}$ and $T_{dur}$ that the attack program needs to achieve the fault $F_{fault}$ are determined from experimental results. $F_a$ denotes the frequency of the attacker core; $F_v$ denotes the frequency of the victim core; $V_l$ denotes the attack voltage; $V_b$ denotes the safe voltage, i.e. the processor core voltage, applied before and after the attack voltage is set, at which both the attacker core and the victim core work normally; $T_{pre\_w}$ denotes the time the attack program waits for the attacked function to start executing; $T_{pre\_d}$ denotes the time the attack program waits for the attacked code to start executing; and $T_{dur}$ denotes the duration of the attack voltage.
It should be noted that, since too low a voltage leaves the electronic components without enough energy to run, the premise for reducing the voltage supplied to the sequential electronic components is that the components can still work normally at low frequency, with only the delay between input and output becoming longer. Likewise, if the voltage of an electronic component is too high, its operation may become unstable and its output may change; if the high voltage of the circuit makes the output of the first sequential electronic component inconsistent with what is expected, the input supplied to the last sequential electronic component will also be incorrect, leading to a wrong output. Fault injection based on high voltage may bring unforeseen results, because the electronic components may be damaged if the voltage is too high. In practice, therefore, fault injection based on low voltage is more suitable.
Embodiment three
Building on the time constraint of embodiment one and the voltage management of embodiment two, embodiment three of the present application provides a method, based on the time constraint, for injecting a hardware fault into a sequential circuit by changing its voltage. As shown in Fig. 3, the method comprises:
Step 310: when a hardware fault needs to be injected into the sequential circuit, change the voltage of the sequential circuit to the attack voltage;
Preferably, the checking steps of the voltage management kernel driver are modified to bypass the rated voltage of the sequential circuit, and the voltage of the sequential circuit is lowered below the rated voltage. This voltage value serves as the attack voltage of the sequential circuit: it lengthens the time between the input and output of the electronic components in the circuit and breaks the original time constraint of the sequential circuit.
Step 320: extend the period from the signal input of the first electronic component to the signal input of the last electronic component in the sequential circuit, breaking the time constraint of the sequential circuit;
In this embodiment, lowering the voltage of the sequential circuit increases the time constraint parameters $T_{src}$ and $T_{transfer}$, so the time constraint of the circuit is broken. The last sequential electronic component starts processing data before it has received the stable output of the intermediate logic unit, so even with unchanged input the output of the sequential circuit differs from the expected output, and a hardware fault is injected into the circuit.
Step 330: during this period, when the latter electronic component has not received the output of the previous electronic component at the rising clock edge, it takes preset data as input, processes the preset data, and outputs the expected data;
Optionally, the preset data may be the data value of the electronic component in the previous clock cycle, or a set fault value;
Specifically, with unchanged input, the time from input to output of the first electronic component of the sequential circuit becomes longer, so the latter electronic component does not receive the output of the previous electronic component at the rising clock edge. The latter electronic component still processes data at the rising clock edge, but the data it processes is not the output of the previous electronic component; it is the data of the previous clock cycle or the set fault value. The output of the whole sequential circuit therefore differs from the expected output, and a hardware fault is injected into the circuit.
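The stale-capture behaviour described in steps 320 and 330 can be reproduced with a small model. The following Python code is an added example, not part of the patent: it checks the constraint $T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$ for each clock edge and lets the capturing register keep the previous cycle's logic output when the check fails. All delay values are constructed, and the one-cycle-stale rule is a simplification that ignores metastability.

```python
from dataclasses import dataclass
from typing import Callable, List, Sequence


@dataclass(frozen=True)
class Timing:
    """Delays of one register-to-register path, in picoseconds (constructed)."""
    t_clk: int        # clock period
    t_setup: int      # setup time of the capturing register
    t_eps: int        # small safety constant
    t_src: int        # clock-to-output delay of the launching register
    t_transfer: int   # delay of the intermediate logic

    def slack(self) -> int:
        budget = self.t_clk - self.t_setup - self.t_eps
        return budget - (self.t_src + self.t_transfer)

    def holds(self) -> bool:
        return self.slack() >= 0


def run_stage(inputs: Sequence[int], timings: Sequence[Timing],
              logic: Callable[[int], int], reset: int = 0) -> List[int]:
    """Values captured by the last register at each rising edge.

    timings[k] describes the cycle that ends at edge k. When it does not hold,
    the logic output has not settled yet, so the register samples the value
    derived from the launch register's older contents.
    """
    if len(inputs) != len(timings):
        raise ValueError("one Timing per clock edge is required")
    older, current = reset, reset
    captured = []
    for x, timing in zip(inputs, timings):
        source = current if timing.holds() else older
        captured.append(logic(source))
        older, current = current, x   # the launch register latches the new input
    return captured


def faulty_edges(inputs: Sequence[int], timings: Sequence[Timing],
                 logic: Callable[[int], int], reset: int = 0) -> List[int]:
    """Edges at which the captured value differs from the fault-free value."""
    reference = [logic(v) for v in [reset, *inputs[:-1]]]
    observed = run_stage(inputs, timings, logic, reset)
    return [i for i, (a, b) in enumerate(zip(reference, observed)) if a != b]


def sample_logic(v: int) -> int:
    return (v * 3 + 1) & 0xFF


# Constructed numbers: a 400 ps period for the fast core, 2381 ps for the slow one.
NOMINAL = Timing(t_clk=400, t_setup=50, t_eps=10, t_src=60, t_transfer=250)
STRETCHED = Timing(t_clk=400, t_setup=50, t_eps=10, t_src=80, t_transfer=330)
SLOW_CORE = Timing(t_clk=2381, t_setup=50, t_eps=10, t_src=80, t_transfer=330)

if __name__ == "__main__":
    window = [NOMINAL, NOMINAL, STRETCHED, NOMINAL, NOMINAL]
    print(run_stage([1, 2, 3, 4, 5], window, sample_logic))
    print(faulty_edges([1, 2, 3, 4, 5], window, sample_logic))
```

The same stretched delays leave ample slack at the longer clock period, which is why the constraint is evaluated per core frequency rather than once for the whole supply.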
Embodiment four
On the basis of embodiments one, two and three, embodiment four of the present application provides a fault injection method based on the time constraint of a multi-core processor. When a hardware fault needs to be injected into a certain processor core, that processor core is designated the attacked core and the attacked program is bound to it for execution; the processor core running the attack program is the attack core, and the remaining processor cores are other unrelated cores. The attack core running the attack program can thus inject a hardware fault into the attacked core designated by the attack program without affecting the other unrelated cores or the normal running of the programs on them. As shown in Fig. 4, the method comprises:
Step 410: the attack program on the attack core detects the attacked program on the attacked core and waits for the attacked program to run to the specified fault injection point;
Specifically, while the attack program on the attack core waits for the attacked program to run to the specified fault injection point, the following sub-steps are executed:
S411: set up the attack environment for fault injection;
To make fault injection more accurate and effective, a suitable fault injection attack environment is prepared before injection. Specifically: configure the frequency of the attack core and the frequency of the attacked core, set the processor core voltage to the safe voltage, and configure the attack environment by executing the attacked program multiple times, including the data in the cache, the branch predictor, the processor status registers and so on.
S412: wait for the attacked function to start executing;
Specifically, the target code of the attack is encapsulated, as a small piece of attacked code, in the attacked function. The attacked function is a fixed function, and the attacked code is loaded into the attacked function according to the actual fault injection requirement. After the attack program starts executing, it must match the execution cycle of the trusted application on the attacked core so that the fault is injected precisely at the preset fault injection point of the trusted application. To do so, the attack program measures the instruction execution cycle by executing NOP instructions until the attacked function starts executing. The length of time the attack program waits for the attacked function to start executing is set to $T_{pre\_w}$, i.e. the NOP instruction execution time is $T_{pre\_w}$.
S413: after the attacked function starts executing, wait for the attacked code in the attacked function to start executing;
Specifically, to control the fault injection point precisely and to reduce the influence of the hardware fault on the other code segments of the attacked function, after the attacked function starts executing the attack program measures the instruction execution cycle by executing NOP instructions until the attacked code starts executing. The length of time the attack program waits for the attacked code to start executing is set to $T_{pre\_d}$, i.e. the NOP instruction execution time is $T_{pre\_d}$.
Step 420: when the attack core detects that the attacked core has run to the sequential circuit into which the fault is to be injected, the processor core voltage of the attacked core is changed to the attack voltage, breaking the time constraint of the sequential circuit and extending the execution time of the program on the attacked core;
After the attacked code starts executing, the attack program sets the processor core voltage of the attacked core to the attack voltage $V_l$, which is specifically a voltage at which the attack core executes normally but the attacked core cannot. Lowering the voltage of the sequential circuit increases the time constraint parameters $T_{src}$ and $T_{transfer}$, so the time constraint of the circuit is broken. The last sequential electronic component starts processing data before it has received the stable output of the intermediate logic unit, so even with unchanged input the output of the sequential circuit differs from the expected output, and a hardware fault is injected into the circuit;
During this period, when the latter electronic component has not received the output of the previous electronic component at the rising clock edge, it takes preset data as input and processes the preset data.
Step 430: after the attack voltage has lasted for the preset time, restore the processor core voltage of the attacked core to the safe voltage;
Specifically, after the attack program has continuously executed NOP instructions for a time length $T_{dur}$ under the attack voltage, it restores the processor core voltage and frequency of the attacked core, preventing the processor of the attacked core from going down or the system from crashing. The NOP instruction execution time $T_{dur}$ is found by experiment for each fault injection situation; once the best fault injection execution time has been set in the experimental stage, $T_{dur}$ is used as the preset time for that fault injection situation to facilitate subsequent use.
Fig. 5 is a schematic diagram of the attack core injecting a hardware fault into the attacked program in the trusted application on the attacked core. The attacked core comprises a normal world and a secure world. Cache layout and the setting of processor state and voltage are carried out in the normal world; the trusted application runs in the secure world and contains the attacked program and other code. While the trusted application executes the other code that precedes the attacked function, the attack core sets up the attack environment and waits, by executing NOP instructions, for the attacked function to start executing. From the start of the attacked function until execution reaches the specified fault injection point (the attacked code starts executing), the attack core continues to execute NOP instructions synchronously, waiting for the attacked code to start executing. When the attacked function reaches the attacked code, the attack core changes the processor core voltage of the attacked core, breaks the time constraint of the sequential circuit of the attacked core, and realizes the fault attack; after the preset time it restores the processor core voltage of the attacked core. The attacked function then returns to normal and continues with the code after the attacked code and the other code after the attacked function.
It should be noted that the number of hardware fault injections within the preset time is not limited to one; injection continues until a hardware fault is injected successfully. Executing the attacked program multiple times makes the data in the cache, the branch predictor, the processor status registers and so on highly correlated with the attacked program, reducing the influence on the attack of data in the processor that is unrelated to the attacked program.
Embodiment five
On the basis of embodiments one, two, three and four, embodiment five of the present application is illustrated by the attack core obtaining RSA sensitive data from the RSA decryption algorithm on the attacked core. RSA is a widely used encryption algorithm with relatively high security when the key is long enough. By changing the processor voltage, an intermediate state is changed while the RSA algorithm executes, making it output the expected result.
So that the RSA decryption program outputs the expected plaintext and the RSA-based signature authentication mechanism of TrustZone can be passed, embodiment four of the present application provides a differential fault analysis method for the RSA decryption program based on the Android encryption library. The method injects a fault into the processor using the processor's multi-core technology and dynamic power management technology; by constructing special input data and changing the integer modulus of the RSA decryption program executing on the processor, it makes the RSA decryption program output the expected plaintext. It specifically comprises the following operations:
Before describing the fault injection into the RSA decryption program based on the Android encryption library, the application first describes the implementation of the RSA decryption program in detail. Table 1 below shows the specific calculation process of the RSA decryption algorithm based on the Android encryption library:
Table 1
In Table 1, after the RSA decryption program receives the input ciphertext C, integer modulus N and public key e, it outputs the decrypted plaintext P through the operations of lines 1 to 14. To speed up the exponentiation in the RSA decryption algorithm, the algorithm in Table 1 applies the Montgomery multiplication $\mathrm{MONMUL}(x, y, N, r^{-1}) \leftarrow x \cdot y \cdot r^{-1} \bmod N$, and applies the modular inverse $n0inv \leftarrow 2^{32} - \mathrm{MODULEINVERSE}(N, 2^{32})$ to reduce the number of loop iterations of the Montgomery multiplication. Because Montgomery multiplication is used, the ENDIANINVERSION function converts input data in big-endian representation to little-endian representation. Table 2 below shows the implementation of the ENDIANINVERSION function:
Table 2
In Table 2, after the ENDIANINVERSION function receives the variable V in big-endian representation to be converted, it outputs the converted data S in little-endian representation through the operations of steps 1 to 10.
In the RSA decryption algorithm, the integer modulus N is generally set to a number that is hard to factor into primes. Because algorithm 2 frequently performs operations such as shifts and assignments on the input integer modulus N, algorithm 2 is set as the specified fault injection point. After the integer modulus N is input to the sequential circuit of algorithm 2, as shown in Fig. 6, the following sub-steps are executed:
Step 610: after the integer modulus N is input to the sequential circuit of algorithm 2, change the voltage of the sequential circuit to the attack voltage;
Preferably, the checking steps of the voltage management kernel driver are modified to bypass the rated voltage of the sequential circuit, and the voltage of the sequential circuit is lowered below the rated voltage. This voltage value serves as the attack voltage of the sequential circuit: it lengthens the time between the input and output of the electronic components in the circuit and breaks the original time constraint of the sequential circuit.
Step 620: when the latter electronic component in the sequential circuit has not received the output of the previous electronic component at the rising clock edge, the preset data $N_m$ is taken as the input of the electronic component;
Specifically, the preset data $N_m$ may be the data of the electronic component at the previous rising clock edge, or set data.
Step 630: judge whether $N_m$ can be factored into primes within a preset time; if so, the fault injection succeeds and step 640 is executed, otherwise the fault injection fails;
Preferably, this is implemented in Python, using the factor function of the ecm library to factor $N_m$ into primes. If the factor function cannot factor $N_m$ within 60 seconds, $N_m$ is regarded as data that is hard to factor into primes and cannot be used as attack data for fault injection.
Step 640: carry out the operation in the RSA decryption algorithm using the prime-factored $N_m$, and output the expected plaintext P;
Specifically, the operation using the prime-factored $N_m$ comprises the following:
1. Construct an RSA key pair from the prime factors of $N_m$ and the public key e using the Carmichael number algorithm, and encrypt the expected plaintext P with the RSA encryption algorithm to obtain the ciphertext $C_m$;
For example, the constructed RSA key pair is $\{N_m, e, d_m\}$, where e is the public key and $d_m$ is the private key. The expected plaintext is encrypted with the RSA encryption algorithm to obtain the ciphertext, calculated as follows:
2. Construct a suitable ciphertext input $C'_m$ from N, $N_m$ and $C_m$ using the extended Euclidean algorithm
Specifically, the suitable ciphertext input $C'_m$ is calculated from N, $N_m$ and $C_m$ as in the following formula (2):
where $r = 2^{2048}$,
The derivation of the above formula is analysed in detail below:
When the RSA decryption algorithm takes $N_m$ as the integer modulus throughout and $C_m$ as the ciphertext input, the calculation result of line 6 of the RSA decryption algorithm is the following formula (3):
where $r = 2^{2048}$,
However, R in line 2 is generated from N and is also used in line 6; in addition, N is also used in line 3 and is therefore propagated to lines 6, 9, 11 and 12. If the n0inv calculated from N and the n0inv calculated from $N_m$ are the same, then using N in line 3 is equivalent to using $N_m$. As the calculation formula of n0inv shows, n0inv does not change as long as the fault does not change the last 32 bits of N. In 2048-bit RSA, N has 2048 bits, so it is possible for the injected fault to leave the last 32 bits unchanged. The calculation result of line 6 is then the following formula (4):
where $C'_m$ is the suitable ciphertext input to be constructed. Setting $P_{in}$ equal to $P'_{in}$ makes the RSA decryption algorithm output the specified expected plaintext P, which yields formula (2).
3. When the RSA decryption program takes N, e and $C'_m$ as input, and the injected hardware fault modifies N into $N_m$ while N is being converted to little-endian representation, the RSA decryption program outputs the expected plaintext P.
In this embodiment, more $N_m$ are obtained by controlling the attack voltage and the duration of the attack voltage. In the confirmatory experiment of the present application, with the parameters in formula (1) set to {0.42 GHz, 2.65 GHz, 0.65 V, 1.055 V, 0, 87267, 3800}, faults were injected successfully 117 times in 500 experiments, of which 23 produced an $N_m$ that can be factored into primes; 18 of these 23 $N_m$ are the same.
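The derivation above relies on n0inv depending only on the last 32 bits of N, so a corrupted modulus can carry an unchanged n0inv. The following Python code is an added example, not the Android library's code and not part of the patent: it models the big-endian to little-endian word conversion, shows that an n0inv comparison does not notice a changed high word, and adds a read-back check on the converted modulus that does. The function names, the sample modulus and the simulated bit flip are constructed assumptions.

```python
import hashlib
import hmac
from typing import Callable, List

WORD_MOD = 1 << 32


class FaultDetected(Exception):
    """The converted modulus no longer matches the bytes it was built from."""


def endian_inversion(be: bytes) -> List[int]:
    """Big-endian byte string -> 32-bit words, least significant word first."""
    if len(be) % 4:
        raise ValueError("length must be a multiple of 4 bytes")
    return [int.from_bytes(be[i - 4:i], "big") for i in range(len(be), 0, -4)]


def words_to_int(words: List[int]) -> int:
    return sum(w << (32 * i) for i, w in enumerate(words))


def words_to_bytes(words: List[int]) -> bytes:
    return b"".join(w.to_bytes(4, "big") for w in reversed(words))


def n0inv(n: int) -> int:
    """2^32 - N^-1 mod 2^32, following the formula quoted on the page."""
    if n % 2 == 0:
        raise ValueError("modulus must be odd")
    return WORD_MOD - pow(n % WORD_MOD, -1, WORD_MOD)


def checked_endian_inversion(
        be: bytes,
        convert: Callable[[bytes], List[int]] = endian_inversion) -> List[int]:
    """Convert, then serialise the words back and compare with the input.

    Every word takes part in the comparison, so a change outside the lowest
    word is caught even though n0inv stays the same.
    """
    words = convert(be)
    if not hmac.compare_digest(words_to_bytes(words), be):
        raise FaultDetected("modulus changed during endian conversion")
    return words


# Constructed 2048-bit odd value used only to exercise the conversion;
# it is not a real RSA modulus.
_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLE_N = _raw[:-1] + bytes([_raw[-1] | 1])


def flipped_high_word(be: bytes) -> List[int]:
    """Stand-in for a conversion whose result differs in one high word."""
    words = endian_inversion(be)
    words[40] ^= 0x00010000
    return words


if __name__ == "__main__":
    good = words_to_int(endian_inversion(SAMPLE_N))
    bad = words_to_int(flipped_high_word(SAMPLE_N))
    print("n0inv unchanged:", n0inv(good) == n0inv(bad))
    try:
        checked_endian_inversion(SAMPLE_N, convert=flipped_high_word)
    except FaultDetected as exc:
        print("detected:", exc)
```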
Embodiment six
On the basis of embodiments one, two, three and four, embodiment six of the present application is illustrated by the attack core injecting a hardware fault into the TrustZone signature authentication mechanism on the attacked core so that the RSA decryption program outputs the expected result;
Specifically, a hardware fault is injected into the secure core when TrustZone performs the last signature authentication, changing the integer modulus of the RSA decryption program; the input ciphertext is constructed with formula (2) and is then used to replace the last-level signature of Widevine.
When the modified Widevine application is loaded, a hardware fault is injected with the same attack parameters while TrustZone performs the last signature authentication, so that the last-level signature authentication of TrustZone is passed and the modified, untrusted Widevine program is loaded.
Because the hardware fault is injected at the last level, the attack program needs to wait for the fourth RSA decryption program to start running, and it monitors the loading process of the program using a side-channel attack method. The integer modulus N of RSA is loaded at a fixed memory address; N is read through the side-channel attack to judge whether the injected hardware fault has changed N, and $N_m$ can also be obtained this way.
In the confirmatory experiment of the invention, with the parameters in formula (1) set to {0.42 GHz, 2.65 GHz, 0.65 V, 1.055 V, 61942, 87267, 3800}, faults were injected successfully 73 times in 200 experiments, of which 21 produced an $N_m$ that can be factored into primes; 15 of these 23 $N_m$ are the same. When an untrusted application is loaded with these parameters, one attempt in 94 succeeds on average.
Fig. 7 is a schematic diagram of the attack core injecting a hardware fault into the signature authentication mechanism in the trusted application on the attacked core. The attacked core comprises a normal world and a secure world. Cache layout and the setting of processor state and voltage are carried out in the normal world; the trusted application runs in the secure world and contains the attacked program (in this example, the fourth RSA authentication operation) and other code. While the trusted application executes the other code that precedes the fourth RSA authentication, the attack core sets up the attack environment and waits, by executing NOP instructions, for the fourth RSA authentication to start executing. From the start of the fourth RSA authentication until execution reaches the specified fault injection point (in this example, the byte-order conversion of the integer modulus), the attack core continues to execute NOP instructions synchronously, waiting for the byte-order conversion of the integer modulus to start executing. When the fourth RSA authentication reaches the byte-order conversion of the integer modulus, the attack core changes the processor core voltage of the attacked core, breaks the time constraint of the sequential circuit of the attacked core, and realizes the fault attack; after the preset time it restores the processor core voltage of the attacked core. The fourth RSA authentication then returns to normal and continues with the code after the fourth RSA authentication operation and the other code after the signature authentication program.
It should be noted that the number of hardware fault injections within the preset time is not limited to one; injection continues until a hardware fault is injected successfully. Executing the attacked program multiple times makes the data in the cache, the branch predictor, the processor status registers and so on highly correlated with the attacked program, reducing the influence on the attack of data in the processor that is unrelated to the attacked program.
Embodiment seven
Embodiment seven of the present application provides confirmatory experiments on injecting hardware faults into the RSA decryption algorithm to obtain RSA sensitive data:
Fig. 8 describes the malicious voltages at which the processor cannot work normally. A suitable voltage is a necessary condition for the processor to work normally. If the processor voltage is too low, the processor does not have enough energy to run, faults appear, and the data of programs running on the processor may be changed. The running state of the processor core under test affects the minimum voltage at which faults appear: the busier the core under test, the more energy it consumes and the higher the minimum voltage needed to keep it working normally. The figure shows the minimum voltages at which the processor crashes or restarts at different frequencies. Because the utilization of the processor core is not fixed, at a given frequency the voltages above line 1 are safe voltages, the voltages between line 1 and line 2 may produce faults, and the voltages below line 3 are certain to produce hardware faults.
Fig. 9 shows the minimum duration (number of NOP instruction executions) for which different voltages must be held to produce a hardware fault under different states of the unrelated cores. The attack voltage and the attack voltage duration are the important parameters that determine whether a hardware fault can be produced. If the attack voltage duration is too short, the voltage may be restored to the normal voltage before a fault has occurred; if the attack voltage is higher, more energy is supplied to the attacked core, and the attack voltage must last somewhat longer to inject a fault. In addition, the unrelated cores (the processor cores other than the attack core and the attacked core) consume different amounts of energy in different states, which affects the energy supplied to the attacked core and hence the attack voltage duration needed to inject a fault successfully.
Fig. 10 shows the time (number of NOP instruction executions) from the start of the attacked RSA function until execution reaches the attacked code. Frequency affects the speed at which the attack core and the attacked core execute instructions: with the attack core frequency and the processor voltage unchanged, the higher the frequency of the attacked core, the shorter the time from the start of the attacked function to the attacked code. The RSA program in TrustZone is not exactly the same as the RSA decryption program based on the Android encryption library, so the waiting times also differ. In this figure, the frequency of the attack core is 0.42 GHz and the attack voltage is 0.6 V.
Fig. 11 describes the time (number of NOP instruction executions) the attack program needs to wait for the fourth RSA decryption verification function to start executing during the attacked TrustZone loading procedure. With the frequency of the attack core unchanged, the required time differs for different frequencies of the attacked core. In this figure, the frequency of the attack core is 0.42 GHz and the attack voltage is 0.6 V.
Fig. 12 describes the number of faulty bytes that appear in the RSA integer modulus under different attack voltages and durations. In this figure, the frequency of the attack core is 0.42 GHz and the frequency of the attacked core is 2.65 GHz. To realize the fault injection attack on RSA, the parameters selected as attack parameters should be those that can produce an $N_m$ that can be factored into primes within a finite time.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications falling within the scope of the application. Obviously, those skilled in the art can make various modifications and variations to the application without departing from its spirit and scope. If these modifications and variations of the application fall within the scope of the claims of the application and their technical equivalents, the application is intended to cover them as well.

Claims (10)

1. a kind of fault attacks method based on time-constrain characterized by comprising
When needing to inject hardware fault to sequence circuit, the voltage of sequence circuit is changed as attack voltage;
Extend the period that first electronic component signal in sequence circuit is input to the input of the last one electronic component signal, breaks The time-constrain of bad sequence circuit;
During the period of time, latter electronic component, will be pre- when rising edge clock does not receive the output of previous electronic component If data export anticipatory data as inputting and handling preset data.
2. fault attacks method according to claim 1, which is characterized in that the time-constrain of the sequence circuit are as follows:
Tsrc+Ttransfer≤Tclk-Tsetup-Tε
Wherein, TclkIt indicates a clock cycle, is the interval of two rising edge clocks, also reflects the frequency of circuit;TsetupTable Show that the input of the last one timing electronic component needs to keep the stable time, and intermediate logic unit be output to it is next A rising edge clock needs the interval time met;TsrcIndicate prolonging between the outputting and inputting of first timing electronic component When, namely rising edge clock is received to the time provided between stable output;TtransferIndicate first timing electronic component The processing time at the interval namely intermediate logic unit that are output between the output of intermediate logic unit;TεExpression one is small Time constant.
3. fault attacks method according to claim 2, which is characterized in that the time-constrain for destroying sequence circuit, Extend the period that first electronic component signal in sequence circuit is input to the input of the last one electronic component signal, specifically Are as follows: fixed setting clock cycle Tclk, TsetupIt is determined by the characteristic of clock electronic element, it is unrelated with the frequency of circuit and voltage;When After the voltage of sequence circuit is changed to attack voltage, TsrcAnd TtransferIncrease, the time-constrain of circuit is destroyed.
4. fault attacks method according to claim 1, which is characterized in that by being repaired to voltage management driver Change, realizes the voltage of any setting sequence circuit, thus, it is possible to the voltage of sequence circuit is changed to attack voltage, the attack Voltage is specially the voltage for being lower than voltage rating but working normally sequence circuit can at low frequencies.
5. fault attacks method according to claim 1, which is characterized in that the preset data includes the upper of electronic component The fault value of data value or setting in one clock.
6. a kind of fault attacks method of multi-core processor based on time-constrain characterized by comprising
When needing to inject hardware fault to a certain processor core of multi-core processor, which is appointed as being attacked In addition core will be used as attack core by a certain processor core;
When attack core detect run by attack core to the specified sequence circuit of failure to be implanted when, will be by the processor of attack core Core voltage is changed to attack voltage;
The time-constrain for destroying the sequence circuit extends first electronic component signal in the sequence circuit and is input to finally The period of one electronic component signal input;
During the period of time, latter electronic component, will be pre- when rising edge clock does not receive the output of previous electronic component If data export anticipatory data as inputting and handling preset data;
After attack voltage continues to export anticipatory data to the sequence circuit, it will be reverted to by the processor core voltage of attack core Safe voltage.
7. fault attacks method of the multi-core processor as claimed in claim 6 based on time-constrain, which is characterized in that described to attack Hitting voltage is specially to make to be attacked core cisco unity malfunction, except the electricity that can be worked normally by other processor cores in addition to attack core Pressure.
8. fault attacks method of the multi-core processor as claimed in claim 6 based on time-constrain, which is characterized in that configuration quilt The processor core voltage and voltage-duration for attacking core specifically include: when by being continued by the processor voltage of attack core and voltage Between be set as suitable parameters;Wherein, failure F is realizedfaultRequired suitable parameters include Fa、Fv、Vl、Vb、Tpre_w、Tpre_d、 Tdur, wherein FaIndicate frequency, the F of attack corevIt indicates by the frequency of attack core, VlIndicate attack voltage, VbIndicate safety electricity Pressure, namely setting attack voltage before and after make attack core and can be worked normally by attack core processor core voltage, Tpre_wIt indicates that attacker waits and the time executed, T is started by attack functionpre_dIndicate that attacker is waited by attack code Start the time executed, TdurIndicate attack voltage-duration.
9. a kind of multi-core processor, which is characterized in that including multiple processor cores and power management integrated chip, power management collection Processor core voltage is provided to processor core by power management integrated circuit at chip;
Processor core will for which being appointed as to be attacked core when injecting hardware fault to a certain processor core In addition a certain processor core is run by attack core to the specified timing electricity of failure to be implanted as attack core when attack core is detected Lu Shi, driving change processor voltage using modified power management is attack voltage, destroys the time of the sequence circuit Constraint extends the time that first electronic component signal in the sequence circuit is input to the input of the last one electronic component signal Section;During the period of time, latter electronic component will be preset when rising edge clock does not receive the output of previous electronic component Data export anticipatory data as inputting and handling preset data;
Power management integrated chip is run by attack core to the specified sequence circuit of failure to be implanted for detecting in attack core When, attack voltage will be changed to by the processor core voltage of attack core and continued after exporting anticipatory data to the sequence circuit, Safe voltage will be reverted to by the processor core voltage of attack core.
10. The multi-core processor as claimed in claim 9, characterized in that the power management chip changing the processor core voltage of the attacked core to the attack voltage specifically comprises: the power management integrated chip supplying the attack voltage to all processor cores, the attack voltage causing the attacked core to malfunction while the attacking core and the other cores can still work normally; or the power management integrated chip changing the processor core voltage of the attacked core alone to the attack voltage.
CN201910310348.3A 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof Active CN110032897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910310348.3A CN110032897B (en) 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910310348.3A CN110032897B (en) 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof

Publications (2)

Publication Number Publication Date
CN110032897A true CN110032897A (en) 2019-07-19
CN110032897B CN110032897B (en) 2021-01-08

Family

ID=67238767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910310348.3A Active CN110032897B (en) 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof

Country Status (1)

Country Link
CN (1) CN110032897B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112115483A (en) * 2020-09-27 2020-12-22 成都中科合迅科技有限公司 Trusted computing application method for protecting nuclear power DCS (distributed control System) engineer station
CN114048470A (en) * 2022-01-13 2022-02-15 浙江大学 Method and device for defending hardware attack based on TDC module and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4759019A (en) * 1986-07-10 1988-07-19 International Business Machines Corporation Programmable fault injection tool
CN104484255A (en) * 2014-12-02 2015-04-01 北京空间飞行器总体设计部 Fault injection device for verifying system level single particle soft error protection ability
CN105281888A (en) * 2015-11-05 2016-01-27 工业和信息化部电信研究院 Fault injection method and fault injection device for password chips
CN105528284A (en) * 2014-09-28 2016-04-27 华为技术有限公司 Kernel fault injection method and electronic device
CN109470990A (en) * 2018-10-25 2019-03-15 南京南瑞继保电气有限公司 A kind of route variable quantity fault direction judgment method and device adapting to UPFC access

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
段晓毅: "Research on the latest voltage glitch (Power Glitch) attack and defense methods", 《计算机科学》 (Computer Science) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112115483A (en) * 2020-09-27 2020-12-22 成都中科合迅科技有限公司 Trusted computing application method for protecting nuclear power DCS (distributed control System) engineer station
CN112115483B (en) * 2020-09-27 2023-05-05 成都中科合迅科技有限公司 Trusted computing application method for protecting nuclear power DCS engineer station
CN114048470A (en) * 2022-01-13 2022-02-15 浙江大学 Method and device for defending hardware attack based on TDC module and electronic equipment

Also Published As

Publication number Publication date
CN110032897B (en) 2021-01-08

Similar Documents

Publication Publication Date Title
Tang et al. CLKSCREW: Exposing the perils of security-oblivious energy management
Krautter et al. FPGAhammer: Remote voltage fault attacks on shared FPGAs, suitable for DFA on AES
US8677482B2 (en) Hardware security for software processes
Duc et al. Cryptopage: An efficient secure architecture with memory encryption, integrity and information leakage protection
JP2009540405A (en) Secure boot system, method and program spanning multiple processors
US11972033B2 (en) Alert handling
US10776522B1 (en) Asymmetric protection of circuit designs
US11055409B2 (en) Protected system
Sabbagh et al. A novel GPU overdrive fault attack
Mahmoud et al. Electrical-level attacks on CPUs, FPGAs, and GPUs: Survey and implications in the heterogeneous era
CN110032897A (en) A kind of multi-core processor and its fault attacks method based on time-constrain
EP3624392B1 (en) Methods and devices for secure secret key generation
Gallais et al. Hardware trojans for inducing or amplifying side-channel leakage of cryptographic software
Krautter et al. Remote and stealthy fault attacks on virtualized FPGAs
CN114327367A (en) Pseudo data processing method, device, execution unit and processor
Köylü et al. RNN-based detection of fault attacks on RSA
Li et al. A control flow integrity checking technique based on hardware support
CN105281888A (en) Fault injection method and fault injection device for password chips
Mahmoud et al. DFAulted: Analyzing and exploiting CPU software faults caused by FPGA-driven undervolting attacks
US10382193B2 (en) Performing cryptographic data processing operations in a manner resistant to external monitoring attacks
Gross et al. FPGANeedle: Precise remote fault attacks from FPGA to CPU
Qiu et al. VoltJockey: Abusing the processor voltage to break ARM TrustZone
Tang et al. Motivating security-aware energy management
US11651089B2 (en) Terminating distributed trusted execution environment via self-isolation
Gogniat et al. Reconfigurable security support for embedded systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant