CN110032897A - A kind of multi-core processor and its fault attacks method based on time-constrain - Google Patents
A kind of multi-core processor and its fault attacks method based on time-constrain Download PDFInfo
- Publication number
- CN110032897A CN110032897A CN201910310348.3A CN201910310348A CN110032897A CN 110032897 A CN110032897 A CN 110032897A CN 201910310348 A CN201910310348 A CN 201910310348A CN 110032897 A CN110032897 A CN 110032897A
- Authority
- CN
- China
- Prior art keywords
- core
- voltage
- attack
- time
- electronic component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/81—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Power Sources (AREA)
- Test And Diagnosis Of Digital Computers (AREA)
Abstract
This application discloses a kind of multi-core processor and its fault attacks method based on time-constrain, it is related to computer processor field.Fault attacks method disclosed in the present application based on time-constrain includes: to change the voltage of sequence circuit when needing to inject hardware fault to sequence circuit as attack voltage;Extend the period that first electronic component signal in sequence circuit is input to the input of the last one electronic component signal, destroys the time-constrain of sequence circuit;During the period of time, latter electronic component, using preset data as inputting and handling preset data, exports anticipatory data when rising edge clock does not receive the output of previous electronic component.Using fault filling method provided by the present application by destroying by the time-constrain in attack core on the basis of not changing other core voltages, extend the processing time of sequence circuit, hardware fault injection is realized, to achieve the purpose that load insincere application program into security context.
Description
Technical field
A kind of event this application involves computer processor field more particularly to multi-core processor and its based on time-constrain
Hinder attack method.
Background technique
In order to improve the safety of equipment, ARM company proposes TrustZone security extension, a kind of for answering in equipment
The system of protection is provided with (secure payment, digital copyright management, enterprises service, the service based on Web, encrypting and decrypting service etc.)
Safety method in range.The hardware resource and software resource of equipment are divided into security context and conventional environment by TrustZone,
And safe kernel and common core are virtually dissolved from each physical processor core, the generation in security context and conventional environment is executed respectively
Code and data.All resources of system can be used in the application program operated in security context, operate in answering in conventional environment
The resource of security context cannot be used with program, two environment are switched over by monitor mode.Conventional environment can pass through
Security monitor call (Secure Monitor Call, SMC) instruction, interrupt requests (Interrupt Request, IRQ) and
The machines such as the hardware interrupts such as fast interrupt requests (Fast Interrupt Request, FIQ), reading and writing data and instruction prefetch exception
System enters security context by monitor mode, and the processor in security context state can also be entered by monitor mode
Conventional environment state.TrustZone hardware expanding ensure that security context and conventional environment to hardware and software resource access and
The isolation of change, be also required in security context to run some security softwares TrustZone hardware is managed and is configured and
Trusted service is provided.The software architecture of TrustZone be not it is fixed, the operation of Special safety can be designed for security context
System (such as security context operating system QSEOS of high pass), can also run some safe synchronization generations in security context
Code library.
In order to protect the integrality of trusted application and insincere application program be prevented to be loaded into TrustZone, if
Custom application program cannot be developed and be loaded to standby user into TrustZone, when security application is loaded, be based on RSA
Signature authentication chain can be performed, TrustZone will not load the not application program by signature authentication.As widely applied
Encryption Algorithm, RSA Algorithm in key long enough with relatively high safety, using common based on software realization loophole
The sensitive data that attack method obtains RSA is relatively difficult.But it if intermediate state is changed when RSA Algorithm executes, attacks
The person of hitting can obtain the sensitive data of RSA by the output result of mistake and the differential fault analysis of correct output result.Example
Such as, if failure occurs in signature treatment process, attacker can restore the private key of RSA by differential fault analysis.
Summary of the invention
The application provides a kind of fault attacks method based on time-constrain, comprising: hard to sequence circuit injection when needing
When part failure, the voltage of sequence circuit is changed as attack voltage;The time-constrain of sequence circuit is destroyed, is extended the in sequence circuit
One electronic component signal is input to the period of the last one electronic component signal input;During the period of time, latter electricity
Subcomponent is not when rising edge clock receives the output of previous electronic component, using preset data as input and to preset data
It is handled, exports anticipatory data.
As above, wherein the time-constrain of the sequence circuit are as follows:
Tsrc+Ttransfer≤Tclk-Tsetup-Tε
Wherein, TclkIt indicates a clock cycle, is the interval of two rising edge clocks, also reflects the frequency of circuit;
TsetupIndicate that the input of the last one timing electronic component needs to keep the stable time, and the output of intermediate logic unit
The interval time met is needed to next rising edge clock;TsrcIndicate first timing electronic component outputs and inputs it
Between delay, namely receive rising edge clock to provide stablize output between time;TtransferIndicate first timing electronics
The processing time at interval namely intermediate logic unit between the output for being output to intermediate logic unit of element;TεIndicate one
A small time constant.
As above, wherein the time-constrain for destroying sequence circuit extends first electronic component letter in sequence circuit
It number is input to the period of the last one electronic component signal input, specifically: fixed setting clock cycle Tclk, TsetupBy when
The characteristic of clock electronic component determines, unrelated with the frequency of circuit and voltage;After the voltage of sequence circuit is changed to attack voltage,
TsrcAnd TtransferIncrease, the time-constrain of circuit is destroyed.
As above, wherein by modifying to voltage management driver, realize the electricity of any setting sequence circuit
Pressure, thus, it is possible to which the voltage of sequence circuit is changed to attack voltage, the attack voltage is specially to be lower than voltage rating but make
The voltage that sequence circuit can work normally at low frequencies.
As above, wherein the preset data includes the event of the data value or setting in a upper clock for electronic component
Barrier value.
The application also provides a kind of fault attacks method of the multi-core processor based on time-constrain, comprising: when needing to more
When a certain processor core of core processor injects hardware fault, which is appointed as to be attacked core, by other certain
Device core is managed as attack core;When attack core detect run by attack core to the specified sequence circuit of failure to be implanted when, will be by
The processor core voltage of attack core is changed to attack voltage;The time-constrain for destroying the sequence circuit extends the timing electricity
First electronic component signal is input to the period of the last one electronic component signal input in road;During the period of time,
Latter electronic component is not when rising edge clock receives the output of previous electronic component, using preset data as input and to pre-
If data are handled, anticipatory data is exported;After attack voltage continues to export anticipatory data to the sequence circuit, it will be attacked
The processor core voltage for hitting core reverts to safe voltage.
It is as above, wherein the attack voltage is specially to make to be attacked core cisco unity malfunction, except by its in addition to attack core
The voltage that his processor core can work normally.
As above, wherein configuration is specifically included by the processor core voltage and voltage-duration of attack core: will be attacked
The processor voltage and voltage-duration of core are set as suitable parameters;Wherein, failure F is realizedfaultRequired suitable parameters packet
Include Fa、Fv、Vl、Vb、Tpre_w、Tpre_d、Tdur, FaIndicate frequency, the F of attack corevIt indicates by the frequency of attack core, VlIndicate attack
Voltage, VbIndicate before and after safe voltage, namely setting attack voltage make attack core and can normal work by attack core
Processor core voltage, the T of workpre_wIt indicates that attacker waits and the time executed, T is started by attack functionpre_dIndicate attack journey
Sequence, which is waited, starts the time executed, T by attack codedurIndicate attack voltage-duration.
The application also provides a kind of multi-core processor, comprising: multiple processor cores and power management integrated chip, power supply pipe
It manages integrated chip and provides processor core voltage to processor core by power management integrated circuit;Processor core, for working as to certain
When one processor core injects hardware fault, which is appointed as to be attacked core, using other a certain processor core as attacking
Hit core, when attack core detect run by attack core to the specified sequence circuit of failure to be implanted when, use modified power supply
Management driving change processor voltage is attack voltage, destroys the time-constrain of the sequence circuit, extends the sequence circuit
In first electronic component signal be input to the last one electronic component signal input period;During the period of time, after
One electronic component is not when rising edge clock receives the output of previous electronic component, using preset data as input and to default
Data are handled, and anticipatory data is exported;Power management integrated chip, for attack core detect by attack core run to
Inject failure specified sequence circuit when, by by the processor core voltage of attack core be changed to attack voltage and continue to it is described when
After sequence circuit output anticipatory data, safe voltage will be reverted to by the processor core voltage of attack core.
As above, wherein attack voltage will be changed to by the processor core voltage of attack core in power management chip, specifically
It include: power management integrated chip to all processor cores offer attack voltage, which prevents to be attacked core from normal
Work, but attack core and other cores and can work normally;Or it individually will be by the processor of attack core by power management integrated chip
Core voltage is changed to attack voltage.
What the application realized has the beneficial effect that:
(1) by modification voltage management driver, around in voltage management kernel-driven threshold voltage and voltage choosing
The security mechanism selected realizes arbitrary disposition processor core voltage;
(2) by providing a low-voltage for processor core, work normally other nuclear energy enough, but cannot be just by attack core
Often work, by destroying by the time-constrain in attack core, extends with this in the case where not influencing the normal work of other cores
The data processing time of electronic component in sequence circuit realizes hardware fault injection;
(3) direct fault location point, attack voltage and attack time can be accurately controlled by actual experiment, reduces direct fault location
When influence of the hardware fault to other code segments;
(4) sequence circuit can be made to export expected results by fault attacks method, realizes and is loaded not into security context
The purpose of trusted application.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The some embodiments recorded in application can also be obtained according to these attached drawings other for those of ordinary skill in the art
Attached drawing.
Fig. 1 is the temporal constraint graph that the sequence circuit that embodiment one provides needs to meet;
The software and hardware combining schematic diagram of voltage management architecture in the multi-core processor that Fig. 2 provides for embodiment two;
Fig. 3 is the method flow diagram that hardware fault is injected to sequence circuit that embodiment three provides;
Fig. 4 is the fault filling method flow chart based on multi-core processor time-constrain that example IV provides;
Fig. 5 is to attack core to by the signal by attacker injection hardware fault in the trusted application in attack core
Figure;
Fig. 6 is the injection failure in RSA decipherment algorithm that embodiment five provides so that the output of RSA decipherment algorithm is expected in plain text
Method flow diagram;
Fig. 7 is the attack core that provides of embodiment six in by the signature authentication mechanism in the trusted application in attack core
Inject the schematic diagram of hardware fault;
Fig. 8 describes the malice V diagram for making processor cisco unity malfunction;
Fig. 9 show different voltages under Bu Tong unrelated nuclear state generate hardware fault minimum duration (sky refers to
It enables and executes number);
Figure 10 shows since the time (do-nothing instruction executed being gone to attacking RSA function by attack code
Execute number);
Figure 11 describes attacker and the 4th RSA decryption when TrustZone loading procedure attacked is waited to test
Card function starts to execute required time (do-nothing instruction execution number);
The faulty word joint number that Figure 12 describes different attack voltages and RSA integer mould occurs under the duration.
Specific embodiment
With reference to the attached drawing in the embodiment of the present invention, technical solution in the embodiment of the present invention carries out clear, complete
Ground description, it is clear that described embodiments are some of the embodiments of the present invention, instead of all the embodiments.Based on the present invention
In embodiment, those skilled in the art's every other embodiment obtained without making creative work, all
Belong to the scope of protection of the invention.
Embodiment one
The application first carries out the time-constrain of sequence circuit before introducing based on the fault filling method of time-constrain
Description:
A usual sequence circuit includes multiple electronic components, these electronic components are transported under unified clock pulses control
Row, each electronic component starts to process input data after input signal is stablized again, in addition, electronic component outputs and inputs it
Between also have delay, therefore, sequence circuit needs to meet certain constraint condition just and can guarantee the harmonious of each electronic component
The required design to sequence circuit is realized in operation by debug time constraint;
By taking a sequence circuit is started by a timing electronic component and is terminated by another timing electronic component as an example Lai
Illustrate (it should be noted that the quantity of the electronic component in sequence circuit is set by being actually needed), the rising edge of clock
The unlatching of control sequential electronic component, intermediate logic unit handle the output of first timing electronic component, and will
Input of the result that treated as the last one timing electronic component;The sequence circuit needs the time-constrain such as Fig. 1 met
It is shown:
TclkIt indicates a clock cycle, is the interval of two rising edge clocks, also reflects the frequency of circuit;
TsetupIndicate that the input of the last one timing electronic component needs to keep the stable time, and intermediate logic list
The interval time for being output to next rising edge clock and needing to meet of member;
TsrcIt indicates the delay between the outputting and inputting of first timing electronic component, namely receives rising edge clock and arrive
Provide the time stablized between output;
TtransferIndicate the interval between the output for being output to intermediate logic unit of first timing electronic component, namely
The processing time of intermediate logic unit;
In order to guarantee that the input of the last one timing electronic component keeps stablizing before the arrival of next rising edge clock,
So that it is guaranteed that the output of the sequence circuit and expected output are consistent, which needs to meet following time-constrain:
Tsrc+Ttransfer≤Tclk-Tsetup-Tε
Wherein, TεIndicate a small time constant.
Characteristic electron based on electronic component, it is electronic component that an electronic component, which needs suitable voltage (voltage rating),
Enough energy progress data processings are provided to be supplied to electronic component if voltage is relatively low without enough energy, can lead
Send a telegraph subcomponent performance decline, output and input between delay also can be elongated, thus the time-constrain of circuit is destroyed, electricity
Subcomponent cannot will be changed with correct input processing data, the output of circuit, to realize that hardware fault is injected.
Based on the time-constrain of above-mentioned sequence circuit, the clock frequency that circuit is arranged in the present embodiment is constant, that is, is fixedly installed
Clock cycle Tclk, TsetupIt is determined by the characteristic of clock electronic element, it is unrelated with the frequency of circuit and voltage;When being supplied to timing
When the voltage of electronic component reduces, TsrcAnd TtransferIncrease, the time-constrain of circuit is destroyed, the last one timing electronics member
Part begins to processing data before the stable output for being not received by intermediate logic unit, therefore the feelings that the input used is constant
Under condition, the output of sequence circuit is different from anticipated output, to inject hardware fault into circuit.
Embodiment two
Hardware fault injection method provided by the present application based on time-constrain is the voltage by adjusting sequence circuit, from
And it realizes and injects hardware fault into sequence circuit;Embodiment two describes the application for the adjustment side of sequence circuit voltage
Method.
Optionally, the confirmatory experiment of the application is mainly carried out in Google Nexus 6, and Google Nexus 6 possesses
The processor based on ARM Krait framework of one Qualcomm production, the voltage management kernel-driven pair that Qualcomm provides
The voltage hardware manager of processor carries out configuration and provides interface to operating system;It is operated in existing Google Nexus 6
In system, malice voltage break treat with device, high pass are added to two peaces in the voltage management kernel-driven of offer in order to prevent
The selection of full mechanism, i.e. threshold voltage and voltage.
Following pairs of threshold voltages and the security mechanism of voltage selection are described in detail:
Threshold voltage: in hardware management driving, threshold voltage indicates the minimum value that processor core voltage can be arranged, such as
Fruit attempts that the voltage also lower than threshold voltage is arranged, and driver can provide a stable threshold voltage to processor.Threshold value
The size of voltage is defined in device description file and is read by the detection steps of voltage management driver;
Voltage selection: since the frequency of different processor core can be different, for the processor core for protecting frequency high,
Hardware management driving select highest frequency in the frequency of all cores OPP (voltage that multi-core processor is supported and frequency it is discrete
The set of tuple) in corresponding voltage as processor core voltage.
In order to which the processor to support dynamic power management technology realizes time-constrain by change voltage, to reach event
Barrier injection realizes that the purpose of sequence circuit output designated result, the application are bypassed by the modification to voltage management driver
The security mechanism of threshold voltage and voltage selection in voltage management kernel-driven, realizes arbitrary disposition processor core voltage;
Specifically, the application realizes by the detection steps of modification device description file or modification driver and bypasses threshold
The purpose of threshold voltage, so that processor core voltage more smaller than threshold voltage can be set in attacker;And pass through modification voltage
Code is selected to cancel the security mechanism of voltage selection;Since modification device description file coverage is wider, it is preferred that
To modify the detection steps of driver around threshold voltage in the embodiment of the present application;
It should be noted that the application is only to the voltage minimum of processor, i.e. threshold voltage is modified, for highest
Voltage without limitation, reason are as follows: the last byte represents basic voltage in the voltage register of voltage hardware manager
Multiple, the maximum number that a byte can indicate is 255, therefore, 255 times of ceiling voltage no more than basic voltage;In this Shen
On verification platform please, experiments verify that processor core can work normally under all frequencies when the byte is 255.Cause
This, the application confirmatory experiment is for realizing low voltage failure.
Referring to Fig. 2, Fig. 2 is the voltage management architecture in based on the multi-core processor for ARM Krait framework
Software and hardware combining schematic diagram, including multi-core processor, kernel spacing and user's space;
Wherein, kernel spacing and user's space are software architecture, and kernel spacing includes that voltage management driving and frequency drive,
For to each processor core in multi-core processor voltage and frequency be managed;Frequency drives for receiving user's space
Setting to frequency, and driven to voltage management and attack voltage is provided;Voltage management driving is for receiving the target of frequency driving
Voltage, that is, the attack voltage set, and use the register setting value of attack voltage change power management chip.
Multi-core processor is hardware structure, including multiple processor cores (CPU core) and power management integrated chip are (preferably
PMA8084 power supply chip), power management integrated chip according to internal register setting value, by power management integrated circuit to
Processor core provides processor core voltage, and provides peripheral hardware voltage to other external equipments;
Specifically, power management chip provides processor core voltage to processor core, specifically includes to all processor cores
Unified core voltage is provided, or provides processor core voltage to each processor core respectively;
Processor core, for when injecting hardware fault to a certain processor core, which being appointed as being attacked
Core runs specifying to failure to be implanted by attack core when attack core is detected by addition a certain processor core as attack core
When sequence circuit, driving change processor voltage using modified power management is attack voltage, destroys the sequence circuit
Time-constrain, extend first electronic component signal in the sequence circuit be input to the last one electronic component signal input
Period;During the period of time, latter electronic component is not when rising edge clock receives the output of previous electronic component,
Using preset data as inputting and handling preset data, anticipatory data is exported;
Power management integrated chip is run by attack core to the specified timing of failure to be implanted for detecting in attack core
When circuit, attack voltage will be changed to by the processor core voltage of attack core and continue to export anticipatory data to the sequence circuit
Afterwards, safe voltage will be reverted to by the processor core voltage of attack core;
Wherein, attack voltage will be changed to by the processor voltage of attack core, specifically included by power management integrated chip
Attack voltage is provided to all processor cores, which makes to be attacked core cisco unity malfunction, but attacks core and other cores
It can work normally;Or attack voltage individually will be changed to by the processor core voltage of attack core by power management integrated chip.
Due to the characteristic electron of multi-core processor, in the set of the multi-core processor voltage supported and the discrete tuple of frequency
In OPP, the frequency of some processor core is higher, and required minimum voltage is also higher, and the frequency of processor core can be with
It is separately provided, the corresponding minimum voltage of different frequency also has difference, when the voltage for being supplied to a certain processor core is lower than minimum need
When seeking voltage, the time-constrain of the processor core is destroyed, and the attacker frequency of use-voltage difference thus attacked in core is realized
It is to the specified fault injection attacks by attack core, hardware fault injection is specified by attack core.
When needing to specified by injection hardware fault on attack core, operation is set by the specified of attacker by attack core
It is set to high-frequency, and sets low frequency for the attack core for running attacker core unrelated with other using system command, then
Attacker particular moment from selected between minimum voltage needed for high-frequency and low frequency a suitable voltage as attacking
It hits voltage and continues a short period;
Preferably, in the embodiment of the present application, attacker selects suitable voltage and voltage-duration to realize that failure is attacked
It hits, specifically:
Ffault={ Fa;Fv;Vl;Vb;Tpre_w;Tpre_d;Tdur}
Wherein, attacker realizes failure FfaultRequired suitable parameters value Fa、Fv、Vl、Vb、Tpre_w、Tpre_d、TdurIt is logical
Cross Experiment Result decision, FaIndicate frequency, the F of attack corevIt indicates by the frequency of attack core, VlIndicate attack voltage, VbIndicate peace
The processor nuclear power for making to attack core and can be worked normally by attack core before and after full voltage, namely setting attack voltage
Pressure, Tpre_wIt indicates that attacker waits and the time executed, T is started by attack functionpre_dIndicate that attacker was waited by attack generation
Code starts the time executed, TdurIndicate attack voltage-duration.
It should be noted that not having enough energy to run since brownout will lead to electronic component, it is supplied to
It is that the voltage of timing electronic component reduces premise is that guarantee that electronic component can work normally at low frequencies, only input and
Delay between output can be elongated;Likewise, the operation of electronic component may become if the overtension of electronic component
It is unstable, cause output that may change, if the high voltage of circuit leads to the output and expection of first timing electronic component
Inconsistent, the input for being supplied to the last one timing electronic component also can be incorrect, so as to cause the output of mistake.Based on high electricity
The direct fault location of pressure may bring unforeseen as a result, because if overtension, electronic component be may be damaged.Cause
This, in actual use, the direct fault location based on low-voltage is more suitable.
Embodiment three
In the time-constrain of embodiment one and the voltage management of embodiment two, when the embodiment of the present application three provides one kind and is based on
Between constrain and by change voltage realize to sequence circuit inject hardware fault method, as shown in Figure 3, comprising:
Step 310: when needing to inject hardware fault to sequence circuit, changing the voltage of sequence circuit as attack voltage;
Preferably, by modifying the detection steps of voltage management Kernel Driver, around the voltage rating of sequence circuit,
The voltage value of sequence circuit is fallen below into voltage rating, this voltage value attacks voltage as sequence circuit, so that timing
Electronic component in circuit output and input between time it is elongated, destroy the time-constrain of original sequence circuit.
Step 320: it is defeated to be input to the last one electronic component signal for first electronic component signal in extension sequence circuit
The period entered destroys the time-constrain of sequence circuit;
In the present embodiment, by reducing the voltage of sequence circuit, so that the time-constrain parameter T of sequence circuitsrcWith
TtransferIncrease, the time-constrain of circuit is destroyed, the last one timing electronic component is being not received by intermediate logic unit
Stablize output before begin to processing data, therefore in the case that the input that uses is constant, the output and expection of sequence circuit
Output is different, to inject hardware fault into circuit.
Step 330: during the period of time, latter electronic component does not receive previous electronic component in rising edge clock
When output, using preset data as inputting and handling preset data, anticipatory data is exported;
Optionally, preset data can be the data value in a upper clock for electronic component, or the event of setting
Barrier value;
Specifically, for the first electronic component of sequence circuit in the case where inputting constant, first electronic component is due to input
Time to output is elongated, and the latter electronic component is caused not receive the defeated of previous electronic component in rising edge clock
Out, latter electronic component still handles data in rising edge clock, but the data handled are not the output of previous electronic component, and
It is the data of a upper clock for processing or the fault value of setting, therefore, the output of entire sequence circuit is different from expected output,
It realizes and injects hardware fault into circuit.
Example IV
On the basis of embodiment one, two, three, the embodiment of the present application four provides a kind of based on multi-core processor time-constrain
Fault filling method, when need to a certain processor core inject hardware fault when, which is appointed as being attacked core, will
This is tied to by attacker to be executed on attack core, runs the processor core of attacker as attack core, other processors
For core as other unrelated cores, the attack core for running attacker as a result, can be to operation by the specified by attack core of attacker
Upper injection hardware fault does not influence other unrelated cores and the thereon normal operation of program;As shown in Figure 4, comprising:
Step 410: the attacker detection on attack core is by, by attacker, waiting is transported by attacker in attack core
It goes to specified direct fault location point;
Specifically, during the attacker waiting attacked on core is run by attacker to specified direct fault location point,
Execute following sub-step:
S411: the attack context of direct fault location is set;
Due in order to keep direct fault location more acurrate effectively, needing first to prepare suitable failure before carrying out direct fault location
Injection attacks environment, specifically: configuration attacks the frequency of core and is safety electricity by the frequency of attack core, setting processor core voltage
Pressure configures attack context, including caching, branch predictor, processor status register etc. by attacker by being performed a plurality of times
Data.
S412: waiting is started to execute by attack function;
Specifically, it is encapsulated in by attack code by attack function using the object code of attack as a bit of, wherein quilt
Attack function is fixed function, injects demand according to physical fault by attack code and is loaded by attack function;In attack journey
After sequence starts execution, in order to realize that attacker executes cycle match with by the trusted application in attack core, to reach
Failure is accurately injected in the preset failure decanting point of trusted application, after attacker starts execution, attacker
Instruction execution cycle is assessed by executing do-nothing instruction, starts to execute until by attack function, attacker is waited by attack letter
The time span that number starts to execute is set as Tpre_w, i.e. the do-nothing instruction execution time is Tpre_w。
S413: after starting execution by attack function, waiting is started to execute in attack function by attack code;
Specifically, in order to be accurately controlled direct fault location point, and reduce direct fault location when hardware fault to by attack letter
The influence of other code segments in number, after starting execution by attack function, attacker is held by executing do-nothing instruction assessment instruction
Attacker is waited until being started to execute by attack code and starts the time span executed setting by attack code by the row period
For Tpre_d, i.e. the do-nothing instruction execution time is Tpre_d。
Step 420: when attack core detect run by attack core to the sequence circuit of failure to be implanted when, will be by attack core
Processor core voltage be changed to attack voltage, the time-constrain of sequence circuit is destroyed, when extending the execution by attack core program
Between;
After starting execution by attack code, attacker setting is attack voltage by the processor core voltage of attack core
V1, wherein attack voltage V1 is specially to make to attack the voltage that core is normally executed, but cannot normally be executed by attack core;Pass through drop
The voltage of low sequence circuit, so that the time-constrain parameter T of sequence circuitsrcAnd TtransferIncrease, the time-constrain of circuit is broken
Bad, the last one timing electronic component begins to processing data before the stable output for being not received by intermediate logic unit,
Therefore in the case that the input used is constant, the output of sequence circuit is different from anticipated output, to inject hardware into circuit
Failure;
During the period of time, latter electronic component is not when rising edge clock receives the output of previous electronic component,
Preset data as input and is handled preset data.
Step 430: safe electricity will be reverted to by the processor core voltage of attack core after attack voltage continues preset time
Pressure;
Specifically, it is T that attacker, which continuously carries out time span in the case where attacking voltage,durDo-nothing instruction after, recovery attacked
The processor core voltage and frequency for hitting core, prevent by the processor delay machine of attack core or system crash;Wherein, do-nothing instruction
Execute time TdurKnown according to different direct fault location situations by experiment, best direct fault location is set in the experimental stage and is executed
After time, by execution time TdurAs the preset time of the direct fault location situation, facilitate subsequent come into operation.
Fig. 5 is to attack core to by the signal by attacker injection hardware fault in the trusted application in attack core
Figure;Include common world and safer world by attack core, caching layout and processor state and electricity are carried out in common world
The setting of pressure, runs trusted application in safer world, includes by attacker and other codes in trusted application;
It executes in trusted application by the period of other codes before attack function, attack core setting attack context simultaneously passes through
Do-nothing instruction waiting is executed to be started to execute by attack function;It (is attacked being started to go to specified direct fault location point by attack function
Code starts to execute) between, attack core continues synchronous execution do-nothing instruction waiting and is started to execute by attack code;By attack function
When executing to by attack code, the change of attack core is by the processor core voltage of attack core, when destroying the sequence circuit by attack core
Between constrain, realize fault attacks, then persistently after preset time restore by the processor core voltage of attack core, then by attack letter
Number restores normal, continues to execute by the code after attack code and by other codes after attack function.
The application is it should be noted that the injection number of hardware fault within a preset time is not limited to once inject, with note
Enter subject to hardware fault success, caching, branch predictor, processor status register etc. are made by attacker by being performed a plurality of times
Data with it is highly relevant by attacker, reduce in processor with the shadow by the unrelated data of attacker to attack effect
It rings.
Embodiment five
On the basis of embodiment one, two, three, four, the embodiment of the present application five is to attack core from by the RSA decryption of attack core
Illustrate for acquisition RSA sensitive data in algorithm, RSA Algorithm, which is used as, applies more extensive Encryption Algorithm, enough in key
With relatively high safety when long, by changing processor voltage, so that intermediate state is changed when RSA Algorithm executes, make
It exports expected results.
In order to enable RSA decryption program export it is expected in plain text, and can by TrustZone based on the signature of RSA
Authentication mechanism, the embodiment of the present application four provide a kind of differential fault analysis side of RSA decryption program based on Android encryption library
Method, the method inject failure into processor using the multi-core technology and dynamic power management technology of processor, pass through construction
Special input data and change executes the integer mould in RSA decryption program on a processor, and being reached with this decrypts RSA
Program exports the purpose of expected plaintext, specifically includes following operation:
The application is before description injects failed operation into the RSA decryption program based on Android encryption library, first to RSA
The specific implementation of decryption program encyclopaedizes, and referring to shown in following table, table 1 illustrates the decryption of the RSA based on Android encryption library and calculates
The specific calculating process of method:
Table 1
In above-mentioned table 1, after RSA decryption program receives the ciphertext C, integer mould N and public key e of input, pass through 1~14 journey
Plaintext P after sequence operation output decryption;In order to accelerate the exponent arithmetic in RSA decipherment algorithm, the RSA decipherment algorithm in table 1 is answered
Multiply operation MONMUL (x, y, N, r with Montgomery-1)←x*y*r-1%N, and apply modular inversion n0inv ← 232-
MODULEINVERSE(N,232) reduce the cycle-index that Montgomery multiplies operation.Just due to multiplying operation using Montgomery,
The input data that big end indicates is converted to the data of small end expression, as shown in the table, table using ENDIANINVERSION function
2 illustrate the specific implementation process of ENDIANINVERSION function:
Table 2
In above-mentioned table 2, after ENDIANINVERSION function receives the variable V that the big end to be converted indicates, pass through step
The data S that small end after rapid 1~10 operation output conversion indicates.
In RSA decipherment algorithm, the prime number that integer mould N is decomposed as hardly possible, the integer mould inputted due to 2 Duis of algorithm are generally set
The operation such as the displacement of N frequent progress or assignment, therefore set algorithm 2 is specified direct fault location point, integer mould N inputs algorithm 2
After sequence circuit, as shown in fig. 6, executing following sub-step:
Step 610: after the sequence circuit of integer mould N input algorithm two, changing the voltage of sequence circuit as attack voltage;
Preferably, by modifying the detection steps of voltage management Kernel Driver, around the voltage rating of sequence circuit,
The voltage value of sequence circuit is fallen below into voltage rating, this voltage value attacks voltage as sequence circuit, so that timing
Electronic component in circuit output and input between time it is elongated, destroy the time-constrain of original sequence circuit.
Step 620: the rising edge clock of latter electronic component does not receive the defeated of previous electronic component in sequence circuit
When out, using preset data Nm as the input of electronic component;
Specifically, preset data Nm can be the data of a upper rising edge clock for electronic component or the data of setting.
Step 630: judge whether Nm can carry out prime factor decomposition within a preset time, if it is, direct fault location at
Function executes step 640, and otherwise direct fault location fails;
Preferably, it is realized using Python, using the library ecm (Engine ControlModule engine control module)
Factor function by Nm carry out prime factor decomposition, if factor function in 60 seconds can't to Nm realize prime factor decompose,
Then Nm assert the data that difficult prime factor decomposes, and cannot function as the attack data of direct fault location.
Step 640: carrying out operation using prime factor Nm in RSA decipherment algorithm, export expected plaintext P;
Specifically, operation is carried out using prime factor Nm, specifically includes following operation:
1, Edward Carmichael number algorithm construction RSA key pair is used, and is calculated according to rsa encryption according to the prime factor of Nm, public key e
Method encrypts expected plaintext p, obtains ciphertext Cm;
For example, the RSA key of construction is to for { Nm, e, dm }, wherein e is public key, and dm is private key;According to RSA cryptographic algorithms
Encryption is expected to obtain ciphertext in plain text, specific to calculate are as follows:
2, suitable key is constructed using Extended Euclidean Algorithm according to N, Nm and Cm and inputs C'm;
Specifically, suitable key is calculated according to N, Nm and Cm and inputs C'mCalculating process such as following formula (2):
Wherein, r=22048,
Detailed analysis is carried out to the acquisition of above-mentioned formula below, specifically:
When RSA decipherment algorithm is inputted using Nm as integer mould and using Cm as ciphertext completely, the 6th row of RSA decipherment algorithm
Calculated result is following formula (3):
Wherein, r=22048,
However the R in the 2nd row be generated based on N, and R can be also used in the 6th row, in addition, N the 3rd row also by
It uses and is therefore transmitted to the 6th, 9,11,12 rows;If based on N and being based on NmThe n0inv calculated be it is the same, then exist
3rd exercises with N and uses NmEqually.As long as failure does not change last 32 of N it can be seen from the calculation formula of n0inv,
N0inv would not change.In 2048 RSA, N has 2048, therefore it is possible that the failure injected, which does not change last 32,.
The 6th row calculated result is following formula (4) at this time:
Wherein,C'mFor the suitable ciphertext to be constructed input;By PinWith P 'inIt is equal, then
RSA decipherment algorithm is set to export specified expection plaintext P to get formula (2) are arrived.
3, when RSA decryption program is with N, e, C'mTo input, and N is being converted into small end expression by the hardware fault injected
When inject hardware fault N be modified as Nm, RSA decryption program, which exports, is expected plaintext P.
The present embodiment obtains more N by the duration of control attack voltage and attack voltagem;The application's
In confirmatory experiment, by parameter setting in formula (1) be { 0.42GHZ, 2.65GHZ, 0.65V, 1.055V, 0,87267,3800 } when,
In 500 experiments, successfully inject failure 117 times, wherein produce for 23 times can prime factor dispersion Nm, in this 23 NmIn have 18
A is the same.
Embodiment six
On the basis of embodiment one, two, three, four, the embodiment of the present application six is to attack core from by attack core
Hardware fault is injected in TrustZone signature authentication mechanism so as to illustrate for RSA decryption program output expected results;
Specifically, hardware fault is injected to safe kernel when TrustZone carries out last time signature authentication, changes RSA
The integer mould of decryption program, and using formula (2) construction input ciphertext, then use input ciphertext replacement Widewine last
Grade signature.
In the Widewine application program after load is changed, carried out most using same attack parameter in TrustZone
Hardware fault is injected when a signature authentication afterwards, and then passes through the afterbody signature authentication of TrustZone, to load change
Incredible Widewine program afterwards.
Due to being to inject hardware fault in afterbody, attacker needs that the 4th RSA decryption program is waited to start to transport
Row, is monitored by using loading procedure of the wing passage attack method to program.The integer mould N of RSA is loaded into fixed
It at memory address, is attacked by wing passage and reads N, and then judge whether the hardware fault of injection has been changed to N, it is also possible to obtain
Nm。
In confirmatory experiment of the invention, by parameter setting in formula (1) be 0.42GHZ, 2.65GHZ, 0.65V,
1.055V, 61942,87267,3800 }, in 200 experiments, successfully inject failure 73 times, wherein produce for 21 times can matter because
The N of number dispersionm, in this 23 NmIn have 15 be it is the same, when loading insincere application program using the parameter, average 94 times
Can once it succeed in trial.
Fig. 7 is attack core to by injection hardware fault in the signature authentication mechanism in the trusted application in attack core
Schematic diagram;Include common world and safer world by attack core, caching layout and processor state are carried out in common world
With the setting of voltage, trusted application is run in safer world, includes by attacker (this example in trusted application
By taking the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication operates as an example) and other codes;Other before trusted application executes the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication
In the period of code, attack in core by executing do-nothing instruction setting attack context and the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication to be signed being waited to start
It executes;Starting to go to specified direct fault location point in the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication, (this example is with integer mould syllable sequence conversion operation
Example) between, attack core continues the synchronous do-nothing instruction that executes and integer mould syllable sequence conversion operation is waited to start to execute;In the 4th RSA
When certification starts execution to integer mould syllable sequence conversion operation, the change of attack core destroys quilt by the processor core voltage of attack core
The sequence circuit time-constrain of core is attacked, realizes fault attacks, is then persistently restored after preset time by the processor of attack core
Core voltage, then the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication starts to restore normal, continue to execute code after the 4th Revest-Shamir-Adleman Algorithm (RSA) authentication operation and
Other codes after signature authentication program.
The application is it should be noted that the injection number of hardware fault within a preset time is not limited to once inject, with note
Enter subject to hardware fault success, caching, branch predictor, processor status register etc. are made by attacker by being performed a plurality of times
Data with it is highly relevant by attacker, reduce in processor with the shadow by the unrelated data of attacker to attack effect
It rings.
Embodiment seven
The embodiment of the present application seven, which is provided, injects hardware fault in RSA decipherment algorithm to obtain RSA sensitive data
Confirmatory experiment:
Fig. 8 describes the malice voltage for making processor cisco unity malfunction.Suitable voltage is to guarantee that processor can be normal
The necessary condition of work.If the brownout of processor, processor can be run without enough energy, to will appear event
Barrier, the data for running program on a processor can be also changed.The operating status of processor core to be measured, which will affect, makes its appearance
The minimum voltage size of failure.Core to be measured is busier, and the energy of consumption is more, guarantees the minimum voltage needed for it is worked normally
Also higher.The figure shows the minimum voltages for making processor occur crashing or restarting under different frequency.Due to the benefit of processor core
Be not with rate it is fixed, in the case where frequency is constant, the voltage of the top of line 1 is safe voltage, the voltage of line 1 and 2 quality inspection of line
It is likely to occur failure, the voltage below of line 3 centainly will appear hardware fault.
Fig. 9 illustrates different voltages and generates the minimum duration (do-nothing instruction of hardware fault under Bu Tong unrelated nuclear state
Execute number).Can attack voltage and attack voltage-duration be the important parameters for determining generate hardware fault, if attack
Voltage-duration is shorter, it is possible that also there is a situation where voltages just to have reverted to normal voltage for failure, if attacked
Overtension is hit, being supplied to can be more by the energy of attack core, and in order to inject failure, the duration for attacking voltage will also be grown
It is some.In addition, the energy that unrelated core (in addition to attack core and by the processor core other than attack core) consumes under different conditions
It is different, to can be influenced on being supplied to by the energy production of attack core, and then influences attack needed for successfully injecting failure
Voltage-duration.
Figure 10 is illustrated since by the time of execution going to attacking RSA function by attack code, (do-nothing instruction is held
Row number).The speed that frequency size influences attack core and executed instruction by attack core is attacking nuclear frequency and processor voltage not
Time higher by the frequency of attack core in the case where change, being executed being gone to since by attack function by attack code
It is shorter.RSA program in TrustZone with the RSA decryption program based on Android encryption library be not it is just the same, therefore, etc.
To time and distinguishing.In the figure, the frequency for attacking core is 0.42GHZ, and attack voltage is 0.6V.
Figure 11 describes the 4th RSA decryption verification when attacker waits the TrustZone loading procedure attacked
Function starts to execute required time (do-nothing instruction execution number).In the case that the frequency of attack core is constant, by attack core
Frequency is different, and the required time is also different.In the figure, the frequency for attacking core is 0.42GHZ, and attack voltage is
0.6V。
The faulty word joint number that Figure 12 describes different attack voltages and RSA integer mould occurs under the duration.In the figure, attack
The frequency for hitting core is 0.42GHZ, and the frequency by attack core is 2.65GHZ.In order to realize the fault injection attacks to RSA, it should
Selecting those that can generate can be in the N of finite time endoplasm FactorizationmAs attack parameter.
Although the preferred embodiment of the application has been described, it is created once a person skilled in the art knows basic
Property concept, then additional changes and modifications may be made to these embodiments.So it includes excellent that the following claims are intended to be interpreted as
It selects embodiment and falls into all change and modification of the application range.Obviously, those skilled in the art can be to the application
Various modification and variations are carried out without departing from spirit and scope.If in this way, these modifications and variations of the application
Belong within the scope of the claim of this application and its equivalent technologies, then the application is also intended to encompass these modification and variations and exists
It is interior.
Claims (10)
1. a kind of fault attacks method based on time-constrain characterized by comprising
When needing to inject hardware fault to sequence circuit, the voltage of sequence circuit is changed as attack voltage;
Extend the period that first electronic component signal in sequence circuit is input to the input of the last one electronic component signal, breaks
The time-constrain of bad sequence circuit;
During the period of time, latter electronic component, will be pre- when rising edge clock does not receive the output of previous electronic component
If data export anticipatory data as inputting and handling preset data.
2. fault attacks method according to claim 1, which is characterized in that the time-constrain of the sequence circuit are as follows:
Tsrc+Ttransfer≤Tclk-Tsetup-Tε
Wherein, TclkIt indicates a clock cycle, is the interval of two rising edge clocks, also reflects the frequency of circuit;TsetupTable
Show that the input of the last one timing electronic component needs to keep the stable time, and intermediate logic unit be output to it is next
A rising edge clock needs the interval time met;TsrcIndicate prolonging between the outputting and inputting of first timing electronic component
When, namely rising edge clock is received to the time provided between stable output;TtransferIndicate first timing electronic component
The processing time at the interval namely intermediate logic unit that are output between the output of intermediate logic unit;TεExpression one is small
Time constant.
3. fault attacks method according to claim 2, which is characterized in that the time-constrain for destroying sequence circuit,
Extend the period that first electronic component signal in sequence circuit is input to the input of the last one electronic component signal, specifically
Are as follows: fixed setting clock cycle Tclk, TsetupIt is determined by the characteristic of clock electronic element, it is unrelated with the frequency of circuit and voltage;When
After the voltage of sequence circuit is changed to attack voltage, TsrcAnd TtransferIncrease, the time-constrain of circuit is destroyed.
4. fault attacks method according to claim 1, which is characterized in that by being repaired to voltage management driver
Change, realizes the voltage of any setting sequence circuit, thus, it is possible to the voltage of sequence circuit is changed to attack voltage, the attack
Voltage is specially the voltage for being lower than voltage rating but working normally sequence circuit can at low frequencies.
5. fault attacks method according to claim 1, which is characterized in that the preset data includes the upper of electronic component
The fault value of data value or setting in one clock.
6. a kind of fault attacks method of multi-core processor based on time-constrain characterized by comprising
When needing to inject hardware fault to a certain processor core of multi-core processor, which is appointed as being attacked
In addition core will be used as attack core by a certain processor core;
When attack core detect run by attack core to the specified sequence circuit of failure to be implanted when, will be by the processor of attack core
Core voltage is changed to attack voltage;
The time-constrain for destroying the sequence circuit extends first electronic component signal in the sequence circuit and is input to finally
The period of one electronic component signal input;
During the period of time, latter electronic component, will be pre- when rising edge clock does not receive the output of previous electronic component
If data export anticipatory data as inputting and handling preset data;
After attack voltage continues to export anticipatory data to the sequence circuit, it will be reverted to by the processor core voltage of attack core
Safe voltage.
7. fault attacks method of the multi-core processor as claimed in claim 6 based on time-constrain, which is characterized in that described to attack
Hitting voltage is specially to make to be attacked core cisco unity malfunction, except the electricity that can be worked normally by other processor cores in addition to attack core
Pressure.
8. fault attacks method of the multi-core processor as claimed in claim 6 based on time-constrain, which is characterized in that configuration quilt
The processor core voltage and voltage-duration for attacking core specifically include: when by being continued by the processor voltage of attack core and voltage
Between be set as suitable parameters;Wherein, failure F is realizedfaultRequired suitable parameters include Fa、Fv、Vl、Vb、Tpre_w、Tpre_d、
Tdur, wherein FaIndicate frequency, the F of attack corevIt indicates by the frequency of attack core, VlIndicate attack voltage, VbIndicate safety electricity
Pressure, namely setting attack voltage before and after make attack core and can be worked normally by attack core processor core voltage,
Tpre_wIt indicates that attacker waits and the time executed, T is started by attack functionpre_dIndicate that attacker is waited by attack code
Start the time executed, TdurIndicate attack voltage-duration.
9. a kind of multi-core processor, which is characterized in that including multiple processor cores and power management integrated chip, power management collection
Processor core voltage is provided to processor core by power management integrated circuit at chip;
Processor core will for which being appointed as to be attacked core when injecting hardware fault to a certain processor core
In addition a certain processor core is run by attack core to the specified timing electricity of failure to be implanted as attack core when attack core is detected
Lu Shi, driving change processor voltage using modified power management is attack voltage, destroys the time of the sequence circuit
Constraint extends the time that first electronic component signal in the sequence circuit is input to the input of the last one electronic component signal
Section;During the period of time, latter electronic component will be preset when rising edge clock does not receive the output of previous electronic component
Data export anticipatory data as inputting and handling preset data;
Power management integrated chip is run by attack core to the specified sequence circuit of failure to be implanted for detecting in attack core
When, attack voltage will be changed to by the processor core voltage of attack core and continued after exporting anticipatory data to the sequence circuit,
Safe voltage will be reverted to by the processor core voltage of attack core.
10. multi-core processor as claimed in claim 9, which is characterized in that will be by the processing of attack core in power management chip
Device core voltage is changed to attack voltage, specifically includes: power management integrated chip provides attack voltage to all processor cores, should
Attack voltage makes to be attacked core cisco unity malfunction, but attacks core and other cores and can work normally;Or it is integrated by power management
Chip individually will be changed to attack voltage by the processor core voltage of attack core.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910310348.3A CN110032897B (en) | 2019-04-17 | 2019-04-17 | Multi-core processor and time constraint-based fault attack method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910310348.3A CN110032897B (en) | 2019-04-17 | 2019-04-17 | Multi-core processor and time constraint-based fault attack method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110032897A true CN110032897A (en) | 2019-07-19 |
CN110032897B CN110032897B (en) | 2021-01-08 |
Family
ID=67238767
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910310348.3A Active CN110032897B (en) | 2019-04-17 | 2019-04-17 | Multi-core processor and time constraint-based fault attack method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110032897B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112115483A (en) * | 2020-09-27 | 2020-12-22 | 成都中科合迅科技有限公司 | Trusted computing application method for protecting nuclear power DCS (distributed control System) engineer station |
CN114048470A (en) * | 2022-01-13 | 2022-02-15 | 浙江大学 | Method and device for defending hardware attack based on TDC module and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4759019A (en) * | 1986-07-10 | 1988-07-19 | International Business Machines Corporation | Programmable fault injection tool |
CN104484255A (en) * | 2014-12-02 | 2015-04-01 | 北京空间飞行器总体设计部 | Fault injection device for verifying system level single particle soft error protection ability |
CN105281888A (en) * | 2015-11-05 | 2016-01-27 | 工业和信息化部电信研究院 | Fault injection method and fault injection device for password chips |
CN105528284A (en) * | 2014-09-28 | 2016-04-27 | 华为技术有限公司 | Kernel fault injection method and electronic device |
CN109470990A (en) * | 2018-10-25 | 2019-03-15 | 南京南瑞继保电气有限公司 | A kind of route variable quantity fault direction judgment method and device adapting to UPFC access |
-
2019
- 2019-04-17 CN CN201910310348.3A patent/CN110032897B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4759019A (en) * | 1986-07-10 | 1988-07-19 | International Business Machines Corporation | Programmable fault injection tool |
CN105528284A (en) * | 2014-09-28 | 2016-04-27 | 华为技术有限公司 | Kernel fault injection method and electronic device |
CN104484255A (en) * | 2014-12-02 | 2015-04-01 | 北京空间飞行器总体设计部 | Fault injection device for verifying system level single particle soft error protection ability |
CN105281888A (en) * | 2015-11-05 | 2016-01-27 | 工业和信息化部电信研究院 | Fault injection method and fault injection device for password chips |
CN109470990A (en) * | 2018-10-25 | 2019-03-15 | 南京南瑞继保电气有限公司 | A kind of route variable quantity fault direction judgment method and device adapting to UPFC access |
Non-Patent Citations (1)
Title |
---|
段晓毅: "最新电压毛刺( Power Glitch)攻击与防御方法研究", 《计算机科学》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112115483A (en) * | 2020-09-27 | 2020-12-22 | 成都中科合迅科技有限公司 | Trusted computing application method for protecting nuclear power DCS (distributed control System) engineer station |
CN112115483B (en) * | 2020-09-27 | 2023-05-05 | 成都中科合迅科技有限公司 | Trusted computing application method for protecting nuclear power DCS engineer station |
CN114048470A (en) * | 2022-01-13 | 2022-02-15 | 浙江大学 | Method and device for defending hardware attack based on TDC module and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110032897B (en) | 2021-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Tang et al. | {CLKSCREW}: Exposing the perils of {Security-Oblivious} energy management | |
Krautter et al. | FPGAhammer: Remote voltage fault attacks on shared FPGAs, suitable for DFA on AES | |
US8677482B2 (en) | Hardware security for software processes | |
Duc et al. | Cryptopage: An efficient secure architecture with memory encryption, integrity and information leakage protection | |
JP2009540405A (en) | Secure boot system, method and program spanning multiple processors | |
US11972033B2 (en) | Alert handling | |
US10776522B1 (en) | Asymmetric protection of circuit designs | |
US11055409B2 (en) | Protected system | |
Sabbagh et al. | A novel GPU overdrive fault attack | |
Mahmoud et al. | Electrical-level attacks on CPUs, FPGAs, and GPUs: Survey and implications in the heterogeneous era | |
CN110032897A (en) | A kind of multi-core processor and its fault attacks method based on time-constrain | |
EP3624392B1 (en) | Methods and devices for secure secret key generation | |
Gallais et al. | Hardware trojans for inducing or amplifying side-channel leakage of cryptographic software | |
Krautter et al. | Remote and stealthy fault attacks on virtualized FPGAs | |
CN114327367A (en) | Pseudo data processing method, device, execution unit and processor | |
Köylü et al. | RNN-based detection of fault attacks on RSA | |
Li et al. | A control flow integrity checking technique based on hardware support | |
CN105281888A (en) | Fault injection method and fault injection device for password chips | |
Mahmoud et al. | DFAulted: Analyzing and exploiting CPU software faults caused by FPGA-driven undervolting attacks | |
US10382193B2 (en) | Performing cryptographic data processing operations in a manner resistant to external monitoring attacks | |
Gross et al. | Fpganeedle: Precise remote fault attacks from fpga to cpu | |
Qui et al. | Voltjockey: Abusing the processor voltage to break arm trustzone | |
Tang et al. | Motivating security-aware energy management | |
US11651089B2 (en) | Terminating distributed trusted execution environment via self-isolation | |
Gogniat et al. | Reconfigurable security support for embedded systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |