CN110032897B - Multi-core processor and time constraint-based fault attack method thereof - Google Patents

Publication number
CN110032897B
Authority
CN
China
Prior art keywords
voltage
core
attacked
processor
attack
Legal status
Active
Application number
CN201910310348.3A
Other languages
Chinese (zh)
Other versions
CN110032897A (en)
Inventor
汪东升
邱朋飞
吕勇强
王淳
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN201910310348.3A
Publication of CN110032897A
Application granted
Publication of CN110032897B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G06F21/81 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer by operating on the power supply, e.g. enabling or disabling power-on, sleep or resume operations

Abstract

The application discloses a multi-core processor and a time constraint-based fault attack method thereof, and relates to the field of computer processors. The time constraint-based fault attack method comprises the following steps: when a hardware fault needs to be injected into a sequential circuit, changing the voltage of the sequential circuit to an attack voltage; prolonging the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit, thereby breaking the time constraint of the sequential circuit; and, within that time period, when a later electronic element has not received the output of the preceding electronic element at the rising edge of the clock, taking preset data as input, processing it, and outputting the expected data. With the fault injection method provided by the application, the processing time of the sequential circuit is prolonged by breaking the time constraint in the attacked core without changing the voltage of the other cores, so that hardware fault injection is achieved and an untrusted application program can be loaded into the secure environment.

Description

Multi-core processor and time constraint-based fault attack method thereof
Technical Field
The application relates to the field of computer processors, in particular to a multi-core processor and a time constraint-based fault attack method thereof.
Background
In order to improve the security of devices, ARM has proposed the TrustZone security extension, a system-wide security method that provides protection for applications on devices (secure payment, digital rights management, enterprise services, Web-based services, encryption and decryption services, etc.). TrustZone divides the hardware and software resources of the device into a secure environment and a normal environment, virtualizes a secure core and a normal core from each physical processor core, and executes code and data in the secure environment and the normal environment respectively. An application program running in the secure environment can use all the resources of the system, an application program running in the normal environment cannot use the resources of the secure environment, and the two environments are switched through monitor mode. The normal environment can enter the secure environment through monitor mode by means of the Secure Monitor Call (SMC) instruction or mechanisms such as hardware interrupts (Interrupt Request (IRQ) and Fast Interrupt Request (FIQ)) and data read-write and instruction prefetch exceptions, and a processor in the secure environment state can likewise enter the normal environment state through monitor mode. The TrustZone hardware extension ensures that access to and modification of hardware and software resources are isolated between the secure environment and the normal environment, and some secure software must run in the secure environment to manage and configure the TrustZone hardware and to provide trusted services. The software architecture of TrustZone is not fixed: a dedicated secure operating system (such as the Qualcomm secure environment operating system QSEOS) can be designed for the secure environment, and some secure synchronous code libraries can also run in the secure environment.
In order to protect the integrity of trusted application programs and prevent untrusted application programs from being loaded into TrustZone, a device user cannot develop and load a custom application program into TrustZone. When a secure application program is loaded, an RSA-based signature authentication chain is executed, and TrustZone will not load an application program that fails signature authentication. As a widely applied encryption algorithm, RSA has relatively high security when the key is long enough, and it is relatively difficult to acquire sensitive RSA data using common software-based vulnerability attack methods. However, if the intermediate state is changed during the execution of the RSA algorithm, an attacker can acquire the sensitive RSA data through differential fault analysis of the wrong output result and the correct output result. For example, if a fault occurs during the signature process, an attacker can recover the RSA private key through differential fault analysis.
Disclosure of Invention
The application provides a fault attack method based on time constraint, which comprises the following steps: when a hardware fault needs to be injected into a sequential circuit, changing the voltage of the sequential circuit to an attack voltage; breaking the time constraint of the sequential circuit, so that the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged; and, within that time period, when a later electronic element has not received the output of the preceding electronic element at the rising edge of the clock, taking preset data as input, processing it, and outputting the expected data.
As above, wherein the time constraint of the sequential circuit is:
$$T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$$
where $T_{clk}$ represents one clock cycle, i.e. the interval between two rising clock edges, and also reflects the frequency of the circuit; $T_{setup}$ represents the time for which the input of the last sequential electronic element needs to be kept stable, i.e. the interval that must be left between the output of the intermediate logic unit and the next rising clock edge; $T_{src}$ represents the delay between the input and the output of the first sequential electronic element, i.e. the time between receiving a rising edge of the clock and giving a stable output; $T_{transfer}$ represents the interval between the output of the first sequential electronic element and the output of the intermediate logic unit, i.e. the processing time of the intermediate logic unit; $T_{\varepsilon}$ represents a small time constant.
As above, breaking the time constraint of the sequential circuit and prolonging the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is specifically: the clock period $T_{clk}$ is fixed; $T_{setup}$ is determined by the characteristics of the clock electronics and is independent of the frequency and voltage of the circuit; after the voltage of the sequential circuit is changed to the attack voltage, $T_{src}$ and $T_{transfer}$ increase, and the time constraint of the circuit is violated.
As above, by modifying the voltage management driver, it is possible to arbitrarily set the voltage of the sequential circuit, thereby being able to change the voltage of the sequential circuit to an attack voltage, which is specifically a voltage that is lower than the rated voltage but enables the sequential circuit to normally operate at a low frequency.
As above, the preset data includes the data value from the electronic element's previous clock cycle or a set fault value.
The application also provides a fault attack method for a multi-core processor based on time constraint, which comprises the following steps: when a hardware fault needs to be injected into a certain processor core of the multi-core processor, that processor core is designated as the attacked core, and another processor core is used as the attacking core; when the attacking core detects that the attacked core has run to the specified sequential circuit into which the fault is to be injected, the processor core voltage of the attacked core is changed to an attack voltage; the time constraint of the sequential circuit is broken, so that the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged; within that time period, when a later electronic element has not received the output of the preceding electronic element at the rising edge of the clock, it takes preset data as input, processes it, and outputs the expected data; and the attack voltage is maintained until the sequential circuit outputs the expected data, after which the processor core voltage of the attacked core is restored to a safe voltage.
As above, the attack voltage is specifically a voltage that makes the attacked core unable to work normally, and other processor cores except the attacked core can work normally.
As above, configuring the processor core voltage and the voltage duration of the attacked core specifically includes: setting the processor voltage and the voltage duration of the attacked core to suitable parameters; wherein the suitable parameters required to realize a fault $F_{fault}$ include $F_a$, $F_v$, $V_l$, $V_b$, $T_{pre\_w}$, $T_{pre\_d}$ and $T_{dur}$: $F_a$ represents the frequency of the attacking core; $F_v$ represents the frequency of the attacked core; $V_l$ represents the attack voltage; $V_b$ represents the safe voltage, i.e. the voltage of the processor core before and after the attack voltage is set, at which both the attacking and the attacked core can operate normally; $T_{pre\_w}$ represents the time the attacking program waits for the attacked function to begin executing; $T_{pre\_d}$ represents the time the attacking program waits for the attacked code to start executing; and $T_{dur}$ represents the duration of the attack voltage.
The present application further provides a multi-core processor, comprising processor cores and a power management integrated chip, wherein the power management integrated chip provides the processor core voltage for the processor cores through the power management integrated circuit; the processor cores are used such that, when a hardware fault is to be injected into a certain processor core, that processor core is designated as the attacked core and another processor core is used as the attacking core, and when the attacking core detects that the attacked core has run to the specified sequential circuit into which the fault is to be injected, the voltage of the processor is changed to an attack voltage by using the modified power management driver, the time constraint of the sequential circuit is broken, and the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged; within that time period, when a later electronic element has not received the output of the preceding electronic element at the rising edge of the clock, it takes preset data as input, processes it, and outputs the expected data; and the power management integrated chip is used for changing the processor core voltage of the attacked core to the attack voltage when the attacking core detects that the attacked core has run to the specified sequential circuit into which the fault is to be injected, maintaining it until the sequential circuit outputs the expected data, and then restoring the processor core voltage of the attacked core to a safe voltage.
As above, wherein, changing the processor core voltage of the attacked core in the power management chip to the attack voltage specifically includes: the power management integrated chip provides attack voltage for all the processor cores, the attack voltage enables the attacked core not to work normally, but the attacking core and other cores can work normally; or the power management integrated chip changes the voltage of the processor core of the attacked core into the attacking voltage independently.
The beneficial effects achieved by this application are as follows:
(1) the voltage of a processor core can be configured arbitrarily by modifying the voltage management driver and bypassing the safety mechanisms of threshold voltage and voltage selection in the voltage management kernel driver;
(2) a low voltage is provided to the processor cores at which the other cores can work normally but the attacked core cannot; without affecting the normal operation of the other cores, the data processing time of the electronic elements in the sequential circuit is prolonged by breaking the time constraint in the attacked core, and hardware fault injection is achieved;
(3) practical experiments show that the fault injection point, the attack voltage and the attack time can be accurately controlled, which reduces the influence of hardware faults on other code segments during fault injection;
(4) through the fault attack method the sequential circuit can be made to output expected results, so that an untrusted application program can be loaded into the secure environment.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to these drawings.
FIG. 1 is a diagram of time constraints that need to be satisfied by a sequential circuit according to an embodiment;
FIG. 2 is a schematic diagram of a combination of software and hardware of a voltage management architecture in a multi-core processor according to a second embodiment;
FIG. 3 is a flowchart of a method for injecting a hardware fault into a sequential circuit according to a third embodiment;
FIG. 4 is a flowchart of a method for fault injection based on time constraints of a multi-core processor according to a fourth embodiment;
FIG. 5 is a schematic diagram of an attacking core injecting a hardware fault to an attacked program in a trusted application within the attacked core;
FIG. 6 is a flowchart of a method for injecting a fault into the RSA decryption algorithm to make the RSA decryption algorithm output an expected plaintext according to the fifth embodiment;
FIG. 7 is a schematic diagram of an attacking core injecting a hardware fault into a signature authentication mechanism in a trusted application in an attacked core according to a sixth embodiment;
FIG. 8 is a schematic diagram of a malicious voltage that disables the processor;
FIG. 9 shows the minimum duration of hardware faults (number of null instruction executions) for different voltages and different unrelated core states;
FIG. 10 shows the time from the beginning of execution of the attacked RSA function to the beginning of execution of the attacked code (number of null instruction executions);
FIG. 11 shows the time the attacker waits for the attacked TrustZone loader to start executing the fourth RSA decryption verification function (number of null instruction executions);
FIG. 12 shows the number of faulty bytes occurring in the RSA integer modulus for different attack voltages and durations.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Before introducing a fault injection method based on time constraint, the present application describes the time constraint of a sequential circuit:
Generally, a sequential circuit comprises a plurality of electronic elements that operate under the control of a unified clock pulse. Each electronic element starts to process its input data only after the input signal is stable, and there is also a delay between the input and the output of each element. The sequential circuit can therefore keep its electronic elements operating in a coordinated and consistent manner only if certain constraint conditions are met, and a sequential circuit is designed to requirements by tuning these time constraints;
take as an example a sequential circuit that starts with one sequential electronic element and ends with another (the number of electronic elements in a sequential circuit is set according to actual needs): the rising edge of the clock triggers the first sequential electronic element, the intermediate logic unit processes the output of the first sequential electronic element, and the processed result is used as the input of the last sequential electronic element; the time constraints that the sequential circuit needs to satisfy are shown in FIG. 1:
$T_{clk}$ represents one clock cycle, i.e. the interval between two rising clock edges, and also reflects the frequency of the circuit;
$T_{setup}$ represents the time for which the input of the last sequential electronic element needs to be kept stable, i.e. the interval that must be left between the output of the intermediate logic unit and the next rising clock edge;
$T_{src}$ represents the delay between the input and the output of the first sequential electronic element, i.e. the time between receiving a rising edge of the clock and giving a stable output;
$T_{transfer}$ represents the interval between the output of the first sequential electronic element and the output of the intermediate logic unit, i.e. the processing time of the intermediate logic unit;
to ensure that the input of the last sequential electronic element remains stable until the next rising clock edge, and thus to ensure that the output of the sequential circuit coincides with the expected output, the sequential circuit needs to meet the following time constraint:
$$T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$$
where $T_{\varepsilon}$ represents a small time constant.
Owing to its electronic characteristics, an electronic element needs a proper voltage (the rated voltage) to supply enough energy for data processing. If the voltage is relatively low, the element does not receive enough energy, its performance may degrade, and the delay between its input and output may become longer. The time constraint of the circuit is then broken, the element cannot process data with the correct input, and the output of the circuit may change, which implements hardware fault injection.
Based on the time constraint of the sequential circuit, the clock frequency of the circuit in the present embodiment is left unchanged, i.e. the clock period $T_{clk}$ is fixed; $T_{setup}$ is determined by the characteristics of the clock electronics and is independent of the frequency and voltage of the circuit. When the voltage supplied to the sequential electronic elements is lowered, $T_{src}$ and $T_{transfer}$ increase and the time constraint of the circuit is broken. The last sequential electronic element then begins processing data before it has received a stable output from the intermediate logic unit and therefore uses an unchanged input, so the output of the sequential circuit differs from the expected output, thereby injecting a hardware fault into the circuit.
Example two
The hardware fault injection method based on time constraint provided by the application is characterized in that the injection of hardware faults into a time sequence circuit is realized by adjusting the voltage of the time sequence circuit; the second embodiment describes a method for adjusting the voltage of the sequential circuit.
Optionally, the verification experiments of the application were mainly performed on a Google Nexus 6. The Google Nexus 6 has a processor produced by Qualcomm and based on the ARM Krait architecture; the voltage management kernel driver provided by Qualcomm configures the voltage hardware manager of the processor and provides an interface for the operating system. In the existing Google Nexus 6 operating system, to prevent malicious voltages from damaging the processor, Qualcomm adds two security mechanisms, namely threshold voltage and voltage selection, to the voltage management kernel driver it provides.
The safety mechanisms of threshold voltage and voltage selection are described in detail below:
threshold voltage: in a hardware management driver, the threshold voltage represents the minimum value to which the processor core voltage can be set, and if an attempt is made to set a voltage lower than the threshold voltage, the driver will provide a stable threshold voltage to the processor. The size of the threshold voltage is defined in the device description file and is read by the detection step of the voltage management driver;
voltage selection: since the frequencies of different processor cores may be different, in order to protect processor cores with high frequencies, the hardware management driver selects, as the processor core voltage, the voltage corresponding to the highest frequency among the frequencies of all cores in the OPP (set of discrete tuples of voltages and frequencies supported by the multi-core processor).
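The two safeguards described above, together with a read-back check for the condition they are meant to prevent, as an added example (not code from the patent or from the Qualcomm driver). The OPP table, the threshold value and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One OPP entry: a supported frequency and the minimum voltage it requires. */
struct opp {
    uint32_t freq_khz;
    uint32_t min_uv;
};

/* Constructed sample table; these are not values from a real device. */
static const struct opp OPP_TABLE[] = {
    {  300000,  700000 },
    { 1200000,  850000 },
    { 2400000, 1050000 },
};
#define OPP_COUNT (sizeof(OPP_TABLE) / sizeof(OPP_TABLE[0]))

/* Constructed threshold: the lowest voltage the driver will ever program. */
#define THRESHOLD_UV 600000u

/* Look up the minimum voltage for a frequency; -1 if it is not in the OPP set. */
int opp_min_uv(uint32_t freq_khz, uint32_t *min_uv)
{
    for (size_t i = 0; i < OPP_COUNT; i++) {
        if (OPP_TABLE[i].freq_khz == freq_khz) {
            *min_uv = OPP_TABLE[i].min_uv;
            return 0;
        }
    }
    return -1;
}

/* Threshold voltage: a request below the threshold is replaced by it. */
uint32_t clamp_to_threshold(uint32_t requested_uv)
{
    return requested_uv < THRESHOLD_UV ? THRESHOLD_UV : requested_uv;
}

/* Voltage selection: the shared core voltage is the one that the highest
 * frequency among all cores requires, so the fastest core is protected. */
int select_rail_uv(const uint32_t *core_khz, size_t ncores, uint32_t *rail_uv)
{
    uint32_t highest_khz = 0, uv = 0;

    if (ncores == 0)
        return -1;
    for (size_t i = 0; i < ncores; i++) {
        if (opp_min_uv(core_khz[i], &uv) != 0)
            return -1;              /* refuse frequencies outside the OPP set */
        if (core_khz[i] > highest_khz)
            highest_khz = core_khz[i];
    }
    if (opp_min_uv(highest_khz, &uv) != 0)
        return -1;
    *rail_uv = clamp_to_threshold(uv);
    return 0;
}

/* Read-back check (an assumption of this example, not described on the page):
 * given the voltage actually present on the shared rail, return a bitmask of
 * cores whose current frequency needs more than that. A non-zero result means
 * the frequency-voltage relation of the OPP set no longer holds for that core.
 * Cores running at an unknown frequency are flagged as well. */
uint32_t undervolted_cores(const uint32_t *core_khz, size_t ncores,
                           uint32_t rail_uv)
{
    uint32_t mask = 0, need = 0;

    for (size_t i = 0; i < ncores && i < 32; i++) {
        if (opp_min_uv(core_khz[i], &need) != 0 || rail_uv < need)
            mask |= (uint32_t)1 << i;
    }
    return mask;
}

int main(void)
{
    /* Constructed state: three cores at low frequency, core 3 at high frequency. */
    const uint32_t cores[4] = { 300000, 300000, 300000, 2400000 };
    uint32_t rail = 0;

    if (select_rail_uv(cores, 4, &rail) == 0)
        printf("selected rail voltage: %u uV\n", (unsigned)rail);
    printf("cores flagged at 800000 uV: 0x%x\n",
           (unsigned)undervolted_cores(cores, 4, 800000));
    return 0;
}
```

Running the read-back check against the voltage actually reported by the power management chip, rather than the value the driver believes it set, is what makes it useful when the driver itself may have been modified.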
For a processor supporting dynamic power management technology, in order to break the time constraint by changing the voltage, and thereby achieve fault injection and make the sequential circuit output a specified result, the present application bypasses the safety mechanisms of threshold voltage and voltage selection in the voltage management kernel driver by modifying the voltage management driver, so that the processor core voltage can be configured arbitrarily;
specifically, the threshold voltage is bypassed by modifying the device description file or by modifying the detection step of the driver, so that an attacker can set a processor core voltage smaller than the threshold voltage; and the safety mechanism of voltage selection is cancelled by modifying the voltage selection code; since modifying the device description file has a relatively wide range of influence, the embodiment of the present application preferably bypasses the threshold voltage by modifying the detection step of the driver;
it should be noted that the present application only modifies the minimum voltage value of the processor, i.e. the threshold voltage, and does not address the maximum voltage, for the following reason: the last byte in the voltage register of the voltage hardware manager represents a multiple of the base voltage, and the maximum number that can be represented by a byte is 255, so the maximum voltage cannot exceed 255 times the base voltage; on the verification platform of the application, experiments verify that when the byte is 255, the processor core can work normally at all frequencies. Therefore, the verification experiments of the present application are used to achieve low-voltage faults.
Referring to fig. 2, fig. 2 is a schematic diagram of software and hardware combination of a voltage management architecture in a multi-core processor based on an ARM Krait architecture, which includes a multi-core processor, a kernel space and a user space;
the kernel space and the user space form the software architecture; the kernel space comprises a voltage management driver and a frequency driver, which manage the voltage and the frequency of each processor core in the multi-core processor; the frequency driver is used for receiving the frequency setting from the user space and providing the attack voltage to the voltage management driver; the voltage management driver is used for receiving the target voltage from the frequency driver, namely the set attack voltage, and changing the register setting of the power management chip according to the attack voltage.
The multi-core processor is a hardware architecture and comprises a plurality of processor cores (CPU cores) and a power management integrated chip (preferably a PMA8084 power chip), wherein the power management integrated chip provides the processor core voltage for the processor cores through the power management integrated circuit according to the setting value of an internal register and provides peripheral voltage for other external equipment;
specifically, the power management chip provides processor core voltages to the processor cores, specifically including providing a uniform core voltage to all the processor cores, or providing a processor core voltage to each processor core;
the processor cores are used such that, when a hardware fault is to be injected into a certain processor core, that processor core is designated as the attacked core and another processor core is used as the attacking core; when the attacking core detects that the attacked core has run to the specified sequential circuit into which the fault is to be injected, the voltage of the processor is changed to an attack voltage by using the modified power management driver, the time constraint of the sequential circuit is broken, and the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged; within that time period, when a later electronic element has not received the output of the preceding electronic element at the rising edge of the clock, it takes preset data as input, processes it, and outputs the expected data;
the power management integrated chip is used for changing the processor core voltage of the attacked core to an attack voltage when the attacking core detects that the attacked core has run to the specified sequential circuit into which the fault is to be injected, and for restoring the processor core voltage of the attacked core to a safe voltage after the sequential circuit outputs the expected data;
specifically, either the power management integrated chip provides the attack voltage to all processor cores, the attack voltage being such that the attacked core cannot work normally while the attacking core and the other cores can; or the power management integrated chip changes the processor core voltage of the attacked core alone to the attack voltage.
Owing to the electronic characteristics of the multi-core processor, within the OPP set of discrete voltage-frequency tuples supported by the multi-core processor, the higher the frequency of a processor core, the higher the minimum voltage it requires. The frequency of each processor core can be set independently, and different frequencies correspond to different minimum voltages. When the voltage supplied to a processor core is lower than the minimum voltage it requires, the time constraint of that processor core is broken. An attack program in the attacking core therefore uses this frequency-voltage difference to carry out a fault injection attack on a specified attacked core and inject hardware faults into it.
When a hardware fault needs to be injected into the specified attacked core, a system command is used to set the attacked core running the attacked program to a high frequency and the attacking core running the attack program and the other unrelated cores to a low frequency; at a specific moment the attack program then selects a suitable voltage between the minimum voltages required by the high frequency and the low frequency as the attack voltage and maintains it for a short time;
preferably, in the embodiment of the present application, the attack program selects an appropriate voltage and voltage duration to implement fault attack, specifically:
Ffault={Fa;Fv;Vl;Vb;Tpre_w;Tpre_d;Tdur}
wherein the attack program implements the fault FfaultDesired value of the appropriate parameter Fa、Fv、Vl、Vb、Tpre_w、Tpre_d、TdurDetermined by experimental results, FaFrequency, F, representing the attack corevFrequency, V, representing the core being attackedlRepresenting the attack voltage, VbIndicating a security voltage, i.e. the voltage of the processor core before and after setting the attack voltage, T, enabling both the attacking and attacked core to operate normallypre_wRepresenting the time, T, at which the attacking program waits for the attacked function to begin executingpre_dT represents the time when the attacking program waits for the attacked code to start executingdurRepresenting the attack voltage duration.
It should be noted that too low a voltage leaves an electronic element without enough energy to operate. When the voltage supplied to a sequential electronic element is reduced while still allowing it to operate normally at a low frequency, the delay between its input and its output increases. Likewise, if the voltage of an electronic element is too high, its operation may become unstable and its output may change; if a high circuit voltage causes the output of the first sequential electronic element to differ from what was expected, the input provided to the last sequential electronic element may also be incorrect, resulting in an erroneous output. Fault injection based on high voltage may have unforeseen consequences, because an excessive voltage can damage the electronic elements. In practical use, therefore, fault injection based on low voltage is more appropriate.
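The frequency-voltage gap described above amounts to one violated invariant: the supplied voltage must never fall below the minimum required by the fastest core. The C sketch below is an added example, not code from the patent or from any vendor driver; it assumes the cores share one voltage rail while frequencies are set per core, and the OPP values, sample profiles and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One operating performance point: a frequency and the minimum rail
 * voltage at which a core still meets its time constraint. */
struct opp {
    uint32_t freq_khz;
    uint32_t min_mv;
};

/* CONSTRUCTED table, sorted by ascending frequency. Real values come
 * from the SoC vendor's characterisation data. */
static const struct opp opp_table[] = {
    {  420000,  650 },
    {  960000,  750 },
    { 1500000,  850 },
    { 2150000,  950 },
    { 2650000, 1055 },
};
#define OPP_COUNT (sizeof opp_table / sizeof opp_table[0])

enum rail_verdict { RAIL_OK = 0, RAIL_UNDERVOLT = -1, RAIL_BAD_FREQ = -2 };

/* Minimum voltage for a frequency: taken from the first table entry at
 * or above it. Returns 0 when the frequency exceeds the table. */
static uint32_t opp_min_mv(uint32_t freq_khz)
{
    for (size_t i = 0; i < OPP_COUNT; i++)
        if (freq_khz <= opp_table[i].freq_khz)
            return opp_table[i].min_mv;
    return 0;
}

/* Voltage change: the new rail voltage must satisfy every core on the
 * rail, not only the core of the requester. */
int check_voltage_request(const uint32_t *core_khz, size_t ncores,
                          uint32_t requested_mv)
{
    for (size_t i = 0; i < ncores; i++) {
        uint32_t need = opp_min_mv(core_khz[i]);
        if (need == 0)
            return RAIL_BAD_FREQ;
        if (requested_mv < need)
            return RAIL_UNDERVOLT;
    }
    return RAIL_OK;
}

/* Frequency change: the opposite ordering (lower the rail first, raise
 * one core afterwards) must hit the same invariant. */
int check_frequency_request(uint32_t new_khz, uint32_t rail_mv)
{
    uint32_t need = opp_min_mv(new_khz);
    if (need == 0)
        return RAIL_BAD_FREQ;
    return rail_mv < need ? RAIL_UNDERVOLT : RAIL_OK;
}

/* CONSTRUCTED frequency profiles for a four-core cluster. */
static const uint32_t split_profile_khz[4] = { 420000, 2650000, 420000, 420000 };
static const uint32_t uniform_low_khz[4]   = { 420000,  420000, 420000, 420000 };

int main(void)
{
    printf("split profile, 650 mV:  %d\n",
           check_voltage_request(split_profile_khz, 4, 650));
    printf("split profile, 1055 mV: %d\n",
           check_voltage_request(split_profile_khz, 4, 1055));
    printf("uniform low, 650 mV:    %d\n",
           check_voltage_request(uniform_low_khz, 4, 650));
    printf("raise to 2.65 GHz at 650 mV: %d\n",
           check_frequency_request(2650000, 650));
    return 0;
}
```

Because the page describes bypassing the check inside the voltage management kernel driver, a guard of this kind only holds where the requesting software cannot patch it, for example in firmware or in the power-management hardware.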
Example three
On the basis of the time constraint of the first embodiment and the voltage management of the second embodiment, the third embodiment of the present application provides a method for injecting a hardware fault into a sequential circuit by changing the voltage, based on the time constraint; as shown in fig. 3, it includes:
Step 310: when a hardware fault needs to be injected into the sequential circuit, changing the voltage of the sequential circuit into an attack voltage;
Preferably, the rated-voltage check in the voltage management kernel driver is modified and thereby bypassed, the voltage of the sequential circuit is reduced below the rated voltage, and this value is used as the attack voltage of the sequential circuit, so that the delay between the input and the output of the electronic elements in the sequential circuit is lengthened and the original time constraint of the sequential circuit is broken.
Step 320: the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged, and the time constraint of the sequential circuit is broken;
In this embodiment, reducing the voltage of the sequential circuit increases its time constraint parameters $T_{src}$ and $T_{transfer}$, so the time constraint of the circuit is broken: the last sequential electronic element starts processing data before it has received a stable output from the intermediate logic unit. With the input unchanged, the output of the sequential circuit therefore differs from the expected output, and a hardware fault is thus injected into the circuit.
Step 330: in the time period, when the latter electronic element does not receive the output of the former electronic element on the rising edge of the clock, the preset data is used as input and is processed, and expected data is output;
optionally, the preset data may be a data value in the last clock of the electronic component, or may also be a set fault value;
specifically, under the condition that the input of the first electronic element of the sequential circuit is not changed, the time from the input to the output of the first electronic element is prolonged, so that the output of the former electronic element is not received by the latter electronic element at the rising edge of the clock, and the latter electronic element still processes data at the rising edge of the clock, but the processed data is not the output of the former electronic element, but the processed data of the former clock or the set fault value, so that the output of the whole sequential circuit is different from the expected output, and the injection of the hardware fault into the circuit is realized.
Example four
On the basis of the first, second and third embodiments, the fourth embodiment of the present application provides a fault injection method based on the time constraint of a multi-core processor. When a hardware fault needs to be injected into a certain processor core, that processor core is designated as the attacked core and the attacked program is bound to it for execution; the processor core running the attack program serves as the attacking core, and the remaining processor cores are the other unrelated cores. The attacking core running the attack program can thus inject a hardware fault into the designated attacked core running the attacked program without affecting the other unrelated cores or the normal running of the programs on them. As shown in fig. 4, the method includes:
Step 410: the attack program on the attacking core detects the attacked program on the attacked core and waits for the attacked program to run to a specified fault injection point;
Specifically, while the attack program on the attacking core waits for the attacked program to run to the specified fault injection point, the following sub-steps are executed:
S411: setting an attack environment of fault injection;
before fault injection, in order to make fault injection more accurate and effective, a proper fault injection attack environment needs to be prepared, specifically: configuring the frequency of an attacking core and the frequency of an attacked core, setting the voltage of a processor core to be a safe voltage, and configuring an attacking environment comprising data such as a cache, a branch predictor, a processor state register and the like by executing an attacked program for multiple times.
S412: waiting for the attacked function to start executing;
Specifically, the attacked target code is packaged, as a small section of attacked code, inside an attacked function; the attacked function is a fixed function, and the attacked code is loaded into it according to the actual fault injection requirement. To match the execution of the attack program to that of the trusted application on the attacked core, so that the fault is injected accurately at the preset fault injection point of the trusted application, the attack program, after it starts executing, measures out instruction execution cycles by executing null instructions until the attacked function starts to execute. The length of time the attack program waits for the attacked function to start executing is denoted $T_{pre\_w}$; that is, the null instructions execute for $T_{pre\_w}$.
S413: after the attacked function starts to execute, waiting for the attacked code in the attacked function to start to execute;
Specifically, in order to control the fault injection point accurately and to reduce the influence of the hardware fault on other code segments in the attacked function, after the attacked function starts to execute the attack program measures out instruction execution cycles by executing null instructions until the attacked code starts to execute. The length of time the attack program waits for the attacked code to start executing is denoted $T_{pre\_d}$; that is, the null instructions execute for $T_{pre\_d}$.
Step 420: when the attacking core detects that the attacked core runs to the sequential circuit to be injected with the fault, changing the voltage of the processor core of the attacked core into the attacking voltage, destroying the time constraint of the sequential circuit, and prolonging the execution time of the program of the attacked core;
After the attacked code begins to execute, the attack program sets the processor core voltage of the attacked core to the attack voltage $V_l$, where the attack voltage $V_l$ is specifically a voltage at which the attacking core executes normally but the attacked core cannot. Reducing the voltage of the sequential circuit increases its time constraint parameters $T_{src}$ and $T_{transfer}$, so the time constraint of the circuit is broken: the last sequential electronic element starts to process data before it has received a stable output from the intermediate logic unit. With the input unchanged, the output of the sequential circuit therefore differs from the expected output, and a hardware fault is thus injected into the circuit;
and in the time period, when the latter electronic element does not receive the output of the former electronic element on the rising edge of the clock, the preset data is taken as input and processed.
Step 430: restoring the voltage of the processor core of the attacked core to a safe voltage after the attacking voltage lasts for a preset time;
Specifically, after the attack program has executed null instructions for the duration $T_{dur}$ under the attack voltage, it restores the voltage and the frequency of the processor core of the attacked core, preventing the attacked core from going down or the system from crashing. The null-instruction execution time $T_{dur}$ is obtained experimentally for each fault injection condition; once the best fault-injection execution time has been found in the experimental stage, that $T_{dur}$ is used as the preset time for that fault injection condition, for convenient later use.
FIG. 5 is a schematic diagram of an attacking core injecting a hardware fault into an attacked program in a trusted application within the attacked core. The attacked core comprises a normal world and a secure world; cache layout and the setting of processor state and voltage are carried out in the normal world, and a trusted application, comprising the attacked program and other code, runs in the secure world. While the trusted application executes the other code that precedes the attacked function, the attacking core sets up the attack environment and waits, by executing null instructions, for the attacked function to start executing. Between the start of the attacked function and the specified fault injection point (the start of the attacked code), the attacking core continues to execute null instructions in step, waiting for the attacked code to start executing. When the attacked function reaches the attacked code, the attacking core changes the voltage of the processor core of the attacked core, breaking the time constraint of the sequential circuit of the attacked core and realizing the fault attack; after the preset time it restores the voltage of the processor core of the attacked core, the attacked function returns to normal, and execution continues with the code after the attacked code and the other code after the attacked function.
It should be noted that the number of hardware fault injections within the preset time is not limited to one, and that, on the basis of successful hardware fault injection, the attacked program is executed multiple times so that the data in the cache, the branch predictor, the processor state registers and the like become highly correlated with the attacked program, which reduces the influence on the attack effect of data in the processor that is unrelated to the attacked program.
Example five
On the basis of the first, second, third and fourth embodiments, the fifth embodiment of the present application takes as an example the attacking core obtaining RSA-sensitive data from the RSA decryption algorithm on the attacked core. RSA is a widely applied encryption algorithm and is relatively secure when the key is long enough; by changing the processor voltage, the intermediate state during execution of the RSA algorithm is changed, so that the RSA algorithm outputs the expected result.
In order to make the RSA decryption program output an expected plaintext, and to do so through the RSA-based signature authentication mechanism in TrustZone, a fourth embodiment of the present application provides a differential fault analysis method for an RSA decryption program based on the Android encryption library. The method injects a fault into the processor by using the processor's multi-core technology and dynamic power management technology, and makes the RSA decryption program output the expected plaintext by constructing special input data and changing the integer modulus in the RSA decryption program executed on the processor. It specifically includes the following operations:
Before describing the fault injected into the RSA decryption program based on the Android encryption library, the implementation of the RSA decryption program is described in detail. Table 1 shows the calculation process of the RSA decryption algorithm based on the Android encryption library:
Figure BDA0002031247920000111
Figure BDA0002031247920000121
TABLE 1
In table 1, after the RSA decryption program receives the input ciphertext C, the integer modulus N and the public key e, it outputs the decrypted plaintext P through program operations 1-14. To speed up the exponentiation in the RSA decryption algorithm, the algorithm in Table 1 applies the Montgomery multiplication operation $\mathrm{MONMUL}(x, y, N, r^{-1}) \leftarrow x \cdot y \cdot r^{-1} \bmod N$, and applies the modular inverse $N0inv \leftarrow 2^{32} - \mathrm{MODULEINVERSE}(N, 2^{32})$ to reduce the number of cycles of the Montgomery multiplication operation. Because Montgomery multiplication is used, the ENDIANINVERSION function is used to convert input data in big-endian representation into little-endian representation; Table 2 shows the implementation of the ENDIANINVERSION function:
Figure BDA0002031247920000122
TABLE 2
In table 2, after the ENDIANINVERSION function receives the big-endian variable V to be converted, it outputs the converted little-endian data S through the operations of steps 1 to 10.
In the RSA decryption algorithm, the integer modulus N is generally set to a value that is difficult to factor. Because algorithm 2 frequently performs operations such as shifts, ORs and assignments on the input integer modulus N, algorithm 2 is chosen as the designated fault injection point; after the integer modulus N is input into the sequential circuit of algorithm 2, as shown in fig. 6, the following sub-steps are performed:
Step 610: after the integer modulus N is input into the sequential circuit of algorithm 2, changing the voltage of the sequential circuit into the attack voltage;
Preferably, the rated-voltage check in the voltage management kernel driver is modified and thereby bypassed, the voltage of the sequential circuit is reduced below the rated voltage, and this value is used as the attack voltage of the sequential circuit, so that the delay between the input and the output of the electronic elements in the sequential circuit is lengthened and the original time constraint of the sequential circuit is broken.
Step 620: when, on the rising edge of the clock, the latter electronic element in the sequential circuit has not received the output of the former electronic element, the preset data $N_m$ is used as the input of the electronic element;
Specifically, the preset data $N_m$ may be the data of the last clock rising edge of the electronic element, or set data.
Step 630: judging whether $N_m$ can be prime-factorized within the preset time; if so, the fault injection has succeeded and step 640 is executed; otherwise the fault injection has failed;
Preferably, the method is implemented in the Python language, where $N_m$ is prime-factorized by the factor function of ecm (elliptic-curve method); if the factor function cannot prime-factorize $N_m$ within 60 seconds, $N_m$ is judged to be data that is difficult to factor and cannot be used as attack data for fault injection.
Step 640: calculating with the prime-factorable $N_m$ in the RSA decryption algorithm, and outputting the expected plaintext P;
Specifically, the calculation with the prime-factorable $N_m$ includes the following operations:
1. Constructing an RSA key pair from the prime factors of $N_m$ and the public key e by using the Carmichael number algorithm, and encrypting the expected plaintext P according to the RSA encryption algorithm to obtain a ciphertext $C_m$;
For example, the constructed RSA key pair is $\{N_m, e, d_m\}$, where e is the public key and $d_m$ is the private key; the expected plaintext is encrypted according to the RSA encryption algorithm to obtain the ciphertext, specifically calculated as follows:
Figure BDA0002031247920000134
2. Constructing the appropriate key input $C'_m$ from N, $N_m$ and $C_m$ by using the extended Euclidean algorithm;
In particular, the appropriate key input $C'_m$ is computed from N, $N_m$ and $C_m$ as follows:
Figure BDA0002031247920000131
where $r = 2^{2048}$,
Figure BDA0002031247920000132
The above formula is derived as follows:
When the RSA decryption algorithm takes $N_m$ as the integer modulus throughout and $C_m$ as the ciphertext input, the calculation result of line 6 of the RSA decryption algorithm is the following formula (3):
Figure BDA0002031247920000133
where $r = 2^{2048}$,
Figure BDA0002031247920000141
However, R in line 2 is generated based on N, and R is also used in line 6; N is also used in line 3 and thus propagates to lines 6, 9, 11 and 12. If the N0inv calculated from N and the N0inv calculated from $N_m$ are the same, then using N in line 3 is the same as using $N_m$. As can be seen from the calculation formula for N0inv, N0inv does not change as long as the fault does not change the last 32 bits of N. In 2048-bit RSA, N has 2048 bits, so it is possible that an injected fault does not change the last 32 bits. The calculation result in line 6 is then the following formula (4):
Figure BDA0002031247920000142
where
Figure BDA0002031247920000143
$C'_m$ is the appropriate ciphertext input to be constructed. Setting $P_{in}$ and $P'_{in}$ equal makes the RSA decryption algorithm output the specified expected plaintext P, which yields formula (2).
3. When the RSA decryption program takes N, e and $C'_m$ as input, and the injected hardware fault modifies N to $N_m$ while N is being converted to little-endian representation, the RSA decryption program outputs the expected plaintext P.
In this embodiment, more $N_m$ are obtained by controlling the attack voltage and the duration of the attack voltage. In the validation experiment of the present application, when the parameters in formula (1) are set to {0.42 GHz, 2.65 GHz, 0.65 V, 1.055 V, 0, 87267, 3800}, 117 of 500 experiments succeeded in injecting faults, of which 23 produced a prime-factorable $N_m$; of these 23 $N_m$, 18 are identical.
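The observation above that N0inv depends only on the last 32 bits of N has a defensive consequence: a consistency check on N0inv cannot notice a modulus corrupted elsewhere, so the converted modulus has to be compared against its source in full. The C sketch below is an added example, not code from the patent or from the Android library; the function names, the conversion routine (Table 2 is not reproduced on this page) and the sample modulus are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MOD_BYTES 256                 /* 2048-bit modulus */
#define MOD_WORDS (MOD_BYTES / 4)

/* Read the i-th least significant 32-bit word of a big-endian byte string. */
static uint32_t load_word(const uint8_t be[MOD_BYTES], size_t i)
{
    const uint8_t *p = be + MOD_BYTES - 4 * (i + 1);
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Big-endian bytes -> little-endian word array (words[0] least significant).
 * Hypothetical stand-in for the page's ENDIANINVERSION step. */
void endian_inversion(const uint8_t be[MOD_BYTES], uint32_t words[MOD_WORDS])
{
    for (size_t i = 0; i < MOD_WORDS; i++)
        words[i] = load_word(be, i);
}

/* N0inv = 2^32 - (N^-1 mod 2^32). Only the lowest word n0 (odd) enters. */
uint32_t n0inv(uint32_t n0)
{
    uint32_t inv = n0;                /* n0 * n0 == 1 (mod 8): 3 correct bits */
    for (int i = 0; i < 4; i++)       /* Newton step doubles the correct bits */
        inv *= 2u - n0 * inv;
    return 0u - inv;
}

/* Redundancy check: re-derive every word from the source bytes and compare
 * all of them, without an early exit. Returns 1 when the copy is intact. */
int modulus_conversion_intact(const uint8_t be[MOD_BYTES],
                              const uint32_t words[MOD_WORDS])
{
    uint32_t diff = 0;
    for (size_t i = 0; i < MOD_WORDS; i++)
        diff |= load_word(be, i) ^ words[i];
    return diff == 0;
}

struct demo_result {
    int n0inv_same;           /* N0inv equal for intact and corrupted copy */
    int montgomery_identity;  /* n0 * N0inv == -1 (mod 2^32)               */
    int good_accepted;        /* full comparison accepts the intact copy   */
    int faulted_accepted;     /* full comparison accepts the corrupted one */
};

struct demo_result run_demo(void)
{
    uint8_t be[MOD_BYTES];
    uint32_t good[MOD_WORDS], faulted[MOD_WORDS];
    struct demo_result r;

    /* CONSTRUCTED odd 2048-bit value; not a real RSA modulus. */
    for (size_t i = 0; i < MOD_BYTES; i++)
        be[i] = (uint8_t)(i * 37u + 11u);
    be[MOD_BYTES - 1] |= 1u;

    endian_inversion(be, good);
    memcpy(faulted, good, sizeof good);
    faulted[40] ^= 0x00ff0000u;   /* constructed corruption of an upper word */

    r.n0inv_same = n0inv(good[0]) == n0inv(faulted[0]);
    r.montgomery_identity = (uint32_t)(good[0] * n0inv(good[0])) == 0xffffffffu;
    r.good_accepted = modulus_conversion_intact(be, good);
    r.faulted_accepted = modulus_conversion_intact(be, faulted);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("N0inv unchanged by upper-word corruption: %d\n", r.n0inv_same);
    printf("intact copy accepted: %d, corrupted copy accepted: %d\n",
           r.good_accepted, r.faulted_accepted);
    return 0;
}
```

The comparison runs on the same core as the conversion, so it raises the bar rather than removing the fault window; it belongs alongside voltage-side controls, not in place of them.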
Example six
On the basis of the first, second, third and fourth embodiments, the sixth embodiment of the present application takes as an example the attacking core injecting a hardware fault into the TrustZone signature authentication mechanism on the attacked core so that the RSA decryption program outputs an expected result;
Specifically, when TrustZone performs the last signature authentication, a hardware fault is injected into the secure kernel and the integer modulus of the RSA decryption program is changed; an input ciphertext is constructed using formula (2), and the last-stage signature of Widevine is then replaced with that input ciphertext.
When the modified Widevine application is loaded, a hardware fault is injected with the same attack parameters while TrustZone performs the last signature authentication, so that the last-stage signature authentication of TrustZone is passed and the modified, untrusted Widevine program is loaded.
Since the hardware fault is injected in the last stage, the attack program needs to wait for the fourth run of the RSA decryption program to start, and a side-channel attack method is used to monitor the loading process of the program. The RSA integer modulus N is loaded to a fixed memory address; N is read through the side-channel attack to determine whether the injected hardware fault changed N, and $N_m$ is obtained.
In the verification experiment of the present invention, the parameters in formula (1) are set to {0.42 GHz, 2.65 GHz, 0.65 V, 1.055 V, 61942, 87267, 3800}; of 200 experiments, 73 succeeded in injecting faults, of which 21 produced a prime-factorable $N_m$; of these 23 $N_m$, 15 are identical. On average, one of 94 attempts may succeed when loading an untrusted application with these parameters.
FIG. 7 is a schematic diagram of an attacking core injecting a hardware fault into a signature authentication mechanism in a trusted application within the attacked core. The attacked core comprises a normal world and a secure world; cache layout and the setting of processor state and voltage are carried out in the normal world, and a trusted application, comprising the attacked program (in this example, the fourth RSA authentication operation) and other code, runs in the secure world. While the trusted application executes the other code that precedes the fourth RSA authentication, the attacking core sets up the attack environment and waits, by executing null instructions, for the fourth RSA authentication to start executing. Between the start of the fourth RSA authentication and the specified fault injection point (in this example, the integer modulus endianness conversion operation), the attacking core continues to execute null instructions in step, waiting for the integer modulus endianness conversion operation to start executing. When the fourth RSA authentication begins the integer modulus endianness conversion operation, the attacking core changes the voltage of the processor core of the attacked core, breaking the time constraint of the sequential circuit of the attacked core and realizing the fault attack; after the preset time it restores the voltage of the processor core of the attacked core, the fourth RSA authentication returns to normal, and execution continues with the code after the fourth RSA authentication operation and the other code after the signature authentication program.
It should be noted that the number of hardware fault injections within the preset time is not limited to one, and that, on the basis of successful hardware fault injection, the attacked program is executed multiple times so that the data in the cache, the branch predictor, the processor state registers and the like become highly correlated with the attacked program, which reduces the influence on the attack effect of data in the processor that is unrelated to the attacked program.
Example seven
The seventh embodiment of the present application provides a verification experiment for acquiring RSA-sensitive data by injecting hardware faults into an RSA decryption algorithm:
FIG. 8 depicts malicious voltages that can prevent the processor from functioning properly. A proper voltage is a necessary condition for the processor to work properly. If the voltage of the processor is too low, the processor may not have enough power to operate and may malfunction, and the data of the program running on the processor may be altered. The running state of the processor core under test influences the minimum voltage that causes the core to fault: the busier the core under test, the more energy it consumes, and the higher the minimum voltage required to keep it operating normally. The graph shows the lowest voltage at different frequencies that causes the processor to crash or restart. Because the utilization of the processor core is not fixed, at an unchanged frequency a voltage above line 1 is a safe voltage, a voltage between line 1 and line 2 can cause a fault, and a voltage below line 3 can cause a hardware failure.
Fig. 9 shows the minimum duration (number of null-instruction executions) for which a hardware fault occurs at different voltages and in different states of the unrelated cores. The attack voltage and the attack voltage duration are important parameters in determining whether a hardware fault can be produced. If the attack voltage duration is too short, the voltage may be restored to normal before a fault has occurred; if the attack voltage is too high, more energy is supplied to the attacked core, and a longer attack voltage duration is needed to inject the fault. Furthermore, the energy consumed by the unrelated cores (the processor cores other than the attacking core and the attacked core) differs between states, which affects the energy supplied to the attacked core and, in turn, the attack voltage duration required to inject the fault successfully.
Fig. 10 shows the time (number of null-instruction executions) from the start of execution of the attacked RSA function to the start of execution of the attacked code. The frequency determines how fast the attacking core and the attacked core execute instructions; with the frequency of the attacking core and the processor voltage unchanged, the higher the frequency of the attacked core, the shorter the time from the start of the attacked function to the start of the attacked code. The RSA program in TrustZone is not exactly the same as the RSA decryption program based on the Android encryption library, so the waiting time also differs. In this figure, the frequency of the attacking core is 0.42 GHz and the attack voltage is 0.6 V.
Fig. 11 depicts the time (number of null-instruction executions) that the attack program waits for the attacked TrustZone loader to start executing the fourth RSA decryption verification function. With the frequency of the attacking core unchanged, the required time differs for different frequencies of the attacked core. In this figure, the frequency of the attacking core is 0.42 GHz and the attack voltage is 0.6 V.
Fig. 12 depicts the number of faulted bytes of the RSA integer modulus for different attack voltages and durations. In the figure, the frequency of the attacking core is 0.42 GHz and the frequency of the attacked core is 2.65 GHz. To implement a fault injection attack on RSA, an $N_m$ that can be prime-factorized in a finite time should be chosen as the attack parameter.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (9)

1. A fault attack method based on time constraint is characterized by comprising the following steps:
when a hardware fault needs to be injected into the sequential circuit, changing the voltage of the sequential circuit into an attack voltage which is lower than the rated voltage but enables the sequential circuit to work normally at a low frequency;
the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged, and the time constraint of the sequential circuit is broken;
and in the time period, when the latter electronic element does not receive the output of the former electronic element on the rising edge of the clock, the preset data is used as input and is processed, and expected data is output.
2. The fault attack method according to claim 1, wherein the time constraint of the sequential circuit is:
$T_{src} + T_{transfer} \le T_{clk} - T_{setup} - T_{\varepsilon}$
where $T_{clk}$ represents one clock cycle, is the interval between two clock rising edges, and also reflects the frequency of the circuit; $T_{setup}$ represents the time for which the input of the last sequential electronic element needs to be kept stable, and is also the interval that must be met between the output of the intermediate logic unit and the next clock rising edge; $T_{src}$ represents the delay between the input and the output of the first sequential electronic element, i.e. the time between receiving a rising edge of the clock and giving a stable output; $T_{transfer}$ represents the interval between the output of the first sequential electronic element and the output of the intermediate logic unit, i.e. the processing time of the intermediate logic unit; $T_{\varepsilon}$ represents a small time constant.
3. The fault attack method according to claim 2, wherein the time constraint of the sequential circuit is broken and the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit is prolonged, specifically: the clock period $T_{clk}$ is fixedly set, and $T_{setup}$ is determined by the characteristics of the clock electronics, independent of the frequency and voltage of the circuit; after the voltage of the sequential circuit is changed into the attack voltage, $T_{src}$ and $T_{transfer}$ increase and the time constraint of the circuit is violated.
4. The fault attack method according to claim 1, wherein the voltage of the sequential circuit is arbitrarily set by modifying the voltage management driver, whereby the voltage of the sequential circuit can be changed to an attack voltage, specifically, a voltage lower than a rated voltage but enabling the sequential circuit to normally operate at a low frequency.
5. The fault attack method according to claim 1, wherein the preset data includes a data value in a last clock of the electronic component or a set fault value.
6. A fault attack method of a multi-core processor based on time constraint is characterized by comprising the following steps:
when hardware faults need to be injected into a certain processor core of the multi-core processor, the processor core is designated as an attacked core, and another certain processor core is used as an attacking core;
when the attacking core detects that the attacked core runs to the specified sequential circuit to be injected with the fault, the voltage of the processor core of the attacked core is changed into the attacking voltage which enables the attacked core not to work normally but other processor cores except the attacked core to work normally;
destroying the time constraint of the sequential circuit, and prolonging the time period from the signal input of the first electronic element to the signal input of the last electronic element in the sequential circuit;
in the time period, when the latter electronic element does not receive the output of the former electronic element on the rising edge of the clock, the preset data is used as input and is processed, and expected data is output;
and after the attack voltage has been maintained until the sequential circuit outputs the expected data, restoring the voltage of the processor core of the attacked core to a safe voltage.
7. The time-constraint-based fault attack method for the multi-core processor according to claim 6, wherein the attack voltage is specifically a voltage which enables the attacked core not to work normally and enables other processor cores except the attacked core to work normally.
8. The time-constraint-based fault attack method for the multi-core processor according to claim 6, wherein the step of configuring the voltage and the voltage duration of the processor core of the attacked core specifically comprises: setting the processor voltage and the voltage duration of the attacked core to suitable parameters; wherein the suitable parameters required to realize a fault F_fault include F_a, F_v, V_l, V_b, T_pre_w, T_pre_d and T_dur, wherein F_a represents the frequency of the attacking core, F_v represents the frequency of the attacked core, V_l represents the attack voltage, V_b represents the safe voltage, i.e. the voltage of the processor core before and after setting the attack voltage, which enables both the attacking core and the attacked core to operate normally, T_pre_w represents the time the attacking program waits for the attacked function to begin executing, T_pre_d represents the time the attacking program waits for the attacked code to start executing, and T_dur represents the attack voltage duration.
9. The multi-core processor is characterized by comprising a plurality of processor cores and a power management integrated chip, wherein the power management integrated chip provides a processor core voltage for the processor cores through a power management integrated circuit;
the processor core is used for designating a certain processor core as an attacked core and using another certain processor core as an attacking core when a hardware fault is injected into the certain processor core, and when the attacking core detects that the attacked core runs to a specified sequential circuit to be injected with the fault, the voltage of the processor is changed into an attacking voltage by using the modified power management drive, the time constraint of the sequential circuit is damaged, and the time period from the signal input of a first electronic element to the signal input of a last electronic element in the sequential circuit is prolonged; in the time period, when the latter electronic element does not receive the output of the former electronic element on the rising edge of the clock, the preset data is used as input and is processed, and expected data is output;
the power management integrated chip is used for changing the voltage of the processor core of the attacked core into an attack voltage when the attacking core detects that the attacked core runs to a specified sequential circuit to be injected with a fault, and recovering the voltage of the processor core of the attacked core into a safe voltage after the sequential circuit outputs expected data;
the method for changing the processor core voltage of the attacked core into the attack voltage in the power management chip specifically comprises the following steps: the power management integrated chip provides attack voltage for all the processor cores, and the attack voltage enables the attacked core not to work normally, but the attacking core and other cores to work normally; or the power management integrated chip changes the voltage of the processor core of the attacked core into the attacking voltage independently.
CN201910310348.3A 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof Active CN110032897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910310348.3A CN110032897B (en) 2019-04-17 2019-04-17 Multi-core processor and time constraint-based fault attack method thereof

Publications (2)

Publication Number Publication Date
CN110032897A CN110032897A (en) 2019-07-19
CN110032897B CN110032897B (en) 2021-01-08

Family

ID=67238767

Country Status (1)

Country Link
CN (1) CN110032897B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant