Design-Agnostic Distributed Timing Fault Injection Monitor With End-to-End Design Automation

Yan He, Yumin Su, Kaiyuan Yang

TL;DR

Timing fault injection attacks (FIAs) exploit clock and environmental variations to corrupt circuit operation. The authors introduce a DLL-based, design-agnostic FIA monitor that replicates the system clock and flags deviations from the replica, within an end-to-end automated design framework that generates synthesizable monitors for any technology node. Major contributions include a clock-replica-based anomaly detector with same-cycle alerts, a digitally controlled three-stage delay line with automatic pulse-width locking, and an automated workflow for delay-line optimization and FSM integration. Silicon validation in 65 nm CMOS shows detection of all 12 clock-glitch types and of voltage, EM, and temperature attacks, with a footprint of ~1500 μm^2 per monitor, locking from 2 MHz to 1.26 GHz and sub-mW typical power; the framework also scales to 28 nm, enabling distributed FIA protection with low overhead.

Abstract

Fault injection attacks induce hardware failures in circuits and exploit these faults to compromise the security of the system. It has been demonstrated that FIAs can bypass system security mechanisms, cause faulty outputs, and gain access to secret information. Certain types of FIAs can be mounted with little effort by tampering with clock signals and/or the chip operating conditions. To mitigate such low-cost yet powerful attacks, we propose a fully synthesizable and distributable in situ fault injection monitor that employs a delay locked loop to track the pulse width of the clock. We further develop a fully automated design framework to optimize and implement the FIA monitors at any process node. Our design is fabricated and verified in 65 nm CMOS technology with a small footprint of 1500 μm^2. It can lock to clock frequencies from 2 MHz to 1.26 GHz while detecting all 12 types of possible clock glitches, as well as timing FIA injections via the supply voltage, electromagnetic signals, and chip temperature.

Paper Structure (35 sections, 26 figures, 3 tables)

Figures (26)

  • Figure 1: (a) Timing FIAs entry points: the clock signal and the gates' delay. (b) Correct timing at the register. (c) The case where the data arrives too late, and (d) the case where the data changes too fast.
  • Figure 2: A summary of twelve possible types of clock glitches.
  • Figure 3: To alter the logic gates' delay, an attacker may (a) fault the power management circuit to produce a supply voltage glitch, or (b) remotely inject EM signals or temperature changes to a localized region of the chip.
  • Figure 4: (a) $\text{W}_\text{Neg}$ and $\text{W}_\text{Pos}$ determine the acceptance window and normal clock jitters should fall inside this window. (b) and (c) depict the scenarios where the clock's pulse width is shorter or longer than the expected value.
  • Figure 5: A voltage glitch attack increases the delay and causes the clock's pulse width to be smaller than the minimum expected value.
  • ...and 21 more figures
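As an added illustration (not the paper's RTL and not the authors' code), the following Python behavioral model captures the acceptance-window rule stated in the abstract and in the Figure 4 and 5 captions: lock to the clock's nominal pulse width, then flag, in the same cycle, any pulse whose width falls below W_lock - W_Neg or above W_lock + W_Pos. The clock frequency, jitter amplitude, window sizes, lock length and the injected fault widths are all constructed for this example; the paper's monitor obtains W_lock with a digitally controlled delay line, whereas here the lock is a software average over the first few cycles.

```python
import random
from dataclasses import dataclass

# Constructed clock parameters (not taken from the paper): 100 MHz, 50 % duty
# cycle, with +/-20 ps of uniformly distributed cycle-to-cycle jitter.
PERIOD_PS = 10_000
PULSE_PS = 5_000
JITTER_PS = 20


@dataclass
class Alert:
    cycle: int          # cycle in which the out-of-window pulse was observed
    width_ps: float     # measured high pulse width
    kind: str           # "too_short" or "too_long"


def generate_clock(n_cycles, faults=None, seed=1):
    """Return the high-pulse width (ps) of each cycle of a constructed clock.

    `faults` maps a cycle index to an overriding pulse width, which is how the
    example mimics a clock glitch (a very short or very long pulse) or a
    voltage/EM/temperature-induced delay shift (a modest shrink). Jitter uses a
    seeded RNG so the sequence is reproducible.
    """
    rng = random.Random(seed)
    faults = faults or {}
    widths = []
    for cycle in range(n_cycles):
        if cycle in faults:
            widths.append(float(faults[cycle]))
        else:
            widths.append(PULSE_PS + rng.uniform(-JITTER_PS, JITTER_PS))
    return widths


class PulseWidthMonitor:
    """Acceptance-window check on the clock's pulse width.

    Lock phase: the replica width W_lock is the mean of the first `lock_cycles`
    pulses (a software stand-in for the paper's delay-line lock).
    Monitor phase: each later pulse must satisfy
        W_lock - w_neg <= width <= W_lock + w_pos
    A pulse outside that window produces an alert for that same cycle.
    """

    def __init__(self, w_neg_ps, w_pos_ps, lock_cycles=8):
        self.w_neg = w_neg_ps
        self.w_pos = w_pos_ps
        self.lock_cycles = lock_cycles
        self.w_lock = None

    def lock(self, widths):
        sample = widths[: self.lock_cycles]
        if len(sample) < self.lock_cycles:
            raise ValueError("not enough cycles to lock")
        # Defensive choice of this example (not described on the page): refuse to
        # lock onto a clock that is already misbehaving, otherwise the window
        # would be centred on a faulty width.
        if max(sample) - min(sample) > self.w_neg + self.w_pos:
            raise ValueError("clock unstable during lock window")
        self.w_lock = sum(sample) / len(sample)
        return self.w_lock

    def check(self, cycle, width):
        """Same-cycle decision for one pulse; None means inside the window."""
        if width < self.w_lock - self.w_neg:
            return Alert(cycle, width, "too_short")
        if width > self.w_lock + self.w_pos:
            return Alert(cycle, width, "too_long")
        return None

    def run(self, widths):
        self.lock(widths)
        alerts = []
        for cycle in range(self.lock_cycles, len(widths)):
            alert = self.check(cycle, widths[cycle])
            if alert is not None:
                alerts.append(alert)
        return alerts


# Constructed fault schedule: a short clock glitch, a long one, and a 300 ps
# pulse shrink of the kind a supply-voltage glitch causes (Figure 5).
FAULTS = {20: 1_500, 30: 8_500, 40: 4_700}


def demo(w_neg_ps=200, w_pos_ps=200):
    """Run the monitor over a 50-cycle clock carrying FAULTS; return the alerts."""
    return PulseWidthMonitor(w_neg_ps, w_pos_ps).run(generate_clock(50, FAULTS))


if __name__ == "__main__":
    for a in demo():
        print(f"cycle {a.cycle}: {a.kind} ({a.width_ps:.0f} ps)")
```

Two things the model makes visible that the prose alone does not: the window width is the sensitivity knob (widening W_Neg from 200 ps to 400 ps hides the 300 ps voltage-glitch shrink while still catching the gross clock glitches), and the lock phase is the trust anchor, since a replica locked onto an already-faulted clock will accept that fault as normal; the spread check in lock() is this example's defensive addition, not something the page describes.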