>
curriculum/Hardware Security
section 2 of 156 min read

2. Fault Injection: Forcing the Wrong Answer

Side channels read what the chip is doing. Fault injection makes the chip do something else. You don't recover the key by listening; you recover the key by making the device skip its key check. The attacker injects a glitch at exactly the right moment to violate timing somewhere, the chip computes a wrong value, and that wrong value is exploitable.

2.1 Voltage glitching: starve and watch

The supply voltage of a CMOS chip determines the threshold-to-rail margin that gives the gate its switching speed. Drop VDD by 30% for 100 nanoseconds and the gates run too slowly to complete their work before the next clock edge. Setup time is violated. The flip-flops on the receiving end of a long combinational path latch the wrong value, because the new value hadn't propagated yet and the metastability resolved the wrong way.

A glitch waveform looks like this:

plaintext
WaveDrom-style:
  CLK     |‾|_|‾|_|‾|_|‾|_|‾|_|‾|_|‾|_|
  V_DD    1.0V ‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾\__/‾‾‾‾‾‾‾‾‾  brief drop to 0.4V
  VICTIM  predictable up until \_/ then random output

The parameters of a glitch are width (how long VDD is dropped), depth (how far it is dropped), and offset (when relative to a trigger). A successful attack finds a parameter triple that corrupts exactly one critical instruction without crashing the chip, and a typical search runs over a 3D grid of these parameters with a few thousand attempts per cell.

Targets:

  • Skip a cmp/bne pair so a signature check returns "valid" regardless of input.
  • Corrupt a return address so execution jumps to attacker-controlled code.
  • Force a key derivation routine to produce an all-zero key.
  • Re-enable JTAG on a chip whose JTAG is supposed to be locked at boot.

The Xbox 360 reset glitch (2011) is the canonical real-world example. The Hypervisor verified the kernel signature on boot. By tying a brief reset pulse to the CPU at the correct microsecond, attackers caused the comparison instruction's flags to be misregistered, the branch fell through, and unsigned code ran with hypervisor privileges. The whole console line opened up. ChipWhisperer ($300) lets a student replicate this class of attack on training boards in an afternoon. Smart card vendors have a long history of voltage glitches breaking PIN verification on early SIMs and EMV cards.

2.2 Clock glitching: make a fast edge

If the chip has an external clock pin, you can inject a clock edge that arrives sooner than the design tolerates, again forcing setup-time violation in deep combinational paths. Clock glitching is often easier than voltage glitching because the trigger is just a fast logic gate, not an analog drop circuit.

plaintext
WaveDrom for a clock glitch:
  CLK_normal:    |‾|_|‾|_|‾|_|‾|_|‾|_|‾|_|‾|_|
  CLK_glitched:  |‾|_|‾|_|‾|_|‾|_‾|_|‾|_|‾|_|‾|_  (one early edge)
  Result:        the setup path latches a half-computed value

The Riscure Inspector and ChipWhisperer-Husky platforms drive this with sub-nanosecond precision. Some chips with external crystals can be clock-glitched without even opening the case; others use internal PLLs that filter the attack and require body-bias or EM injection instead.

2.3 EM fault injection

A small coil placed near the package, driven by a fast pulse, induces eddy currents in the metal layers that locally raise VDD-VSS noise high enough to flip a flip-flop. Compared to voltage glitching, EM is localized (you can hit one functional block), contactless (no power-line modification), and works through some plastic packages. NewAE PhyWhisperer and Riscure VC Glitcher are the standard platforms.

2.4 Optical fault injection: laser as scalpel

Decap the chip, mount it on an XY stage, focus a near-IR laser pulse on a single transistor, and that transistor's PN junction conducts photoelectrically for the duration of the pulse. You can flip individual cells in a register, in SRAM, in flash. Optical FI is the most precise and the most expensive of the family; a serious lab setup runs 50K50K-500K and includes a CCD-aligned XY stage, a femtosecond laser, and decap chemistry. But the attack is surgical: a single, repeatable fault on the same gate, run after run.

2.5 Body-bias injection

By forward-biasing the substrate (the bulk silicon) of a CMOS device, you shift the threshold voltage of the transistors that sit in that bulk. Pulses delivered through a needle on the back side of the die can cause selective timing violations without ever touching the front-side metal. Subtle, recently developed, and effective against chips that defend against the easier methods.

2.6 Common targets and the Bellcore attack

Almost every fault attack lands on a specific code or hardware structure:

  • Boot ROM signature check. A glitch on the comparison instruction makes a forged firmware appear genuine.
  • Bootloader-to-application transition. Glitch the jump so that the bootloader stays in command mode and accepts unauthenticated commands.
  • Crypto operations. The Bellcore attack on RSA-CRT (Boneh, DeMillo, Lipton, 1997) is the elegant classic: induce a single fault in one of the two CRT branches during RSA signing, and the difference between the faulty signature and a correct one factors the modulus through a single GCD. One fault, full key recovery. Defended now by validating the signature before releasing it.
  • PIN-check loops. Glitch the early-exit branch.
  • Anti-cloning fuses. Glitch the readout of the fuse value.

2.7 Defenses against fault injection

  • Sensors. On-die voltage, clock, light, and temperature sensors that trigger an immediate reset or zeroize key material on detection. High-security smart cards bristle with these.
  • Redundant computation. Compute the answer twice, compare. Defeats single faults at 2x cost. Triple modular redundancy with majority voting defeats single faults reliably.
  • Random delays. Insert random NOPs before sensitive operations. Forces the attacker to retry with parameter variation.
  • Concurrent error detection. Parity bits, MAC tags, on-the-fly checksums on intermediate values.
  • Operation-level checks. After computing a signature, verify it before output (Bellcore defense).
  • Light shields. Opaque coatings prevent optical FI. Decapping defeats them, but at significant lab cost.
  • Active mesh. Fine wires snaking over the die, broken by physical intrusion. Cutting the mesh triggers chip lockout.

A serious secure element (smart card, HSM core) layers all of these. Each one alone can be defeated; their combination raises the bar so high that even well-funded attackers spend months per chip.