Biblio

A fault attack is a well-known technique where the behaviour of a chip is voluntarily disturbed by hardware means in order to undermine the security of the information handled by the target. In this paper, we explore how Electromagnetic fault injection (EMFI) can be used to create vulnerabilities in sound software, targeting a Cortex-M3 microcontroller. Several use-cases are shown experimentally: control flow hijacking, buffer overflow (even with the presence of a canary), covert backdoor insertion and Return Oriented Programming can be achieved even if programs are not vulnerable in a software point of view. These results suggest that the protection of any software against vulnerabilities must take hardware into account as well.

Retrieving assets from inside a secure element should be difficult. While the most attractive assets are the cryptographic keys stored in the Non Volatile Memory (NVM) area, the algorithms which are executed are also of interest. This means that the confidentiality of binary code embedded in the Read Only Memory (ROM) of that device should also be protected from extraction and reverse engineering. Thanks to a previous attack, we obtained a dump of the NVM, but not of the ROM. In this paper, we demonstrate that we can reverse engineer the algorithms without having access to the code by taking advantage of the object oriented features of the platform. We have only access to the data. We use a specifically designed graphic tool to reason about the data such that we are able to understand the principle of the algorithm. Then, we are able to bypass the protection mechanism in order to get access to the binary code.