Electromagnetic Fault Injection: How Faults Occur

Modeling Injection of Electrical Fast Transients Into Power and IO Pins of ICs

IEEE Transactions on Electromagnetic Compatibility, 2014

A SPICE-based model of a microcontroller was developed to investigate its immunity to electrical fast transients (EFTs). The model includes representations of the on-die power delivery network, the ESD protection clamps, and the I/O driver circuits. Several measurement approaches were developed to characterize the linear and nonlinear components within the model. EFTs were injected into pins of the microcontroller to verify the accuracy of the proposed model. General purpose I/O were tested in several configurations (i.e., pull-up-enabled input, logical-high output, and logical-low output). The model was able to predict the voltage waveform and maximum voltage at each pin within 5-6% of the measured values. A parasitic bipolar junction transistor associated with the output driver was found to have a critical impact on the noise coupled to the power bus. The simplicity and accuracy of this model show its promise for understanding and predicting immunity issues in integrated circuits.

EM Injection: Fault Model and Locality

2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2015

EM injection recently emerged as an effective medium for fault injection. This paper presents an analysis of the IC susceptibility to EM pulses. It highlights that faults produced by EM pulse injection are not timing faults but correspond to a different model which is presented in this paper. This model also makes it possible to explain experimental results introduced in former communications.

Modeling of Power Supply Transients for EMI Compliance in Digital Systems

This paper addresses the modeling of power supply voltage transients in digital systems, in order to estimate the system's tolerance to this disturbance, in order to demonstrate EMI/EMC standard compliance. Electrical simulation is extensively used to demonstrate the possibility of exploiting the duality between time excitation and delay response, for combinational CUT (Circuit Under Test). We refer to this as the "accordion" effect. The proposed technique makes use of concepts derived from the VLV (Very Low Voltage) testing and VDD ramp testing techniques. Two regions of operation under ΔVDD voltage drop are defined through the threshold power supply voltage, VDDth, parameter. Electrical simulation supports the method, recently proposed, to perform fault simulation either by using faulty delays (defect size proportional to ΔVDD magnitude) in the CUT and nominal time excitation rate, or by using a fault-free CUT description and faster test application times. Furthermore, for sequential circuits it is shown that the tolerance to ΔVDD disturbances may be significantly lower than the one observed in combinational CUTs, due to de-synchronization effects in storage elements.

Electromagnetic fault injection: the curse of flip-flops

Journal of Cryptographic Engineering, 2016

ElectroMagnetic (EM) waves have been recently pointed out as a medium for fault injection within Integrated Circuits (IC). Indeed, it has been experimentally demonstrated that an EM Pulse (EMP), produced with a high voltage pulse generator and an injector similar to that used to perform EM analyses, was susceptible to create faults exploitable from a cryptanalysis viewpoint. An analysis of the induced faults revealed that they originated from timing constraint violations. In this context, this paper demonstrates that EM injection, performed with enhanced injectors, can produce not only timing faults but also bit-set and bit-reset faults on an IC at rest. This first result clearly extends the range of the threats associated with EM fault injection. It then demonstrates, considering two different ICs under operation: an FPGA and a modern microcontroller, that faults produced by EMP injection are not timing faults but correspond to a different model which is presented in this paper. This model makes it possible to explain experimental results introduced in all former communications.

Investigation of near-field pulsed EMI at IC level

2013 Asia-Pacific Symposium on Electromagnetic Compatibility (APEMC), 2013

This article describes the use of a near-field electromagnetic pulse (EMP) injection technique in order to perform a hardware cryptanalysis of the AES algorithm. This characterization technique is based on the fact that conductors, such as the rails of a Power Distribution Network (PDN), which is one of the primary EMI risk factors, act as antennas for the radiated EMP energy. This energy induces high electrical currents in the PDN responsible for the violation of the integrated circuit's timing constraints. This modification of the chip's behavior is then exploited in order to recover the AES key by using cryptanalysis techniques based on Differential Fault Analysis (DFA).

Susceptibility of Integrated Circuits to Electrostatic Discharge

2012

The components that are considered fairly rugged can be damaged by electrostatic discharge (ESD). Bipolar transistors, the earliest of the solid state amplifiers, are not immune to ESD, though less susceptible. Devices manufactured using metal oxide semiconductor (MOS) technology can be easily damaged due to ESD but some of the newer high speed components can be ruined with as little as 3 volts. The integrated circuits (IC) are susceptible to ESD due to its small size and unavailability of larger area to dissipate the excess energy. The susceptibility of IC’s can be determined by various ESD stress tests. The different ESD stress modes on an input or output pin which is Pin-to-VSS, Pin-to-VDD are used to test an IC. The IC after ESD stresses may undergo damage not only in the input/output circuits or devices, but also in the internal circuits. The effects of ESD on various logic gates belonging to both transistor-transistor logic (TTL) and Complementary MOS (CMOS) logic families hav...

A Simple Protocol to Compare EMFI Platforms

IACR Cryptol. ePrint Arch., 2020

Several electromagnetic fault injection (EMFI) platforms have been developed in recent years. They rely on different technical solutions, and the figures of merit used in the related datasheets or publications are also different. This makes it difficult to compare the various EMFI platforms and to choose the one adapted to one's own usage. This paper suggests a characterization protocol whose application is fast and requires equipment usually available in labs involved in security characterization. It also introduces an effective solution to enhance (by a factor 5) the timing resolution of EMFI platforms built around a commercial voltage pulse generator designed to drive 50 Ohm termination.

Analytical Estimation of the Threat of IEMI to Electronic Systems

2008

This document shows a simple method to estimate the perturbation thresholds of electronic circuits exposed to an electromagnetic field. The method is based on a simplified calculation of coupled-in waveforms and their comparison to the logic levels of the electronic device under consideration of its static and dynamic behavior. The mathematical background is shown and the perturbation of different real electronic systems is estimated and compared to measurements.

Case study on the differences between EMI resilience of analog ICs against continuous wave, modulated and transient disturbances

2015 10th International Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo), 2015

Transient disturbance signals are getting more and more attention lately (e.g. in the automotive industry). Electromagnetic compatibility (EMC) at IC level so far focused on continuous wave (CW) disturbances and how to deal with them, but transient phenomena were not thoroughly studied yet. In this exploratory paper, we perform a case study (based on a basic current mirror) in order to reveal the effects of transient disturbances (as compared to CW ones) and to determine what IC design techniques could be used to deal with them.

EMMI Failure-Distributed Analysis of ESD Zapping and Protection Designs in Power VDMOS ICs

This paper deals with a detailed study of ESD failure modes, failure distribution and how to strengthen the VDMOS ICs used for power applications. The ESD post-zapped failures of power VDMOS ICs due to HBM, MM, and CDM stresses are examined in this work. Standard failure analysis techniques using EMMI and SEM were applied to identify the failure locations. It is found that the ESD robustness is VESD(HBM) > VESD(MM) > VESD(CDM) for these non-ESD protected DUTs. Meanwhile, the ESD failure sites will be close to the gate bonding pad as with a positive zapping and higher dV/dt pulse such as in CDM testing. And, the failure mappings have been studied to establish the difference in damaged features of HBM, MM, and CDM. Furthermore, the ESD protection designs of power VDMOS ICs are also addressed in this work. The first ESD incorporated design is Zener diodes back-to-back clamping the gate-to-source pad, and on the other hand, another excellent design contains two Zener diodes clamping the gate-to-source and gate-to-drain terminals of a VDMOS, respectively.