TID-105: Hardware Fault Injection – Control Flow Modification
Threat Description
A threat actor with physical access to a device may be able to manipulate the processor’s intended code execution by subjecting it to hardware faults or “glitching”. Hardware faults can be induced by various methods, including voltage fault injection (power glitching), electromagnetic pulses (EM glitching), and optical fault injection. Glitching can be used to bypass various security protections on a device, such as skipping a firmware integrity check during a secure boot process or defeating protections against firmware or data read-out from the device. This threat requires physical access to the device to perform the glitching, and also typically requires substantial iterative testing to identify the precise nature, magnitude, and timing of the signals that must be injected to cause the glitch condition.
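As an added illustration, not part of the original threat entry, the following C fragment contrasts a naive firmware integrity check (one comparison, one branch) with a glitch-hardened form that a defender would write into boot code: redundant comparisons that must agree, and non-trivial status constants instead of a truthy value. The digests, constants and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed status constants: not 0, not all-ones, and far apart in
 * Hamming distance, so a single bit flip or a zeroed register cannot
 * turn "fail" into "pass". */
#define VERIFY_OK   0x5A3CA5C3u
#define VERIFY_FAIL 0xA5C35A3Cu

/* Naive check: a single compare feeding a single conditional branch.
 * Skipping or corrupting that one branch instruction lets an
 * unverified image proceed. */
bool naive_image_check(const uint8_t *digest, const uint8_t *expected, size_t n)
{
    return memcmp(digest, expected, n) == 0;
}

/* Hardened check: the comparison is done twice (forward and backward)
 * into volatile accumulators so the compiler cannot merge them, and the
 * two results must agree. Any disagreement is treated as a fault. */
uint32_t hardened_image_check(const uint8_t *digest, const uint8_t *expected, size_t n)
{
    volatile uint32_t diff1 = 0, diff2 = 0;
    for (size_t i = 0; i < n; i++)
        diff1 |= (uint32_t)(digest[i] ^ expected[i]);
    for (size_t i = n; i-- > 0;)
        diff2 |= (uint32_t)(digest[i] ^ expected[i]);

    if (diff1 != 0)     return VERIFY_FAIL;
    if (diff2 != 0)     return VERIFY_FAIL;
    if (diff1 != diff2) return VERIFY_FAIL; /* results disagree: fault */
    return VERIFY_OK;
}

/* Boot decision: only the exact VERIFY_OK constant passes, checked twice
 * through a volatile copy so the redundant test survives optimization. */
bool boot_decision(uint32_t status)
{
    volatile uint32_t s = status;
    if (s != VERIFY_OK) return false;
    if (s != VERIFY_OK) return false;
    return true;
}
```

These patterns raise the cost of the single-instruction skip described above; coordinated multi-fault platforms such as the one cited under Proof of Concept are designed to defeat redundant checks, so they complement rather than replace hardware glitch detectors (see the CWE entries below).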
Threat Maturity and Evidence
Known Exploitable Weakness
Glitching the Switch
In pursuit of extracting the 1st stage boot ROM code from the Nvidia Tegra X1 SoC, the researchers implemented a power glitching attack against the processor to prevent the bootloader from enabling the SoC’s readout protection for that code segment. The glitch interrupts the boot ROM code before it writes to a security configuration register, leaving the processor in a state that allows exporting the code responsible for establishing the processor’s root of trust for secure boot. Analysis of the bootloader code yielded an exploitable buffer overflow in a USB protocol implementation (see TID-327) used to inject code that bypasses secure boot and allows executing unauthorized firmware. The presence of this flaw in the unmodifiable initial boot ROM prevents patching this vulnerability in already deployed devices (see TID-220).
Proof of Concept
Electromagnetic Fault Injection: Towards a Fault Model on a 32-bit Microcontroller
“These experiments confirm the fact that an attacker could change an instruction into another one and change the value of a piece of data loaded from the Flash memory. But they also provide a more accurate fault model, in which some instructions or registers seem to be more vulnerable than others”
Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M
“In this paper, we present μ-Glitch, the first Voltage Fault Injection (VFI) platform which is capable of injecting multiple, coordinated voltage faults into a target device, requiring only a single trigger signal… We evaluate and showcase the effectiveness and practicality of our attack platform on four real-world chips, featuring TrustZone-M”
CWE
CWE-1247: Improper Protection Against Voltage and Clock Glitches (Base)
“The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.”
CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI) (Base)
“The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.”