DE LA RECHERCHE À L'INDUSTRIE

INSPIRING INNOVATION | INNOVANTE PAR TRADITION





# Cosade 2013



### From physical stresses to timing constraints violation

ZUSSA Loïc, **DUTERTRE Jean-Max**, CLEDIERE Jessy, TRIA Assia





INSPIRING INNOVATION | INNOVANTE PAR TRADITIO

### Research subject

Caracterization and analysis of common fault injection mechanism

### Today's subject

Power glitches fault injection mechanism
Analysis and practice

### Introduction



INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### Agenda

- Timing constraints of synchronous digital IC
- Static stresses (global effect)
- Transient stresses
- Conclusion



### Timing constraints



INSPIRING INNOVATION | INNOVANTE PAR TRADITION



data arrival time = 
$$D_{clk \rightarrow Q} + D_{pMax}$$

data required time = 
$$T_{clk} + T_{skew} - \delta_{su}$$

$$\longrightarrow$$
  $T_{clk}$  >  $D_{clk \rightarrow Q}$  +  $D_{pMax}$  -  $T_{skew}$  +  $\delta_{su}$ 

### Timing constraints violation



# How to inject faults through timing constraints violation?

Overclocking: (Frequency increase, i.e. period decrease)

$$T_{clk} \leftarrow D_{clk \rightarrow Q} + D_{pMax} - T_{skew} + \delta_{su}$$

Underpowering or overheating: (Propagation time increase)

$$T_{clk} \leftarrow D_{clk \rightarrow Q} + D_{pMax} - T_{skew} + \delta_{su}$$

### Experimental setup



INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### **Target**

- Platform: FPGA Spartan 3A
- Algorithm: AES 128 bit none-secure implementation
- Frequency: 100 MHz
- Power supply: 1.2V





### Common fault injection means

- Clock stress (overclocking)
- Power stress (underpowering)
- Overheating

### Experimental proof

- 10,000 input dataset
- Critical path faulted

#### A common mechanism!

⇒ Timing constraints violations.

### Static perturbations



#### Issues

Low timing resolution



www.emse.fr

### Transient perturbations



INSPIRING INNOVATION | INNOVANTE PAR TRADITION

#### Transient perturbations

- Clock glitch
- Power supply glitch

#### Questions



Achievable resolution?





INSPIRING INNOVATION

INNOVANTE PAR TRADITION

### Clock glitch

- 35ps resolution
- Global effect



- Timing constraints violation (obvious)
- A tool for critical time measurement
- Used to build a template/reference library

To be compared,

#### www.emse.fr

#### INSPIRING INNOVATION | INNOVANTE PAR TRADITION



### Power glitch: Ideal



INSPIRING INNOVATION

INNOVANTE PAR TRADITION



### Power glitch: Ideal





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### Power glitch: Input capacitance





#### Power glitch: impedance adaptation





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### Power glitch: Input capacitance



www.emse.fr

INSPIRING INNOVATION | INNOVANTE PAR TRADITION





#### Power glitch: impedance adaptation



www.emse.fr

# Transient perturbations



INSPIRING INNOVATION | INNOVANTE PAR TRADITION

#### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION

INNOVANTE PAR TRADITION

#### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

#### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

#### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

#### Power glitch

 Target a specific round but also affect the neighboring rounds,





INSPIRING INNOVATION | INNOVANTE PAR TRADITION

### Power glitch

 Target a specific round but also affect the neighboring rounds,



### Conclusion



INSPIRING INNOVATION | INNOVANTE PAR TRADITIO

### Power glitch

Analysis of injected faults:

70% identical to clock glitch injection

20% neighboring rounds

10% the second most critical path of the round

 Conclusion: Clock and power glitch induced faults are due to timing constraints violation

>90% single-bit fault

#### A spatial effect component?

Linked to voltage transient propagation through the power supply grid

# Questions



INSPIRING INNOVATION | INNOVANTE PAR TRADITION

