last highlighted date: 2024-01-18

Highlights

  • For this purpose, traps can be used that catch fault injection attempts and subsequently disable product functionality.
  • Most devices today are completely vulnerable to these attacks, as developers have little awareness of the threat and do not know how to protect their code.
  • A voltage glitch would affect all transistors simultaneously, whereas a light pulse can be directed at a very small group of transistors.
  • The price of attack tools ranges up to 100K for the most precise tool.
  • Fault injection leads to a change of a digital value in the computer chip. The consequence can be either a calculation mistake or a change in the program flow. The latter is caused by changing the result of a condition, changing the termination of a loop, skipping instructions, or changing the program counter at a branch, jump or return. Since these constructs are so common, we estimate that at least one exploitable fault injection vulnerability exists for every ten lines of critical code. That means that the vulnerability density is extremely high compared to logical security issues, which have a 100 times lower density (on average, one per thousand lines of code).
  • By changing memory pointers and/or loop termination, it is possible to make a chip transmit data other than the intended data at any given data communication event.
  • By changing critical decisions, it may be possible to escalate privileges and bypass an authentication mechanism, such as a password verification or a secure boot verification. The attacker uses this to gain unauthorized control over a device.
  • When a computational error is introduced during a cryptographic calculation, it may be possible for an attacker to derive the secret key by comparing the corrupted result with the expected result.
  • Gligli used a short voltage dip on the reset line to bring the Xbox into a particular state where the memcmp function would report a match even for incorrect input.
  • Escalating privileges in Linux-based products [6]: Niek Timmers and Cristofaro Mune discovered that, with voltage glitch equipment, an attacker can easily get root privilege in a Linux system. Since many products build on a Linux kernel, this puts large product segments at risk.
  • Extracting secret keys from a PlayStation Vita [5]: Yifan Lu demonstrated that cryptographic signatures in a popular gaming console can be corrupted and that cryptographic keys can be extracted using a textbook Differential Fault Analysis method.
  • Resistance can be introduced by making useful values hard to achieve (avoid 0 vs 1 and use complex values like 0xA5 or 0x3E instead) or by creating non-determinism, making it hard to find the right timing to manipulate a decision.
  • This includes double-checking to verify value correctness and crypto results, but also double-checking conditional statements, branches, loops, and program flow.
  • Furthermore, there is typically no need to protect the entire code base: protecting the critical code is often good enough.
  • A sad but illustrative example of mounting cost for late-identified issues can be found in the impact of the 737 MAX software bug for Boeing. In March 2019, the airliner was grounded following two dramatic crashes. Over the next six months, Boeing lost 17% of market cap value (more than 40B of value evaporated). CNN estimates that the total incident cost for the company reached $18.7B in a year's time [8].
  • We learned that applying a Fault Mitigation Pattern costs a trained developer, on average, 12 minutes. We base this on our experience of training developers and observing the speed of applying this knowledge. For repairing code that appeared to be flawed in the field, we follow the 100-fold factor proposed by IBM, thereby assuming that each vulnerability will cost 20 hrs to fix in maintenance.
  • To study the cost of bug fixing, we consider a hypothetical IoT product development case. We base our estimates on the following assumptions: an average IoT product has 100 KLOC, but only 5% = 5 KLOC is critical code; developing a 100 KLOC product costs five man-years of work ≈ 9k hrs; a developer costs 100 per hour; total development costs are 900K.
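The highlights on the Xbox memcmp glitch, on complex values instead of 0/1, on non-determinism, and on double-checking conditions, loops and program flow describe one hardening pattern from several angles. The C below is an added example written for this page, not code from the paper the highlights come from or from any of the products it mentions. It puts a naive comparison next to a hardened one and injects a simulated glitch (a skipped last loop iteration, then a corrupted verdict register) through two flags, so the mitigations can be exercised on a desktop build. The names (FI_PASS, fi_secure_compare, fi_gate, fi_trap, the fi_sim_* flags) are this example's own; fi_trap() counts events where a product would wipe keys and reset, and rand() stands in for a hardware RNG.

```c
/* Added example, not code from the paper these highlights come from.
 * Fault-injection-hardened verification: non-trivial verdict values, a
 * redundant loop counter, a second independent pass, a re-tested branch and
 * a trap. The fi_sim_* flags simulate a glitch; fi_trap() and rand() stand in
 * for a real product's key-wipe/reset and hardware RNG (assumptions here). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Mutually distant verdict values: forcing a register to 0 or 0xFFFFFFFF,
 * or flipping a single bit, can never turn FAIL into PASS. */
#define FI_PASS 0xA5A5A5A5u
#define FI_FAIL 0x5A5A5A5Au

/* Simulated glitches (set by the caller): a skipped last loop iteration and
 * a corrupted verdict register. */
int fi_sim_skip_last_iteration = 0;
int fi_sim_force_verdict = 0;

/* Trap: a real product would zeroise keys and reset; here we count events. */
unsigned fi_trap_count = 0;
static void fi_trap(void) { fi_trap_count++; }

/* Non-determinism: a random idle loop shifts the compare's timing between
 * runs, so a fixed trigger delay no longer lands on the decision. */
static void fi_random_delay(void) {
    for (volatile unsigned i = 0, n = (unsigned)rand() % 64; i < n; i++) { }
}

/* Glitch-resistant compare. volatile keeps the redundant checks from being
 * optimised away. Returns FI_PASS or FI_FAIL, never a plain 0/1. */
static uint32_t fi_secure_compare(const uint8_t *a, const uint8_t *b, size_t len) {
    volatile uint32_t diff = 0, diff2 = 0;
    volatile size_t i, count = 0;                 /* count: redundant loop counter */

    fi_random_delay();
    for (i = 0; i < len; i++) {
        if (fi_sim_skip_last_iteration && i == len - 1) break;   /* simulated glitch */
        diff |= (uint32_t)(a[i] ^ b[i]);
        count++;
    }
    /* Loop-termination check: a skipped iteration or a corrupted bound leaves
     * the two counters inconsistent with len. */
    if (i != len || count != len) { fi_trap(); return FI_FAIL; }

    /* Second, independent pass in reverse order: one glitch must now hit both. */
    for (size_t j = len; j-- > 0; ) diff2 |= (uint32_t)(a[j] ^ b[j]);
    if ((diff == 0) != (diff2 == 0)) { fi_trap(); return FI_FAIL; }  /* passes disagree */

    uint32_t verdict = (diff == 0) ? FI_PASS : FI_FAIL;
    if (fi_sim_force_verdict) verdict = 0;        /* simulated glitch on the verdict */
    return verdict;
}

/* Consumer of the verdict: only the exact PASS pattern unlocks, the branch is
 * re-tested, and a value that is neither PASS nor FAIL is trapped.
 * Returns 1 to unlock, 0 otherwise. */
static int fi_gate(const uint8_t *stored, const uint8_t *given, size_t len) {
    volatile uint32_t v = fi_secure_compare(stored, given, len);
    if (v == FI_PASS) {
        if (v != FI_PASS) { fi_trap(); return 0; }   /* double-check the branch */
        return 1;
    }
    if (v != FI_FAIL) fi_trap();                     /* neither value: glitched */
    return 0;
}

/* For contrast, the pattern the highlights warn about: a single loop whose
 * "no mismatch found" exit is also reached when the loop ends early. */
static int naive_gate(const uint8_t *stored, const uint8_t *given, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (fi_sim_skip_last_iteration && i == len - 1) break;   /* same simulated glitch */
        if (stored[i] != given[i]) return 0;
    }
    return 1;
}

int main(void) {
    const uint8_t stored[4] = {0x31, 0x32, 0x33, 0x34};   /* constructed sample secret */
    const uint8_t wrong[4]  = {0x31, 0x32, 0x33, 0x35};   /* differs only in the last byte */
    fi_sim_skip_last_iteration = 1;                        /* glitch away the last iteration */
    printf("naive gate accepts wrong secret: %d\n", naive_gate(stored, wrong, 4));
    printf("hardened gate accepts wrong secret: %d (traps: %u)\n",
           fi_gate(stored, wrong, 4), fi_trap_count);
    return 0;
}
```

With the simulated skipped iteration, naive_gate accepts a secret that differs only in its last byte, while fi_gate notices that its two loop counters disagree with len, fires the trap and returns FI_FAIL. The design choice worth copying is that every decision is represented twice (two counters, two passes, two tests of the branch) and that the "unlock" value is a specific bit pattern rather than whatever a glitched register happens to hold.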
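The highlight on deriving a secret key from a corrupted cryptographic result, and the Vita highlight on textbook Differential Fault Analysis, are illustrated by the added C example below. It is not code from the paper or from the Vita research; the Vita work targeted a different primitive, and RSA-CRT (the Bellcore attack) is used here because the whole attack fits in a few lines. A single glitch is modelled by XORing a mask into one of the two CRT half-exponentiations; the attacker then recovers a prime factor either from a correct and a faulty signature of the same message or, in the Lenstra variant, from the public key and one faulty signature alone. The final function shows the double-check from the highlights on verifying crypto results: re-encrypt the signature and withhold it if it does not verify. The key (p=61, q=53, e=17) is a constructed textbook sample, far too small for real use; all function and struct names are this example's own.

```c
/* Added example, not from the paper these highlights come from. Differential
 * fault analysis on RSA-CRT (Bellcore attack) with toy parameters, plus the
 * "verify before output" double-check that defeats it. p=61, q=53, e=17 is a
 * constructed textbook key, far too small for real use. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

static u64 modpow(u64 b, u64 e, u64 m) {
    u64 r = 1; b %= m;
    while (e) { if (e & 1) r = r * b % m; b = b * b % m; e >>= 1; }
    return r;
}
static u64 gcd(u64 a, u64 b) { while (b) { u64 t = a % b; a = b; b = t; } return a; }
static u64 modinv(u64 a, u64 m) {           /* extended Euclid; 0 if not invertible */
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (u64)(t < 0 ? t + (int64_t)m : t);
}

struct rsa_crt { u64 n, e, p, q, dp, dq, qinv; };

static struct rsa_crt toy_key(void) {
    struct rsa_crt k = {0};
    k.p = 61; k.q = 53; k.e = 17; k.n = k.p * k.q;
    u64 d = modinv(k.e, (k.p - 1) * (k.q - 1));   /* 2753 for this key */
    k.dp = d % (k.p - 1); k.dq = d % (k.q - 1); k.qinv = modinv(k.q, k.p);
    return k;
}

/* RSA-CRT signature. fault_mask is XORed into the q-half to model a glitch
 * hitting that one exponentiation; 0 gives the correct signature. */
static u64 sign_crt(const struct rsa_crt *k, u64 m, u64 fault_mask) {
    u64 sp = modpow(m % k->p, k->dp, k->p);
    u64 sq = (modpow(m % k->q, k->dq, k->q) ^ fault_mask) % k->q;   /* simulated fault */
    u64 h = ((sp + k->p - sq % k->p) % k->p) * k->qinv % k->p;     /* Garner recombination */
    return (sq + k->q * h) % k->n;
}

/* Attacker holding a correct and a faulty signature of the same message: both
 * are congruent mod p (that half was untouched), so their difference is a
 * multiple of p but not of q, and gcd reveals p. */
static u64 bellcore_factor(u64 n, u64 s_ok, u64 s_bad) {
    u64 diff = s_ok > s_bad ? s_ok - s_bad : s_bad - s_ok;
    return gcd(diff, n);
}

/* Attacker holding only the public key, the message and one faulty signature:
 * s_bad^e == m mod p but not mod q, so gcd(s_bad^e - m, n) is p as well. */
static u64 bellcore_factor_public(u64 n, u64 e, u64 m, u64 s_bad) {
    u64 v = modpow(s_bad, e, n);
    u64 diff = v >= m ? v - m : v + n - m;
    return gcd(diff, n);
}

/* From one factor back to the full private exponent. */
static u64 recover_d(u64 n, u64 e, u64 p) {
    u64 q = n / p;
    return modinv(e, (p - 1) * (q - 1));
}

/* Countermeasure: double-check the crypto result before it leaves the device.
 * Returns 1 and the signature if s^e == m mod n; otherwise 0 and no signature
 * (a product would also trap here). */
static int sign_crt_checked(const struct rsa_crt *k, u64 m, u64 fault_mask, u64 *out) {
    u64 s = sign_crt(k, m, fault_mask);
    if (modpow(s, k->e, k->n) != m % k->n) { *out = 0; return 0; }
    *out = s; return 1;
}

int main(void) {
    struct rsa_crt k = toy_key();
    u64 m = 65, s_ok = sign_crt(&k, m, 0), s_bad = sign_crt(&k, m, 1);
    u64 p = bellcore_factor(k.n, s_ok, s_bad);
    printf("n=%llu faulty sig=%llu recovered p=%llu q=%llu d=%llu\n",
           (unsigned long long)k.n, (unsigned long long)s_bad, (unsigned long long)p,
           (unsigned long long)(k.n / p), (unsigned long long)recover_d(k.n, k.e, p));
    return 0;
}
```

One faulty signature is enough: the fault may corrupt the q-half in any way, and the attacker never needs to know what the glitch did, only that one half survived. That is why the check in sign_crt_checked has to run on the final value and not on the individual halves, and why it must itself be written with the hardening pattern from the other highlights, since a second glitch on the verification branch would re-open the leak.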