backside:start [2018/02/20 21:38] – mcmaster | backside:start [2018/02/20 21:54] – mcmaster |
---|
| |
====== Optical fault injection ====== | ====== Optical fault injection ====== |
| |
| Basic idea: change how the circuit switches current in order to introduce a glitch. For a combinitorial circuit you probably want a CW laser to keep the glitch active. If its a CPU, you probably want a pulsed laser to trigger the glitch for a short period of time |
| |
{{:backside:transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-ir.png?400|}} | {{:backside:transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-ir.png?400|}} |
| |
Above: "FIGURE 3.1 Transmission spectrum of crystalline silicon from the visible to the near-IR." ([[https://www.researchgate.net/figure/Transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-IR_fig1_235941520|source]]) | Above: "FIGURE 3.1 Transmission spectrum of crystalline silicon from the visible to the near-IR." ([[https://www.researchgate.net/figure/Transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-IR_fig1_235941520|source]]) |
| |
| |
In its simplest form, a CSP can be strobed with a camera flash | In its simplest form, a CSP can be strobed with a camera flash |
| |
[[https://www.cl.cam.ac.uk/~sps32/ches2010-bumping.pdf|Sergei paper]] references using 1065 nm laser. The paper shows using IR objectives. So maybe a broadband source would work okay too. | [[https://www.cl.cam.ac.uk/~sps32/ches2010-bumping.pdf|Sergei paper]] references using 1065 nm laser. The paper shows using IR objectives. So maybe a broadband source would work okay too. |
| |
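Review bot: the added opening paragraph ("Basic idea: ...") has two wording errors: "combinitorial" should be "combinatorial" and "If its a CPU" should be "If it's a CPU"; its last sentence also has no closing full stop. Since both laser recommendations are hedged with "probably", it would help to state in that paragraph that the choice follows from how long the glitch has to stay active, which is the only reason the text gives.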
| {{:backside:transmission-spectrum-of-crystalline-silicon-from-the-visible-to-the-near-ir_mod.png?400|}} |
| |
| Above: silicon transmission marked with bandgap and for 980 nm laser (commonly available) |
| |
| Possible sources: |
| * Photo flash, such as with mask |
| * 980 nm laser will have high attenuation (roughly 2% transmittance), but should work if power is high enough |
| * Specifically? Maybe 100's of mW, maybe even 500. Needs testing |
| * 1065 nm (ie 1064 nm from Nd:YAG) and such is probably ideal |
| * Must Nd:YAG are flashlamp pumped |
| * Depending on glitch target might want either flashlamp or diode pumped |
| |
[[https://www.riscure.com/uploads/2017/09/Practical-optical-fault-injection-on-secure-microcontrollers.pdf|Riscure paper]] | [[https://www.riscure.com/uploads/2017/09/Practical-optical-fault-injection-on-secure-microcontrollers.pdf|Riscure paper]] |
| |
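Review bot: in the added "Possible sources" list, the sub-bullet "Must Nd:YAG are flashlamp pumped" reads as a typo for "Most Nd:YAG are flashlamp pumped". The 980 nm bullet quotes "roughly 2% transmittance" without saying what silicon thickness that figure assumes, and the figure caption does not give one either, so the number cannot be applied to a thinned die as written; add the thickness or say that it is read straight off the plot. "ie" in the 1065 nm bullet should be "i.e.".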
Solutions include: | Commercial solutions include: |
* [[http://www.alphanov.com/40-optoelectronics-systems-and-microscopy-single-spot-laser-station.html|Alphanov]] | * [[http://www.alphanov.com/40-optoelectronics-systems-and-microscopy-single-spot-laser-station.html|Alphanov]] |
* [[https://www.riscure.com/security-tools/inspector-fi/|Riscure Inspector FI]] | * [[https://www.riscure.com/security-tools/inspector-fi/|Riscure Inspector FI]] |
* ChipWispherer has voltage glitching. Could probably rig something similar up for optical glitching | * ChipWhispherer has voltage glitching. Could probably rig something similar up for optical glitching |
| |
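Review bot: the spelling fix in the last bullet is still wrong, "ChipWhispherer" should be "ChipWhisperer". With the list heading changed to "Commercial solutions include:", that bullet no longer fits the list: it says voltage glitching exists and that something similar "could probably" be rigged up for optical glitching, which is a build idea rather than a commercial optical product. Consider moving it out of the list into its own sentence.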