Case study on multiple fault dependability and security evaluations

Johannes Grinschgl a,*, Armin Krieg a, Christian Steger a, Reinhold Weiss a, Holger Bock b, Josef Haid b, Thomas Aichinger c, Christiane Ulbricht c

a Institute for Technical Informatics, Graz University of Technology, Inffeldgasse 16/I, Graz, Austria
b Infineon Technologies Austria AG, Design Center Graz, Babenbergerstrasse 10, Graz, Austria
c Austria Card Plastikkarten und Ausweissysteme GmbH, Lamezanstrasse 4-8, Wien, Austria

Article history: Available online 19 June 2012

Keywords: Fault injection; Fault emulation; Multi-bit faults; Saboteurs

Abstract

The increasing level of integration and decreasing size of circuit elements leads to higher probabilities of operational faults. More vulnerable electronic devices are also more prone to external influence from energizing radiation. Additionally, the concerns of chip designers include not only the natural causes of faults but also the misbehavior of chips due to "planned" attacks, as, for example, in critical security applications. In particular, smart cards are exposed to complex attacks through which an adversary attempts to extract knowledge from secured systems by provoking undefined states. These problems increase the need to test new designs for their fault robustness. This paper presents a case study on fault injection strategies. First, an in-system fault injection strategy for automatic test pattern injection is introduced, which enables the emulation of fault effects on the circuit level. Second, an approach is presented that provides an abstraction of the internal fault injection structures to a more generic high-level view. Through this abstraction, it is possible to help the operating system designer test a product against different fault effects without knowing how to produce this effect by a fault attack.
Therefore, we implemented a modular fault injection controller that is located along with the system under test on the emulator platform.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

The continuing success of the semiconductor industry with regard to downscaling structures has led to highly integrated but also highly sensitive devices. External radiation effects and thermal and electric degradation have become common problems for the dependability of a system [1]. Through these effects, transient or even permanent faults are introduced, which leads to a change in the system behavior. These faults occur randomly, unlike faults resulting from so-called fault attack scenarios. In this case, an attacker deliberately injects faults into a system to change the system behavior. Without dedicated precautions, such attacks are easy to implement [2].

In recent years, intensive research has introduced several different tools to simulate or emulate possible fault scenarios during the design phase. In particular, fault emulation proved to be a very effective way of testing systems under the influence of fault sources. The platform usually used to emulate such a faulty system is a field programmable gate array (FPGA) because of its flexibility. An example of such an FPGA fault injection platform is shown in Fig. 1. There are different ways to inject faults into circuits. One is the use of the partial reconfiguration features of the FPGA [3], but this design approach heavily limits the platform choice because there are only a few candidates, such as the Virtex families from Xilinx [4]. Another way is to instrument the given circuit either with manipulated logic elements or with integrated controllable fault elements. The latter can be further divided into saboteurs and mutants [5]. Saboteurs are small circuit elements that do not affect the system behavior under normal conditions.
If activated, they directly inject faults into the targeted submodule by disturbing the internal signals. To disturb signals, saboteurs must be placed between their source and their sink. Mutants are modified submodules that also do not affect system behavior under normal conditions but, if activated, behave like a faulty version of the original. To simulate or emulate fault attacks with mutants, the submodule must be replaced by a mutated submodule. To accomplish such a test setup, it is necessary to have access to the hardware description or a standardized test interface. Such a test interface could consist of test chains [6].

Another important step in creating an effective fault injection platform is the selection of a proper fault model. For dependability evaluations, a single event upset (SEU) fault model is often sufficient. If the faults are caused by radiation or degradation, it can be safely assumed that only a single random fault will occur at a time [7]. In contrast, security evaluations consider intentional faults. Therefore, it is possible

* Corresponding author. E-mail address: Johannes.Grinschgl@tugraz.at (J. Grinschgl).
Microprocessors and Microsystems 37 (2013) 218–227
http://dx.doi.org/10.1016/j.micpro.2012.05.016
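The two mechanisms described above (saboteurs placed between a signal's source and sink, and mutants that replace a submodule with a faulty version of itself) and the distinction between an SEU fault model and intentional multi-bit faults can be made concrete with a small software model. The following Python is an added example written for this page, not code from the paper or its authors: it models an 8-bit adder datapath with a saboteur on the operand bus and one on the result bus, a hypothetical mutant adder that drops a nibble carry, and a parity check on the result bus as the detection mechanism. The names (`Saboteur`, `mutant_adder`, `run_campaign`, the two fault models) and the campaign itself are constructed for illustration. The campaign shows why a single-fault model is adequate for dependability but not for security evaluation: every single-bit upset is caught by the parity check, while a deliberately placed two-bit fault passes it silently in every trial.

```python
"""Added example, not code from the paper: a Python model of saboteur- and
mutant-based fault injection on a tiny 8-bit datapath. It contrasts an SEU
fault model (one random bit) with a multi-bit model against a parity-checked
result bus. All names and the fault campaign are constructed for illustration."""
import random
from dataclasses import dataclass

WIDTH = 8
MASK = (1 << WIDTH) - 1


@dataclass
class Saboteur:
    """Sits between a signal's source and its sink; transparent unless active."""
    active: bool = False
    mode: str = "flip"   # "flip", "stuck0" or "stuck1"
    bits: int = 0        # mask of the bits the saboteur disturbs

    def pass_through(self, value: int) -> int:
        if not self.active:
            return value
        if self.mode == "flip":
            return value ^ self.bits
        if self.mode == "stuck0":
            return value & ~self.bits & MASK
        if self.mode == "stuck1":
            return value | self.bits
        raise ValueError(f"unknown saboteur mode {self.mode}")


def adder(a: int, b: int) -> int:
    """Golden 8-bit adder (wrap-around)."""
    return (a + b) & MASK


def mutant_adder(a: int, b: int) -> int:
    """Mutant: a faulty replacement for adder() that drops the carry from the
    low nibble into the high nibble (a hypothetical defect for illustration)."""
    low = (a & 0xF) + (b & 0xF)
    high = (a >> 4) + (b >> 4)
    return ((high << 4) | (low & 0xF)) & MASK


def datapath(a: int, b: int, sab_in: Saboteur, sab_out: Saboteur,
             use_mutant: bool = False) -> int:
    """Adder with a saboteur on the operand-a bus and one on the result bus.
    With both saboteurs inactive and use_mutant=False this equals adder(a, b)."""
    a_in = sab_in.pass_through(a)
    result = (mutant_adder if use_mutant else adder)(a_in, b)
    return sab_out.pass_through(result)


def parity(value: int) -> int:
    return bin(value).count("1") & 1


def classify(golden: int, observed: int) -> str:
    """Outcome of one injection, judged by a parity check on the result bus."""
    if observed == golden:
        return "masked"
    if parity(observed) != parity(golden):
        return "detected"
    return "silent"      # wrong result that the parity check cannot see


def seu_model(rng: random.Random) -> int:
    """Dependability view: a single event upset flips one random bit."""
    return 1 << rng.randrange(WIDTH)


def adjacent_pair_model(rng: random.Random) -> int:
    """Security view: an intentional fault hitting two neighbouring bits."""
    return 0b11 << rng.randrange(WIDTH - 1)


def run_campaign(fault_model, trials: int = 200, seed: int = 1) -> dict:
    """Inject `trials` faults on the result bus and tally the outcomes."""
    rng = random.Random(seed)
    counts = {"masked": 0, "detected": 0, "silent": 0}
    for _ in range(trials):
        a, b = rng.randrange(1 << WIDTH), rng.randrange(1 << WIDTH)
        golden = adder(a, b)
        sab_out = Saboteur(active=True, mode="flip", bits=fault_model(rng))
        observed = datapath(a, b, Saboteur(), sab_out)
        counts[classify(golden, observed)] += 1
    return counts


if __name__ == "__main__":
    print("SEU model:          ", run_campaign(seu_model))
    print("adjacent-pair model:", run_campaign(adjacent_pair_model))
    mutated = datapath(0x1F, 0x01, Saboteur(), Saboteur(), use_mutant=True)
    print("mutant 0x1F+0x01:   ", hex(mutated), classify(adder(0x1F, 0x01), mutated))
```

The saboteur is transparent (`active=False`) until the campaign arms it, mirroring the requirement that the inserted element must not change behaviour under normal conditions; the mutant is selected by swapping the submodule (`use_mutant=True`) rather than by disturbing a signal. The `0x1F + 0x01` case shows a mutant whose wrong result keeps the golden parity and therefore goes unnoticed, the same failure class the two-bit model exposes on the bus.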