Efficiency of a Glitch Detector against Electromagnetic Fault Injection

Loic Zussa *, Amine Dehbaoui *, Karim Tobich, Jean-Max Dutertre *, Philippe Maurine, Ludovic Guillaume-Sage, Jessy Clediere, Assia Tria

* Ecole Nationale Superieure des Mines de Saint-Etienne (ENSM.SE), Gardanne, France
Email: {loic.zussa,amine.dehbaoui,jean-max.dutertre}@mines-stetienne.fr

Laboratoire d’Informatique et de Robotique et de Microelectronique de Montpellier (LIRMM), Montpellier, France
Email: {karim.tobich,philippe.maurine,ludovic.guillaume-sage}@lirmm.fr

Commissariat a l’Energie Atomique et aux Energies Alternatives (CEA), Gardanne/Grenoble, France
Email: {assia.tria,jessy.clediere}@cea.fr

Abstract—The use of electromagnetic glitches has recently emerged as an effective fault injection technique for the purpose of conducting physical attacks against integrated circuits. Early research works have shown that electromagnetic faults are induced by timing constraint violations and that they are also located in the vicinity of the injection probe. This paper reports the study of the efficiency of a glitch detector against injection. This detector was originally designed to detect any attempt to induce timing violations by means of clock or power glitches. Because electromagnetic disturbances are more local than global, the use of a single detector proved to be inefficient. Our subsequent investigation of the use of several detectors to obtain full fault detection coverage is reported; it also provides further insights into the properties of electromagnetic injection and into the key role played by the injection probe.

I. INTRODUCTION

Since the early warning of Quisquater et al. in 2002 [1], the use of electromagnetic (EM) glitches has recently emerged as an effective fault injection technique for the purpose of conducting physical attacks against ICs [2], [3], [4]. These latter works indicate that the mechanism related to the injection of faults involves timing constraint violations. The timing constraint violation is induced by a transient underpowering of the target created by the EM disturbances. This effect is highly correlated with the quality of the coupling between the supply network of the target (the victim) and the injection probe (the aggressor). Further, the underpowering seems to be more local than global: faults are located in the vicinity of the injection probe. The novelty of this threat explains why, to the best of our knowledge, no countermeasure dedicated to EM injection has yet been proposed.

There are two other common fault injection means related to timing violations: clock and power supply glitches. They both have a global effect (i.e. the disturbance affects the whole chip). A delay-based countermeasure (CM) has recently been proposed and validated by [5] to cope with this kind of timing violation. However, its efficiency against EM glitches remained an open question. Indeed, an EM disturbance located away from the actual implementation of the CM may induce a fault without triggering an alarm.

This paper reports an evaluation of a delay-based CM against EM glitches. Because a single CM was insufficient to detect EM-induced faults with a high level of confidence, we have investigated the use of several CMs to attain this purpose. Conducting these experiments also provides many further insights into the properties of EM injection: how local its effect is and how the design of the injection probe may influence the process.

The contributions of this paper to that research field are:
- the disclosure of guidelines to implement a delay-based countermeasure against EM injection,
- a study and evidence of its local effect,
- an illustration of the key role of the injection probe,
- a further assessment of the actual threat related to EM injection.

This article is organized as follows. Section II recalls some basics related to timing violations, describes the delay-based countermeasure, and reports its efficiency against clock and power glitches. Section III describes the experimental set-up and protocol, presents the experimental results and provides an interpretation. Finally, Section IV concludes the paper.

II. PRELIMINARIES

This section recalls the mechanisms involved in fault injection by timing constraint violation. It also describes the principle of the delay-based countermeasure we designed to cope with this injection technique. Its efficiency against clock and power supply glitches is also reported.