BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection

Authors: 

Ang Cui and Rick Housley, Red Balloon Security

Abstract: 

Numerous Electromagnetic Fault Injection (EMFI) techniques have been used to attack FPGAs, ASICs, cryptographic devices, and microcontrollers. Unlike other classes of fault injection techniques, EMFI-based attacks can, in theory, be carried out non-invasively without requiring physical contact with the victim device. Prior research has demonstrated the viability of EMFI-based attacks against relatively simple, low-frequency, synchronous digital circuits. However, theoretical and practical constraints limit the range, degree of isolation and temporal resolution of existing EM injector hardware. These limitations, combined with the trend towards faster, denser and more complex digital circuits, have made the application of many previously proposed EMFI techniques infeasible against modern computers and embedded devices.

This paper makes two contributions. First, we present a novel method of leveraging controlled electromagnetic pulses to attack modern computers using second-order effects of induced faults across multiple components of the target computer. Second, we present the design and implementation of BADFET: a low-cost, high-performance pulsed EMFI platform. We aim to share BADFET with the research community in order to democratize future EMFI research. Using these two contributions, we present a reliable and effective attack against a widely used TrustZone-based secure boot implementation on a multi-core 1 GHz+ ARM embedded system. Additionally, we disclose two novel vulnerabilities within a widely used implementation of TrustZone SMC in Appendix A.

BibTeX
@inproceedings {206182,
author = {Ang Cui and Rick Housley},
title = {{BADFET}: Defeating Modern Secure Boot Using {Second-Order} Pulsed Electromagnetic Fault Injection},
booktitle = {11th USENIX Workshop on Offensive Technologies (WOOT 17)},
year = {2017},
address = {Vancouver, BC},
url = {https://www.usenix.org/conference/woot17/workshop-program/presentation/cui},
publisher = {USENIX Association},
month = aug
}