Firmware Signature Verification

• Firmware image usually signed, with signature stored next to image.
• Signature verified with public key from manufacturer. Correct verification ⇒ boot

Ideal Fault injection can target status bits for system checks

Differential Fault Analysis

• Fault injection ⇒ leak cryptographic keys
• Decrypt known input data (with/without fault injection), analyze output data for key
• “Information-Theoretic Approach to Optimal Differential Fault Analysis” - Kazuo Sakiyama et al

Inject faults into code

• Flip flags
• Change return values
• Change checks

Common fault injection methods

• Overclocking
• Under-volting
• Overheating
• (EM pulses)

Discover Fault primitives