Fault Injection Simulators and Their Applicability to Fault Attacks

In simulation-based fault injection, the target system as well as the possible hardware faults are modeled and simulated by a software program, usually called a fault simulator. The fault simulation is performed by modifying either the hardware model or the software state of the target system, so that the system behaves as if a hardware fault had occurred [13]. There are two categories of fault injection: runtime fault injection and compile-time fault injection. In the former, faults are injected during the simulation or the execution of the model. In the latter, faults are injected at compile time into the target hardware model or into the software executed by the target system. The advantage of simulation-based fault injection techniques is that there is no risk of damaging the system under test. In addition, they are cheaper in terms of time and effort than the hardware techniques, and they offer higher controllability and observability of the system behavior in the presence of faults. Nevertheless, simulation-based fault injection techniques may lack accuracy in the fault model and in the system model. In addition, they have a poor time resolution, which may cause fidelity problems. Software fault injection is a special case of simulation-based fault injection in which the target system is a large microprocessor-based machine, possibly including caches, memories and devices, running complex software. This technique is able to target applications and operating systems, which is not easy to do with hardware fault injection.

Fault-injection simulators are attractive because they do not require expensive hardware. Moreover, they can be used at all system abstraction levels, including applications and operating systems, which is difficult to do at the hardware level. The controllability of fault-injection simulators is very high: given sufficient detail in the model, it is possible to modify any signal value in any desired way, and the results of the fault injection are easily observable regardless of the location of the modified signal within the model. The main goal of an early analysis of the resistance against fault attacks is to allow designers to easily identify the weakest point of their design and to protect it with appropriate countermeasures. Although this approach is flexible, it has some shortcomings:

  • Large development efforts are required, as they involve the construction of a simulation model of the system under analysis, including a detailed model of the processor in use. This increases the cost of using simulation-based fault-injection tools.
  • Not all the fault attacks previously discussed can be reproduced in the simulation model.
  • The fidelity of the results strongly depends on the accuracy of the models used.
  • Experiments are time consuming, because of the length of each simulation run.

Some attacks, in particular setup-time violations, can be reliably simulated using state-of-the-art EDA tools. For some others, instead, a complete simulation is impossible. It is however possible to model the type of error that will be induced into the device, and to simulate the behavior of the device when a similar type of error occurs, with cycle-accurate or behavioral simulators. The strategy usually adopted by these injection frameworks is to evaluate the effects that the injected faults have on the final result of the computation. The designer then attempts to mount an attack using the simulated data, and can determine whether the amount of information that will be available to the attacker is sufficient to successfully extract secret information. In the rest of this section we review known tools and approaches used in the past for injecting and simulating faults at different levels of abstraction, and we discuss their suitability for evaluating the resistance against fault attacks.
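As an added illustration of the strategy just described (and of the runtime versus compile-time distinction from the beginning of the section), the following Python example is a minimal software fault simulator written for this page; it is not code from any of the tools surveyed below. The target model is an RSA-CRT signer with a constructed 20-bit toy key; `FaultSimulator`, `rsa_crt_sign`, `bellcore_recover_factor`, `run_campaign` and `compile_time_fault_leaks` are names chosen here. A runtime campaign flips each bit of one named intermediate in turn, a compile-time fault corrupts the stored exponent `d_q` before the run, and the attacker side applies the well-known gcd recovery of Boneh, DeMillo and Lipton to decide whether the simulated faulty output leaks a factor of N. Comparing locations shows which intermediate is the weakest point of the design.

```python
"""Software fault simulator for an RSA-CRT signer: added example, not code
from any tool the chapter surveys. The class and function names and the toy
key are constructed for illustration."""
from math import gcd

# Constructed toy RSA key (20-bit primes, far too small for real use, chosen
# so that a full campaign runs in milliseconds). 1000003 and 1000033 are prime.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
D_P, D_Q = D % (P - 1), D % (Q - 1)
Q_INV = pow(Q, -1, P)          # q^-1 mod p, for Garner's recombination
MESSAGE = 2                    # message representative; any m coprime to N works


class FaultSimulator:
    """Runtime fault injection: the model hands every named intermediate to
    observe(); the value comes back unchanged unless a fault is scheduled for
    that location. The trace provides the observability the text mentions."""

    def __init__(self, faults=None):
        self.faults = faults or {}     # location name -> callable(value) -> value
        self.trace = {}

    def observe(self, name, value):
        self.trace[name] = value
        if name in self.faults:
            value = self.faults[name](value)
            self.trace[name + "_faulted"] = value
        return value


def rsa_crt_sign(m, sim, d_q=D_Q):
    """RSA-CRT signing model. d_q is a parameter so that a compile-time fault
    (a permanently corrupted stored exponent) can be expressed as well."""
    s_p = sim.observe("s_p", pow(m, D_P, P))
    s_q = sim.observe("s_q", pow(m, d_q, Q))
    h = sim.observe("h", (Q_INV * (s_p - s_q)) % P)
    return sim.observe("s", s_q + Q * h)


def bellcore_recover_factor(correct_sig, faulty_sig):
    """Attacker side: when the fault corrupts one CRT half only, the correct
    and faulty signatures agree modulo one prime and differ modulo the other,
    so gcd(s - s', N) is that prime. Returns None if nothing leaked."""
    g = gcd(abs(correct_sig - faulty_sig), N)
    return g if 1 < g < N else None


def bit_flip(bit):
    """Single transient bit-flip fault model."""
    return lambda value: value ^ (1 << bit)


def run_campaign(location, m=MESSAGE, bits=Q.bit_length()):
    """Runtime campaign: flip each bit of one intermediate in turn and count
    how many of the faulty signatures let the attacker factor N."""
    correct = rsa_crt_sign(m, FaultSimulator())
    leaks = 0
    for bit in range(bits):
        faulty = rsa_crt_sign(m, FaultSimulator({location: bit_flip(bit)}))
        if bellcore_recover_factor(correct, faulty) in (P, Q):
            leaks += 1
    return {"location": location, "faults": bits, "leaks": leaks}


def compile_time_fault_leaks(bit, m=MESSAGE):
    """Compile-time fault: the stored exponent d_q is corrupted before the run
    rather than during it; the attacker's analysis is unchanged."""
    correct = rsa_crt_sign(m, FaultSimulator())
    faulty = rsa_crt_sign(m, FaultSimulator(), d_q=D_Q ^ (1 << bit))
    return bellcore_recover_factor(correct, faulty)


if __name__ == "__main__":
    for loc in ("s_p", "s_q", "h", "s"):
        print(run_campaign(loc))
    print("compile-time fault in d_q recovers:", compile_time_fault_leaks(0))
```

Every bit flip on `s_p`, `s_q` or `h` yields a signature that is correct modulo one prime only, so the gcd step recovers a factor every time, whereas flipping the final output `s` changes it modulo both primes and leaks nothing. That is exactly the kind of outcome-based evaluation the text describes: the simulator tells the designer that the unprotected CRT halves and the recombination value are the points that need a countermeasure (for example, verifying the signature before output), while the output register itself is not the weak point.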
