Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses how multiple fault injection attacks can be implemented against security-critical devices and why such attacks are needed to break interdependent security measures.
  • Multiple fault injection attacks can be implemented cheaply using voltage fault injection
  • Such attacks can be used to break instruction-level countermeasures and TrustZone-M implementations
  • Multiple fault injection attacks are required to fully break the TrustZone-M architecture
  • The presentation introduces a multiple fault injection engine for implementing such attacks
  • The engine uses single voltage fault injection units and multiple multiplexers to inject multiple voltage faults
  • The presentation emphasizes the need for optimizing parameter search and suggests the use of duplication-based approaches combined with random delays
  • The authors thank NXP for their exceptional engagement in the responsible disclosure process
The presentation provides an example of an NXP datasheet that highlights the difficulty of hacking the TrustZone-M architecture due to the detection of inconsistencies between the SAU and the AHB secure controller configurations. The authors emphasize the need for multiple fault injection attacks to overcome such security measures.

Abstract

Fault Injection (FI), also referred to as Glitching, has proven to be a severe threat to real-world computing devices. In this kind of attack, physical faults are injected into a device at runtime to deliberately alter the target's behavior. To address this threat, various countermeasures have been proposed to counteract the different types of fault injection methods at different abstraction layers, requiring modification of either the underlying hardware or the firmware at the machine instruction level. Moreover, only recently, individual chip manufacturers have started to respond to this threat by integrating certain countermeasures in their products. Multiple Fault Injection (MFI) could theoretically be used against instruction-level countermeasures; however, as stated by previous work, conducting those attacks is considered highly impractical due to the lack of precise MFI tools and efficient parameter search algorithms. In this presentation, we showcase μ-Glitch, the first FI platform dedicated to injecting multiple, coordinated voltage faults into a target device. We'll show a novel flow for MFI attacks that significantly reduces the search complexity for fault parameters, as otherwise the search space increases exponentially with each additional fault to be injected. After that, we'll show the effectiveness and practicality of the attack platform on two real-world systems featuring TrustZone-M: the first one has interdependent backchecking mechanisms, while the second has additionally integrated countermeasures against fault injection. It will be revealed that μ-Glitch can successfully inject four consecutive successful faults within an average time of one day.
