Laser fault injection consists in changing some logical states inside digital devices by sending laser pulses at different locations inside the chip. Fault injection is a mandatory technique to validate the safety level of chips embedded in critical applications. Our team has worked in this field to validate the robustness of chips toward external threats.

An example of threat is the random one, induced by any transient external activity of the system surrounding the component. For example, we have tested airbag controllers. These devices have to be hardened against any kind of transients arriving inside it, in order not to fire the airbag when it is not necessary. Sending laser pulses in the different parts of the controller allowed identifying the less robust. Having this information, the device manufacturer can modify the design of the controller to improve its safety.

Another example of threat is the man-made one. We have tested devices used in highly confidential applications, such as banking or government applications. The laser has been identified as a potential way to extract some secret codes embedded inside the chip. Of course such extraction needs a good knowledge of the device in order to interpret correctly the observed faults and to retrieve the hidden information. The laser injection fault method has been identified to be a real threat so that secured chips incorporate specific protections against it. Our team helps to validate the robustness level of these components. Our different laser parameters (wavelength, pulse duration, spot size) can be used to validate the embedded protections against optical attacks.

We have done some work in this field but it is often not open to publication as the results have to be kept confidential.

Figure 1 shows some results about a case study of fault injection inside a Xilinx Virtex II FPGA.

Laser mapping of the number of error bits (a), and the application errors for different delays between the laser pulse arrival and the clock: b- 225 ns, c- 800 ns and d-1250 ns

Figure 1: Laser mapping of the number of error bits (a), and the application errors for different delays between the laser pulse arrival and the clock: b- 225 ns, c- 800 ns and d-1250 ns.

Fault injection inside FPGA is an interesting topic, because embedded codes have to be robust against glitches. Different teams develop codes to reduce the number of errors associated with the digital treatment of the data inside FPGAs or ASICs. Injecting faults with a laser in well identified locations inside the components helps to verify the hardness level of theses codes.


Publications