Negative Voltage Fault Injection Attacks on Microcontrollers

Fault attacks are a well known physical attack type in the area of hardware security. A common fault injection technique is a short term variation of the supply voltage causing a vulnerable processor to misinterpret or skip instructions. Fortunately, an increasing number of microcontroller manufacturers recognize the importance of hardened hardware and implement countermeasures against fault attacks into their products. In this work, we present a new fault injection attack method. While conventional attacks pull the power supply rail to GND, in the new method we pull into the negative voltage supply range instead. The hypothesis of this work is that negative voltage fault injection attacks provide advantages over their conventional counterparts with respect to shorter glitch durations in presence of capacitive charges. Utilizing negative voltage during the generation of a fault, we expect higher slew rates due to faster discharging of the circuit implementations outside and within microcontrollers. Within this work, we implemented and evaluated a negative voltage fault injection prototype to test this hypothesis. The results show that especially in presence of higher capacitive loads, fault injection attacks are not only simplified, but they become feasible in the first place. In contrast to classical attacks, shorter glitches were achieved opening the attack vector even to controllers with higher clock rates.