Studying EM Pulse Effects on Superscalar Microarchitectures at ISA Level

TL;DR

This paper investigates electromagnetic pulse effects on complex superscalar microarchitectures at the ISA level, revealing diverse fault effects and proposing a methodology for characterization to aid in designing countermeasures.

Contribution

It introduces a novel characterization methodology for EM pulse-induced faults at the ISA level in superscalar microprocessors, including new fault effect classifications.

Findings

EM pulses can corrupt loop iteration counts in complex processors.

Fault effects include instruction skip, register corruption, operand substitution, and control-flow hijacking.

The methodology aids in understanding and defending against EM-induced faults.

Abstract

In the area of physical attacks, system-on-chip (SoC) designs have not received the same level of attention as simpler micro-controllers. We try to model the behavior of secure software running on a superscalar out-of-order microprocessor typical of more complex SoC, in the presence of electromagnetic (EM) pulses. We first show that it is possible, in a black box approach, to corrupt the loop iteration count of both original and hardened versions of two sensitive loops. We propose a characterization methodology based on very simple codes, to understand and classify the fault effects at the level of the instruction set architecture (ISA). The resulting classification includes the well established instruction skip and register corruption models, as well as new effects specific to more complex processors, such as operand substitution, multiple correlated register corruptions, advanced control-flow hijacking, and combinations of all reported effects. This diversity and complexity of effects can lead to powerful attacks. The proposed methodology and fault classification at ISA level is a first step towards a more complete characterization. It is also a tool supporting the designers of software and hardware countermeasures.