EM-Fault It Yourself: Building a Replicable EMFI Setup for Desktop and Server Hardware

TL;DR

This paper presents a detailed, replicable electromagnetic fault injection (EMFI) setup for attacking modern desktop and server CPUs, demonstrating its effectiveness by successfully attacking an AMD Secure Processor and revealing vulnerabilities in firmware verification.

Contribution

It provides a comprehensive guide to building an automated EMFI setup and demonstrates its application on AMD SoCs, including the first EMFI attack on an AMD desktop CPU.

Findings

Successfully attacked AMD Secure Processor using EMFI

Identified vulnerabilities in firmware signature verification

Provided detailed design for replicable EMFI setup

Abstract

EMFI has become a popular fault injection (FI) technique due to its ability to inject faults precisely considering timing and location. Recently, ARM, RISC-V, and even x86 processing units in different packages were shown to be vulnerable to electromagnetic fault injection (EMFI) attacks. However, past publications lack a detailed description of the entire attack setup, hindering researchers and companies from easily replicating the presented attacks on their devices. In this work, we first show how to build an automated EMFI setup with high scanning resolution and good repeatability that is large enough to attack modern desktop and server CPUs. We structurally lay out all details on mechanics, hardware, and software along with this paper. Second, we use our setup to attack a deeply embedded security co-processor in modern AMD systems on a chip (SoCs), the AMD Secure Processor (AMD-SP). Using a previously published code execution exploit, we run two custom payloads on the AMD-SP that utilize the SoC to different degrees. We then visualize these fault locations on SoC photographs allowing us to reason about the SoC's components under attack. Finally, we show that the signature verification process of one of the first executed firmware parts is susceptible to EMFI attacks, undermining the security architecture of the entire SoC. To the best of our knowledge, this is the first reported EMFI attack against an AMD desktop CPU.