Physical Threat Model

Device includes a microprocessor (MITRE EM3ED PID-11)

Cryptographic Algorithm Implementation

• Keys: Cryptographic Algorithm Implementation | Cryptographic Algorithm Implementation | Cryptographic Operation
• Description: Cryptographic algorithm implementation emits exploitable information to the side-channel

• Attack Vectors and Threats:

  • Power Side-Channel (MITRE EM3ED TID-101)

    • Secret-dependent operations lead to secret extraction through measuring power consumption

    • Key-dependent exponentiation leads to single-trace key extraction through measuring power consumption

    • Key-dependent multiplication leads to key extraction through measuring power consumption

    • Correlation between power consumption and key material in an unprotected cryptographic implementation leads to key extraction

    • Second order correlation between power consumption and key material in a first-order protected cryptographic implementation leads to key extraction

    • Nth order correlation between power consumption and key material in an (n-1)-order protected cryptographic implementation leads to key extraction

    • Misaligned traces can be aligned using alignment techniques

  • Electromagnetic Side-Channel (MITRE EM3ED TID-102)

    • Key-dependent exponentiation leads to single-trace key extraction through measuring electromagnetic emanations

    • Key-dependent multiplication leads to key extraction through measuring electromagnetic emanations

    • Correlation between electromagnetic emanations and key material in an unprotected cryptographic implementation leads to key extraction

    • Second order correlation between electromagnetic emanations and key material in a first-order protected cryptographic implementation leads to key extraction

    • Nth order correlation between electromagnetic emanations and key material in an (n-1)-order protected cryptographic implementation leads to key extraction

    • Function mapping from EM

  • FA (MITRE EM3ED TID-105)

    • Voltage Glitching causes fault leading to key extraction using differential fault analysis

    • Clock glitching causes fault leading to key extraction using differential fault analysis

    • Laser fault injection causes fault leading to key extraction using differential fault analysis

    • Electromagnetic fault injection causes fault leading to key extraction using differential fault analysis

  • SEM (MITRE EM3ED TID-102)

    • Function mapping from photo-emission

Controller Implementation

• Keys: Controller Implementation | Controller Implementation | CPU Implementation | CPU | MCU | Microprocessor | SoC
• Description: Controller/CPU Implementation missbehaviour can disclose sensitive data

• Attack Vectors and Threats:

  • FA (MITRE EM3ED TID-105)

    • Voltage glitching leads to instruction skip

    • Clock glitching leads to instruction skip

    • Laser fault injection leads to instruction skip

    • Electromagnetic fault injection leads to instruction skip

    • Differential fault analysis

    • Enabling debug interface via fault injection

    • Bus transaction injection

  • FIB (MITRE EM3ED TID-105)

    • FIB modification

Countermeasure Implementation

• Keys: Countermeasure Implementation | Counter-measure Implementation
• Description: Disabling countermeasure leads to making the device vulnerable again

• Attack Vectors and Threats:

  • FIB (MITRE EM3ED TID-105)

    • Shield Bypass

Speculation

• Keys: Speculation | Speculative HW
• Description: Optimizations leading to speculative execution in the hardware

• Attack Vectors and Threats:

  • Speculative Execution (MITRE EM3ED TID-103)

    • The CPU can execute instructions transiently (being reverted before their results are committed to the architectural state), sometimes operating on secret operands they were not supposed to access. Traces of these executions can leak the secret values.

    • Transient execution that results from mispredicted conditional branches can cause persistent changes in the microarchitecture, which can be used to intentionally leak secrets from a victim process using a covert channel

    • Transient execution that results from mispredicted indirect branches can cause persistent changes in the microarchitecture, which can be used to intentionally leak secrets from a victim process using a covert channel

    • Transient execution that results from mispredicted return instructions can cause persistent changes in the microarchitecture, which can be used to intentionally leak secrets from a victim process using a covert channel

    • Transient execution that results from mispredicted store-to-load dependencies can cause persistent changes in the microarchitecture, which can be used to intentionally leak secrets from a victim process using a covert channel

  • Power Consumption Analysis Side Channel (MITRE EM3ED TID-101)

  • Electromagnetic Analysis Side Channel (MITRE EM3ED TID-102)

  • Microarchitectural Side Channels (MITRE EM3ED TID-103)

  • Hardware Fault Injection – Control Flow Modification (MITRE EM3ED TID-105)

Device includes Memory/Storage (external to CPU) (MITRE EM3ED PID-12)

Memory

• Keys: Memory | Non-Volatile Memory
• Description: Device includes memory/storage external to CPU

• Attack Vectors and Threats:

  • FA (MITRE EM3ED TID-105)

    • LCE Instruction flow modification (through micro-probing)

  • FIB (MITRE EM3ED TID-105)

    • Prevent Flash Operation

  • ROM Extraction (MITRE EM3ED TID-108)

    • ROM analytical dump with scrambled data (Retrieving ROM content from pictures)

    • UV erase of Protection bits

  • SEM (MITRE EM3ED TID-102)

    • ROM optical dump (Retrieving ROM content from pictures)

Private Key

• Keys: Private Key | private key
• Description: Device contains memory, where sensitive data are stored

• Attack Vectors and Threats:

  • FIB (MITRE EM3ED TID-105)

    • Fuse modification

  • ROM Extraction (MITRE EM3ED TID-108)

    • Fuse reading after their copy to a dedicated RAM

    • Fuse optical readout

EM3ED-only: Device includes buses for external memory/storage (MITRE EM3ED PID-121)

• Attack Vectors and Threats:

  • Data Bus Interception (MITRE EM3ED TID-106)

EM3ED-only: Device includes discrete chips/devices that have access to the same physical memory (MITRE EM3ED PID-122)

• Attack Vectors and Threats:

  • Unauthorized Direct Memory Access (DMA) (MITRE EM3ED TID-107)

EM3ED-only: Device includes ROM, VRAM, or removable Storage (MITRE EM3ED PID-123)

• Attack Vectors and Threats:

  • ROM/NVRAM Data Extraction or Modification (MITRE EM3ED TID-108)

EM3ED-only: Device includes Random Access Memory (RAM) chips (MITRE EM3ED PID-124)

• Attack Vectors and Threats:

  • RAM Chip Contents Readout (MITRE EM3ED TID-109)

EM3ED-only: Device includes DDR DRAM (MITRE EM3ED PID-1241)

• Attack Vectors and Threats:

  • Hardware Fault Injection – Data Manipulation (MITRE EM3ED TID-110)

EM3ED-only: Device includes peripheral chips and integrated data buses (MITRE EM3ED PID-13)

• Attack Vectors and Threats:

  • Unverified Peripheral Firmware Loaded (MITRE EM3ED TID-113)

  • Peripheral Data Bus Interception (MITRE EM3ED TID-114)

EM3ED-only: Device includes external peripheral interconnects (e.g., USB, Serial) (MITRE EM3ED PID-14)

• Attack Vectors and Threats:

  • Untrusted External Storage (MITRE EM3ED TID-111)

  • Weak Peripheral Port Electrical Damage Protection (MITRE EM3ED TID-118)

Device includes a hardware access port (e.g., UART, JTAG) (MITRE EM3ED PID-15)

Debug Interface

• Keys: Debug Interface
• Description: Debug Interface provides acces to internal units

• Attack Vectors and Threats:

  • FIB (MITRE EM3ED TID-105)

    • JTAG reactivation

  • Privileged Access Port (MITRE EM3ED TID-116)

    • Use test pads to gain privileges

  • Firmware/Data Extraction via Hardware Interface (MITRE EM3ED TID-115)

  • Latent Privileged Access Port (MITRE EM3ED TID-116)

  • Latent Hardware Debug Port Allows Memory/Code Manipulation (MITRE EM3ED TID-119)

EM3ED-only: Device includes a debugging capabilities (MITRE EM3ED PID-22)

• Attack Vectors and Threats:

  • Excessive Access via Software Diagnostic Features (MITRE EM3ED TID-224)