
On the Security of Embedded System under Fault Injection and Side-Channel Leak

Posted on: 2018-06-28
Degree: Ph.D
Type: Thesis
University: The Chinese University of Hong Kong (Hong Kong)
Candidate: Liu, Yannan
Full Text: PDF
GTID: 2448390002497266
Subject: Computer Engineering
Abstract/Summary:
With the proliferation of the Internet of Things, embedded systems have become widely used not only in people's daily life but also in many safety-critical infrastructures, so their security is of great concern. As the two most common techniques in the field of hardware security, fault injection and side-channel leaks are able to compromise the targeted hardware's security by maliciously changing the hardware states and by extracting execution-dependent information from physical channels, respectively. Motivated by this threat, in this thesis we study the security of different components inside embedded systems under fault injection and side-channel leaks.

In the first part, we study fault injection attacks on the ciphers used in many embedded systems. Differential fault analysis (DFA), which aims to recover the secret key via fault injection, is a serious threat to the security of cryptographic devices. Various DFA techniques have been presented, and they differ in terms of the underlying assumptions on the fault models, the key distinguisher and the complexity of the associated analytical algorithm. We propose a new DFA method, namely differential error rate analysis (DERA), that uses the inherent bias of the error rates among different signals as the foundation of the key distinguisher design. Compared to existing DFA solutions, DERA is a more efficient and effective attack, in terms of both the temporal and spatial needs of the attack, as demonstrated with FPGA emulation in our experiments.

For the second part, we investigate the impact of fault injection attacks on the deep neural networks (DNNs) deployed in embedded systems. DNN has become the de facto technique used in many mission-critical embedded systems, whose security is therefore of great concern. We propose two kinds of fault injection attacks for DNNs, which can misclassify a specified input pattern into an adversarial class by modifying the parameters in the DNN via fault injection. Without considering the stealthiness of the attack, the single bias attack (SBA) requires modifying only one parameter in the DNN, based on the observation that the DNN's outputs may linearly depend on some parameters. The gradient descent attack (GDA) considers stealthiness. By controlling the amount of modification to the DNN parameters, GDA can minimize the fault injection impact on input patterns other than the specified one. Experimental results demonstrate the effectiveness and efficiency of the proposed attacks.

Finally, we focus on the challenge of code execution tracking via side-channel leaks. Code execution tracking is the basis of many attack and defense methods. However, such capability is limited in embedded systems, especially legacy systems, which have limited resources and may not support software or hardware updates. We propose a non-intrusive code execution tracking solution via the power side channel, wherein we represent the code execution and its power consumption with a revised hidden Markov model and recover the most likely executed instruction sequence with a revised Viterbi algorithm. By observing the power consumption of the microcontroller unit during execution, we are able to recover the program execution flow with high accuracy and detect abnormal code execution behavior even when only a single instruction is modified.
Keywords/Search Tags:Fault injection, Embedded, Code execution, Security, Attack, DFA