Professional Documents
Culture Documents
Abstract—Radio frequency identification (RFID) is analysis on a tag architecture. This analysis included an
widespread and still necessary in many important applications. exhaustive SEU and SET faults emulation, for a supposed
However, and in various significant cases, the use of this communication scenario, and led to identify the faults effects
technology faces multiple security issues that must be addressed. and the tag vulnerable parts. The work presented in this paper
This is mainly related to the use of RFID tags (transponders) constitutes a continuation of the analysis of [5], but this time,
which are electronic components communicating wirelessly, and the targeted analysis covers MBU random emulation in order
hence they are vulnerable to multiple attacks through several to evaluate in advance the tag robustness. Thus, the platform
means. In this work, an extensive fault analysis is performed on presented in [5] has been reused in this work including the tag
a tag architecture in order to evaluate its hardness. Tens of
architecture and the communication scenario.
millions of single-bit upset (SBU) and multiple-bit upset (MBU)
faults are emulated randomly on this tag architecture using an II. MBU EMULATION
FPGA-based emulation platform. The emulated faults are
classified under five groups according to faults effect on the tag Several random MBU experimentations were realised
behaviour. The obtained results show the faults effect variation with the use of different parameters in order to vary the
in function of the number of MBU affected bits. The maximum number of flip-flops (FFs) targeted by one MBU
interpretation of this variation allows evaluating the tag injection. Each experimentation is composed of several
robustness. The proposed approach represents an efficient emulation cycles and every cycle is processed in four phases:
mean that permits to study tag architectures at the design level (1) initialising the two tag–reader pairs, (2) enabling readers
and evaluating their robustness and vulnerability to fault and tags to communicate together for a sufficient period in
attacks. order to accomplish the desired scenario. During this time,
MBU fault is effectively introduced randomly into the faulty
Keywords—RFID, fault injection, fault attacks, emulation, tag, (3) collecting and transferring produced results to the host
SEU, SBU, MBU, robustness computer, (4) finally, analysing and saving MBU emulation
I. INTRODUCTION results. The adopted communication scenario between the pair
tag–reader is identical to the scenario used in [5].
Radio frequency identification (RFID) technology is used
in several main applications including the internet of things. All tag FFs, 314 in total, were the subject of the performed
In many cases, the deployment of this technology is facing MBU experimentations. The number of affected FFs in every
various challenges relating to authentication, security, and emulation cycle varies randomly from one to twelve.
reliability. The key element of RFID, who is the tag Consequently, the emulated fault can be a single bit upset
(transponder), is vulnerable to external disturbance and (SBU) when only one FF is affected, or MBU when more than
susceptible to fault attacks [1]. Therefore, evaluating tag fault one FF are affected. When a fault injection is enabled, the fault
tolerance and its security assessments are required. Fault injection mechanism takes charge to emulate the SEU effect
analysis represents then a powerful mean that can be used to on the targeted FFs. These latter are selected randomly from
evaluate tags robustness and identify tags weak parts. the whole tag FFs.
Single-event upset (SEU) represents a potential fault that Produced MBU emulation results for each emulation cycle
can be occurred in electronic devices resulting from a heavy are analysed when received by the computer application, from
particle effect, it affects a storage element by changing its the FPGA board, and the emulated MBU is then classified in
state. A heavy particle can also introduce a single-event five classes according to its effect on the scenario progression
transient (SET) which occurs in combinational cells as a [5]: Silent (S), Frame Alteration (FA), Latent (L), Latent with
transient output pulse. Moreover, as an effect of a heavy Frame Alteration (L&FA) and Failure (F).
particle, multiple storage elements can change their states and
these occurrences are called multiple-bit upset (MBU) [2]. III. EMULATION RESULTS
Estimating SEU, SET sensitivity is a crucial task in safety- The total number of emulated faults is 75,151,357
critical circuit design [3]. combined between SBU and MBU. The experimentations
were setting in a manner to cover all cycle equally of the
The purpose of this work is evaluating the robustness of communication scenario (about 7,600 cycles). The emulated
RFID tags through a deep fault analysis. Almost all reported faults are grouped in twelve categories (SBU and 2bit-MBU
works in this field have focused on the practice of side- to 12bit-MBU); each category corresponds to a different
channel attacks on tags via several means as well as contact- number of affected bits (FFs) in one emulated fault, which
based fault injection techniques [1]. Both methods have varies, as said, between one and twelve. In order to obtain
demonstrated that fault attacks can effectively break valuable results, we experimented more than two million
cryptographic functions embedded into tags. Other MBUs for every number of affected bits category. The aim is
approaches have used FPGA boards to perform fault injection to obtain a high fault coverage able to cover, in the case of
analysis on a tag [4]. However, all these approaches do not SBU, 314 FFs (in space) and 7,600 cycles (in time), that yields
process thoroughly analysis and deliver weak information 2,386,400 possible cases (314 × 7,600).
about injected fault effects. A different approach is presented
in [5] where authors use an FPGA board to perform a fault
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:47:44 UTC from IEEE Xplore. Restrictions apply.
!
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:47:44 UTC from IEEE Xplore. Restrictions apply.