International Association for Cryptologic Research


Transactions on Cryptographic Hardware and Embedded Systems, Volume 2024

Phase Modulation Side Channels: Jittery JTAG for On-Chip Voltage Measurements


Colin O’Flynn
Dalhousie University, Halifax, Canada


Keywords: power analysis, phase modulation, remote power analysis, JTAG


Abstract

Measuring fluctuations of the clock phase was identified as a source of leakage in early electromagnetic side-channel investigations. Despite this, only recently was measuring the clock phase (or jitter) of digital signals (not electromagnetic signals) from a target used as a source of exploitable leakage. As the phase of a clock output will be related to signal propagation delay through the target, and this propagation delay is related to voltage, this means that most digital devices perform an unintended phase modulation (PM) of their internal voltage onto clock outputs.
This paper first demonstrates an unprofiled CPA attack against a Cortex-M microcontroller using the phase of a clock output, observing the signal on both optically isolated and capacitively isolated paths. The unprofiled attack takes only 2–4x more traces than an attack using a classic shunt-resistor measurement.
It is then demonstrated how the JTAG bypass mode can be used to force a clock through a digital device. This forced clock signal can then be used as a highly effective oscilloscope that is located on the target device itself. As the attack does not require modifications to the device (such as capacitor removal or heat spreader removal), it is difficult to detect using existing countermeasures. The example attack over JTAG uses an unprofiled CPA attack, requiring only about 5x more traces than an ideal shunt-resistor based measurement. In addition, a version of this attack using a fault correlation analysis attack is also demonstrated.
Countermeasures are discussed, and a simple resampling countermeasure is tested. All tools, both offensive and defensive, presented in the paper have been released under open-source licenses.
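The abstract describes the measurement chain in words: supply voltage changes propagation delay, propagation delay shifts the phase of a clock that passes through the device (for example TDI to TDO with the JTAG BYPASS instruction loaded), and the per-cycle phase deviation is then treated like a power trace. The following is an added example, not code from the paper or its artifact, showing that chain end to end in pure Python: a constructed clock waveform whose rising edges are jittered and, in one cycle, delayed in proportion to the Hamming weight of an S-box output; sub-sample edge timestamps recovered by zero-crossing interpolation; period deviations used as the "phase trace"; and an unprofiled CPA over those traces. The 4-bit PRESENT S-box stands in for AES, and the sample rate, clock period, slew, delay-per-bit constant and planted key are all assumptions chosen for the simulation, not values from the paper.

```python
"""Added example (not the paper's or artifact's code): phase-modulation side
channel on a clock output, from waveform to key recovery, with a constructed target."""
import math
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT S-box; stand-in for AES (assumption)
PERIOD = 100.0       # nominal clock period in samples (e.g. 1 MHz clock at 100 MS/s; constructed)
SLEW = 4.0           # half-width of the edge ramp in samples (constructed)
CYCLES = 6           # rising edges captured per trace
LEAK_CYCLE = 3       # cycle whose edge is delayed by the S-box computation (constructed)
DELAY_PER_BIT = 0.3  # extra propagation delay per Hamming-weight bit, in samples (assumption)


def hw(x):
    """Hamming weight, the usual unprofiled CPA leakage model."""
    return bin(x).count("1")


def simulate_trace(pt, key, rng):
    """Constructed stand-in for the target: every rising edge carries random
    jitter, and the edge in LEAK_CYCLE is additionally delayed in proportion
    to HW(SBOX[pt ^ key]) to model supply droop -> slower propagation -> later edge."""
    edges = []
    for i in range(CYCLES):
        t = 10.0 + i * PERIOD + rng.gauss(0.0, 0.15)
        if i == LEAK_CYCLE:
            t += DELAY_PER_BIT * hw(SBOX[pt ^ key])
        edges.append(t)
    n_samples = int(PERIOD * (CYCLES + 1))
    sig = [-1.0] * n_samples
    for t_r in edges:                     # trapezoid pulse: ramp up at t_r, down at t_r + T/2
        t_f = t_r + PERIOD / 2
        for n in range(int(t_r - SLEW), int(t_f + SLEW) + 2):
            if 0 <= n < n_samples:
                x = min((n - t_r) / SLEW, (t_f - n) / SLEW)
                sig[n] = max(-1.0, min(1.0, x))
    return [v + rng.gauss(0.0, 0.02) for v in sig]   # small amplitude noise


def rising_edge_times(sig):
    """Sub-sample rising-edge timestamps by linear interpolation of the zero crossing
    (what an oscilloscope's time-interval-error measurement does)."""
    times = []
    for n in range(len(sig) - 1):
        if sig[n] < 0.0 <= sig[n + 1]:
            times.append(n + (0.0 - sig[n]) / (sig[n + 1] - sig[n]))
    return times


def phase_trace(sig):
    """Per-cycle deviation of the measured period from nominal. Differencing
    consecutive edges removes the trigger offset; this is the trace that
    replaces the shunt-resistor power trace in the attack."""
    t = rising_edge_times(sig)
    return [(t[i] - t[i - 1]) - PERIOD for i in range(1, len(t))]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def cpa(plaintexts, traces):
    """Unprofiled CPA: correlate HW(SBOX[pt ^ guess]) against every point of the
    phase traces; return (best guess, best point index, |correlation|)."""
    n_points = len(traces[0])
    best_guess, best_point, best_corr = 0, 0, -1.0
    for g in range(16):
        model = [hw(SBOX[pt ^ g]) for pt in plaintexts]
        for p in range(n_points):
            c = abs(pearson(model, [tr[p] for tr in traces]))
            if c > best_corr:
                best_guess, best_point, best_corr = g, p, c
    return best_guess, best_point, best_corr


def run_attack(n_traces=300, key=0xB, seed=1):
    """Capture n_traces constructed clock waveforms, convert each to a phase
    trace, and recover the planted key nibble."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(16) for _ in range(n_traces)]
    traces = [phase_trace(simulate_trace(pt, key, rng)) for pt in plaintexts]
    return cpa(plaintexts, traces)


if __name__ == "__main__":
    g, p, c = run_attack()
    print(f"recovered key nibble 0x{g:X} at period index {p}, |corr| = {c:.2f}")
```

The leaking edge is number LEAK_CYCLE, so the period ending at that edge is stretched and the one starting at it is shortened; CPA therefore peaks at period index 2 or 3 with opposite signs, which is why the attack compares absolute correlation. On a real target the only thing that changes is where `sig` comes from: an optically or capacitively isolated probe on a clock pin, or TDO while the TAP sits in Shift-DR with BYPASS selected and a toggling pattern is clocked in on TDI.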

Publication

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2024, Issue 4

Paper

Artifact

Artifact number
tches/2024/a29

Artifact published
September 25, 2024

Badge
🏆 IACR CHES Results Reproduced

README

ZIP (18898874 bytes)

View on Github

License

Some files in this archive are licensed under a different license. See the contents of this archive for more information.


How to cite (BibTeX)

Colin O’Flynn. Phase Modulation Side Channels: Jittery JTAG for On-Chip Voltage Measurements. (2024). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(4), 382-424. https://doi.org/10.46586/tches.v2024.i4.382-424
Artifact available at https://artifacts.iacr.org/tches/2024/a29