Fault Injection Attack Implementation

# Fault Injection Attack Implementation ## Detector 使用流程 ### 1. Create Project 勾選"Do note specify sources at this time" ![](https://i.imgur.com/r4Z0z37.png) 點選上方的board，搜尋zedboard ![](https://i.imgur.com/UDjLvTG.png) ### 2. Add Design Sources 進入Wenwei->3.Implementation->Detector->src->"clocking_generator.v" "controlClk.v" "detector.v" "test_clock_detector.v" ![](https://i.imgur.com/ufQJKI1.png) Note:若路徑太長可能會有問題，建議額外把src內的檔案存出來記得勾選"Copy sources into project" ![](https://i.imgur.com/NhTliKF.png) ### 3.Add Design Constriants 進入Wenwei->3.Implementation->Detector->constraint->"IOPlan.xdc" ![](https://i.imgur.com/w5gFmu7.png) ### 4. Generate Bitstream ![](https://i.imgur.com/yK5M3Sb.png) Note:記得開到16核心，這樣跑比較快 ### 5. Open Hardware Manager 要把zedboard的電源打開 ![](https://i.imgur.com/L648Wtn.png) Open Target -> Auto Connect ![](https://i.imgur.com/w3ue9E9.png) Program Device ![](https://i.imgur.com/WPojJ1m.png) ### 6. Experiment Setting 點選左邊的Settings (hw_ila_1)，將Capture Mode改成BASIC ![](https://i.imgur.com/kvejvcN.png) 設定Trigger Setup 設定rst_IBUF，並將value設成"R"(0 to 1 transition) ![](https://i.imgur.com/CIk22fO.png) 設定Capture Mode 設定rst_IBUF，並將operation設成"!="、value設成"R"(0 to 1 transition) ![](https://i.imgur.com/m8JPzsx.png) 因無法直接看clock，因此我們在這邊有設定counter 設定cnt[3:0]，並將operation設成"<="或"!="、value設成"F"(4'b1111) ![](https://i.imgur.com/VMmEQHh.png) ### 7. Run Experiment 按Run ![](https://i.imgur.com/s6sqKRV.png) 長按板子上的中間的button 我們是設定在reset後才看得到Glitch發生 Setup發生的位置 ![](https://i.imgur.com/rh2Xlqt.png) Glitch發生的狀況 ![](https://i.imgur.com/nJXqz1B.png) ## Instruction Skipping 使用流程 ### 1. Create Project 勾選"Do note specify sources at this time" ![](https://i.imgur.com/96c4K4s.png) 點選上方的board，搜尋zedboard ![](https://i.imgur.com/UDjLvTG.png) ### 2. Add Design Sources 進入Wenwei->3.Implementation->SkipInstruction->src -> "Add.v" "ALU.v" "clocking_generator.v" "Compare.v" "Control.v" "controlClk.v" "CPZero.v" "Divide.v" "EXMEM_Stage.v" "Hazard_Detection.v" "IDEX_Stage.v" "IFID_Stage.v" "IM.v" "Interface.v" "MemControl.v" "MEMWB_Stage.v" "MIPS_Parameters.v" "Mux2.v" "Mux4.v" "Processor.v" "Register.v" "RegisterFile.v" "TrapDetect.v" ![](https://i.imgur.com/Pee30KJ.png) Note:若路徑太長可能會有問題，建議額外把src內的檔案存出來 ### 3. Add Design Constriants 進入Wenwei->3.Implementation->SkipInstruction->constraint->"IOPlan.xdc" ![](https://i.imgur.com/HfjicDW.png) ### 4. Generate Bitstream ![](https://i.imgur.com/Glnc7AU.png) Note:記得開到16核心，這樣跑比較快 ### 5. Ila Error (If there's no error, then skip) 打開左側Synthesis->Open Synthesized Design->Set Up Debug 選Disconnect all nets and remove debug cores ![](https://i.imgur.com/rxT7a7n.png) 點開"IOPlan.xdc"，刪除關於ila的相關constriants ![](https://i.imgur.com/UxF6bfs.png) Run Synthesis 打開左側Synthesis->Open Synthesized Design->Set Up Debug 點選Open Design ![](https://i.imgur.com/q6KoaDG.png) 打開左側Netlist，點開Nets，選要關注的Signals，拉進來Nets to Debug 我們在這邊選擇要觀察的Signals有： - cnt - rst_IBUF - InstMem_Addr - InstMem_In - glitch_OBUF ![](https://i.imgur.com/4ngSGO1.png) 打開Capture control ![](https://i.imgur.com/tjpbipd.png) ### 6. Open Hardware Manager 要把zedboard的電源打開點選Open Hardware Manager ![](https://i.imgur.com/UK63wWM.png) Open Target -> Auto Connect ![](https://i.imgur.com/wjaPZtC.png) Program Device ![](https://i.imgur.com/wBn6RQq.png) ### 7. Experiment Setting 點選左邊的Settings (hw_ila_1)，將Capture Mode改成BASIC ![](https://i.imgur.com/KNN37KM.png) 設定Trigger Setup 設定rst_IBUF，並將value設成"R"(0 to 1 transition) 設定InstMem_In，並將value設成"8'h00000000" ![](https://i.imgur.com/bvGz7p5.png) 設定Capture Mode 設定rst_IBUF，並將operation設成"!="、value設成"R"(0 to 1 transition) 設定cnt[3:0]，並將operation設成"<="或"!="、value設成"F"(4'b1111) ![](https://i.imgur.com/BNogKGc.png) ### 8. Run Experiment 按Run ![](https://i.imgur.com/4ivIFsi.png) 長按板子上的中間的button 我們是設定在reset後才看得到Glitch發生 Setup發生的位置 ![](https://i.imgur.com/x7yZuDc.png) Glitch發生的狀況 ![](https://i.imgur.com/EPwQbr7.png) 原本應該有的Instruction(已寫好在memory的instructions) ![](https://i.imgur.com/6yVZ0Jm.png) 可以對比上面兩張圖發現，在Glitch發生的時候，第10個指令32'h01094820被跳過，證明有完成instruction skipping。 ## Recovery 使用流程 (only Simulation) ### 1. Create Project 勾選"Do note specify sources at this time" ![](https://i.imgur.com/lHWjGCc.png) 點選上方的board，搜尋zedboard ![](https://i.imgur.com/UDjLvTG.png) ### 2. Add Design Sources 進入Wenwei->3.Implementation->RecoverySimulation->src -> "Add.v" "ALU.v" "clocking_generator.v" "Compare.v" "Control.v" "controlClk.v" "CPZero.v" "detector.v" "Divide.v" "DM.v" "DM_buffer.v" "EXMEM_Stage.v" "Hazard_Detection.v" "IDEX_Stage.v" "IFID_Stage.v" "IM.v" "Interface.v" "MemControl.v" "MEMWB_Stage.v" "MIPS_Parameters.v" "Mux2.v" "Mux4.v" "Processor.v" "Register.v" "RegisterFile.v" "TrapDetect.v" ![](https://i.imgur.com/bWJGUb0.png) Note:若路徑太長可能會有問題，建議額外把src內的檔案存出來 ### 3. Add Create Simulation Sources 進入Wenwei->3.Implementation->RecoverySimulation->sim->testbench.v ![](https://i.imgur.com/EpZ5Lst.png) ### 4. Run Simulation 按Run Simulation->Run Behavior Simulation ![](https://i.imgur.com/MF6ZJlT.png) ### 5. Run Experiment 打開左側"Scope"，選要關注的Signals 我們在這邊選擇要觀察的Signals有： - glitch/glitch_test - Glitch_Flush(ID/IF/EX/M) - InstMem_In/InstMem_Address - registers 如何找到這些Signals glitch及glitch_test在testfixture/DUT底下 ![](https://i.imgur.com/NvbvCtm.png) Glitch_Flush(ID/IF/EX/M)在testfixture/DUT/mips32底下 ![](https://i.imgur.com/EFWJRXh.png) InstMem_In及InstMem_Address在testfixture/DUT/mips32底下 ![](https://i.imgur.com/k5wFWu1.png) registers在testfixture/DUT/mips32/RegisterFile底下 ![](https://i.imgur.com/aPxAftJ.png) 將全部的訊號拉好之後，在Tcl Console輸入： ``` run 5ns ``` 上述訊號的波形便可以生成，如下圖示 ![](https://i.imgur.com/OjpS4sA.png) 由這邊可以發現0a指令因為受到glitch的關係，因此在五個回合做recovery，回復到0a指令，由0a指令重新繼續執行instructions，recovery後的值是相同的。