

# False Injections: Tales of Physics, Misconceptions and Weird Machines

Cristofaro Mune <u>cristofaro@raelize.com</u> <u>@pulsoid</u>

#### Security boundaries



#### Notes from Micro-architectural attacks [2017]

- Security models aren't just a Software (SW) thing
- Most of the Hardware (HW) has no idea of security boundaries:
  - unless factored in during design
- HW resources shared across security boundaries can be problematic
- It's painful to recover

#### Are we missing anything?



# Walking on thin ice...

- The whole computing model assumes that:
  - the right logical values
  - are correctly represented
  - at the rising edge
  - of each clock cycle.
  - Everywhere
- That's why we have constraints on operating conditions (e.g. temperature range)



#### Fig. 1. Internal architecture of digital ICs.

Zussa et al –"Analysis of the fault injection mechanism related to negative and positive power supply glitches using an on-chip voltmeter" - [ZDRC2014]

What can go wrong?

#### **Examples: Natural Phenomena**





Ziegler, Lanford –"Effects of cosmic rays on computer memories" (1979) <u>May, Woods – "Alpha-particle-induced soft errors in dynamic memories"</u> (1979)

6

# Physics and Computing

- The general relationship between Physics and Computing is mostly unexplored in CS:
  - R. P. Feynman "Feynman Lectures on Computation" Caltech lectures
- We are aware of "physical attacks":
  - Mostly seen as a computing problem

- More in general, physics fundamentals are just seldomly discussed:
  - In academic papers, in the industry, as well as in the security community
  - Maybe "left as an exercise to the reader..."?

#### Consequences

- Imprecise descriptions
- Perpetuation of beliefs
- Incorrect/sub-optimal modeling
- (Lack of) identification of fundamental problems

# How far does the rabbit hole go?

#### Goals

- Show examples of gaps in our approaches
  - We will be (mostly) using Fault Injection (FI) for our investigation

- Realize the potential of including physics in our model of computing:
  - We will be identifying threats, opportunities and attacks

#### Fault Injection Reference Model (FIRM)



### Breaks down FI attacks in several comprehensible stages.

Voltage glitch shape.

#### Some widespread statements...

"You want to affect a single instruction..."

"you have to glitch WHEN the instruction is being executed..."

"CPU is fast. You need to be \_very\_ fast..."

"Hit within one single clock cycle..."

"Your glitch needs to be sharp..."

### Assumptions?

- Fault is introduced by the glitch shape
  - regardless of target's physical parameters. (e.g.: Impedance, amount of stored energy, ...)
- Glitch effectiveness depends on its shape/sharpness

- Precision depends on sharpness
  - To be adjusted to CPU speed

• Glitch is somewhat instantaneous

Physics has objections...

• Glitch effect cannot travel faster than light

- We need to consider two different times:
  - Time of glitch (T<sub>g</sub>)
  - Time of fault  $(T_f)$



Glitch effect cannot be instantaneous

### In literature: Shaping the Glitch

- Effectiveness of glitch shape has been investigated:
  - <u>"Shaping the Glitch: Optimizing Voltage Fault Injection Attacks" Bozzato et</u>
     <u>al</u>
  - Confirmed that arbitrarily shaped voltage glitches may be effective
- Tests performed targeting security protections preventing firmware dump
- No actual analysis of effects on CPU instructions execution

#### Shaping the Glitch: Research aproach



- Measured parameters shaping vs attack success
- No analysis on the underlying physics mechanisms that causes faults:
  - Reference to [ZDRC2014] (discussed later)

## Still many questions...

• Has a glitch to be sharp in order to affect a single instruction?

• Does a glitch need to be faster than a single clock cycle?

- Are multiple glitch shapes possible and effective in attackin CPU code execution?
  - Or are we just constrained to a single shape?

...without an answer (yet)

# Let's perform some experiments!

#### Target: Espressif ESP32 (DOWDQ6)

• A feature-rich SoC with integrated Wi-Fi and Bluetooth connectivity

- Relevant (for us) features:
  - Clock speed: 80, 160, 240 MHz
  - Nominal voltage: 3.3 V
  - CPU architecture: Xtensa



#### Espressif ESP32 – Power Scheme



We glitch both CPU and RTC at the same time

# Raelize ESP32 Training Target v1.2

- Custom board for easy signal access during FI experiments:
  - Reset
  - UART TX/RX
  - Trigger
  - VCC (main power @ 3.3V)
    - used for subsystems other than CPU. E.g.
       Flash
  - Voltage Glitch (CPU + RTC)



#### Generating a voltage glitch: techniques

- Original power source is retained:
  - Power line is pulled down to GND ("crowbar")
  - Used by common hacking tools

- Original power source is replaced:
  - power supplied to the target is fully controlled in the experiment

# We are going to use the latter

### Our setup

- Riscure Spider:
  - FPGA used for
    - Glitch generation
    - Glitch timing
    - Target reset
- Riscure Amplifier:
  - More stable glitch
- Espressif ESP-PROG:
  - Serial communications
  - Powering the main target power rail (3.3V)







\* Source: Riscure website

\*



Glitch Amplifier

# Target code: single add instruction



# Attack Window



# Glitch parameters



# Fl campaign

- Normal voltage: Fixed. 2.1V
- Glitch delay: Random. Between 10us and 13.2us
- Glitch voltage: Random. Between 0.5V and 2.1V
- Glitch length: Random. Between 200ns and 5000ns
- Experiments: ~270k
- Success: 32 (0.01%)

# Data visualization provides valuable information

# Distribution: glitch\_voltage vs glitch\_length



• Green: No effect

• Red: Successful glitch

• Yellow: Garbage output/mute/reset

• Blue: Comments

### Some interesting results

В

#### • Glitch A:

- Sharper, shorter, later
- glitch\_voltage: 0.558 V
- glitch\_length: 721 ns
- glitch\_delay: 12744 ns



#### • Glitch B:

- Shallower, longer, earlier
- glitch\_voltage: 1.211 V
- glitch\_length: 3944 ns
- glitch\_delay: 11199 ns



• Both glitches are successful

### Sharpness vs CPU speed

- ESP32 CPU clock speed: Min 80 MHz  $\rightarrow$  1 clock cycle = 12.5 ns (or shorter)
- Successful glitch lengths:
  - Minimum: 200ns (16 times max clock cycle duration)
  - Maximum: 5000us (400 times max clock cycle duration)

• Our glitches are WAY longer than the duration of a single CPU clock cycle

#### We have answers!

• Has a glitch to be sharp in order to affect a single instruction? NO

• Does a glitch need to be faster than single clock cycle duration? NO

A quite widespread belief is incorrect

# Data analysis.

#### Patterns

- An interesting relationship between glitch\_voltage and glitch\_length:
  - Higher the glitch\_voltage  $\rightarrow$  longer glitch\_length

• Glitches are mostly located along the green/yellow border

- Is there an actual curve profile?
  - Very likely, but it doesn't look great for this specific target
  - See the following...

# Distribution: glitch\_voltage vs glitch\_delay



• Green: No effect

• Red: Successful glitch

• Yellow: Garbage output/mute/reset

• Dashed blue: Just a marker stroking a "curve"

#### More patterns...

- Another apparent relationship between glitch\_voltage and glitch\_delay:
  - Higher glitch\_voltage -> lower glitch\_delay (i.e. start glitching earlier)

• Successful glitches seem to align on some kind of curve

# Is this chip special?

- Not at all.
- Such patterns are common and they are present for almost all chips
  - See a clearer one on the right

• Yet...they are unknown to the most.



Yuce et al. - "Fault Attacks on Secure Embedded Software: Threats, Design, and <u>Evaluation"</u>

\* Glitch Voltage plotted as the deviation from normal\_voltage

# Why?

- They just rarely surface in literature:
  - Both in academia and security community works

- Identification requires:
  - Varying glitch voltage/length:
    - most glitchers out there only glitch to GND
  - Data visualization and analysis
    - Still rarely used in FI attacks
    - some research mostly focuses on getting to success and increasing the success rate
       ③

#### Why do these patterns exist?

- A thorough investigation is still lacking in the public domain:
  - To the best of my knowledge  $\textcircled{\odot}$

- When reported, they are usually not accompanied by physics modeling:
  - E.g. The <u>paper</u> we got the example pattern from.

# Current understanding

- Voltage glitches are caused by setup time violations:
  - See [1], [2], [3], [4]
- In a nutshell, lower voltages increases propagation time...and wrong values are sampled

- Totally valid. But it may be challenging to explain the patterns...
  - E.g. why does glitch\_length matter at?

# Are we missing something important?

#### Idea: Energy-based interpretation

- Lowering the voltage deprives the target of energy:
  - i.e. we discharge our target over time
  - The amount of energy depends on both glitch\_voltage and glitch\_time

• The internal voltages drop as well

• Below a certain level  $V_{f}$ , representing logical "1" is not possible anymore.

# Glitch profile



# Implications

- Different glitch shapes are always possible:
  - Requirement: internal voltage must drop below  $V_f$  at the right time

- It is possible to perform attacks with very shallow and very long glitches:
  - Yes. We have been using them 🙂
  - This may help bypassing hardware countermeasures (e.g. glitch detector, brownout detectors,..)

# Summary

- Widespread beliefs found to be incorrect
- Physics modeling in paper is rare
- Parameter space visualization is rare
- Some interesting patterns and features are:
  - Not discussed
  - Challenging to explain with the current interpretation
- We may be missing on some fundamental understanding...
- ...as well as some powerful attacks.

# Sub-optimal modeling.

# Guess how FI affects code execution...





Microelectronics Reliability Volume 155, April 2024, 115370



Experimental analysis of the electromagnetic instruction skip fault model and consequences for software countermeasures

Microelectronics Reliability

Volume 121, June 2021, 114133

Research paper

Software countermeasures against the multiple instructions skip fault model

Nicolas Moro<sup>1,2</sup>, Karine Heydemann<sup>1</sup>, Emmanuelle Encrenaz<sup>1</sup>, and Bruno Robisson<sup>2</sup>

Formal verification of a software countermeasure against instruction

skip attacks

<sup>1</sup>Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6, 75005 Paris, France firstname.lastname@lip6.fr <sup>2</sup>CEA, CEA-Tech PACA, LSAS, 13541 Gardanne, France firstname.lastname@cea.fr

February 24, 2014

# Instruction skipping

- The most common fault model for describing FI effect on CPU execution:
  - Been with us for at least 3 decades 😳

- First attacks mostly targeted security relevant decisions
  - Smart Card pin authentication
  - Signature checks
  - •

"It is as if...we skipped that instruction"

# Typical attacks

- Targets:
  - Conditionals:
    - To "skip" the compare instruction
  - Function calls:
    - To "skip" the execution of a security relevant function
  - Infinite loops:
    - To "skip" the current instruction an fall into the next one
- This requires precise targeting of specific instructions:
  - Strong timing requirements
  - Potential targets are easy to predict

# Example



#### Attack execution

int load\_exec\_next\_boot\_stage() {

1

6

8

9

10

11 12

13

14 15

16

17 18

19

20 21

// Copy next stage image from Flash to SRAM
load\_next\_stage\_img(img\_addr);

```
// Copy signature from Flash to SRAM
load_next_stage_signature(sig_addr);
```

```
if (verify_signature(img_addr, sig_addr))
```

```
// Wrong signature. Reset system
reset_SOC();
```

// Signature valid. Exec next stage code
exec\_stage(img\_addr);

- "Instruction skipping"
- requires accurate timing
  - Synchronization with target often required

- Can be executed blindly:
  - i.e. no assumption on type of fault
  - "Glitch 'n pray"

#### SW countermeasures: Multiple checks

| 1                          | int | load_exec_next_boot_stage() {                                                                               |
|----------------------------|-----|-------------------------------------------------------------------------------------------------------------|
| 2<br>3<br>4<br>5<br>6      |     | <pre>// Destination addresses in SRAM uint32_t img_addr = 0xd0000000; uint32_t sig_addr = 0xd1000000;</pre> |
| 7<br>8<br>9                |     | <pre>// Copy next stage image from Flash to SRAM load_next_stage_img(img_addr);</pre>                       |
| 10<br>11<br>12             |     | <pre>// Copy signature from Flash to SRAM load_next_stage_signature(sig_addr);</pre>                        |
| 13<br>14<br>15<br>16       |     | <pre>if (verify_signature(img_addr, sig_addr)) {     reset_SOC(); }</pre>                                   |
| 17<br>18<br>19<br>20       |     | <pre>if (verify_signature(img_addr, sig_addr)) {     reset_SOC(); }</pre>                                   |
| 20<br>21<br>22<br>23<br>24 |     | <pre>if (verify_signature(img_addr, sig_addr)) {     reset_SOC(); }</pre>                                   |
| 25<br>26                   |     | <pre>// Signature valid. Exec next stage code exec_stage(img_addr);</pre>                                   |

27

• Checks are performed multiple times

#### • Assumption:

• A glitch is required for

```
every check
```

# SW countermeasures: Making synchronization harder

int load\_exec\_next\_boot\_stage() {

// Destination addresses in SRAM
uint32\_t img\_addr = 0xd0000000;
uint32\_t sig\_addr = 0xd1000000;

// Copy next stage image from Flash to SRAM
load\_next\_stage\_img(img\_addr);

// Copy signature from Flash to SPAin load\_next\_stage\_signature(sig\_addr);

random\_delay(); .

if (verify\_signature(img\_addr,\_sig\_addr)) {
 reset\_SOC();

J

15

23

random\_delay();

if (verify\_signature(img\_addr, sig\_addr)) {
 reset\_SOC();

random\_delay();

```
if (verify_signature(img_addr, sig_addr)) {
    reset_SOC();
```

random\_delay();

// Signature valid. Exec next stage code
exec\_stage(img\_addr);

 Random delays are introduced around critical checks

 Location in time is not fixed anymore

- Assumption:
  - A glitch must "hit" a specific point in time

# Observations

- SW-based countermeasures are widely used in the industry and academia
  - Multiple checks and random delays are two prominent examples
  - Additional countermeasures available

• Commonly advised and implemented in FI-resistant targets

- They reduce attack success rate:
  - Multiple glitch required
  - Target synchronoziation more difficult

But...

#### Instruction skipping is the assumed fault model



# Test code: Counter (unrolled loop)



### Results



# Data analysis (1)

| AMOUNT        | ♦ COLOR | <pre>\$ DELAYMIN</pre> | <pre>\$ DELAYMAX</pre> | <pre>\$LENGTHMIN</pre> | ♣LENGTHMAX | <pre>\$RESPONSE</pre>        |                      |
|---------------|---------|------------------------|------------------------|------------------------|------------|------------------------------|----------------------|
| Aafilter data | Aa F    | Aa                     |                        |                        |            | Aa                           |                      |
| 11            | R       | 1090                   | 1850                   | 2815                   | 4331       | XXXX000003ffYYYY000003ffZZZZ | *                    |
| 5             | R       | 1191                   | 1233                   | 2931                   | 4218       | XXXX3ffe417aYYYY3ffe417aZZZZ |                      |
| 4             | R       | 1735                   | 1790                   | 3098                   | 3853       | XXXX3ffe414eYYYY3ffe414eZZZZ |                      |
| 4             | R       | 1012                   | 1391                   | 2972                   | 3811       | XXXX000003feYYYY000003feZZZZ | Instruction skipping |
| 3             | R       | 1435                   | 1844                   | 2975                   | 4077       | XXXX00000401YYYY00000401ZZZZ |                      |
| 3             | R       | 1471                   | 1475                   | 3946                   | 4211       | XXXX00000407YYYY00000407ZZZZ |                      |
| 2             | R       | 1461                   | 1472                   | 3392                   | 3817       | XXXX00000408YYYY00000408ZZZZ |                      |
| 2             | R       | 1065                   | 1092                   | 3170                   | 3559       | XXXX800812edYYYY800812edZZZZ |                      |

# Something weird...

| ♠ AM  | 10UNT    | \$<br>COLOR | <pre>\$ DELAYMIN</pre> | <pre>DELAYMAX</pre> | <pre>\$LENGTHMIN</pre> | ♣LENGTHMAX | \$RESPONSE                   |
|-------|----------|-------------|------------------------|---------------------|------------------------|------------|------------------------------|
| Aafil | ter dat: | R           |                        |                     |                        |            | Aa                           |
| 1     | 11       | R           | 1090                   | 1850                | 2815                   | 4331       | XXXX000003ffYYYY000003ffZZZZ |
|       | 5        | R           | 1191                   | 1233                | 2931                   | 4218       | XXXX3ffe417aYYYY3ffe417aZZZZ |
|       | 4        | R           | 1735                   | 1790                | 3098                   | 3853       | XXXX3ffe414eYYYY3ffe414eZZZZ |
|       | 4        | R           | 1012                   | 1391                | 2972                   | 3811       | XXXX000003feYYYY000003feZZZZ |
|       | 3        | R           | 1435                   | 1844                | 2975                   | 4077       | xxxx00000401YYYY00000401ZZZZ |
|       | 3        | R           | 1471                   | 1475                | 3946                   | 4211       | XXXX00000407YYYY00000407ZZZZ |
|       | 2        | R           | 1461                   | 1472                | 3392                   | 3817       | xxxx00000408YYYY00000408ZZZZ |
|       | 2        | R           | 1065                   | 1092                | 3170                   | 3559       | XXXX800812edYYYY800812edZZZZ |

How do we explain these results with instruction skipping?

# ...and weirder...

| AMOUNT        | \$ | COLOR | <pre>\$ DELAYMIN</pre> | <pre>DELAYMAX</pre> | ¢LENGTHMIN | ⇒LENGTHMAX | \$RESPONSE                   |
|---------------|----|-------|------------------------|---------------------|------------|------------|------------------------------|
| Aafilter data | Aa | R     |                        |                     |            |            | Aa                           |
| 11            |    | R     | 1090                   | 1850                | 2815       | 4331       | XXXX000003ffYYYY000003ffZZZZ |
| 5             |    | R     | 1191                   | 1233                | 2931       | 4218       | XXXX3ffe417aYYYY3ffe417aZZZZ |
| 4             |    | R     | 1735                   | 1790                | 3098       | 3853       | XXXX3ffe414eYYYY3ffe414eZZZZ |
| 4             |    | R     | 1012                   | 1391                | 2972       | 3811       | XXXX000003feYYYY000003feZZZZ |
| 3             |    | R     | 1435                   | 1844                | 2975       | 4077       | XXXX00000401YYYY00000401ZZZZ |
| 3             |    | R     | 1471                   | 1475                | 3946       | 4211       | XXXX00000407YYYY00000407ZZZZ |
| 2             |    | R     | 1461                   | 1472                | 3392       | 3817       | XXXX00000408YYYY00000408ZZZZ |
| 2             |    | R     | 1065                   | 1092                | 3170       | 3559       | XXXX800812edYYYY800812edZZZZ |

What are the values in these responses?

# Some hints

#### Table 1-2. Embedded Memory Address Mapping

| Bus Type | Boundary    | / Address    | Size   | Target          | Comment      |
|----------|-------------|--------------|--------|-----------------|--------------|
| Dus Type | Low Address | High Address | SIZE   |                 |              |
| Data     | 0x3FF8_0000 | 0x3FF8_1FFF  | 8 KB   | RTC FAST Memory | PRO_CPU Only |
|          | 0x3FF8_2000 | 0x3FF8_FFFF  | 56 KB  | Reserved        | -            |
| Data     | 0x3FF9_0000 | 0x3FF9_FFFF  | 64 KB  | Internal ROM 1  | -            |
|          | 0x3FFA_0000 | 0x3FFA_DFFF  | 56 KB  | Reserved        | -            |
| Data     | 0x3FFA_E000 | 0x3FFD_FFFF  | 200 KB | Internal SRAM 2 | DMA          |
| Data     | 0x3FFE 0000 | 0x3FFF FFFF  | 128 KB | Internal SRAM 1 | DMA          |

A memory address? how?

#### Our instruction (+ encoding)



What could be happening?

### Occam's razor

• Our glitches are most likely corrupting instructions

- This fault model alone is able to explain all the responses we see
  - Responses slightly above  $0x400 \rightarrow$  Immediate corruption
  - Responses containing a memory address  $\rightarrow$  Source register corruption
  - Responses below 0x400 (i.e. "instruction skipping")
    - Instruction is mutated into one without side effects. E.g. addi.n a8, a8, 0
- Also all the exceptions can be explained!

Weird machines... out of Data transfers.

#### Instruction corruption

Glitches may corrupt instructions (examples on ARM32)

| <ul> <li>Single bit corruptions</li> </ul> | add<br>add | x0, x1, x3<br>x0, x1, <mark>x2</mark> | <pre>= 1000101100000011000000000000000000000</pre>             |
|--------------------------------------------|------------|---------------------------------------|----------------------------------------------------------------|
| <ul> <li>Multi bit corruptions</li> </ul>  | ldr<br>str |                                       | ] = 1111100101000000000001001111100000<br>= 111110010000000000 |

- Most chips are affected by this fault model
  - Which bits can be controlled, and how, depends on the target, ...

• As software is modified; any software security model breaks

#### Data transfers are a great target

• All devices transfer data

• From memory to memory

• Using external interfaces



# Transferred data may be under attacker's control



• It's everywhere.

• SW security: Parameters are typically checked (dest, src and n)

• Transferred content itself not considered security critical

# Let's use it as a Fault Injection target...

# PC control with Instruction corruption.

#### Example: USB data transfer (ARM32)



PC set to attacker data. Control flow directly hijacked

#### We regularly use this technique...

- Escalating privileges from user to kernel in Linux
  - <u>ROOting the Unexploitable using Hardware Fault Injection @ BlueHat v17</u>

- Bypassing encrypted secure boot
  - <u>Hardening Secure Boot on Embedded Devices</u> @ Blue Hat IL 2019

- Taking control of an AUTOSAR based ECU
  - Attacking AUTOSAR using Software and Hardware Attacks @ escar USA 2019

# Works on multiple architectures

- We identified multiple variants and techniques
- Yield arbitrary code execution:
  - from controlled data only
  - By corrupting instruction destination registers
- Sufficiently generic to work across multiple architectures
- Examples:
  - Corrupting stored PC (in regs) or SP
  - Hijacking jump/call (through registers)
  - Corrupting callee saved regs (across function calls)

# More details <u>here</u>

#### Example: ARMv8 RET instruction

- Used for returning from a function call.
  - Return address stored in register (default X30)

• It has the following encoding:



• **RET** instruction can encode any register (x0 to x30)

## Real world example

- Google Bionic's (LIBC) memcpy
- Copying 16 bytes executes the following code:
  - Source data resides in x6 and x7
  - Source data is not wiped before RET

• Glitch RET instruction into RET x6 or RET x7:

• Equivalently glitch ldr x6, ... to ldr x30, ...



memcpy: 0:8b020024 add x4, x1, x2 4:8b020005 add x5, x0, x2 8:f100405f cmp x2, #0x10 c:54000229 b.ls50 <memcpy+0x50 ... 50:f100205f cmp x2, #0x8 54:540000e3 b.cc70 <memcpy+0x70> 58:f9400026 ldr x6, [x1] 5c:f85f8087 ldur x7, [x4, #-8] 60:f9000006 str x6, [x0] 64:f81f80a7 stur x7, [x5, #-8] 68:d65f03c0 ret

# PC hijacked from controlled data.

#### "Instruction corruption": Recipe for success

- Identify data transfers you control
- Send sled of pointers
  - E.g. Point to your shellcode location
- Glitch during ANY memcpy
- PC control

# A stack overflow...without SW vulns 🙂

## Attacking Secure Boot



#### SW-based countermeasures bypass



# Key points

- SW-based countermeasures completely ineffective:
  - Countermeasures code not executed
- The attack:
  - does NOT target checks. Is unrelated to checks location (weak locality)
  - Can target ANY data transfer before SW checks
- ROM control flow hijacked:
  - Instruction "skipping" only yields bootloader-level access

Very hard to protect against. Applicable to FI-resistant targets.

## Observations

• FI SW countermeasures have been designed with an implicit fault model assumption

 Comes from a partial/incorrect understanding of FI effects on CPU code execution

- This leaves room to powerful attacks:
  - SW-based countermeasures are mostly ineffective
  - Exploit mitigation countermeasures may be applicable

# PoC: ESP32.

#### Test code: Pointers "sled" copy

- We set a specific pointer in Flash:
  - 0x4005a980: ROM code printing "Falling back..."



esp\_rom\_printf("AAAA%08xBBBB%08xCCCC\r\n", \*(uint32\_t\*)(buffer\_A), \*(uint32\_t\*)(buffer\_B));

# PC control $\rightarrow$ Jump to pointer $\rightarrow$ Print "Falling..."

# Trigger



## Our Attack window: ~35.60us

## Results



# Conclusion.

## Final considerations

- Identified some gaps in our approach towards Physics and Computing
- Concrete impact in our understanding of the security of modern digital systems.
- Mostly due to Physics (+ its modeling and approach) not being part of the regular Computing discussion.
- WE may be missing on:
  - A holistic view of systems security
  - Understanding of critical scientific fundamentals
  - Understanding of threats
  - ...and powerful attacks

## I would like to thank my friend Niek Timmers!

This talk could have not been possible without his key contribution, to Raelize, to our research and to the field.



# Thank you! Any questions!?

Cristofaro Mune <u>cristofaro@raelize.com</u> <u>@pulsoid</u>