Physical attack technologies may be divided into two main categories - non-invasive and invasive.
Non-invasive attacks include manipulating the supply voltage and clock signal to disable protection circuits or force processors to perform incorrectly. Power and clock transients can also be used to affect the decoding and execution of individual instructions. Another possible non-invasive attack is a side-channel attack, in which the attacker measures fluctuations in the current consumed or the EM radiated by the device. Distinguishable power and EM signatures of instructions often allow code to be reconstructed, and so can be combined with other techniques to support an attack.
Non-invasive attacks can be particularly dangerous for two reasons:
- The owner of the compromised device might not notice that secret keys have been stolen, which makes it difficult for compromised keys to be revoked before they are abused.
- Some types of non-invasive attacks can be scalable, as the necessary equipment can usually be reproduced and updated at low cost.
The main problem with performing such attacks is the requirement for detailed knowledge of both the processor and the software.
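As an added example, not taken from the TBSA-M document, the C below shows what software-level hardening against the two non-invasive attack classes above looks like: a key or MAC comparison with no data-dependent early exit (so time, power and EM traces do not reveal how many bytes matched) and with a redundant second pass and a "hard" result encoding (so a single glitched or skipped instruction is unlikely to turn a mismatch into a match). The constants `VERIFY_OK`/`VERIFY_FAIL` and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed result encodings: many bits apart from each other and from
 * 0/1, so a single bit flip or a zeroed register does not yield "OK". */
#define VERIFY_OK    0x5A3CA5C3u
#define VERIFY_FAIL  0xA5C35A3Cu   /* bitwise complement of VERIFY_OK */

/* Leaky reference version: returns at the first mismatch, so execution
 * time and the instruction sequence depend on the secret being compared. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Hardened version: fixed-length loops, no secret-dependent branch, and a
 * second independent pass whose result must agree with the first. */
uint32_t verify_hardened(const uint8_t *a, const uint8_t *b, size_t n)
{
    /* volatile keeps the compiler from merging the two passes into one;
     * it does not by itself guarantee constant time. */
    volatile uint8_t diff1 = 0;
    volatile uint8_t diff2 = 0;

    for (size_t i = 0; i < n; i++)          /* always touches every byte */
        diff1 |= (uint8_t)(a[i] ^ b[i]);
    for (size_t i = n; i > 0; i--)          /* second pass, reverse order */
        diff2 |= (uint8_t)(a[i - 1] ^ b[i - 1]);

    /* Branch-free reduction: d == 0 only if both passes saw no difference. */
    uint32_t d = (uint32_t)(diff1 | diff2);
    uint32_t nonzero = (d | (0u - d)) >> 31;   /* 1 iff d != 0 */
    uint32_t mask = 0u - nonzero;              /* all-ones iff mismatch */
    return (VERIFY_OK & ~mask) | (VERIFY_FAIL & mask);
}
```

Callers should compare the return value against `VERIFY_OK` explicitly rather than testing it for non-zero, otherwise the hard encoding buys nothing.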
Invasive attacks start with the removal of the chip package. After the chip is opened, it is possible to perform probing or modification attacks by etching, drilling, or laser cutting at least part of the passivation layer.
Invasive attacks generally require days or weeks in a specialized laboratory, with highly qualified specialists and a significant budget.
There is thus a large gap between these two types of attack, so TBSA-M focuses on non-invasive attacks, although it does not require countermeasures for side-channel attacks.