Software Engineer - Secure Boot Security Against Electromagnetic Fault Attacks - Internship H/F apple

Apple System-on-Chips implement a secure boot mechanism to ensure platform integrity, which is a mandatory prerequisite for guaranteeing user data confidentiality. Fault injection is a well known technique used to break secure boot by bypassing firmware signature verification, hence allowing the execution of malicious firmware [1]. This firmware can then be used to characterize the SoC behavior and further investigate on complementary security mechanisms. Laser Fault injection (LFI) is today the most effective technique to inject faults in SoC but it requires expensive tools and eventually chip preparation that are only accessible to well equipped laboratories. Moreover, this technique can't be used in the case of stacked components. Electromagnetic Fault Injection (EMFI) technique is a cost effective alternative which already gave promising results on SoC components [2]. The objective of this internship proposal is to challenge the security of iBoot against EMFI. [1] Laser-Induced Fault Injection on Smartphone Bypassing the Secure Boot (https://ieeexplore.ieee.org/document/8167709 (https://ieeexplore.ieee.org/document/8167709)) [2] TROUCHKINE, Thomas, BOUFFARD, Guillaume, et CLÉDIÈRE, Jessy. EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model. In : 2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC). IEEE, 2021. p. 31-38. https://www.bouffard.info/assets/pdf/conf/fdtc/TrouchkineBC21.pdf (https://www.bouffard.info/assets/pdf/conf/fdtc/TrouchkineBC21.pdf) The internship is expected to happen in 2025/2026 in Paris, for a 6 month duration. The program will consist in the following steps: - Reproduce on an internal SoC, directly accessible from backside, the tests already done internally, using a test program. - Improve EMFI setup to increase injection probe resolution and reduce EM pulse duration. Modify progressively the test program parameters to execute it in the same conditions as iBoot. - Modify a signed Flash image and bypass the iBoot verification with EMFI. - If previous steps successfully performed, try to reproduce the fault injection with the DRAM stacked over the SoC.
- Experience in physical attacks
- Knowledge of electromagnetism fundamentals
- Knowledge and experience in analog electronic and microprocessors architecture
- Great analytical and presentation skills.

- Proficiency in switching power supply techniques
- Applied cryptography
- Experience in fault attacks