Embedded & Hardware Security
Est. read time: 2 minutes | Last updated: July 10, 2026 by John Gentile
Contents
- Random Number Generators (RNGs)
- Fault Injection
- Side Channel Analysis (SCA)
- FPGA-Specific Security
- References
Random Number Generators (RNGs)
There are a variety of Hardware random number generators:
- Ring oscillator - Wikipedia
- Fast Digital TRNG Based on Metastable Ring Oscillator
- stnolting/neoTRNG: 🎲 A Tiny and Platform-Independent True Random Number Generator for any FPGA.
- True random number generators based on FPGA - Controlpaths.com
Attacks on HW TRNGs
Fault Injection
Voltage Fault Injection (Voltage Glitching)
- Shaping the Glitch: Optimizing Voltage Fault Injection Attacks - CHES
- Who Watches the Watchers: Attacking Glitch Detection Circuits
- Nominally use FET which can short power rail to GND quickly under digital control
- See this custom board used to perform voltage fault injection on the Starlink SoC for more bespoke hardware FI.
Countermeasures & Mitigations
- Software Countermeasures for Fault Injection Attacks - nuvoTon
- Outputs that could be used to understand timing (such as boot) should be randomized
- For example, in Markus Gaasedelen’s RE//verse 2026 talk on hacking the Xbox One, Microsoft had 37 random stalls throughout the SP0 bootrom, and no POST code outputs (eFUSED off) that would could usually be used to anchor glitch timing off of. However, in initial bootrom, the GPIO initialization from tri-state/Hi-Z to logic low was deterministic which allowed for glitch timing.
Side Channel Analysis (SCA)
Side-channel attacks can take many forms.
Power Analysis
Power analysis is a form of SCA where an attacker studies the power consumption of a cryptographic hardware device.
Attacks & Case Studies
- PACMAN - YouTube: microarchitecture side channel attack to break ARM Pointer Authentication Code (PAC).
- Screaming Channels: side-channel attack that leaks AES via analog disturbances in RF wireless signal for mixed-signal SoCs.
- AIR-GAP RESEARCH - covertchannels.com: this website is dedicated to air-gap jumping academic research
FPGA-Specific Security
Hardware Trojans
- FPGA-Based Protection Scheme against Hardware Trojan Horse Insertion Using Dummy Logic
- Dynamic FPGA Detection and Protection of Hardware Trojan: A Comparative Analysis
Configuration Scrubbing
Scrubbing is the periodic reprogramming, or checking, of FPGA configuration space (e.g. how Programmable Logic fabric is programmed and routed) to prevent/fix errors. These errors could be caused by radiation (e.x. FPGAs operating in a space or nuclear environment) or malicious actors.
- A Hybrid Approach to FPGA Configuration Scrubbing
- Redundant-Configuration Scrubbing of SRAM-Based FPGAs
- Configuration Scrubbing Architectures for High-Reliability FPGA Systems
- Partial Reconfiguration via Configuration Scrubbing
- Scrubbing SRAM-based FPGAs to Prevent the Accumulation of SEUs
- Programmable Scrubber for FPGAs- Micro-RDC
References
To Read
- Secure Hardware Design 6.595x: MIT’s Secure Hardware Design Class (6.5950/6.5951) is an open-source course that teaches students both how to attack modern CPUs and design architectures resilient to those attacks.
- NewAE Education & Training
- Security Engineering, 3rd Ed
- VoidStar Security Wiki and Security Blog
- Practical Reverse Engineering Part 1 - Hunting for Debug Ports
- IACR Transactions on Cryptographic Hardware and Embedded Systems