Atoi() vulnerability against fault injection

1.6k views Asked by At

I’m using atoi to convert an string to integer in a embedded c application. However, I could exploit the vulnerability in atoi() using clock glitching fault injection attack. I mean when I have a single or multiple glitch, the processor missed some characters and returns faulty integer. Is there any alternative for atoi function which is more robust against fault injection? Can I use its complementary (itoa function) to regenerate the string and compare two strings?

  • I saw the strtol function as an alternative for validation instead of atoi(). could that be a case for my problem or it just returns the software errors?
1

There are 1 answers

5
chqrlie On BEST ANSWER

This is a typical case of a CPU controlled by a Schrödinger cat. With her quantic paws, she can decide which instructions to execute or skip...

It is difficult to imagine code that would be resilient in such an environment.

As a matter of fact, any attempt at testing output consistency could be defeated by skipping the corresponding instructions.

As commented by Barmar, you could just call atoi() twice and compare the values, hoping for a moment of distraction of the clock glitcher.