ECC Errors

The dsPIC33A family of devices has an Error Correcting Code (ECC) feature that helps correct Flash read errors during operation. The ECC module has two modes of reporting information when an error occurs:

  • The address, data, parity and syndrome information of a fault are reported.
  • Only the address of the fault is reported.

The address and correction code of an ECC error are useful for debugging and for analyzing operational failures. The same information, however, can serve as an attack vector for reading out protected Flash memory, including the IRT/boot code. Where code or data are intended to remain confidential, the ECC data and correction code can be used to assemble a copy of the image over time through ECC fault injection.

The attacker attempts to force a Flash read error during device operation that the ECC module is able to recover from, for example by running the device outside its specified operating range. The ECC module corrects the corrupted read and latches the Flash data and correction code in the ECC registers. The attacker then reads those registers and repeats the process at other addresses, building up knowledge of the internal code one corrected word at a time.
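To make the difference between the two reporting modes concrete, the following C model is an added example, not Microchip code and not the dsPIC33A ECC implementation. It assumes a generic (39,32) SEC-DED Hamming code, a constructed eight-word "protected" image standing in for boot code, and a simplified ECC register set; the function and register names are hypothetical. It injects one correctable fault per word, harvests whatever the registers expose, and shows that full reporting hands over the entire image while address-only reporting reveals only where the fault occurred.

```c
/* Added illustration of ECC report-mode leakage. The (39,32) SEC-DED Hamming
 * code, register layout and fault-injection loop are assumptions; the real
 * dsPIC33A ECC module differs in detail. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CW_BITS 39   /* position 0: overall parity; 1,2,4,8,16,32: Hamming parity; 32 data */
#define N_WORDS 8    /* size of the constructed "protected Flash" image */

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

static bool is_parity_pos(unsigned p) { return p != 0 && (p & (p - 1)) == 0; }

/* Encode 32 data bits into a 39-bit SEC-DED codeword (bit p == codeword position p). */
uint64_t ecc_encode(uint32_t data)
{
    uint64_t cw = 0;
    unsigned d = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {          /* place data in non-parity slots */
        if (is_parity_pos(p)) continue;
        if ((data >> d++) & 1) cw |= (uint64_t)1 << p;
    }
    for (unsigned pp = 1; pp < CW_BITS; pp <<= 1) {    /* each parity bit covers q with q & pp */
        unsigned par = 0;
        for (unsigned q = 1; q < CW_BITS; q++)
            if ((q & pp) && ((cw >> q) & 1)) par ^= 1;
        if (par) cw |= (uint64_t)1 << pp;
    }
    unsigned all = 0;                                  /* overall parity for double-error detect */
    for (unsigned q = 1; q < CW_BITS; q++) all ^= (unsigned)((cw >> q) & 1);
    if (all) cw |= 1;
    return cw;
}

/* Decode, correcting a single flipped bit; syndrome is the flipped position (0 = none). */
enum ecc_status ecc_decode(uint64_t cw, uint32_t *data, unsigned *syndrome)
{
    unsigned syn = 0, all = 0;
    for (unsigned q = 0; q < CW_BITS; q++)
        if ((cw >> q) & 1) { syn ^= q; all ^= 1; }
    enum ecc_status st = ECC_OK;
    if (all) { cw ^= (uint64_t)1 << syn; st = ECC_CORRECTED; }   /* odd parity: one flip */
    else if (syn) st = ECC_UNCORRECTABLE;                         /* even parity, syn != 0: two flips */
    *syndrome = syn;
    uint32_t d = 0; unsigned i = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {
        if (is_parity_pos(p)) continue;
        if ((cw >> p) & 1) d |= (uint32_t)1 << i;
        i++;
    }
    *data = d;
    return st;
}

/* Hypothetical ECC register set as latched after a corrected read. */
typedef struct { uint32_t addr; bool full; uint32_t data; unsigned syndrome; } ecc_regs;

/* Read one word with a single-bit fault injected (stands in for out-of-range operation). */
enum ecc_status flash_read(const uint64_t *flash, uint32_t addr, unsigned fault_bit,
                           bool full_report, uint32_t *out, ecc_regs *regs)
{
    unsigned syn;
    enum ecc_status st = ecc_decode(flash[addr] ^ ((uint64_t)1 << fault_bit), out, &syn);
    if (st == ECC_CORRECTED) {              /* address-only mode (ERAO = ON) latches no data */
        regs->addr = addr; regs->full = full_report;
        regs->data = full_report ? *out : 0; regs->syndrome = full_report ? syn : 0;
    }
    return st;
}

/* Attacker loop: one corrected fault per word, harvest registers. Returns words recovered. */
unsigned harvest_image(const uint64_t *flash, unsigned n, bool full_report, uint32_t *image)
{
    unsigned recovered = 0;
    for (uint32_t a = 0; a < n; a++) {
        uint32_t cpu_value; ecc_regs r = {0};
        if (flash_read(flash, a, 5, full_report, &cpu_value, &r) != ECC_CORRECTED) continue;
        if (r.full) { image[a] = r.data; recovered++; }  /* address-only: r.addr leaks nothing about contents */
    }
    return recovered;
}

/* Constructed image standing in for confidential IRT/boot code. */
static const uint32_t secret_image[N_WORDS] = { 0x00401234u, 0xDEADBEEFu, 0x0F0F0F0Fu, 0x12345678u,
                                                0xFFFFFFFFu, 0x00000000u, 0xA5A5A5A5u, 0xCAFEF00Du };

/* Run the harvest in one mode; *exact reports whether the whole image was recovered verbatim. */
unsigned run_demo(bool full_report, bool *exact)
{
    uint64_t flash[N_WORDS]; uint32_t image[N_WORDS] = {0};
    for (unsigned i = 0; i < N_WORDS; i++) flash[i] = ecc_encode(secret_image[i]);
    unsigned n = harvest_image(flash, N_WORDS, full_report, image);
    if (exact) *exact = n == N_WORDS && memcmp(image, secret_image, sizeof image) == 0;
    return n;
}

bool ecc_single_flip_corrected(uint32_t v, unsigned bit)
{
    uint32_t d; unsigned s;
    return ecc_decode(ecc_encode(v) ^ ((uint64_t)1 << bit), &d, &s) == ECC_CORRECTED && d == v && s == bit;
}

bool ecc_double_flip_detected(uint32_t v, unsigned b1, unsigned b2)
{
    uint32_t d; unsigned s;
    return ecc_decode(ecc_encode(v) ^ ((uint64_t)1 << b1) ^ ((uint64_t)1 << b2), &d, &s) == ECC_UNCORRECTABLE;
}

int main(void)
{
    bool exact;
    printf("full report  : %u/%u words harvested, image %s\n", run_demo(true, &exact), N_WORDS, exact ? "exact" : "partial");
    printf("address only : %u/%u words harvested\n", run_demo(false, &exact), N_WORDS);
    return 0;
}
```

The `full_report` flag plays the role of ERAO = OFF; the single loop compresses what would in practice be many fault-injection attempts per word, but the information each corrected read hands over is the same. Note that even without the latched data word, a syndrome plus raw read data would let an attacker reconstruct the corrected word, which is why the restricted mode drops everything but the address.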

The Flash region configuration has an option that restricts the ECC module to reporting only the address when an ECC error occurs.

Enabling the ECC Address Only Error Report Feature on Flash Protection Region 0

//Error Report Address Only->ECC error reporting 
//  information restricted to address only
#pragma config FPR0CTRL_ERAO = ON

In many cases, full ECC error reporting is used during development to track down issues and is then restricted to address-only reporting for production. Some applications may want to keep full reporting in production for logging or field diagnostics. The system designer needs to weigh the benefit and risk of address-only versus full error reporting for each Flash region and select what is most appropriate for the system.

Key Considerations:

  • Properly configure an IRT region for the boot code and exit the IRT section correctly when transitioning to non-IRT code
  • Decide whether full ECC error data are required, and enable address-only error reporting for each region where they are not
  • Enable Code Protection to restrict ICSP access