System on chip - Quarkslab

System on chip

Semiconductors, trusted hardware

One hardware vulnerability. Hundreds of millions of devices.

SoCs concentrate crypto, DRM, TEE and private keys. A hardware flaw cannot be patched remotely and affects every unit produced simultaneously. Spectre, Meltdown, TrustZone bypass — Quarkslab operates at the level where others don’t go.

100 ns
A voltage glitch is enough to bypass ARM TrustZone (Quarkslab demonstrates it)
EAL 7
The highest CC level, ANSSI-approved CESTI evaluation
FIPS
PQC (post-quantum) migration mandatory for all crypto SoCs
70 %
Of global SoC production at TSMC: the #1 supply-chain risk

WHY SILICON IS THE ULTIMATE TARGET

SCA: extracting secret keys via physical emanations
Differential power analysis (DPA), correlation power analysis (CPA) and differential electromagnetic analysis (DEMA) extract secret information by statistically analysing the chip's power consumption or EM radiation while it operates. Unprotected implementations of AES, RSA and ECC give up their keys within a few thousand measurements. CC EAL4+ qualification (vulnerability analysis at AVA_VAN.5) requires demonstrated SCA resistance.
FIA: 100 ns to bypass ARM TrustZone secure boot
Voltage or clock glitching, localised EM injection and laser fault injection deliberately disturb the SoC while it executes, so that a security check is skipped or computes the wrong result. A 100-nanosecond glitch can skip a bootloader's signature verification and get unsigned code running in the secure world.
Spectre 2025: new variants, $50 of hardware is enough
CVE-2025-40300, a 2025 Spectre variant, breaks isolation between cloud VMs; on the physical side, a $50 DDR4 interposer is enough to break the isolation that memory encryption is supposed to provide. Neither class of vulnerability is fixed by a patch: they require a micro-architectural redesign or mitigations that cost performance.
Hardware trojans: trust in third-party IP
A modern SoC integrates IP from dozens of suppliers (ARM Cortex cores, Synopsys interface IP, crypto blocks). Each third-party IP block is a potential hardware-trojan vector. Foundry concentration at TSMC creates a systemic risk: a compromise of its process would affect 70% of global production at once.

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • Full SoC Red Team: fault injection, side-channel, JTAG, TEE analysis
  • Hardware-trojan attack simulation and supply-chain integrity verification
  • Firmware & secure-boot pentest: bypass, UEFI analysis, bootloader attacks
  • TEE/TrustZone Red Team — physical-attack simulation on trusted environments
  • Automotive SoC Red Team: ISO 21434, centralized ECU, OTA exploitation.

QLAB

DEEP SECURITY RESEARCH

  • Audit of crypto implementations (AES, RSA, ECC, PQC) against SCA and FIA — CC compliance
  • Micro-architectural 0-day research (Spectre/Meltdown variants, recent architectures)
  • Hardware supply-chain analysis: third-party IP, hardware-trojan detection
  • Vulnerability research on TrustZone, RISC-V TEE, Intel SGX/TDX, AMD SEV-SNP
  • Common Criteria evaluation (ANSSI-approved CESTI) — from EAL4 to EAL7.

QSHIELD

SOFTWARE PROTECTION

  • Protection of embedded firmware against post-production extraction
  • Anti-cloning for SoC makers exporting to geopolitically risky markets
  • IP protection of proprietary algorithms implemented in SoCs
  • Obfuscation of bootloader code and security mechanisms
  • Certifiable anti-tamper compatible with Common Criteria EAL.

QUARKSLAB DIFFERENTIATOR

Some providers specialise in SCA/FIA but do no offensive work and have no equivalent of QShield; others lack micro-architectural depth. Quarkslab is the only French player combining an ANSSI-approved hardware lab (SCA, FIA, laser), published research on micro-architectures (Spectre variants), CC CESTI evaluation and QShield protection for embedded code: from the test bench to protecting code in production.

WHAT WE WOULD SAY TO EACH OTHER, FACE TO FACE

Does your AES implementation withstand a DPA attack with 10,000 measurement traces?

Most security teams assess their SoCs through software tests and code scans. SCA and FIA do not go through software: SCA reads the chip's physical emanations while it operates, and FIA perturbs that operation directly. A SoC that passes every software test can give up its AES key in 10 minutes with an oscilloscope and the right setup.
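To make the DPA/CPA mechanism concrete (the attack class described under "SCA" above and the 10,000-trace question here), the following is an added example written for this page; it is not Quarkslab's code and not one of its tools. It runs a correlation power analysis against an AES first round. Because no oscilloscope is involved, the traces are constructed here: each "encryption" produces 16 samples, and sample i leaks the Hamming weight of the first-round S-box output for key byte i plus Gaussian noise. The Hamming-weight model, the noise level and the one-sample-per-byte layout are assumptions about the target; on real hardware the samples come from the probe and the statistics are unchanged.

```python
"""Correlation power analysis (CPA) on a simulated AES first round.

Added example, not Quarkslab code. Traces are synthetic (constructed
below): the leakage model (Hamming weight of SBOX[p ^ k] plus Gaussian
noise) is an assumption about the device under test.
"""
import math
import operator
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # inv XOR its four left rotations
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight leakage model


def simulate_traces(key, n_traces, noise_sigma, seed=1):
    """Constructed stand-in for captured traces: list of (plaintext, samples).

    Sample i of each trace leaks HW(SBOX[pt[i] ^ key[i]]) plus noise. A real
    capture has thousands of samples per trace and far lower SNR, which is
    why the page talks about thousands of traces rather than the few
    hundred this toy needs.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        pt = bytes(rng.randrange(256) for _ in range(16))
        samples = [HW[SBOX[p ^ k]] + rng.gauss(0.0, noise_sigma)
                   for p, k in zip(pt, key)]
        traces.append((pt, samples))
    return traces


def cpa_recover_key(traces):
    """Recover all 16 key bytes with first-order CPA.

    For each byte position and each of the 256 key guesses, predict the
    leakage HW(SBOX[p ^ k]) for every trace and compute the absolute Pearson
    correlation with every sample column. The guess with the highest peak
    correlation wins; the attacker need not know which sample leaks.
    Returns (key_bytes, per-byte peak correlation).
    """
    n = len(traces)
    n_samples = len(traces[0][1])
    columns = [[t[1][j] for t in traces] for j in range(n_samples)]
    col_sum = [sum(c) for c in columns]
    col_sq = [sum(v * v for v in c) for c in columns]
    key = bytearray(16)
    peaks = []
    for b in range(16):
        pts = [t[0][b] for t in traces]
        best_k, best_r = 0, -1.0
        for k in range(256):
            h = [HW[SBOX[p ^ k]] for p in pts]
            hs = sum(h)
            var_h = n * sum(v * v for v in h) - hs * hs
            if var_h == 0:  # constant prediction, no information
                continue
            for j in range(n_samples):
                cov = n * sum(map(operator.mul, h, columns[j])) - hs * col_sum[j]
                var_l = n * col_sq[j] - col_sum[j] ** 2
                r = abs(cov) / math.sqrt(var_h * var_l)
                if r > best_r:
                    best_k, best_r = k, r
        key[b] = best_k
        peaks.append(best_r)
    return bytes(key), peaks


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    for n in (20, 50, 200):
        recovered, peaks = cpa_recover_key(simulate_traces(key, n, 1.0))
        ok = sum(a == b for a, b in zip(recovered, key))
        print(f"{n:4d} traces: {ok:2d}/16 key bytes correct, "
              f"weakest peak correlation {min(peaks):.2f}")
```

The attack needs only known plaintexts and the traces; no key material and no software access to the device. Masking the S-box input removes the first-order dependency the correlation relies on, which is why a first-order CPA is the first thing an evaluator runs and higher-order statistics come next.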