Supervision : Emmanuelle ENCRENAZ
Co-supervision : ROBISSON Bruno, HEYDEMANN Karine
Security of assembly programs against fault attacks on embedded processors
This thesis focuses on the security of embedded programs against fault injection attacks. Due to the spreadings of embedded systems in our common life, development of countermeasures is important.
First, a fault model based on practical experiments with a pulsed electromagnetic fault injection technique has been built. The experimental results show that the injected faults were due to the corruption of the bus transfers between the Flash memory and the processor’s pipeline. Such faults enable to perform instruction replacements, instruction skips or to corrupt some data transfers from the Flash memory.
Although replacing an instruction with another very specific one is very difficult to control, skipping an instruction seems much easier to perform in practice and has been observed very frequently. Furthermore many simple attacks can carried out with an instruction skip. A countermeasure that prevents such instruction skip attacks has been designed and formally verified with model-checking tool. The countermeasure replaces each instruction by a sequence of instructions.
However, this countermeasure does not protect the data loads from the Flash memory. To do this, it can be combined with another assembly-level countermeasure that performs a fault detection. A first experimental test of these two countermeasures has been achieved, both on isolated instructions and complex codes from a FreeRTOS implementation. The proposed countermeasure appears to be a good complement for this detection countermeasure and allows to correct some of its flaws.
Defence : 11/13/2014
Jury members :
BERTHOMÉ Pascal (INSA Centre Val de Loire) [Rapporteur]
LANET Jean-Louis (INRIA Rennes) [Rapporteur]
BAJARD Jean-Claude (UPMC)
GIRAUD Christophe (Oberthur Technologies)
GUILLEY Sylvain (Telecom ParisTech)
LALANDE Jean-François (INSA Centre Val de Loire)
PAILLIER Pascal (CryptoExperts)
HEYDEMANN Karine (UPMC)
ENCRENAZ Emmanuelle (UPMC)
ROBISSON Bruno (CEA)
- N. Moro : “Sécurisation de programmes assembleur face aux attaques visant les processeurs embarqués”, thesis, defence 11/13/2014, supervision Encrenaz, Emmanuelle, co-supervision : Robisson, Bruno, Heydemann, Karine (2014)
- N. Moro, K. Heydemann, E. Encrenaz, B. Robisson : “Formal verification of a software countermeasure against instruction skip attacks”, Journal of Cryptographic Engineering, vol. 4 (3), pp. 145-156, (Springer) (2014)
- N. Moro, K. Heydemann, A. Dehbaoui, B. Robisson, E. Encrenaz : “Fault attacks on two software countermeasures”, TRUDEVICE 2014, Paderborn, Germany (2014)
- N. Moro, K. Heydemann, A. Dehbaoui, B. Robisson, E. Encrenaz : “Experimental evaluation of two software countermeasures against fault attacks”, 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), Arlington, United States, pp. 112-117 (2014)
- N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, E. Encrenaz : “Electromagnetic fault injection on microcontrollers”, Chip-to-Cloud Security Forum 2013, Nice, France (2013)
- K. Heydemann, N. Moro, E. Encrenaz, B. Robisson : “Formal verification of a software countermeasure against instruction skip attacks”, PROOFS 2013, Santa-Barbara, United States (2013)
- N. Moro, A. Dehbaoui, K. Heydemann, B. Robisson, E. Encrenaz : “Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller”, Proceedings of the 10th workshop on Fault Diagnosis and Tolerance in Cryptography, Santa-Barbara, United States, pp. 77-88 (2013)
- H. Le Bouder, N. Moro, B. Robisson, E. Encrenaz, A. Tria : “Un formalisme commun aux attaques par canaux auxiliaires et par injection de fautes”, Colloque National GDR SOC-SIP 2012, Paris, France (2012)