Publications
2024
Generic SCARE: reverse engineering without knowing the algorithm nor the machine
JCEN2024
Ronan Lashermes, Hélène Le Bouder
In Journal of Cryptographic Engineering
We introduce a novel side-channel-based reverse engineering technique capable of reconstructing a procedure solely from inputs, outputs, and traces of execution. Beyond generic restrictions, we do not assume any prior knowledge of the procedure or the chip it operates on. These restrictions confine our analysis to 8-bit RISC constant-time software implementations. Specifically we demonstrate with simulated traces the theoretical feasibility of reconstructing a symmetric cryptographic cipher, even in scenarios where traces are sampled with information loss and noise, such as when measuring the power consumption of the chip.
Characterizing and Modeling Synchronous Clock-Glitch Fault Injection
COSADE2024
Amélie Marotta, Ronan Lashermes, Guillaume Bouffard, Olivier Sentieys, Rachid Dafali
In the International Workshop on Constructive Side-Channel Analysis and Secure Design
In the realm of fault injection (FI), electromagnetic fault injection (EMFI) attacks have garnered significant attention, particularly for their effectiveness against embedded systems with minimal setup. These attacks exploit vulnerabilities with ease, underscoring the importance of comprehensively understanding EMFI. Recent studies have highlighted the impact of EMFI on phase-locked loops (PLLs), uncovering specific clock glitches that induce faults. However, these studies lack a detailed explanation of how these glitches translate into a specific fault model. Addressing this gap, our research investigates the physical fault model of synchronous clock glitches (SCGs), a clock glitch injection mechanism likely to arise from EMFI interactions within the clock network. Through an integrated approach combining experimental and simulation techniques, we critically analyze the adequacy of existing fault models, such as the Timing Fault Model and the Sampling Fault Model in explaining SCGs. Our findings reveal specific failure modes in D flip-flops (DFFs), contributing to a deeper understanding of EMFI effects and aiding in the development of more robust defensive strategies against such attacks.
2021
Under the dome: preventing hardware timing information leakage
CARDIS2021
Mathieu Escouteloup, Ronan Lashermes, Jacques Fournier, Jean-Louis Lanet
In the 20th Smartcard Research and Advanced Application Conference (CARDIS), 2021
Numerous timing side-channel attacks have been proposed in recent years, showing that all shared states inside the microarchitecture are potential threats. Previous works have dealt with this problem by considering those “shared states” separately and not by looking at the system as a whole. In this paper, instead of reconsidering the problematic shared resources one by one, we lay out generic guidelines to design complete cores immune to microarchitectural timing information leakage. Two implementations are described using the RISC-V ISA with a simple extension. The cores are evaluated with respect to performance, area and security, with a new open-source benchmark assessing timing leakages. We show that with this “generic” approach, designing secure cores even with complex features such as simultaneous multithreading is possible. We discuss the trade-offs that need to be made in that respect regarding the microarchitecture design.
Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models
JCEN2021
Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, Guillaume Bouffard
In the Journal of Cryptographic Engineering
The last years have seen the emergence of fault attacks targeting modern central processing units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the electromagnetic fault injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837 where we successfully demonstrate persistent faults on L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the memory management unit (MMU). To validate our fault model, we realize a persistent fault analysis to retrieve an AES key.
2020
Recommendations for a radically secure ISA
CARRV2020
Mathieu Escouteloup, Jacques Fournier, Jean-Louis Lanet, Ronan Lashermes
In the Fourth Workshop on Computer Architecture Research with RISC-V
The rising number of attacks targeting processors at micro-architecture level encourages more research on hardware level solutions. In this position paper, we specify a new RV32S “secure” instruction set architecture (ISA) derived from the RV32I RISC-V ISA. We propose modifications in the ISA to prevent timing side channels, strengthen control flow integrity and ensure micro-architectural state isolation. The goal is to provide a new minimal hardware/software approach through which software attacks exploiting hardware vulnerabilities can be circumvented.
2019
A case against indirect jumps for secure programs
SSPREW2019
Alexandre Gonzalvez, Ronan Lashermes
In The 9th Software Security, Protection and Reverse Engineering Workshop
A desired property of secure programs is control flow integrity (CFI): an attacker must not be able to alter how instructions are chained as specified in the program. Numerous techniques try to achieve this property with various trade-offs. But to achieve fine-grained CFI, one is required to extract a precise control flow graph (CFG), describing how instructions are chained together. Unfortunately it is not achievable in general. In this paper, we propose a way to overcome this impossibility result by restricting the instruction set architecture (ISA) semantics. We show that forbidding indirect jumps unlocks a precise CFG extraction for all acceptable programs. We discuss the implications and limitations of the new semantics and argue for the adoption of restricted ISAs for security-related computation.
2018
Hardware-Assisted Program Execution Integrity: HAPEI
NordSec2018
Ronan Lashermes, Hélène Le Bouder, Gaël Thomas
In The 23rd Nordic Conference on Secure IT Systems
Even if a software is proven sound and secure, an attacker can still insert vulnerabilities with fault attacks. In this paper, we propose HAPEI, an Instruction Set Randomization scheme to guarantee Program Execution Integrity even in the presence of hardware fault injection. In particular, we propose a new solution to the multi-predecessors problem. This scheme is then implemented as a hardened CHIP-8 virtual machine, able to ensure program execution integrity, to prove the viability and to explore the limits of HAPEI.
When fault injection collides with hardware complexity
FPS2018
Sebanjila Kevin Bukasa, Ludovic Claudepierre, Ronan Lashermes, Jean-Louis Lanet
In the 11th International Symposium on Foundations and Practice of Security
Fault Injections (FI) against hardware circuits can make a system inoperable or lead to information security breaches. FI can be used preemptively in order to detect and mitigate weaknesses in a design. FI is an old field of study and therefore numerous techniques and tools can be used for that purpose. Each technique can be used at different levels of circuit design, and has strengths and weaknesses. In this paper, we review these techniques to show their pros and cons and more precisely we highlight their shortcomings with respect to the complexity of modern systems.
Let’s shock our IoT’s heart: ARMv7-M under (fault) attacks
ARES2018
Sebanjila K. Bukasa, Ronan Lashermes, Jean-Louis Lanet, Axel Legay
In The 13th International Conference on Availability, Reliability and Security
A fault attack is a well-known technique where the behaviour of a chip is voluntarily disturbed by hardware means in order to undermine the security of the information handled by the target. In this paper, we explore how Electromagnetic fault injection (EMFI) can be used to create vulnerabilities in sound software, targeting a Cortex-M3 microcontroller. Several use-cases are shown experimentally: control flow hijacking, buffer overflow (even with the presence of a canary), covert backdoor insertion and Return Oriented Programming can be achieved even if programs are not vulnerable from a software point of view. These results suggest that the protection of any software against vulnerabilities must take hardware into account as well.
Verifying a PIN
MISC97
Ronan Lashermes, Hélène Le Bouder
MISC No. 97
Entering a PIN code to use a bank card or unlock a mobile phone has become a daily routine. The device must verify that the entered code is correct. How should this verification be implemented? It might seem like a simple comparison of two data arrays. Think again! Physical attacks will make this challenging.
Fault Injection Attacks
MISC96
Ronan Lashermes
MISC No. 96
Making secure code vulnerable, creating an undetectable backdoor—these are some possibilities of fault injection attacks. Fire up your RF amplifier; we're going to make some sparks!
2017
How TrustZone could be bypassed: Side-Channel Attacks on a modern System-on-Chip
WISTP2017
Sebanjila Kevin Bukasa, Ronan Lashermes, Hélène Le Bouder, Jean-Louis Lanet, Axel Legay
In the 11th International Conference on Information Security Theory and Practice
Side-channel attacks (SCA) exploit the reification of a computation through its physical dimensions (current consumption, EM emission, ...). Focusing on Electromagnetic analyses (EMA), such analyses have mostly been considered on low-end devices: smartcards and microcontrollers. In the wake of recent works, we propose to analyze the effects of a modern microarchitecture on the efficiency of EMA (here Correlation Power Analysis and template attacks). We show that despite the difficulty to synchronize the measurements, the speed of the targeted core and the activity of other cores on the same chip can still be accommodated. Finally, we confirm that enabling the secure mode of TrustZone (a hardware-assisted software countermeasure) has no effect whatsoever on the EMA efficiency. Therefore, critical applications in TrustZone are not more secure than in the normal world with respect to EMA, in accordance with the fact that it is not a countermeasure against physical attacks. To the best of our knowledge this is the first application of EMA against TrustZone.
2016
A Multi-Round Side Channel Attack on AES using Belief Propagation
FPS2016
Hélène Le Bouder, Ronan Lashermes, Yanis Linge, Gaël Thomas, Jean-Yves Zie
In the 9th International Symposium on Foundations and Practice of Security
This paper presents a new side channel attack to recover a block cipher key. No plaintext and no ciphertext are required, no templates are built. Only the leakage measurements collected in many different rounds of the algorithm are exploited. The leakage is considered as a Hamming weight with a Gaussian noise. The chosen target is the Advanced Encryption Standard (AES). Bayesian inference is used to score all guesses on several consecutive round-key bytes. From these scores a Belief Propagation algorithm is used, based on the relations of the Key-Expansion, to discriminate the unique correct guess. Theoretical results according to various noise models are obtained with simulations.
High-performance Elliptic Curve Cryptography by Using the CIOS Method for Modular Multiplication
CRiSIS2016
Amine Mrabet, Nadia El-Mrabet, Ronan Lashermes, Jean-Baptiste Rigaud, Belgacem Bouallegue, Sihem Mesnager, Mohsen Machhout
In the 11th International Conference on Risks and Security of Internet and Systems
Elliptic Curve Cryptography (ECC) is becoming unavoidable, and should be used for public key protocols. It has gained increasing acceptance in practice due to the significantly smaller bit size of the operands compared to RSA for the same security level. Most protocols based on ECC imply the computation of a scalar multiplication. ECC can be performed in affine, projective, Jacobian or other models of coordinates. The arithmetic in a finite field constitutes the core of ECC Public Key Cryptography. This paper discusses an efficient hardware implementation of scalar multiplication in Jacobian coordinates by using the Coarsely Integrated Operand Scanning method (CIOS) of Montgomery Modular Multiplication (MMM) combined with an effective systolic architecture designed with a two-dimensional array of Processing Elements (PE). As far as we know this is the first implementation of such a design for large prime fields. The proposed architectures are designed for Field Programmable Gate Array (FPGA) platforms. The objective is to reduce the number of clock cycles of the modular multiplication, which implies a good performance for ECC. The presented implementation results focus on various security levels useful for cryptography. This architecture has been designed in order to use the flexible DSP48 on Xilinx FPGAs. Our architecture for MMM is scalable and depends only on the number and size of words.
A template attack against VERIFY PIN algorithms
SECRYPT2016
Hélène Le Bouder, Thierno Barry, Damien Couroussé, Jean-Louis Lanet, Ronan Lashermes
In the 13th International Conference on Security and Cryptography
This paper presents the first side channel analysis from electromagnetic emissions on VERIFY PIN algorithms. To enter a PIN code, a user has a limited number of trials. Therefore the main difficulty of the attack is to succeed with very few traces. More precisely, this work implements a template attack and experimentally verifies its success rate. It becomes a new real threat, and it is feasible on a low cost and portable platform. Moreover, this paper shows that some protections for VERIFY PIN algorithms against fault attacks introduce new vulnerabilities with respect to side channel analysis.
2014
Practical Validation of Several Fault Attacks against the Miller Algorithm
FDTC2014
Ronan Lashermes, Marie Paindavoine, Nadia El Mrabet, Jacques J.A. Fournier, Louis Goubin
In the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2014
Pairing based cryptography (PBC) is touted as an efficient approach to address usability and privacy issues in the cyberspace. Like most cryptographic algorithms, PBC must be robust not only against theoretical cryptanalysis but also against practical physical attacks such as fault injections. The computation of the Tate pairing can be divided into two parts, the Miller Algorithm and the Final Exponentiation. In this paper, we describe practical implementations of fault attacks against the Miller Algorithm validating common fault models used against pairings. In the light of the implemented fault attacks, we show that some blinding techniques proposed to protect the algorithm against Side-Channels Analyses cannot be used as countermeasures against the implemented fault attacks.
2013
Inverting the Final Exponentiation of Tate Pairings on Ordinary Elliptic Curves Using Faults
CHES2013
Ronan Lashermes, Jacques Fournier, Louis Goubin
In Cryptographic Hardware and Embedded Systems - 2013
The calculation of the Tate pairing on ordinary curves involves two major steps: the Miller Loop (ML) followed by the Final Exponentiation (FE). The first step for achieving a full pairing inversion would be to invert this FE, which in itself is a mathematically difficult problem. To our best knowledge, most fault attack schemes proposed against pairing algorithms have mainly focussed on the ML. They solved, if at all, the inversion of the FE in some special ‘easy’ cases or even showed that the complexity of the FE is an intrinsic countermeasure against a successful full fault attack on the Tate pairing. In this paper, we present a fault attack on the FE whereby the inversion of the final exponentiation becomes feasible using 3 independent faults.
2012
A DFA on AES based on the entropy of error distributions
FDTC2012
Ronan Lashermes, Guillaume Reymond, Jean-Max Dutertre, Jacques Fournier, Bruno Robisson, Assia Tria
In Workshop on Fault Diagnosis and Tolerance in Cryptography
Differential fault analysis (DFA) techniques have been widely studied during the past decade. To our best knowledge, most DFA techniques on the Advanced Encryption Standard (AES) either impose strong constraints on the fault injection process or require numerous faults in order to recover the secret key. This article presents a simple methodology based on information theory which allows to adapt the number of required faults for the analysis to the fault injection process. With this technique, the constraints on the fault model to recover the last round key are considerably lowered. Additionally, entropy is proposed as a tool to apprehend the most complex fault models in DFA. A practical realization and simulations are presented to illustrate our methodology.