



list



# Application outillée de contre-mesures contre les attaques matérielles

Soutenance d'Habilitation à Diriger des Recherches

Damien Couroussé

28 août 2024

Composition du jury

Rapporteurs    **Guy Gogniat**

**Guillaume Hiet**

**Ingrid Verbauwhede**

Examinateurs    **Aurélien Francillon**

**David Hély**

**Karine Heydemann**

**Marie-Laure Potet**

professeur à l'Université Bretagne Sud

professeur à CentraleSupélec Rennes

professeure à KU Leuven

professeur à EURECOM

professeur à LCIS, Université Grenoble Alpes

experte sécurité à Thalès DIS, chercheuse associée au LIP6

professeure à Université Grenoble Alpes



# Cybersecurity: a challenge for the information society



Once there were two “mental chess” experts who had become tired of their pastime. “Let’s play ‘Mental Poker,’ for variety” suggested one. “Sure” said the other. “Just let me deal!”



cve™





# Physical attacks

## Side-channel analysis



## Fault injection attacks



Highly effective against cryptographic implementations  
Can leverage software vulnerabilities [Cui & Rousley, 2017]



# Physical attacks, conceptually

Side-channel analysis



Fault injection attacks





# Physical attacks, behind the scenes

## Side-channel analysis



[Casalino PhD, 2024]

## Fault injection attacks



[Yuce & al. 2018]

# Towards the production of secure digital systems

countermeasures are applied  
at every abstraction level,  
from software to silicon





# (Legacy) compilers are not designed for security

## No support for FIA / SCA countermeasures

- Software security: support of control-flow protections such as stack canaries, etc. (GCC, LLVM)

## Compiler optimizations are harmful to countermeasures

- Redundancy / dead code elimination (FIA)
- Inversion of commutative operations (masking vs. SCA)

## Compile without optimizations (-O0)? Not even better!

- Poor performance
- Large attack surface: code size, high nb of mem accesses





# (Legacy) compilers are not designed for security

## No support for FIA / SCA countermeasures

- Software security: support of control-flow protections such as stack canaries, etc. (GCC, LLVM)

## Compiler optimizations are harmful to countermeasures

- Redundancy / dead code elimination (FIA)
- Inversion of commutative operations (masking vs. SCA)

## Compile without optimizations (-O0)? Not even better!

- Poor performance
- Large attack surface: code size, high nb of mem accesses

## Consequences

- **High manual effort** for hardening implementations
- **Fragile implementations** (compiler tricks, recipes, workarounds...)
- **Requires careful inspection** of compiler outputs

Same bottlenecks with synthesis tools, e.g. [Nasahl & al., 2022]



Research question:

**Provide tools to help secure digital systems**

### → Application of countermeasures

- Automation
- Flexibility: security/cost trade-off
- Effective at the binary level

# Towards the production of secure digital systems



# Towards the production of secure digital systems

Research question:

**Provide tools to help secure digital systems**



## → Application of countermeasures

- Automation
- Flexibility: security/cost trade-off
- Effective at the binary level

## → Security verification

- Automation
- Flexibility: variable threat models
- SW level, HW level, **SW+HW**



## ■ Research overview

# Research overview



# Research overview



## Compilation of software countermeasures

### 1. Against fault injection attacks

- Fault tolerance against instruction-skip fault attacks [CS2, 2016]
- Control-flow integrity [Barry PhD, 2017]

# Research overview



## Compilation of software countermeasures

1. Against fault injection attacks
  - Fault tolerance against instruction-skip fault attacks [CS2, 2016]
  - Control-flow integrity against fault injection attacks [Barry PhD, 2017]
2. Against side-channel attacks
  - Code polymorphism as a hiding countermeasure [WISTP, 2016] [TACO, 2019]
  - First-order Boolean masking [TCAD, 2020]

[WISTP, 2016] Runtime Code Polymorphism as a Protection against Side Channel Attacks. [10.1007/978-3-319-45931-8\\_9](https://doi.org/10.1007/978-3-319-45931-8_9)

[TACO, 2019] Automated Software Protection for the Masses against Side-Channel Attacks. [10.1145/3281662](https://doi.org/10.1145/3281662)

[TCAD, 2020] Maskara: Compilation of a Masking Countermeasure with Optimised Polynomial Interpolation. [10.1109/TCAD.2020.3012237](https://doi.org/10.1109/TCAD.2020.3012237)

# Research overview



## Compilation of software countermeasures

1. Against fault injection attacks [CS2, 2016] [Barry PhD, 2017]
2. Against side-channel attacks [WISTP, 2016] [TACO, 2019] [TCAD, 2020]

## Hardware-software co-design of secure systems

3. Confidentiality and side-channel protection [DTRAP, 2022]

# Research overview



## Compilation of software countermeasures

1. Against fault injection attacks [CS2, 2016] [Barry PhD, 2017]
2. Against side-channel attacks [WISTP, 2016] [TACO, 2019] [TCAD, 2020]

## Hardware-software co-design of secure systems

3. Confidentiality and side-channel protection [DTRAP, 2022]
4. Control-signal integrity of a processor microarchitecture [TCAD, 2023]

# Research overview



## Compilation of software countermeasures

1. Against fault injection attacks [CS2, 2016] [Barry PhD, 2017]
2. Against side-channel attacks [WISTP, 2016] [TACO, 2019] [TCAD, 2020]

## Hardware-software co-design of secure systems

3. Confidentiality and side-channel protection [DTRAP, 2022]
4. Control-signal integrity of a processor microarchitecture [TCAD, 2023]

## Security formal verification

5. Characterization of software vulnerabilities [POPL, 2024]
  - Application to fault injection attacks

# Research overview



## Compilation of software countermeasures

1. Against fault injection attacks [CS2, 2016] [Barry PhD, 2017]
2. Against side-channel attacks [WISTP, 2016] [TACO, 2019] [TCAD, 2020]

## Hardware-software co-design of secure systems

3. Confidentiality and side-channel protection [DTRAP, 2022]
4. Control-signal integrity of a processor microarchitecture [TCAD, 2023]

## Security formal verification

5. Characterization of software vulnerabilities [POPL, 2024]
6. Verification of processor microarchitecture for fault robustness HW+SW analysis [FDTC, 2022] [TCHES, 2024]



# Compilation of Software ■ Countermeasures

# Detour: Runtime Code Generation for Embedded Systems

PhD. Fernando Endo, 2015

## Architecture- and data-driven code specialization for time and energy efficiency

### Challenge



### Approach



### Results



# Detour: Runtime Code Generation for Embedded Systems

PhD. Fernando Endo, 2015

## Architecture- and data-driven code specialization for time and energy efficiency

### Challenge



### Approach



### Results



# Code Polymorphism

COGITO, ANR 2013-2017

PhD. Nicolas Belleville, 2019

Regularly changing the behavior of a software component, at runtime, while preserving functional properties

Challenges:

High observational variability



Applicability to constrained  
embedded systems



# Code Polymorphism

COGITO, ANR 2013-2017

PhD. Nicolas Belleville, 2019

Regularly changing the behavior of a software component, at runtime, while preserving functional properties

## Challenges:

### High observational variability



### Applicability to constrained embedded systems



# Runtime Code Transformations

COGITO, ANR 2013-2017

PhD. Nicolas Belleville, 2019

|              | Register shuffling                                                                                                                                                                                                                                                                     | Instruction shuffling                                                                                                                                                                        |                                                                                                                                                                                                                                                              |
|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| compile time | random general purpose register permutation<br>                                                                                                                                                     | independent instructions are emitted in a random order<br>                                                |                                                                                                                                                                                                                                                              |
| runtime      | <b>Semantic variants</b><br>replacement of an instruction by a randomly selected semantic variant<br><br><code>add r4, r4, r5<br/>xor r6, r5, #12348<br/>xor r6, r6, r8<br/>xor r6, r6, #12348</code> | <b>Noise instructions</b><br>insertion of a random number of randomly chosen useless instructions<br><code>add r4, r4, r5<br/>sub r7, r6, r2<br/>load r3, r10, #53<br/>xor r6, r5, r8</code> | <b>Dynamic noise</b><br>random execution of noise instructions<br><code>add r4, r4, r5<br/>jump ?<br/>sub r7, r6, r2<br/>load r3, r10, #53<br/>xor r6, r5, r8</code><br> |

# Runtime Code Transformations

COGITO, ANR 2013-2017

PhD. Nicolas Belleville, 2019



# Security Evaluation

CLAPs, IRT NanoElec 2017-2020

## GreyBox Evaluation, unprotected ARM Cortex-M3

CPA attack, EM, without alignment

- $\sim A_{auto}$  [ESORICS, 2020]



[TACO, 2019]

## WhiteBox Evaluation, unprotected ARM Cortex-M4

Several attacks with attacker models of increasing power:

- Automated attack **without alignment** →  $A_{auto}$
- CPA with **manual alignment** →  $A_{CPA_{aligned}}$
- Gaussian template with **manual alignment** →  $A_{gT_{aligned}}$
- CNN **designed by expert** →  $A_{CNN}$

### # traces for successful leakage exploitation

| Scenario            | mbedTLS               | AES 8-bit |
|---------------------|-----------------------|-----------|
| $A_{auto}$          | $> 10^5$              | $> 10^5$  |
| $A_{CPA_{aligned}}$ | $3 \cdot 10^3 - 10^5$ | $> 10^5$  |
| $A_{gT_{aligned}}$  | $20 - 10^3$           | $> 10^5$  |
| $A_{CNN}$           | $< 20$                | $< 10$    |

[ESORICS, 2020]

Software hiding with higher noise can be effective against deep learning attacks

[Belleville & Masure, 2024]

[TACO, 2019] Automated Software Protection for the Masses against Side-Channel Attacks. [10.1145/3281662](https://doi.org/10.1145/3281662)

[ESORICS, 2020] Deep Learning Side-Channel Analysis on Large-Scale Traces – a Case Study on a Polymorphic AES. [10.1007/978-3-030-58951-6\\_22](https://doi.org/10.1007/978-3-030-58951-6_22)

[Belleville & Masure, 2024] Combining Loop Shuffling and Code PolyMorphism for Enhanced AES Side-Channel Security. [10.1007/978-3-031-57543-3\\_14](https://doi.org/10.1007/978-3-031-57543-3_14)

# Security Evaluation

CLAPs, IRT NanoElec 2017-2020

## GreyBox Evaluation, unprotected ARM Cortex-M3

CPA attack, EM, without alignment

- $\sim A_{auto}$  [ESORICS, 2020]



[TACO, 2019]

## WhiteBox Evaluation, unprotected ARM Cortex-M4

Several attacks with attacker models of increasing power:

- Automated attack **without alignment**  $\xrightarrow{\hspace{1cm}}$
- CPA with **manual alignment**  $\xrightarrow{\hspace{1cm}}$
- Gaussian template with **manual alignment**  $\xrightarrow{\hspace{1cm}}$
- CNN **designed by expert**  $\xrightarrow{\hspace{1cm}}$

### # traces for successful leakage exploitation

| Scenario            | mbedTLS               | AES 8-bit |
|---------------------|-----------------------|-----------|
| $A_{auto}$          | $> 10^5$              | $> 10^5$  |
| $A_{CPA_{aligned}}$ | $3 \cdot 10^3 - 10^5$ | $> 10^5$  |
| $A_{gT_{aligned}}$  | $20 - 10^3$           | $> 10^5$  |
| $A_{CNN}$           | $< 20$                | $< 10$    |

[ESORICS, 2020]

Software hiding with higher noise can be effective against deep learning attacks

[Belleville & Masure, 2024]

[TACO, 2019] Automated Software Protection for the Masses against Side-Channel Attacks. [10.1145/3281662](https://doi.org/10.1145/3281662)

[ESORICS, 2020] Deep Learning Side-Channel Analysis on Large-Scale Traces – a Case Study on a Polymorphic AES. [10.1007/978-3-030-58951-6\\_22](https://doi.org/10.1007/978-3-030-58951-6_22)

[Belleville & Masure, 2024] Combining Loop Shuffling and Code PolyMorphism for Enhanced AES Side-Channel Security. [10.1007/978-3-031-57543-3\\_14](https://doi.org/10.1007/978-3-031-57543-3_14)

# Compilation of First-Order Boolean Masking

PROSECCO, ANR 2015-2019

PhD. Nicolas Belleville, 2019

## Masking of secret variables in control-flow structures

- Confidentiality analysis in CFG, masking propagation, remasking analysis



## Masking of non-linear operations, typically AES/SubBytes:

- usually by *ad hoc* masking schemes
- mostly implemented as Look-Up Tables (LUT)
- Masked evaluation of a **polynomial interpolation** of the target LUT



# Compilation of First-Order Boolean Masking

PROSECCO, ANR 2015-2019

PhD. Nicolas Belleville, 2019

## Security evaluation

- **Formally verified** in the value-based leakage model [TCAD, 2020]
  - Collaboration LIP6 [Ben El Ouahma & al., 2017]
- Leakage observed from EM measurements
- Leakage hypothesis: transition-based leakage, **empirically removed by the compiler's back-end**
  - Memory accesses
  - ALU operations



| Function               | #inst | Distribution of instruction result |      |     |     |     |
|------------------------|-------|------------------------------------|------|-----|-----|-----|
|                        |       | CST                                | RUD  | ISD | SDD | UKD |
| AddRoundKey            | 181   | 53                                 | 128  | 0   | 0   | 0   |
| InterpolatedSboxAccess | 707   | 211                                | 496  | 0   | 0   | 0   |
| SubBytes               | 11332 | 3396                               | 7936 | 0   | 0   | 0   |
| ShiftRows              | 54    | 2                                  | 52   | 0   | 0   | 0   |
| MixColumn              | 346   | 30                                 | 273  | 43  | 0   | 0   |
| KeySchedule            | 2971  | 858                                | 2113 | 0   | 0   | 0   |

No leakage detected: 0 cases in SSD (statistically dependent from secrets) or UKD (unknown)



# Microarchitectural information leakage

IDROMEL, ANR 2021-2024

PhD. Lorenzo Casalino, 2024

## Practical resilience analysis of masked software implementations

- Also vulnerable to micro-architectural leakage [Access, 2023]

## Compilation of masking secured against micro-architectural leakage

- Instruction scheduling: compiler's backend extended with a micro-architectural model of the data path
- Register allocation: policy with leakage interference constraints





# Hardware-Software ■ Co-Design

# Problem: Faults targeting control signals

COFFI, ANR 2019-2023

PhD. Thomas Chamelot, 2022

- Data integrity
- Code authenticity / integrity
- Control-flow integrity



# Problem: Faults targeting control signals

COFFI, ANR 2019-2023

PhD. Thomas Chamelot, 2022

- Data integrity
- Code authenticity / integrity
- Control-flow integrity
- Control-signal integrity** [TCAD, 2023]



# MAFIA: Protection of the microarchitecture against fault injection attacks

COFFI, ANR 2019-2023

PhD. Thomas Chamelot, 2022

- Data integrity (not supported)
- Code authenticity / integrity
- Control-flow integrity
- Control-signal integrity





# Code Authenticity and Control-Flow Integrity (CACFI)

- 🛡️ Code authenticity / integrity
- 🛡️ Control-flow integrity
- 🛡️ Control-signal integrity

signature function  $f$   
signature chaining  
signature computed from **pipeline state** values

$$\begin{aligned}
 \text{BB0:} \\
 & \text{Insn0} = f(\Sigma_0, IV_0) \\
 & \text{Insn1} = f(\Sigma_1, S_0) \\
 & \text{Insn2} = f(\Sigma_2, S_1) \\
 & \dots \\
 & \text{InsnN} = f(\Sigma_N, S_{N-1}) \\
 & S_{BB0} = f(\Sigma_N, S_{N-1}) \\
 \downarrow \\
 \text{BB1:} \\
 & \text{Insn0} = f(\Sigma_0, S_{BB0}) \\
 & \dots \\
 & \text{InsnM} = f(\Sigma_M, S_{M-1}) \\
 & S_{BB1} = f(\Sigma_M, S_{M-1})
 \end{aligned}$$





# Control-Signal Integrity (CSI)

Control-signal integrity

- Integrity ensured by redundancy  
e.g. duplication
- Signals are verified at each stage (until consumption)

Code authenticity / integrity  
Control-flow integrity  
Control-signal integrity



# MAFIA: Software support

COFFI, ANR 2019-2023

PhD. Thomas Chamelot, 2022





## ■ Perspectives



# Conclusion

The compiler: the “place to be” for the application of countermeasure?

- automated
- optimized
- configurable and flexible

Can also leverage support for complex countermeasures

# HW/SW security formal verification of fault robustness



## Status

- Faults incur extra analysis complexity:
  - State space explosion
  - Multiple faults: combinatorial explosion
- Must consider HW+SW [Laurent & al., 2021]
- Proof of concept of formal HW+SW [FDTC, 2022]

## Challenge

- Growing complexity of real case studies
  - Large HW designs, large programs (SW)

## First step

- Opportunity: rely on specific design properties
- k-partitioning for concurrent error detection [TCHES, 2024]
  - 1-fault analysis on OpenTitan + bootloader
  - 3-fault analysis on crypto IPs

PhD Simon Tollec (2021-2024)

PhD 2024-2027. collab. CEA-List / ANSSI

[Laurent & al., 2021] Bridging the Gap between RTL and Software Fault Injection. [10.1145/3446214](https://doi.org/10.1145/3446214)

[FDTC, 2022] Exploration of fault effects on formal RISC-V microarchitecture models. [10.1109/FDTC57191.2022.00017](https://doi.org/10.1109/FDTC57191.2022.00017)

[TCHES, 2024] Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults. <https://eprint.iacr.org/2024/247>

# HW/SW security formal verification of fault robustness



## Status

- Faults incur extra analysis complexity:
  - State space explosion
  - Multiple faults: combinatorial explosion
- Must consider HW+SW [Laurent & al., 2021]
- Proof of concept of formal HW+SW [FDTC, 2022]

## Challenge

- Growing complexity of real case studies
  - Large HW designs, large programs (SW)

## First step

- Opportunity: rely on specific design properties
- k-partitioning for concurrent error detection [TCHES, 2024]
  - 1-fault analysis on OpenTitan + bootloader
  - 3-fault analysis on crypto IPs

PhD Simon Tollec (2021-2024)

PhD 2024-2027. collab. CEA-List / ANSSI

[Laurent & al., 2021] Bridging the Gap between RTL and Software Fault Injection. [10.1145/3446214](https://doi.org/10.1145/3446214)

[FDTC, 2022] Exploration of fault effects on formal RISC-V microarchitecture models. [10.1109/FDTC57191.2022.00017](https://doi.org/10.1109/FDTC57191.2022.00017)

[TCHES, 2024] Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults. <https://eprint.iacr.org/2024/247>

# Characterization of vulnerabilities



## Status

- Formal methods for proving security properties
- UNSAT → examples
  - Corner case? Unreachable in practice
  - Easily exploitable?

## Challenges

- « severity » of a vulnerability wrt. threat model?
- Characterization of countermeasures that partially support a threat model

## First step

- Generation of constraints ensuring the satisfiability of a target property [POPL, 2024]
- Application to fault injection robustness analysis

# Combination of countermeasures



## Status

- Many existing countermeasures [Springer, 2018], but **designed in silos**
- Trend: « one countermeasure to rule them all » **SCA + FIA**
  - Data protection only, in crypto

## Challenges

- Rely on known countermeasures / security designs
- Compose countermeasures at compilation time
- Articulation with hardware properties

Combination of hiding and masking against SCA  
(FlexSecurity, Carnot List)



# Application of hardware countermeasures



[Gorius & al., 2022]

## Challenges

- Demonstrate the automated synthesis of typical countermeasures (redundancy, etc.)
- Microarchitectural-level countermeasures (MAFIA) require to « open the box » of the synthesis flow

ANR LOTR (lead IRISA)

# Proof of functional correctness



## Status

- ✓ Automated security application
- ✓ Formal security verification
- ✗ Functional correctness

## Challenges

- Extend relational analysis [Daniel & al., 2020] to program analysis
- Prove that the **reference** and the **hardened programs** are **functionally equivalent**

[PhD, 2024-2027] collab. CEA-List DILS/DSCIN



# Supervision & funding support

## Supervision and co-supervision

- 6 PhD students
- 7 research engineers, post-docs
- 1 development engineer

## Collaborative projects (most representative)

- COGITO (ANR 2013-2017) – coordinator
- PROSECCO (ANR 2016-2019)
- CLAPs (IRT Pulse, 2017-2020) – coordinator
- Serene-IoT (PENTA, 2016-2019) – WP lead
- COFFI (ANR 2019-2023)
- IDROMEL (ANR 2021-2025)
- LOTR (ANR 2023-2027)

## Scientific collaborations (most representative)

### CEA

- CEA Leti/List – DACLE / DSCIN
- CEA Leti – DSYS
- CEA Leti – Cesti
- CEA List – DILS

### France

- LSAS Gardanne – joint team CEA Leti + EMSE
- XLIM
- INRIA Rennes
- LIP6 – Sorbonne Univ.
- VERIMAG – Univ. Grenoble Alpes
- ARM France
- Thalès
- ANSSI

### International

- TU Graz
- Univ. Milano – POLIMI



list



# Application outillée de contre-mesures contre les attaques matérielles

Soutenance d'Habilitation à Diriger des Recherches

Damien Couroussé

28 août 2024

Composition du jury

Rapporteurs    **Guy Gogniat**

**Guillaume Hiet**

**Ingrid Verbauwhede**

Examinateurs    **Aurélien Francillon**

**David Hély**

**Karine Heydemann**

**Marie-Laure Potet**

professeur à l'Université Bretagne Sud

professeur à CentraleSupélec Rennes

professeure à KU Leuven

professeur à EURECOM

professeur à LCIS, Université Grenoble Alpes

experte sécurité à Thalès DIS, chercheuse associée au LIP6

professeure à Université Grenoble Alpes