Formal verification of a software countermeasure against instruction skip attacks

Formal verification of a software countermeasure against instruction skip attacks

Nicolas Moro Karine Heydemann Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6, 75005 Paris, France Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6, 75005 Paris, France Bruno Robisson CEA, CEA-Tech PACA, LSAS, 13541 Gardanne, France

Fault attacks against embedded circuits enabled to define many new attack paths against secure circuits. Every attack path relies on a specific fault model which defines the type of faults that the attacker can perform. On embedded processors, a fault model consisting in an assembly instruction skip can be very useful for an attacker and has been obtained by using several fault injection means. To avoid this threat, some countermeasure schemes which rely on temporal redundancy have been proposed. Nevertheless, double fault injection in a long enough time interval is practical and can bypass those countermeasure schemes. Some fine-grained countermeasure schemes have also been proposed for specific instructions. However, to the best of our knowledge, no approach that enables to secure a generic assembly program in order to make it fault-tolerant to instruction skip attacks has been formally proven yet. In this paper, we provide a fault-tolerant replacement sequence for almost all the instructions of the Thumb-2 instruction set and provide a formal verification for this fault tolerance. This simple transformation enables to add a reasonably good security level to an embedded program and makes practical fault injection attacks much harder to achieve.


The final publication is available at Springer via

1 Introduction

Physical attacks were introduced in the late 1990s as a new way to break cryptosystems. Unlike classical cryptanalysis, they use some weaknesses in the cryptosystems’ implementations as a way to break them. Among them, faults attacks were introduced in 1997 by Boneh et al. [Boneh1997]. In this class of attacks, attackers try to modify a circuit’s environment in order to change its behaviour or induce faults into its computations [BarEl2006, Barenghi2012Book]. This attack principle was first introduced against cryptographic circuits but can be used against a larger set of embedded circuits. Many physical means can be used to induce such faults: laser shots [Trichina2010], clock glitches [Balasch2011], chip underpowering [Zussa2012], temperature increase [Skorobogatov2009] or electromagnetic glitches [Dehbaoui2012].

Among fault attacks, three subclasses can be distinguished: differential fault analysis, safe error and algorithm modifications. Differential fault analysis (DFA) aims at retrieving some ciphering keys by comparing correct ciphertexts with ciphertexts obtained from a faulted encryption [Boneh1997]. Safe-error attacks are based on the fact that a fault injection may have or not have an impact on the output [Barenghi2012]. Finally, algorithm modifications target an embedded processor and aim at injecting faults into an embedded program’s control flow [Schmidt2008, Balasch2011].

Those attack schemes rely on an attacker’s fault model which defines the set of faults an attacker can perform [Barenghi2012]. As a consequence, countermeasure schemes must take this fault model aspect into account. On microcontrollers and embedded processors, the fault model in which an attacker can skip an assembly instruction has been observed on different architectures [Schmidt2008, Barenghi2012] and for different fault injection means [Balasch2011, Dehbaoui2012, Trichina2010]. As a consequence, this fault model is a realistic threat for an embedded program.

In this paper, we consider this instruction skip fault model and propose a countermeasure scheme that enables to secure any assembly code against instruction skip faults. Some countermeasures based on multiple executions of a function have already been proposed and can theoretically handle this issue [BarEl2006]. However, this kind of high granularity temporal redundancy is vulnerable to multiple fault attacks. Even with commonly-used low-cost fault injection means, a high temporal accuracy can be obtained by an attacker, and performing the same fault injection on several executions of an algorithm is practical [Trichina2010]. On the contrary, performing faults on two instructions separated by a few clock cycles is significantly harder [Barenghi2010] while still possible. Indeed, it requires a much more costly fault injection equipment and very high synchronization capabilities. It is then not yet considered as a realistic threat.

The securing approach proposed in this paper uses an instruction-scale temporal redundancy to ensure a fault-tolerant execution of an embedded program. It is based on the statement that performing two faults on two instructions separated by few clock cycles is hardly feasible. A fault-tolerant replacement sequence for most of the instructions of the whole Thumb-2 instruction set has been designed. We also show how to formally prove the fault tolerance of replacement sequences by using a model-checking tool.

By using such a fine-grained redundancy scheme, it is then possible to strengthen most assembly programs against fault attacks without any specific knowledge about the program itself. In the experimental results, we evaluate the overhead induced by fault tolerance and show that it can be reduced by only applying this countermeasure scheme to the sensitive parts of an implementation.

The rest of this paper is organized as follows. Section 2 introduces our fault model and gives details about some related research papers. Section 3 introduces our countermeasure scheme and details our replacement sequences. Section LABEL:Section:PreuveFormelle explains the approach we use for the formal verification. Finally, section LABEL:Section:Implementations evaluates the efficiency of our countermeasure scheme on several implementations.

2 Related works and fault model

This section is dedicated to related works. First, fault models are discussed in section 2.1. Countermeasure schemes that have previously been proposed are addressed in section 2.2. Section 2.3 presents some related research papers on formal verification.

2.1 Fault model

On embedded processors, a fault model in which an attacker can skip an assembly instruction or equivalently replace it by a nop has been observed on several architectures and for several fault injection means [Karaklajic2009]. On a 8-bit AVR microcontroller, Schmidt et al. [Schmidt2008] and Balasch et al. [Balasch2011] obtained instruction skip effects by using clock glitches. Dehbaoui et al. obtained the same kind of effects on another 8-bit AVR microcontroller by using electromagnetic glitches [Dehbaoui2012]. On a 32-bit ARM9 processor, Barenghi et al. obtained some instruction skip effects by using voltage glitches. On a more recent 32-bit ARM Cortex-M3 processor, Trichina et al. were able to perform instruction skips by using laser shots [Trichina2010]. Moreover, this fault model has also been used as a basis for several cryptanalytic attacks [Barenghi2012]. As a consequence, it is considered as a common fault model an attacker may be able to perform [Karaklajic2009].

A more generic fault model is the instruction replacement model, in which nop replacements correspond to one possible case. In some previous experiments on an ARM Cortex-M3 processor by using electromagnetic glitches, we have observed a corruption of the instructions binary encodings during the bus transfers [Moro2013] leading to such instruction replacements. Actually, instruction skips correspond to specific cases of instruction replacements: replacing an instruction by another one that does not affect any useful register has the same effect as a nop replacement and so is equivalent to an instruction skip. Many injection means enable to perform instruction replacement attacks [Moro2013, Balasch2011, Barenghi2012Book]. Nevertheless, even with very accurate fault injection means, being able to precisely control an instruction replacement is a very tough task and, to the best of our knowledge, no practical attack based on such a fault model has been published yet.

As a conclusion, we consider in this paper the potentially harmful fault model in which an attacker is able to skip a single instruction.

2.2 Countermeasure schemes

Several countermeasures schemes have been defined to protect embedded processor architectures against specific fault models. At hardware level, many countermeasures have been proposed. As an example, Nguyen et al. [Nguyen2011] propose to use integrity checks to ensure that no instruction replacement took place.

Software-only countermeasure schemes, which aim at protecting the assembly code, are more flexible and avoid any modification of the hardware. Against fault attacks, the most common software fault detection approach relies on function-level temporal redundancy [BarEl2006]. For example, this principle applied to a cryptographic implementation can be achieved by calling twice the same encryption algorithm on the same input and then comparing the outputs. For encryption algorithms, an alternative way is to call the deciphering algorithm on the output of an encryption and to compare its output with the initial input. These approaches enable fault detection and involves doubling the execution time of the algorithm. Triplication approaches with voting enabling fault tolerance at the price of tripling the execution time of the whole algorithm have also been proposed [BarEl2006].

At algorithm level, in [Medwed2008], Medwed et al. propose a generic approach based on the use of specific algebraic structures named AN+B codes. Their approach enables to protect both the control and data flow.

At assembly level, in [Barenghi2010], Barenghi et al. propose three countermeasure schemes based on instruction duplication, instruction triplication and parity checking. Their approach ensures a fault detection for a small number of instructions against instruction skip or transient data corruption fault models. Our scheme enables a fault tolerance only against the instruction skip fault model but for almost all the instructions of the considered instruction set. Moreover, our countermeasure scheme has been formally proven fault tolerant.

2.3 Formal verification of software countermeasures

Formal methods and formal verification tools have been used for cryptographic protocols’ verification of to check that an implementation could meet the Common Criteria security specifications [Chetali2008]. However, to the best of our knowledge, very few formal verification approaches to check the correctness of software countermeasure schemes against fault attacks have been proposed yet. One of the most significant contributions has been proposed by Christofi et al. [Christofi2013]. Their approach aims at performing a source code level verification of the effectiveness of a countermeasure scheme on a CRT-RSA implementation by using the Frama-C program analyzer. In this paper, we formally prove all our proposed countermeasures against an instruction skip fault model at assembly level. Another more recent contribution of a formal methodology at algorithm level has been proposed by Rauzy et al. [Rauzy2013]. In their scheme, an attacker can induce faults in the data flow of a target implementation described in a high-level language. This scheme enables them to detect unnecessary countermeasures or possible flaws on several CRT-RSA implementations.

3 Countermeasure scheme

The proposed countermeasure scheme aims at ensuring a fault-tolerant execution of an assembly code against instruction skip faults. The approach we propose relies on providing a formally proven fault-tolerant replacement sequence for almost all the assembly instructions of a whole instruction set. We chose the ARM Thumb-2 instruction set [Thumb2] since ARM is a widely used target architecture for embedded processors. In this section, we give some details about the considered instruction set and present some of the replacement sequences we have defined for each instruction. This fine-grained redundancy scheme enables to strengthen most assembly codes against fault attacks without any specific knowledge about them.

Instruction class Examples Replacement scheme
Idempotent instructions mov r1,r8 Instruction duplication
add r3,r1,r2
Separable instructions add r1,r1,#1 Use of extra registers and
push {r4,r5,r6} decomposition into an idempotent instruction sequence
Specific instructions bl function Replacement sequence specific to each instruction
it blocks
Table 1: Instruction classes in the Thumb-2 instruction set
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description