Fault injections are increasingly used to attack secure applications. Software countermeasures against fault injections can be categorized into (i) algorithm-level countermeasures, which are easy to deploy and introduce low overhead but not so difficult to bypass, and (ii) instruction-level countermeasures, which are more robust but introduce high overhead and require changes in the instruction set. In this paper, we define formal models of runtime monitors that can detect fault injections that result in test inversion and arbitrary jumps in the control flow of a program. Runtime monitors offer several advantages. The code implementing a runtime monitor is small compared to the entire application code, have the advantages of algorithm-level countermeasures. They benefit from a formal semantics; it can be proved that they effectively detect attacks. Each monitor is a module dedicated to an attack and can be deployed as needed to secure the application. It can run separately from the application (e.g., in a trusted memory zone) or "weaved" inside the application. These features make monitors suitable for low-resource devices such as IoT devices. Our monitors have been validated by detecting simulated attacks on a program that verifies a user PIN under the control of a number of trials.
Introduction
Fault injections are effective techniques to exploit vulnerabilities in embedded applications and implementations of cryptographic primitives [1, 2, 3, 4, 5, 6] . Fault injections can be thwarted (or detected) using software or hardware countermeasures [7, 8] . Hardware countermeasures are expensive and unpractical for off-the-shelf products. Henceforth, software countermeasures are commonly adopted. Software countermeasures can be categorized into algorithm-level and instruction-level countermeasures.
Most of the existing algorithm-level countermeasures make use of redundancy such as computing a cryptographic operation twice then comparing the outputs [9] , or using parity bits [10] . Algorithm-level countermeasures are easy to implement and deploy and usually introduce low (computational and footprint) overhead. However, as they are usually based on redundancy, they can be broken using multiple faults injection or by skipping critical instruction [11, 12] .
In the other hand, instruction-level countermeasures require changes to the low level instruction code, for example by applying instruction duplication or triplication [13, 14] . Instruction-level countermeasures are more robust than algorithm-level countermeasures. Indeed, it is believed that instruction-level countermeasures are secure against multiple faults injection under the assumption that skipping two consecutive instructions is too expensive and requires high synchronization capabilities [13, 15 ]. However, instruction-level countermeasures introduce a large overhead, for instance, instruction duplication doubles the execution time. Moreover, instruction-level countermeasures require changing the instruction set (with dedicated compilers) since e.g., some instructions have to be replaced by a sequence of idempotent or semantically equivalent instructions.
In this paper, we use runtime verification principles [16, 17, 18, 19] and monitors to detect fault injections that result in test inversion or unexpected jumps in the control flow of a program. A monitor can run off-line after the end of an execution provided that the necessary events have been saved in a safe log, or on-line in parallel with the execution. We use Quantified Event Automata (QEAs) [20] to express our monitors. We prove that our monitors for test inversion and jump attacks detect them if and only if such attack occur at runtime -Propositions 1 and 2, respectively. From an implementation point of view, we validate Java implementations of our monitors using attack examples on a program that verifies a user PIN code taken from the FISSC benchmark [21] . Our monitors are lightweight and small in size. The monitors execution time is proportional to the size of the program under surveillance. However, the memory overhead can be bounded as only data related to the "active" basic block need to be kept in memory.
This make them suitable for low-resource devices where monitors can run in a small (hardware)-secured memory (where the entire application may not fit). Moreover, monitors can run separately from the application under surveillance, and thus can run remotely (in a secure environment) provided a secure communication channel.
The rest of the paper is structured as follows. Section 2 overviews Quantified Event Automata. Section 3 introduces preliminaries. Section 4 introduces execution and attacker models. Section 5 introduces our monitors. Section 6 describes an experiment that validates the effectiveness of our monitors. Section 7 discusses related work. Finally, Section 8 concludes and outlines avenues for future work.
Quantified Event Automata
We briefly overview Quantified Event Automata [20] (QEAs) which are used to express monitors. QEAs are an expressive formalism to represent parametric specifications to be checked at runtime. An Event Automaton (EA) is a (possibly non-deterministic) finite-state automaton whose alphabet consists of parametric events and whose transitions may be labeled with guards and assignments. The syntax of EA is built from a set of event names N , a set of values Val, and a set of variables Var (disjoint from Val). The set of symbols is defined as Sym = Val ∪ Var. An event is a tuple e, p 1 , . . . , p n , where e ∈ N is the event name and p 1 , . . . , p n ∈ Sym n are the event parameters. We use a functional notation to denote events: e, p 1 , . . . , p n is denoted by e(p 1 , . . . , p n ). Events that are variable-free are called ground events, i.e., an event e(p 1 , . . . , p n ) is ground if p 1 , . . . , p n ∈ Val n . A trace is defined as a finite sequence of ground events. We denote the empty trace by ǫ.
The semantics of an EA is close to the one of a finite-state automaton with the natural addition of guards and assignments on transitions. A transition can be triggered only if its guard evaluates to True with the current binding (a map from variables to concrete values), and the assignment updates the current binding.
A QEA is an EA with some (or none) of its variables quantified by ∀ or ∃. Unquantified variables are left free and they can be manipulated through assignments and updated during the processing of the trace. A QEA accepts a trace if after instantiating the quantified variables with the values derived from the trace, the resulting EAs accept the trace. Each EA consumes only a certain set of events, however a trace can contain other events which are filtered out. The quantification ∀ means that a trace has to be accepted by all EAs, while the quantification ∃ means that it has to be accepted by at least one EA. For a QEA M with quantified variables x 1 , . . . , x n , We use the functional notation M(x 1 , . . . , x n ) to refer to the related EAs depending on the values taken by x 1 , . . . , x n . We depict QEAs graphically. The initial state of a QEA has an arrow pointing to it. The shaded states are final states (i.e., accepting states), while white states are failure states (i.e., non-accepting states). Square states are closed-tofailure, i.e., if no transition can be taken then there is an implicit transition to a (sink) failure state. Circular states are closed-to-self (aka skip-states), i.e., if no transition can be taken, then there is an implicit self-looping transition. We use the notation guard assignment to write guards and assignments on transitions, := for variable assignment, and == for equality test.
Example 1 (QEA). Figure 1 
Preliminaries and Notations
Throughout the paper, as a running example, we consider function verifyPIN, which is depicted in Listing 1 1 . Function verifyPIN is the main function for the verification of a user PIN. It handles the counter of user trials (variable g_ptc), which is initialized to 3, i.e., the user is allowed for 3 authentication trials (one trial per execution). The user is authenticated if the value of g_ptc is greater than 0, and function byteArrayCompare returns BOOL_TRUE. Function byteArrayCompare returns BOOL_TRUE if g_userPin and g_cardPin are equal. Note that BOOL_TRUE and BOOL_FALSE are hardened booleans which have the values 0xAA and 0x55, respectively. The monitors defined in Section 5 are generic. They are independent from any programming language and do not require changes to the low-level code since the required instrumentation to produce events can be made at the level of the source code. However, to describe attacks at a lower level, we make use of the three-address code (TAC) representation. TAC is an intermediate-code representation which reassembles for instance LLVM-IR. TAC is machine independent, easy to generate from source code, and can be easily converted into assembly code. In TAC, a program is a finite sequence of three-address instructions. In particular, an instruction ifZ z goto L is conditional branch instruction that directs the execution flow to L (i.e., makes a branching into L) if the value of z is 0 (i.e., false). An instruction goto L is an unconditional branch instruction that directs the execution flow to L. A label L can be assigned to any instruction in the TAC. Instruction Push x pushes the value of x onto the stack. Before making a function call, parameters are individually pushed onto the stack from right to left. While Pop k pops k bytes from the stack; it is used to pop parameters after a function call. To specify how the program under verification has to be instrumented, in Section 4.1, we refer to the control flow graph (CFG) of the program. The CFG of a program is a representation of all the paths that might be taken during its execution. A CFG is a rooted directed graph (V, E), where V is a set of nodes representing basic blocks, and E is a set of directed edges representing possible control flow paths between basic blocks. A CFG has an entry node and one exit node. The entry node has no incoming edges while the exit node has no outgoing edges. A basic block is a maximal sequence S 1 . . . S n of instructions such that
• it can be entered only at the beginning, i.e., none of the instructions S 2 . . . S n has a label (i.e., target of a branch), and
• it can be exited only at the end, i.e., none of the instructions S 1 . . . S n−1 is a branch instruction or a return.
A CFG may contain loops. A loop is a sequence B 1 , . . . , B n of basic blocks dominated by the first basic block: B 1 , and having exactly one back-edge from the last basic block: B n into B 1 . Note that, in a CFG, a basic block B dominates a basic block B We define a test, in TAC, as an instruction that involves a logical expression, i.e., an instruction of the form z := (x oprel y) where oprel is a logical operator, followed by the conditional branch instruction ifZ z goto L for some label L. For a test A we use the notation cond(A) to refer to the condition (i.e., the logical expression) involved in A.
Example 4 (Test). Function verifyPIN contains two tests:
• _t0 := (g_ptc > 0), ifZ _t0 goto L1 and
Let B be a basic block. We use the notation B L to refer to the successor of B whose head is labeled by L if tail B is an unconditional jump instruction goto L. Similarly, we use the notation B T (resp. B F ) to refer to the successor of B that is executed when (x oprel y) = True (resp. (x oprel y) = False) if B ends with a test A where cond(A) = (x oprel y). Note that, B F is the basic block whose head is labeled by L.
Finally, in what follows, variable i is used to denote the unique identifier of a basic block B, and i is used to denote the unique identifier of a basic block B .
Modeling
We define our execution model in Section 4.1. Then, in Section 4.2, we define an attacker model for test inversion and jump attacks. 
Modeling Execution
We define a program execution (a program run) by a finite sequence of events, a trace. Such event-based modeling of program executions is appropriate for monitoring actual events of the program. Events mark important steps in an execution. We consider parametric events of the form e(p 1 , . . . , p n ), where e is the event name, and p 1 , . . . , p n is the list of symbolic parameters that take some concrete values at runtime.
As we consider fault injection attacks, then events themselves are under threat (e.g., an attacker may skip an event emission). In order to ensure events emission, we assume that the program under verification is instrumented so that every event is consecutively emitted twice. In practice, an event emission may be implemented using a function call. Thus, events duplication ensures events emission under the assumption that injecting faults onto two consecutive instructions is too expensive [13, 15] .
We define the following events which have to be emitted during a program execution, where G = (V, E) is the CFG of the program:
• For every basic block B ∈ V, event begin(i) has to be emitted at the beginning of B.
• For every basic block B ∈ V, event end(i) has to be emitted:
-just before instruction return, if the tail of B is return.
-at the beginning of B L , if the tail of B is an unconditional jump instruction goto L. Note that, in this case, events end(i) have to be emitted before event begin(i L ).
-at the beginning of both B T and B F , if the tail of B is a conditional jump instruction ifZ z goto L. Note again that, in this case, events end(i) have to be emitted before events begin(i T ) and begin(i F ).
-at the end of B, otherwise.
• For every loop B 1 , . . . , B n in G, events reset(i 1 ), . . . , reset(i n ) have to be emitted at the end of B n . Event reset(i) means that the basic block whose identifier is i may be executed again as it is involved in a loop. Note that, in this case, reset events have to be emitted before event end(i n ) as the latter is used to detect jump attacks.
• For every basic block B ∈ V that ends with a test A, events bT(i, x, y) and bF(i, x, y) have to be emitted at the beginning of B T and B F , respectively, where cond(A) = (x oprel i y). We note that, in this case, the identifier i also identifies the test A and the logical operator oprel i as a basic block can contain at most one test. We define a program execution as follows.
Definition 1. (Program Execution)
. Let P be a program. An execution P exec of P is a finite sequence of events e 1 . · · · .e n , where n ∈ N, such that e j ∈ Σ ALL = {begin(i), end(i), reset(i), bT(i, x, y), bF(i, x, y)} for every j ∈ {1, . . . , n}.
Modeling the Attacker
We focus on test inversion and jump attacks. A test inversion attack is an attack where the result of a test is inverted. Whereas, a jump attack is an attack that directs the control flow of a program execution in a way that results in a path that does not exist inside the CFG of the program.
We assume multiple faults injection model for test inversion attacks, whereas we assume single fault injection model for jump attacks. Indeed, when it comes to multiple faults it is difficult to detect jump attacks in our model. For instance, a jump from a basic block B into a basic block B ′ that is directly followed by a jump from B ′ into B may not be detected by our monitors.
Consider a basic block B that ends with a test A = z := (x oprel y), ifZ z goto L. There is a test inversion attack on A when B T is executed while (x oprel y) = False, or when B F is executed while (x oprel y) = True. In practice, the result of A can be inverted, for example, by:
• skipping the conditional branch instruction, so that B T is executed regardless whether (x oprel y) evaluates to True or False), • skipping the instruction that involves the logical expression provided that variable z already holds the value that results in branch inversion, or • flipping the value of z after the logical expression being evaluated. Definition 2. (Test Inversion Attack). Let P be a program, and let P exec = e 1 , . . . , e n be an execution of P. We say that there is a test inversion attack on P exec if it violates R 1 or R 2 which are defined as follows, where i identifies oprel i :
• R 1 : if there exists e j = eT(i, x, y) for some identifier i and some integer j, then we have that (x oprel i y) = True.
• R 2 : if there exists e j = eF(i, x, y) for some identifier i and some integer j, then we have that (x oprel i y) = False.
In our model, a jump attack interrupts an execution of a basic block, or starts an execution of a basic block not at its beginning. In the practice, a jump attack can be performed, for example, by manipulating the target address of a branch or return. We note that, we do not consider jumps into memory zones that are outside a program code (i.e., outside the original CFG), intra-basic block jumps (that are equivalent to one or more instructions skip inside a basic block), and jumps from the end a basic block B into the beginning of a basic block
Let B be a basic block, and consider only events begin(i) and end(i). Then, in absence of jump attack, an execution of B results in one of the following traces depending on whether none, one, or two events are skipped (assuming events duplication):
•
begin(i).begin(i).end(i).end(i), • begin(i).end(i).end(i), • begin(i).begin(i).end(i), or • begin(i).end(i).
Moreover, during a program execution, B may get executed more than once if it is involved in a loop. In this case, between every two executions of B, event reset(i) occurs.
Interrupting an execution of a basic block B results in event begin(i) that is not directly followed by event end(i).
Starting an execution of a basic block B not from its beginning results in event end(i) that is not directly preceded by event begin(i).
Definition 3. (Jump Attack)
. Let P be a program, and let P exec = e 1 , . . . , e n be an execution of P. We say that there is a jump attack on P exec if it violates R 3 , R 4 or R 5 which are defined as follows:
• R 3 : if e j = begin(i) for some identifier i and some integer j, then -e j+1 = end(i), if e j−1 = begin(i).
-e j+1 = end(i), or e j+1 = begin(i) and e j+2 = end(i), if e j−1 = begin(i).
• R 4 : if e j = end(i) for some identifier i and some integer j, then -e j−1 = begin(i), if e j+1 = end(i).
-e j−1 = begin(i), or e j−1 = end(i) and e j−2 = begin(i), if e j+1 = end(i).
• R 5 : there is no j such that e j = end(i) and e j+1 = begin(i) for any identifier i.
Monitors
We propose monitors that checks for the presence/absence of test inversion and jump attacks on a given execution.
A Monitor for Detecting Test Inversions
Figure 3 depicts monitor M TI , a QEA that detects test inversion attacks on a given execution. The alphabet of M TI is Σ TI = {eT(i, x, y), eF(i, x, y)}. Monitor M TI has only one state, which is an accepting square state. It fails when event eT(i, x, y) is emitted while (x oprel i y) = False (i.e., if the requirement R 1 is violated), or when event eF(i, x, y) is emitted while (x oprel i y) = True (i.e., if the requirement R 2 is violated). M TI accepts multiple occurrences of events eT(i, x, y) and eF(i, x, y) as long as the related guards hold. Note that the parameter i is used to identify oprel i and it allows reporting the test that has been inverted in case of failure. Proposition 2. Let P be a program, and let P exec be an execution of P. Monitor M J rejects P exec iff there is a jump attack on P exec .
A Monitor for Detecting Jump Attacks
Proof. The proof is provided in Appendix A.
Indeed, M J cannot output a final verdict concerning R 1 until the end of the execution as event end(i) may occur at any point in the future. One way to explicitly catch the end of an execution is to include event exit in Σ J , and add a transition from state (5), labeled by exit, to a new accepting square state, say state (6). Then, an occurrence of event exit in state (3) means that event end(i) will definitely not occur, and thus leads to an implicit failure state. A self-loop on state (4) labeled by exit is also required. Note that, an occurrence of event exit at state (1) will also lead to failure. Figure 2) . This attack interrupts the execution of B 2 , and allows the attacker to get authenticated with a wrong PIN as it skips the test that follows byteArrayCompare. Consequently, B 3 (the success branch) will be executed regardless of the value returned by byteArrayCompare. Provided that verifyPIN is instrumented as described in Section 4.1, the faulted execution after filtering out any event that is not in Σ J is as follows, where I j is the identifier of B j :
Example 7 (Jump Attack). An attacker can perform a jump attack on verifyPIN by modifying the return address of the function byteArrayCompare, for example, into the address of the first instruction (g_ptc := 3) of the basic block B 3 (See

begin(I 1 ).begin(I 1 ).end(I 1 ).end(I 1 ).begin(I 2 ).begin(I 2 ).begin(I 3 ). begin(I 3 ).end(I 3 ).end(I 3 ).begin(I 5 ).begin(I 5 ).end(I 5 ).end(I 5 )
The faulted execution is sliced by M J , based on the values that i can take, into the following four slices:
i → I 1 : begin(I 1 ).begin(I 1 ).end(I 1 ).end(I 1 ) i → I 2 : begin(I 2 ).begin(I 2 ) i → I 3 : begin(I 3 ).begin(I 3 ).end(I 3 ).end(I 3 ) i → I 5 : begin(I 5 ).begin(I 5 ).end(I 5 ).end(I 5 ) Slices i → I 1 , i → I 3 , and i → I 5 satisfy requirements R 3 , R 4 and R 5 . Thus, they are respectively accepted by M J (I 1 ), M J (I 3 ), and M J (I 5 ). However, slice i → I 2 does not satisfy the requirement R 3 as it contains two consecutive occurrences of event begin(I 2 ) that are not followed by event end(I 2 ). Thus it is rejected by M J (I 2 ). Indeed, the first occurrence of event begin(I 2 ) fires the transition from state (1) into state (2) , and the second occurrence of begin(I 2 ) fires the transition from state (2) into state (3) , see Figure 4 . Thus, M J (I 2 ) ends in state (3) , which is a failure state. Therefore, since slice i → I 2 is rejected by M J (I 2 ), the whole faulted execution is rejected by M J .
We note that, given a CFG (V, E), monitor M J cannot detect an attack where a jump from the end of B ∈ V into the beginning of B ′ ∈ V with (B, B ′ ) / ∈ E is executed. Indeed, in order to detect such a jump, a global monitor with a structure similar to the CFG is needed where basic blocks are replaced by EAs that resemble M J (i) with the adjustment of reset transitions in accordance with the loops.
Monitor Validation
We validate our monitors by demonstrating their effectiveness in detecting simulated attacks against verifyPIN. Following the initial C implementation, we have implemented verifyPIN and the monitors using Java and AspectJ. We have instrumented verifyPIN at the source code level. More precisely, for every required event we defined an associated function which is called inside verifyPIN at the positions where the event has to be emitted as specified in Section 4.1. The associated functions are used to define pointcuts in AspectJ. When a function is called, i.e., a pointcut is reached, the corresponding event is fed to the running monitor which makes a transition based on its current state and the received event, and reports a verdict. The code segments executed by the monitor (called advices) are woven within the original source files to generate the final source code that is compiled into an executable.
p u b l i c c l a s s V e r i f i c a t i o n M o n i t o r T I { 2 p r i v a t e S t a t e c u r r e n t S t a t e = S t a t e . Ok ; 3 4 p u b l i c v o i d u p d a t e S t a t e ( E v e n t e ) { 5 s w i t c h ( t h i s . c u r r e n t S t a t e ) { 6
c a s e Ok : 7 i n t x = e . getX ( ) ; 8 i n t y = e . getY ( ) ; 9 S t r i n g o p r e l = e . g e t O p r e l ( ) ; 10 b o o l e a n c o n d i t i o n = e v a l u a t e C o n d ( x , y , o p r e l ) ; 11 i f ( ( e .
getName ( ) . e q u a l s ( " eT " ) && ! c o n d i t i o n ) | | ( e . getName ( ) . e q u a l s ( " eF " ) && c o n d i t i o n ) ) 12
{ t h i s . c u r r e n t S t a t e = S t a t e . E r r o r ; } 13 b r e a k ; 14 c a s e E r r o r : 15 / / No n e e d t o e x e c u t e any c o d e . 16 b r e a k ; 17 } 18
System . o u t . p r i n t l n ( " moved t o s t a t e " + t h i s . c u r r e n t S t a t e ) ; 19 } 20 21 p u b l i c V e r d i c t c u r r e n t V e r d i c t ( ) { 22 s w i t c h ( t h i s . c u r r e n t S t a t e ) { 23 c a s e Ok : r e t u r n V e r d i c t . CURRENTLY_TRUE ; 24 c a s e E r r o r : r e t u r n V e r d i c t . FALSE ; 25 d e f a u l t : r e t u r n V e r d i c t . FALSE ; 26 } 27 } 28 } Listing 3: Java implementation of M TI . Table 1 summarizes the computation time and memory consumption by our monitors. Indeed, the execution time of the monitors is proportional to the size of the program as parsing more events means more computational time. However, the memory consumption can be bounded since only variables related to the EA that corresponds to the basic block being executed have to be kept in memory.
In the following, we illustrate about how we carried out the simulation and the obtained results.
Test Inversion Attack
Our experiment showed that M TI can detect the attack presented in Example 6. In Java bytecode, the test _t2 := (_t1 == BOOL_TRUE), ifZ _t2 goto L2 is expressed using one instruction if_icmpne L2. The instruction if_icmpne L2 compares _t1 and BOOL_TRUE, which are previously loaded into the stack, and makes a branch into L2 if they are not equal. In case of a wrong user PIN, the test can be inverted by replacing if_icmpne with if_icmpeq, which makes a branch if the operands are equal, or with nop, which is equivalent to skipping if_icmpne and results in the execution of branch B T regardless of the value of _t1. The binary opcodes of if_icmpne, if_icmpeq and nop are respectively "1010 0000", "1001 1111" and "0000 0000". Thus, replacing if_icmpne with if_icmpeq requires modifying 6 bits, whereas replacing if_icmpne with nop requires modifying only 2 bits. Note that, replacing if_icmpne with nop only works with Java 6 or earlier versions 2 .
Jump Attack
A jump attack can be simulated, in Java bytecode, by replacing an instruction with goto L for a certain line number L. However, again this results in an inconsistent stackmap frame for Java 7 and latest versions. Nevertheless, it is possible to simulate the jump attack presented in Example 7 at the source code level 3 . We note here that the main purpose is not performing the attack, but to validate that M J can detect jump attacks. The latter was confirmed by our experiment.
Related Work
To the best of our knowledge, this work is the first that proposes formal monitors to detect fault attacks. Nevertheless, runtime monitoring was successfully applied to several domains, e.g., for monitoring financial transactions [23] , monitoring IT logs [24] , monitoring electronic exams [25] , monitoring smart homes [26] .
Regarding the protection against fault attacks, several research endeavors propose software-based protections. We split these approaches in two: algorithm level and instruction level. Then, we compare our approach to the approaches of control-flow integrity. 2 Indeed, starting from Java 7, the type checking rules requires a stack map frame at the beginning of each basic block [22] . Thus, a stack map frame is required by every branching instruction. The stack map frame specifies the verification type of each operand stack entry and of each local variable. Replacing if_icmpne with if_icmpeq does not result in a violation of the related stack map frame, however, replacing it with nop does. Hence, in order to simulate the attack by replacing if_icmpne with nop, the stack map frame also has to be modified. 3 Indeed, it is not possible to simulate this attack by modifying the return address of byteArrayCompare. However, one can simulate the effect of goto using break and continue statements.
Algorithm-level Approaches
Such approaches work at the algorithmic level and do not require changes to the instruction code. Some of them [27, 1, 11, 8, 28] use basic temporal redundancy, such as computing a cryptographic operation twice then comparing the outputs, or computing the inverse operation then comparing the output to the input plain text. Other approaches make use of parity codes [10] or digest values [29] . Recently, Lac et al. [30] proposed a generic approach for faults detection with a possibility for correction.
Algorithm-level approaches are easy to implement and deploy, and they usually introduce an acceptable overhead. However, they are not effective against compile-time modifications. Moreover, it has been shown that they are not robust against multiple fault injections [11, 12] or skipping the critical parts of the code [31, 32] . Furthermore, most of the existing algorithm-level approaches are not generic.
Our approach is more general as it can be applied to any program. Runtime monitoring is based on extracting some information from the running system, and then using this information to verify whether some requirements are satisfied or not. Thus, a monitor can run separately from the program under verification. Moreover, monitors may run in a hardware-protected memory as they are lightweight and small, or remotely in a supervised environment. This makes applying multiple fault attacks on both the program under verification and the corresponding monitors more difficult to achieve. Furthermore, runtime monitoring can be complementary to the existing approaches, for instance, to detect fault attacks on critical parts such as a test that compares the outputs when an operation is computed twice.
Note, to ensure the correct extraction of the necessary information (i.e., events) from a running program, we use emission duplication. This may require the duplication of every related instruction as duplication at the algorithmic level may not be sufficient.
Instruction-level Approaches
Instruction-level approaches are those that require changes to the instruction code. At instruction-level, there are approaches that apply instruction duplication or triplication [13, 14] in order to provide 100% protection against skip fault injections. Reis et al. [33] enhance instruction duplication technique by inserting comparison instructions at critical points inside the code, such as conditional branches, in order to ensure correct control flow transfer. There are also the approaches that rely on replacing every instruction with a sequence of functionally equivalent instructions such that skipping any of these instructions does not affect the outcome [15, 34] . These approaches provide fault tolerance, and they are believed to be secure against multiple fault injections under the assumption that skipping two consecutive instructions is too expensive and requires high synchronization capabilities [13, 15] . Other instructionlevel approaches include ASLR (address space layout randomization) technique [35] , which introduces randomness into addresses used by a given program in order to prevent some exploit techniques, and ExecShield technology [36] , which has been developed by Red Hat in order to reduce the impact of security vulnerabilities and thus make security exploits more difficult.
Instruction-level approaches provides more guarantees than algorithm-level approaches, and they are more robust against multiple fault injections. However, they require dedicated compilers for code generation. Moreover, approaches that apply instructions duplication or replacement are processor dependent as some instructions have to be replaced by a sequence of idempotent or functionally equivalent instructions. Furthermore, instruction-level approaches introduce a large overhead in performance and footprint. For instance, instruction duplication increases the overhead at least twice. Nevertheless, the overhead can be decreased by protecting only the critical parts of the code.
In comparison, our monitors are generic, and easy to implement and deploy as is the case with algorithm-level countermeasures. Note that, runtime monitoring does not provide 100% protection against fault attacks. In particular, our monitors can detect test inversion and jump attacks. Providing more guarantees requires more monitors or monitors that are larger in size. So, similar to instruction-level approaches, there is a trade-off between provided guarantees and introduced overhead. Furthermore, runtime monitoring is compatible, not only with algorithm-level approaches, but also with instruction-level approaches.
Control-Flow Integrity
Control flow integrity (CFI) aiming at ensuring that an execution takes a path that is inside the CFG of the given program. Most of existing CFI approaches follow the seminal work by Abadi et al. [37] , which makes use of a special set of instructions in order to check the source and destination addresses involved in indirect jumps and indirect function calls. CFI approaches do not aim to provide a 100% fault coverage. Instead they aim at providing protections against jump-oriented attacks [38, 39] , and return-oriented attacks [40] . A related technique called control flow locking (CFL) has been introduced by Bletsch et al. [41] in order to provide protection against code-reuse attacks. Instead of inserting checks at control flow transfers, CFL locks the corresponding memory address before a control flow transfer, and then unlocks it after the transfer is executed.
Existing CFI approaches are instruction-based, and thus have the same advantages and weaknesses of the instructionlevel approaches mentioned above. Moreover, detecting jump attacks by our monitors is some sort of reporting CFI violations. Note that, CFI does not deal with test inversion attacks as taking any of the branches after a conditional branch does not violate CFI.
Conclusions and Perspectives
We formally define test inversion and attacks. Then, we propose monitors expressed as Quantified Event Automata in order to detect these attacks. Monitors can run under supervision in another device or in a protected memory area as they are lightweight and small in size. Our monitors support the duplication of events emission, which is crucial to protect events against skip attacks. Finally, we demonstrate the validity of our monitors using attack examples on verifyPIN function. We note that, implementing events emission with function calls in AspectJ shows that the duplication at source level does not protect event arguments. Indeed, at the bytecode level, when an event is called after a conditional branch the operands involved in the condition, which are passed as arguments to the event, get loaded again before the event (function) call. Thus, a duplication of all related instruction at low level or an implementation that handle events emission with one instruction (i.e., a one that allows to directly use the already loaded values) is required to protect events.
As a future work, we plan to conduct more case studies, and to use a Java bytecode editing tool, such as ASM [42] or JNIF [43] , to simulate faults. We also consider proposing more monitors in order to detect additional attacks following the principles exposed in this paper. Moreover, we consider developing a runtime enforcement [44, 45, 46] Proof. Assume that M TI rejects P exec . We have to show that there is a test inversion attack on P exec , i.e., P exec violates R 1 or R 2 . As M TI rejects P exec then there exists i such that M TI (i) fails (i.e., ends in a failure state). Thus, M TI (i) fires a transition into an implicit failure state since M TI (i) has only one (explicit) state which is an accepting state. This means that P exec contains, for some x and y, event eT(i, x, y) such that (x oprel i y) = False which violates R 1 , or event eF(i, x, y) such that (x oprel i y) = True which violates R 2 . So, P exec violates R 1 or R 2 , and thus there is a test inversion attack on P exec . Hence, we can conclude for the first direction.
To prove the second direction, we assume that there is a test inversion attack on P exec , and we show that M TI rejects P exec . If there is a test inversion attack on P exec , then P exec violates R 1 or R 2 . If P exec violates R 1 then it contains an event eT(i, x, y) such that (x oprel i y) = False, which fires a transition into an implicit failure state as the guard related to event eT(i, x, y) is not satisfied. Thus, M TI fails and rejects P exec . If P exec violates R 2 then it contains an event eF(i, x, y) such that (x oprel i y) = True, which fires a transition into an implicit failure state as the guard related to event eF(i, x, y) is not satisfied. Thus, M TI fails and rejects P exec . Hence, we conclude for the second direction and the proof is done.
Proposition 2. Let P be a program, and let P exec be an execution of P. Monitor M J rejects P exec iff there is a jump attack on P exec .
Proof. Assume that M J rejects P exec = e 1 , . . . , e n . We have to show that P exec violates R 3 , R 4 or R 5 . As M J rejects P exec then there exists i such that M J (i) fails while consuming P exec . We split according to the cases in which M J (i) fails.
• M J (i) has encountered event end(i) in state (1) . This means that there exists j such that e j = end(i),
and that e j−1 is either ǫ or reset(i) since state (1) is the initial state and it can only be reached by event reset(i). Thus, P exec violates R 4 in this case.
• M J (i) ends in state (2) . This means that there exists j such that e j = begin(i) since state (2) can only be reached from state (1) through event begin(i). Moreover, we can deduce that e j+1 is neither begin(i) nor end(i). Thus, P exec violates R 3 .
• M J (i) has encountered event e j = reset(i) in state (2) . State (2) can only be reached from state (1) through event begin(i). Then, e j−1 = begin(i). So, there exists e j−1 = begin(i) such that e j is neither end(i) nor begin(i) which violates R 3 .
• M J (i) ends in state (3). This means that there exists j such that e j−1 = e j = begin(i) since state (2) can only be reached from state (1) through event begin(i), and state (2) can only be reached from state (1) through event begin(i). Moreover, e j+1 = end(i) as there is a transition from state (3) into state (4) labeled by end(i), but M J (i) ends in state (3). Thus, P exec violates R 3 .
• M J (i) has encountered event reset(i) in state (3). This case is similar to the previous case and violates R 3 .
• M J (i) has encountered event begin(i) in state (3). This means that there exists j such that e j−1 = e j = e j+1 = begin(i), which violates R 3 .
• M J (i) has encountered event begin(i) in state (4) . This means that there exists j such that e j = begin(i), and e j−1 = end(i) since state (4) can only be reached by event end(i) from state (2) or state (3), which can be reached only be reached by event begin(i). Thus, P exec violates R 5 .
• M J (i) has encountered event end(i) in state (5) . This means that there exists j such that e j−1 = e j = e j+1 = end(i) since state (5) can only be reached from state (4) also by event end(i), and state (4) can only
