Detecting Fault Injection Attacks with Runtime Verification by Kassem, Ali & Falcone, Yliès
ar
X
iv
:1
90
7.
03
30
9v
2 
 [c
s.C
R]
  2
0 S
ep
 20
19
DETECTING FAULT INJECTION ATTACKS WITH RUNTIME
VERIFICATION
A PREPRINT
Ali Kassem
Univ. Grenoble Alpes, Inria,
CNRS, Grenoble INP, LIG
38000 Grenoble
France
ali.kassem@inria.fr
Yliès Falcone
Univ. Grenoble Alpes, Inria,
CNRS, Grenoble INP, LIG
38000 Grenoble
France
ylies.falcone@inria.fr
September 23, 2019
ABSTRACT
Fault injections are increasingly used to attack/test secure applications. In this paper, we define
formal models of runtime monitors that can detect fault injections that result in test inversion attacks
and arbitrary jumps in the control flow. Runtime verification monitors offer several advantages.
The code implementing a monitor is small compared to the entire application code. Monitors have
a formal semantics; and we prove that they effectively detect attacks. Each monitor is a module
dedicated to detecting an attack and can be deployed as needed to secure the application. A monitor
can run separately from the application or it can be “weaved” inside the application. Our monitors
have been validated by detecting simulated attacks on a program that verifies a user PIN.
Keywords Runtime Verification, Monitor, Fault Injection, Detection, Quantified Event Automata, Attacker Model
1 Introduction
Fault injections are effective techniques to exploit vulnerabilities in embedded applications and implementations of
cryptographic primitives [1, 2, 3, 4, 5, 6]. Fault injections can be thwarted (or detected) using software or hard-
ware countermeasures [7, 8]. Hardware countermeasures are expensive and unpractical for off-the-shelf products.
Henceforth, software countermeasures are commonly adopted. Software countermeasures can be categorized into
algorithm-level and instruction-level countermeasures.
Most of the existing algorithm-level countermeasures make use of redundancy such as computing a cryptographic
operation twice then comparing the outputs [9], or using parity bits [10]. Algorithm-level countermeasures are easy to
implement and deploy and usually introduce low (computational and footprint) overhead. However, as they are usually
based on redundancy, they can be broken using multiple faults injection or by skipping critical instruction [11, 12].
In the other hand, instruction-level countermeasures require changes to the low level instruction code, for example
by applying instruction duplication or triplication [13, 14]. Instruction-level countermeasures are more robust than
algorithm-level countermeasures. Indeed, it is believed that instruction-level countermeasures are secure against mul-
tiple faults injection under the assumption that skipping two consecutive instructions is too expensive and requires
high synchronization capabilities [13, 15]. However, instruction-level countermeasures introduce a large overhead,
for instance, instruction duplication doubles the execution time. Moreover, instruction-level countermeasures require
changing the instruction set (with dedicated compilers) since e.g., some instructions have to be replaced by a sequence
of idempotent or semantically equivalent instructions.
In this paper, we use runtime verification principles [16, 17, 18, 19] and monitors to detect fault injections that result
in test inversion or unexpected jumps in the control flow of a program. A monitor can run off-line after the end of an
execution provided that the necessary events have been saved in a safe log, or on-line in parallel with the execution.
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
∀i
1 2
e1(i)
Figure 1: MR, a QEA for requirement R from Example 1.
We use Quantified Event Automata (QEAs) [20] to express our monitors. We prove that our monitors for test inversion
and jump attacks detect them if and only if such attack occur at runtime – Propositions 1 and 2, respectively. From an
implementation point of view, we validate Java implementations of our monitors using attack examples on a program
that verifies a user PIN code taken from the FISSC benchmark [21]. Our monitors are lightweight and small in size.
The monitors execution time is proportional to the size of the program under surveillance. However, the memory
overhead can be bounded as only data related to the “active” basic block need to be kept in memory.
This make them suitable for low-resource devices where monitors can run in a small (hardware)-secured memory
(where the entire application may not fit). Moreover, monitors can run separately from the application under surveil-
lance, and thus can run remotely (in a secure environment) provided a secure communication channel.
The rest of the paper is structured as follows. Section 2 overviews Quantified Event Automata. Section 3 introduces
preliminaries. Section 4 introduces execution and attacker models. Section 5 introduces our monitors. Section 6
describes an experiment that validates the effectiveness of our monitors. Section 7 discusses related work. Finally,
Section 8 concludes and outlines avenues for future work.
2 Quantified Event Automata
We briefly overview Quantified Event Automata [20] (QEAs) which are used to express monitors. QEAs are an
expressive formalism to represent parametric specifications to be checked at runtime. An Event Automaton (EA) is a
(possibly non-deterministic) finite-state automaton whose alphabet consists of parametric events and whose transitions
may be labeled with guards and assignments. The syntax of EA is built from a set of event names N , a set of values
Val, and a set of variables Var (disjoint from Val). The set of symbols is defined as Sym = Val ∪ Var. An event
is a tuple 〈e, p1, . . . , pn〉, where e ∈ N is the event name and p1, . . . , pn ∈ Symn are the event parameters. We use
a functional notation to denote events: 〈e, p1, . . . , pn〉 is denoted by e(p1, . . . , pn). Events that are variable-free are
called ground events, i.e., an event e(p1, . . . , pn) is ground if p1, . . . , pn ∈ Valn. A trace is defined as a finite sequence
of ground events. We denote the empty trace by ǫ.
The semantics of an EA is close to the one of a finite-state automaton with the natural addition of guards and assign-
ments on transitions. A transition can be triggered only if its guard evaluates to True with the current binding (a map
from variables to concrete values), and the assignment updates the current binding.
A QEA is an EA with some (or none) of its variables quantified by ∀ or ∃. Unquantified variables are left free and
they can be manipulated through assignments and updated during the processing of the trace. A QEA accepts a trace
if after instantiating the quantified variables with the values derived from the trace, the resulting EAs accept the trace.
Each EA consumes only a certain set of events, however a trace can contain other events which are filtered out. The
quantification ∀ means that a trace has to be accepted by all EAs, while the quantification ∃ means that it has to
be accepted by at least one EA. For a QEA M with quantified variables x1, . . . , xn. We use the functional notation
M(x1, . . . , xn) to refer to the related EAs depending on the values taken by x1, . . . , xn.
We depict QEAs graphically. The initial state of a QEA has an arrow pointing to it. The shaded states are final states
(i.e., accepting states), while white states are failure states (i.e., non-accepting states). Square states are closed-to-
failure, i.e., if no transition can be taken then there is an implicit transition to a (sink) failure state. Circular states are
closed-to-self (aka skip-states), i.e., if no transition can be taken, then there is an implicit self-looping transition. We
use the notation guard
assignment
to write guards and assignments on transitions, := for variable assignment, and == for
equality test.
Example 1 (QEA). Figure 1 depicts MR, a QEA that checks whether a given trace satisfies requirement R: “for all i,
event e1(i) should precede event e2(i)”. The alphabet of MR is ΣR = {e1(i), e2(i)}. Consequently, any event in an
input trace that is not an instantiation of e1(i) or e2(i) is ignored by MR. QEA MR has two states (1) and (2), which are
both accepting states, one quantified variable i, and zero free variables. As its initial state (1) is an accepting state,
the empty trace is accepted by MR. State (1) is a square state, hence an event e2(i) at state (1) leads into an implicit
failure state, which is what we want as it would not be preceded by event e1(i) in this case. An event e1(i) at state
(1) leads into state (2) which is a skipping state, so after an occurrence of event e1(i) any sequence of events (for the
2
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
Listing 1: Code of verifyPIN.
1 void ve r i f yP IN ( ) {
2 g _ a u t h e n t i c a t e d = BOOL_FALSE;
3 i f ( g_p t c > 0) {
4 i f ( byteArrayCompare ( g_us e rP i n , g_ca r dP i n ) == BOOL_TRUE) {
5 g_p t c = 3 ; /∗ r e s e t t h e c oun t e r o f t r i a l s ∗ /
6 g _ a u t h e n t i c a t e d = BOOL_TRUE; }
7 e l s e
8 { g_ptc−−; } /∗ one t r i a l l e s s r ema i n i ng ∗ /
9 }
10 re turn g _ a u t h e n t i c a t e d ;
11 }
same value of i) is accepted. We note that one can equivalently replace state (2) with an accepting square state with
a self-loop labeled by ΣR.
Quantification ∀i means that the property must hold for all values that i takes in a trace. Each instantiation of i
results in an EA.
To decide whether a trace is accepted by MR or not, the trace is first sliced based on the values that can match i.
Then, each slice is checked against the event automaton instantiated with the appropriate value for i. For instance,
the trace e1(I1).e2(I2).e2(I1).e1(I2) is sliced into the following two slices: i 7→ I1 : e1(I1).e2(I1), and i 7→ I2 :
e2(I2).e1(I2). Each slice is checked independently. The slice associated with I1 is accepted by MR(I1) as it ends in
the accepting state (2), while the slice associated with I2 is rejected by MR(I2) since the event e2(I2) at state (1) leads
to an implicit failure state. Therefore, the whole trace is rejected by the QEA because of the universal quantification
on i.
3 Preliminaries and Notations
As a running example, we consider function verifyPIN which is depicted in Listing 11. Function verifyPIN is
the main function for the verification of a user PIN. It handles the counter of user trials (variable g_ptc), which is
initialized to 3, i.e., the user is allowed for 3 trials (one trial per execution). The user is authenticated if the value of
g_ptc is greater than 0, and function byteArrayCompare returns BOOL_TRUE. Function byteArrayCompare returns
BOOL_TRUE if g_userPin and g_cardPin are equal. Note that BOOL_TRUE and BOOL_FALSE have the values 0xAA
and 0x55, respectively. This provides a better protection against faults that modifies data-bytes.
The monitors defined in Section 5 are generic. They are independent from programming language and do not require
changes to the low-level code because the required instrumentation to produce events can be made at the the source
code level. However, to describe attacks at a lower level, we make use of the three-address code (TAC) representation.
TAC is an intermediate-code representation which reassembles for instance LLVM-IR. TAC is machine independent,
easy to generate from source code, and can be easily converted into assembly code. In TAC, a program is a finite
sequence of three-address instructions. In particular, an instruction ifZ z goto L is a conditional branch instruction
that directs the execution flow to L if the value of z is 0 (i.e., false). An instruction goto L is an unconditional branch
instruction that directs the execution flow to L. A label L can be assigned to any instruction in the TAC. Instruction
Push x pushes the value of x onto the stack. Before making a function call, parameters are individually pushed onto
the stack from right to left. While Pop k pops k bytes from the stack; it is used to pop parameters after a function call.
Example 2. Listing 2 depicts the TAC representation of verifyPIN. The variables _t0, _t1 and _t2 are compiler-
generated temporaries.
To specify how the program under verification has to be instrumented, in Section 4.1, we refer to the control flow
graph (CFG) of the program. The CFG of a program is a representation of all the paths that might be taken during
its execution. A CFG is a rooted directed graph (V, E), where V is a set of nodes representing basic blocks, and E is
a set of directed edges representing possible control flow paths between basic blocks. A CFG has an entry node and
one exit node. The entry node has no incoming edges while the exit node has no outgoing edges. A basic block is a
maximal sequence S1 . . .Sn of instructions such that
1 The code is inspired from the C version in the FISSC benchmark [21].
3
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
B1
g_authenticated := BOOL_FALSE
_t0 := (g_ptc > 0)
ifZ _t0 goto L1
B2
Push g_cardPin
Push g_userPin
_t1:= call byteArrayCompare
Pop 64
_t2 := (_t1 == BOOL_TRUE)
ifZ _t2 goto L2
B3
g_ptc := 3
g_authenticated := BOOL_TRUE
goto L1
B4
L2:g_ptc := -g_ptc
B5
L1:return g_authenticated
T
F
T
F
Figure 2: CFG for the verifyPIN function.
• it can be entered only at the beginning, i.e., none of the instructions S2 . . .Sn has a label (i.e., target of a
branch), and
• it can be exited only at the end, i.e., none of the instructions S1 . . .Sn−1 is a branch instruction or a return.
A CFG may contain loops. A loop is a sequence B1, . . . , Bn of basic blocks dominated by the first basic block: B1, and
having exactly one back-edge from the last basic block: Bn into B1. Note that in a CFG, a basic block B dominates
a basic block B′ if every path from the entry node to B′ goes through B. An edge (B′, B) is called a back-edge if B
dominates B′.
Example 3. Figure 2 depicts the CFG of verifyPIN.
We define a test, in TAC, as an instruction that involves a logical expression, i.e., an instruction of the form
z := (x oprel y) where oprel is a logical operator, followed by the conditional branch instruction ifZ z goto L for
some label L. For a test A we use the notation cond(A) to refer to the condition (i.e., the logical expression) involved
in A.
Listing 2: The TAC representation of verifyPIN.
1 ve r i f yP IN :
2 g _ a u t h e n t i c a t e d := BOOL_FALSE
3 _ t 0 := ( g_p t c > 0)
4 i f Z _ t 0 goto L1
5 Push g_ca r dP i n
6 Push g_use rP i n
7 _ t 1 := c a l l byteArrayCompare
8 Pop 64
9 _ t 2 := ( _ t 1 == BOOL_TRUE)
10 i f Z _ t 2 goto L2
11 g_p t c := 3
12 g _ a u t h e n t i c a t e d := BOOL_TRUE
13 goto L1
14 L2 : g_p t c := −g_p t c
15 L1 : re turn g _ a u t h e n t i c a t e d
4
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
Example 4 (Test). Function verifyPIN contains two tests:
• _t0 := (g_ptc > 0), ifZ _t0 goto L1
• _t2 := (_t1 == BOOL_TRUE), ifZ _t2 goto L2.
Let B be a basic block. We use the notation BL to refer to the successor of B whose head is labeled by L if the
tail of B is an unconditional jump instruction goto L. Similarly, we use the notation BT (resp. BF) to refer to the
successor of B that is executed when (x oprel y) = True (resp. (x oprel y) = False) if B ends with a test A where
cond(A) = (x oprel y). Note that BF is the basic block whose head is labeled by L.
Finally, in what follows, variable i is used to denote the unique identifier of a basic block B, and i is used to denote
the unique identifier of a basic block B.
4 Modeling
We define our execution model in Section 4.1. Then, in Section 4.2, we define an attacker model for test inversion and
jump attacks.
4.1 Modeling Execution
We define a program execution (a program run) by a finite sequence of events, a trace. Such event-based modeling
of program executions is appropriate for monitoring actual events of the program. Events mark important steps in an
execution. We consider parametric events of the form e(p1, . . . , pn), where e is the event name, and p1, . . . , pn is the
list of symbolic parameters that take some concrete values at runtime.
As we consider fault injection attacks, then events themselves are under threat (e.g., an attacker may skip an event
emission). Skipping an event may result in a monitor reporting a false attack. In order to ensure events emission, we
assume that the program under verification is instrumented so that every event is consecutively emitted twice.
We define the following events which have to be emitted, two consecutive times each, during a program execution,
where G = (V, E) is the CFG of the program:
• For every basic block B ∈ V, event begin(i) has to be emitted at the beginning of B.
• For every basic block B ∈ V, event end(i) has to be emitted:
– just before instruction return, if the tail of B is return.
– at the beginning of BL, if the tail of B is an unconditional jump instruction goto L. Note that, in this
case, events end(i) have to be emitted before event begin(iL).
– at the beginning of both BT and BF, if the tail of B is a conditional jump instruction ifZ z goto L. Note
again that, in this case, events end(i) have to be emitted before events begin(iT) and begin(iF).
– at the end of B, otherwise.
• For every loop B1, . . . , Bn in graph G, events reset(i1), . . ., reset(in) have to be emitted at the end of Bn.
Event reset(i) means that the basic block whose identifier is i may be executed again as it is involved in
a loop. Note that, in this case, reset events have to be emitted before event end(in) as the latter is used to
detect jump attacks.
• For every basic block B ∈ V that ends with a test A, events bT(i, x, y) and bF(i, x, y) have to be emitted at the
beginning of BT and BF, respectively, where cond(A) = (x opreli y). We note that, in this case, the identifier
i also identifies the test A and the logical operator opreli as a basic block can contain at most one test.
We define a program execution as follows.
Definition 1. (Program Execution). Let P be a program. An execution Pexec of P is a finite sequence of events
e1. · · · .en, where n ∈ N, such that ej ∈ ΣALL = {begin(i), end(i), reset(i), bT(i, x, y), bF(i, x, y)} for every
j ∈ {1, . . . , n}.
For an execution Pexec, we use the functional notation Pexec(i) to refer to the trace obtained from Pexec by considering
only the related events depending on the values taken by i. Indeed, Pexec(i) contains only the event related to the
basic block identified by i.
5
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
4.2 Modeling Attacker
We focus on test inversion and jump attacks. A test inversion attack is an attack where the result of a test is inverted.
Whereas, a jump attack is an attack that directs the control flow of a program execution in a way that results in a path
that does not exist inside the CFG of the program.
Test inversion and jump attacks can be performed using physical means [8], such as voltage and clock glitches, and
electromagnetic and laser perturbations, to disturb program executions. An attack can also result from transient errors
or malicious software.
We consider the multiple fault injection model for test inversion attacks, whereas we consider the single fault injection
model for jump attacks. Indeed, the scenario where a jump from a basic block B into a basic block B′ that is directly
followed by a jump from B′ into B may not be detected by our monitors. Note that the limitation of our monitors in
detecting jump attacks in case of multiple fault injections is restricted to the case where the injections result in multiple
jump attacks. Nevertheless, scenarios where there is only one jump attack and (possibly) other attacks, such as test
inversion attack and event skip attack (provided that at most one occurrence of an event is skipped), can be detected
by our monitors.
Furthermore, we assume that the attacker can skip at most one of the two consecutive occurrences of an event. Other-
wise, monitors may not receive all the necessary events to output correct verdicts.
Test inversion attack. Consider a basic block B that ends with a test A = z := (x oprel y), ifZ z goto L. There
is a test inversion attack on A when BT is executed when (x oprel y) = False, or when BF is executed when
(x oprel y) = True. In practice, the result of A can be inverted, for example, by:
• skipping the conditional branch instruction, so that BT is executed regardless whether (x oprel y) evaluates
to True or False),
• skipping the instruction that involves the logical expression provided that variable z already holds the value
that results in branch inversion, or
• flipping the value of z after the logical expression being evaluated.
Definition 2. (Test Inversion Attack). Let P be a program, and let Pexec = e1, . . . , en be an execution of P. We say
that there is a test inversion attack on Pexec if it violates R1 or R2 which are defined as follows, where i identifies
opreli :
• R1: for every j, if ej = eT(i, x, y) then (x opreli y) = True.
• R2: for every j, if ej = eF(i, x, y) then (x opreli y) = False.
Jump attack. In our model, a jump attack interrupts an execution of a basic block, starts an execution of a basic
block not at its first instruction, or results in an edge that does not exist in the CFG. In practice, a jump attack can
be performed, for example, by manipulating the target address of a branch or return. Note that we do not consider
intra-basic block jumps (which are equivalent to skipping one or more instruction inside the same basic block).
Let B be a basic block, and consider only events begin(i) and end(i). Then, in the absence of jump attacks, an
execution of B results in one of the following traces depending on whether none, one, or two events are skipped
(assuming events duplication):
• tr1 = begin(i).begin(i).end(i).end(i),
• tr2 = begin(i).end(i).end(i),
• tr3 = begin(i).begin(i).end(i), or
• tr4 = begin(i).end(i).
During a program execution, B may get executed more than once only if it is involved in a loop. In this case, between
every two executions of B event reset(i) should be emitted.
Definition 3. (Jump Attack). Let P be a program, and let Pexec be an execution of P. Let P
J
exec(i) = e1, . . . , en denote
the trace obtained from Pexec(i) by filtering out all the events that are not in ΣJ = {begin(i), end(i), reset(i)}.
We say that there is a jump attack on Pexec if there exists i such that P
J
exec(i) violates R3, R4 or R5, which are defined
as follows:
• R3: for every j, if ej = begin(i) then
6
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
– ej+1 = end(i), if ej−1 = begin(i).
– ej+1 = end(i), or ej+1 = begin(i) and ej+2 = end(i), if ej−1 6= begin(i).
• R4: for every j, if ej = end(i) then
– ej−1 = begin(i), if ej+1 = end(i).
– ej−1 = begin(i), or ej−1 = end(i) and ej−2 = begin(i), if ej+1 6= end(i).
• R5: there is no j such that ej = end(i) and ej+1 = begin(i).
Definition 3 considers the jump attacks that result in executions that cannot be built by concatenating elements from
{tr1, tr2, tr3, tr4, reset(i)}. Namely, it considers the following attacks:
• Any attack that interrupts an execution of a basic block B. This attack results in one or two consecutive
occurrences of event begin(i) that is not directly followed by event end(i), which violates requirement R3
of Definition 3.
• Any attack that starts the execution of a basic block B not from its beginning. This attack results in event
end(i) that is not directly preceded by event begin(i), which violates requirement R4 of Definition 3.
• Any attack that performs a backward jump from the end of a basic block B2 into the beginning of a basic
block B1 (i.e., the execution already went through B1 before reaching B2) such that there is no edge from
B2 to B1 inside the related CFG. This attack results in two executions of B1 that are not separated by, at
least, an emission of event reset(i). Thus, it results in event end(i) that is directly followed by event
begin(i), which violates requirement R5 of Definition 3. Note that similar forward jumps are not considered
by Definition 3 as they do not violate R3, R4 nor R5.
Finally, we note that a trace PJexec(i) that starts with event reset(i) or containsmore than two consecutive occurrences
of event reset(i) does violate any of the requirements R3, R4 and R5. However, such a trace is produced only if there
is a basic block B′, with i′ 6= i, that is executed not from its beginning. Consequently, PJexec(i
′) violates R4 in this
case, and thus the attack that can result in such situation is considered by Definition 3.
Example 5 (Number of Events). In order to check verifyPIN for test inversion attacks, it has to be instrumented to
produce 8 events (4 bT(i, x, y) events and 4 bF(i, x, y) events) since verifyPIN contains two tests and every event
has to be emitted twice. Whereas, to check verifyPIN for jump attacks, it has to be instrumented to produce 24 events
(10 begin(i) events and 14 end(i) events) since verifyPIN has 5 basic blocks, contains two conditional branches,
and every event has to be emitted twice.
5 Monitors
We propose monitors that check for the presence/absence of test inversion and jump attacks on a given execution.
We assume that each event is consecutively emitted twice. Note that, in the absence of event skip attack, our monitors
can still detect test inversion and jump attacks if each event is emitted only once2. Note also that our monitors can be
easily modified to report event skip attack by using a variable to count the number of received events or by tracing the
visited states3.
5.1 A Monitor for Detecting Test Inversions
Figure 3 depicts monitor MTI, a QEA that detects test inversion attacks on a given execution. The alphabet of MTI is
ΣTI = {eT(i, x, y), eF(i, x, y)}. Monitor MTI has only one state, which is an accepting square state. It fails when event
eT(i, x, y) is emitted while (x opreli y) = False (i.e., if the requirement R1 is violated), or when event eF(i, x, y) is
emitted while (x opreli y) = True (i.e., if the requirement R2 is violated). MTI accepts multiple occurrences of events
eT(i, x, y) and eF(i, x, y) as long as the related guards hold. Note that parameter i is used to identify opreli and it
allows reporting the test that has been inverted in case of failure.
Proposition 1. Let P be a program and Pexec an execution of P. Monitor MTI rejects Pexec iff there is a test inversion
attack on Pexec.
Example 6 (Test Inversion Attack). An attacker can perform a test inversion attack on verifyPIN by skipping the
second conditional branch: ifZ _t2 goto L2 (Line 10 of Listing 2). This attack allows the attacker to get authenti-
cated with a wrong PIN. Assuming a wrong PIN, function byteArrayCompare returns a value BOOL_FALSE (which
2A smaller monitor can be used for jump attacks in this case, see Figure 4.
3An additional state has to be added to MTI in this case, see Figure 3.
7
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
∀ i
1
eT(i, x, y) (x oprel
i
y)==True
eF(i, x, y) (x oprel
i
y)==False
Figure 3: MTI, a QEA detecting test inversion attacks.
is assigned to _t1). Thus, value 0 is assigned to variable _t2 as a result of the logical instruction _t2:=(_t1 ==
BOOL_TRUE). At this point, if the conditional branch is skipped, the execution branches to B3 (the success branch) in-
stead of B4 (the failure branch) which was supposed to be executed as the value of _t2 is 0. Provided that verifyPIN
is instrumented as described in Section 4.1, the faulted execution after filtering out any event that is not in ΣIT is as
follows, where Ij is the identifier of Bj, and initially we have g_ptc=3:
eT(I1, 3, 0).eT(I1, 3, 0).eT(I2, BOOL_FALSE, BOOL_TRUE)
.eT(I2, BOOL_FALSE, BOOL_TRUE)
Note that eT(I1, 3, 0) is emitted at the beginning of B2, the success branch of the first test. It takes the arguments I1, 3,
and 0 since the corresponding test is inside B1, and the involved condition is (g_ptc > 0) where g_ptc = 3. On the
other hand, eT(I2, BOOL_FALSE, BOOL_TRUE) is emitted at the beginning of B3, the success branch of the second test.
It takes the arguments I2, BOOL_FALSE, and BOOL_TRUE since the corresponding test is inside B2, and the involved
condition is (_t1 == BOOL_TRUE) where byteArrayCompare returns BOOL_FALSE into _t1 (as g_userPin is a
wrong PIN).
The faulted execution is sliced by MIT, based on the values that i can take, into the following two slices:
i 7→ I1 : eT(I1, 3, 0).eT(I1, 3, 0)
i 7→ I2 : eT(I2, BOOL_FALSE, BOOL_TRUE).eT(I2, BOOL_FALSE, BOOL_TRUE)
Slice i 7→ I1 satisfies both requirements R1 and R2, and thus it is accepted by MTI(I1). While,
slice i 7→ I2 does not satisfy the requirement R1 as event eT(I2, BOOL_FALSE, BOOL_TRUE) is emitted
but (BOOL_FALSE == BOOL_TRUE) = False, and thus it is rejected by MIT(I2). Indeed, the occurrence of
eT(I2, BOOL_FALSE, BOOL_TRUE) leads into an implicit failure state since the related guard is not satisfied. Therefore,
since slice i 7→ I2 is rejected by MIT(I2), the whole faulted execution is rejected by MIT.
5.2 A Monitor for Detecting Jump Attacks
Figure 4 depicts monitor MJ, a QEA that detects jump attacks on a given program execution. The alphabet of MJ(i) is
ΣJ = {begin(i), end(i), reset(i)}. Monitor MJ covers every basic block i inside the CFG of the given program.
An instantiation of i results in the EA MJ(i). Note that MJ assumes a single fault injection model.
∀ i
1 2 3 4 5
begin(i) begin(i) end(i) end(i)
end(i)
resetB(i)
reset(i)
reset(i)
Figure 4: MJ, a QEA detecting jump attacks.
Proposition 2. Let P be a program, and let Pexec be an execution of P. Monitor MJ rejects Pexec iff there is a jump
attack on Pexec.
Indeed, MJ cannot output a final verdict concerning R1 until the end of the execution as event end(i) may occur at
any point in the future. One way to explicitly catch the end of an execution is to include event exit in ΣJ, and add
a transition from state (5), labeled by exit, to a new accepting square state, say state (6). Then, an occurrence of
event exit in state (3) means that event end(i) will definitely not occur, and thus leads to an implicit failure state. A
self-loop on state (4) labeled by exit is also required. Note that an occurrence of event exit at state (1) will also lead
to failure.
8
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
Example 7 (Jump Attack). An attacker can perform a jump attack on verifyPIN by modifying the return address
of the function byteArrayCompare, for example, into the address of the first instruction (g_ptc := 3) of the basic
block B3 (see Figure 2). This attack interrupts the execution of B2, and allows the attacker to get authenticated with a
wrong PIN as it skips the test that follows byteArrayCompare. Consequently, B3 (the success branch) will be executed
regardless of the value returned by byteArrayCompare. Provided that verifyPIN is instrumented as described in
Section 4.1, the faulted execution after filtering out any event that is not in ΣJ is as follows, where Ij is the identifier
of Bj:
begin(I1).begin(I1).end(I1).end(I1).begin(I2).begin(I2).begin(I3)
.begin(I3).end(I3).end(I3).begin(I5).begin(I5).end(I5).end(I5)
The faulted execution is sliced by MJ, based on the values that i can take, into the following four slices:
i 7→ I1 : begin(I1).begin(I1).end(I1).end(I1),
i 7→ I2 : begin(I2).begin(I2),
i 7→ I3 : begin(I3).begin(I3).end(I3).end(I3), and
i 7→ I5 : begin(I5).begin(I5).end(I5).end(I5).
Slices i 7→ I1, i 7→ I3, and i 7→ I5 satisfy requirements R3, R4 and R5. Thus, they are respectively accepted by
MJ(I1), MJ(I3), and MJ(I5). However, slice i 7→ I2 does not satisfy the requirement R3 as it contains two consecutive
occurrences of event begin(I2) that are not followed by event end(I2). Thus it is rejected by MJ(I2). Indeed, the
first occurrence of event begin(I2) fires the transition from state (1) into state (2), and the second occurrence of
begin(I2) fires the transition from state (2) into state (3), see Figure 4. Thus, MJ(I2) ends in state (3), which is a
failure state. Therefore, since slice i 7→ I2 is rejected by MJ(I2), the whole faulted execution is rejected by MJ.
Note, given a CFG (V, E), monitor MJ cannot detect an attack where a forward jump from the end of B ∈ V into
the beginning of B′ ∈ V with (B, B′) /∈ E is executed. Indeed, in order to detect such a jump, a global monitor with a
structure similar to the CFG is needed where basic blocks are replaced by EAs that resemble MJ(i)with the adjustment
of reset transitions in accordance with the loops.
6 Monitor Validation
We validate our monitors by demonstrating their effectiveness in detecting simulated attacks against P = verifyPIN.
Following the initial C implementation, we have implemented verifyPIN and the monitors using Java and AspectJ4.
We have instrumented verifyPIN at the source code level. More precisely, for every required event we have defined
an associated function which is called inside verifyPIN at the positions where the event has to be emitted as specified
in Section 4.1. The associated functions are used to define pointcuts in AspectJ. When a function is called, i.e., a
pointcut is triggered, the corresponding event is fed to the running monitor. The monitor then makes a transition based
on its current state and the received event, and reports a verdict. The code segments executed by the monitor (called
advices) are woven within the original source files to generate the final source code that is compiled into an executable.
For example, Listing 3 depicts the Java implementation of MTI. Two states are defined: Ok (accepting state) and
Error (failure state). Function updateState (Lines 4-19) takes an event and then, after evaluating the condition
(x oprel y), it updates the currentState. If the monitor is in state Ok, the state is updated into Error if the received
event is eT and the condition evaluates to false, or the received event is eF and the condition evaluates to true. Once
state Error is reached, the monitor cannot exit from it. Function currentVerdict (Lines 21-26) emits verdict
CURRENTLY_TRUE if the currentState is Ok, whereas it emits verdict FALSE if the currentState is Error.
In what follows, we illustrate about how we carried out our experiment and the obtained results. The experiment was
conducted using Eclipse 4.11 and Java JDK 8u181 on a standard PC (Intel Core i7 2.2 GHz, 16 GB RAM).
6.1 Normal Executions
Providing events duplication, running instrumented verifyPIN in the absence of an attacker results in one of the
following 3 executions depending on the values of g_ptc and g_userPin:
• Pexec1 which contains 10 events: 4 events begin, 4 events end and 2 events eF that result from executing B1
and B5 (see Figure 2). This execution is performed when g_ptc ≤ 0.
4www.eclipse.org/aspectj/
9
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
Listing 3: Java implementation of MTI.
1 p u b l i c c l a s s V e r i f i c a t i o nMon i t o r T I {
2 p r i v a t e S t a t e c u r r e n t S t a t e = S t a t e . Ok ;
3
4 p u b l i c vo id u p d a t e S t a t e ( Event e ) {
5 sw i t c h ( t h i s . c u r r e n t S t a t e ) {
6 ca s e Ok :
7 i n t x = e . getX ( ) ;
8 i n t y = e . getY ( ) ;
9 S t r i n g o p r e l = e . g e tOp r e l ( ) ;
10 boo l e an c o n d i t i o n = eva l ua t eCond ( x , y , o p r e l ) ;
11 i f ( ( e . getName ( ) . e q u a l s ( " eT " ) && ! c o n d i t i o n ) | | ( e . getName ( ) . e q u a l s ( " eF " ) &&
co n d i t i o n ) )
12 { t h i s . c u r r e n t S t a t e = S t a t e . E r r o r ; }
13 b r e ak ;
14 ca s e E r r o r :
15 / / No need t o e x e c u t e any code .
16 b r e ak ;
17 }
18 System . ou t . p r i n t l n ( "moved t o "+ t h i s . c u r r e n t S t a t e ) ;
19 }
20
21 p u b l i c Ve r d i c t c u r r e n t V e r d i c t ( ) {
22 sw i t c h ( t h i s . c u r r e n t S t a t e ) {
23 ca s e Ok : r e t u r n Ve r d i c t .CURRENTLY_TRUE ;
24 ca s e E r r o r : r e t u r n Ve r d i c t . FALSE ;
25 d e f a u l t : r e t u r n Ve r d i c t . FALSE ;
26 }
27 }
28 }
• Pexec2 which contains 20 events: 8 events begin, 8 events end, 2 events eT and 2 events eF that result from
executing B1, B2, B4 and B5. This execution is performed when g_ptc> 0 and g_userPin 6= g_cardPin.
• Pexec3 which contains 20 events: 8 events begin, 8 events end and 4 events eT that result from executing B1,
B2, B3 and B5. This execution is performed when g_ptc > 0 and g_userPin = g_cardPin.
Table 1 summarizes the cumulative execution time and the memory footprint of 100K runs of Pexec3 : (i) without
instrumentation, (ii) with instrumentation, and (iii) with instrumentation and the monitors. Note that the memory
consumption can be bounded as a monitor processes only one event at a time, keeps track only of the current state, and
are parametrized by the current executing block.5
The time overhead depends on the size of the application and the number of events. The size of verifyPIN is small;
hence the measured overhead represents an extreme and unfavorable situation. A more representative measure of the
overhead should be done on larger applications, especially because our approach aims at protecting the critical parts
of an application instead of protecting every single instruction. Moreover, we note that our implementation is not
optimized yet, and that using AspectJ for instrumentation is not the best choice performance-wise. Instrumentation
causes most of the overhead (see Table 1). In the future, using tools such as ASM [22] to directly instrument the
bytecode would result in a smaller overhead.
Table 1: Cumulative execution time and memory footprint of 100K runs of Pexec3 .
CPU Time (ms) Memory (KB)
verifyPIN 164 284
Inst. verifyPIN 209 (× 1.27) 796.6 (× 2.8)
Inst. verifyPIN&Monitors 228 (× 1.39) 801 (× 2.82)
5We verified empirically that the memory consumption is insensitive to the number of events. However, we did not report the
numbers because of lack of space.
10
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
6.2 Test Inversion Attack
Function verifyPIN contains two tests. The first test: _t0 := (g_ptc > 0), ifZ _t0 goto L1 is represented, in
Java bytecode, using the instruction ifle L1. The instruction ifle L1 compares g_ptc and 0, which are previously
loaded into the stack, and performs a branch into L1 if g_ptc is less than or equal to 0. This test can be inverted by
replacing ifle L1 with ifgt L1, which performs a branch if g_ptc is greater than 0.
Similarly, the second one: _t2 := (_t1 == BOOL_TRUE), ifZ _t2 goto L2 is represented using the instruction
if_icmpne L2, which compares _t1 and BOOL_TRUE, and performs a branch into L2 if they are not equal. This test
can be inverted by replacing if_icmpnewith if_icmpeq, which performs a branch if the operands are equal.
The binary opcodes of ifle, ifgt, if_icmpne and if_icmpeq are respectively “1001 1110”, “1001 1101”, “1010
0000” and “1001 1111”. Hence, replacing ifle with ifgt (resp. if_icmpnewith if_icmpeq) requires modifying 2
bits (resp. 6 bits).
Depending on the values of g_ptc and g_userPin, a test inversion attack can be used, e.g., to force authentication
with a wrong PIN or to prevent the authentication with the correct PIN.
As verifyPIN contains two tests, we consider the two following scenarios:
• In case of a wrong user PIN in the first trial (i.e., g_ptc = 3), inverting the second test results in a successful
authentication. This is the attack presented in Example 6. Note that monitor MTI reports an attack after processing
the first occurrence of event eT corresponding to the second test as the related guard does not hold in this case. That
is after receiving 11 events: 4 events begin, 4 events end and 3 events eT. Whereas, the full execution contains 20
events.
• In case of a wrong user PIN in the fourth trial (i.e., g_ptc = 0), inverting both tests results in a successful authenti-
cation. Again, MTI reports an attack after processing the first occurrence of event eT. That is after receiving 5 events:
2 events begin, 2 events end and 1 events eT.
Forcing the “success branch”, in the scenarios above, can be also performed by replacing ifle and/or if_icmpnewith
nop, which is equivalent to instruction skip, and thus results in the execution of the the “success branch” regardless
of the operands’ values. Replacing ifle (resp. if_icmpne) with nop (“0000 0000”, in binary) requires modifying 5
bits (resp. 2 bits). Note that replacing ifle or if_icmpnewith nop only works with Java 6 or earlier6.
Our experiment showed that MTI can detect both attack scenarios presented above.
6.3 Jump Attack
A jump attack can be simulated, in Java bytecode, by replacing an instruction with goto L for a certain line number
L. However, this results in an inconsistent stackmap frame for Java 7 and latest versions. Nevertheless, it is possible to
simulate the jump attack presented in Example 7 at the source code level 7. We note here that the main purpose is not
performing the attack, but to validate that MJ can detect jump attacks. The latter is confirmed by our experiment.
The faulted execution presented in Example 7 contains 16 events: 6 events begin, 6 events end and 2 events eT.
However, MJ reports an attack after processing the first occurrence of event end corresponding to B3. That is, after
receiving 9 events: 4 events begin, 3 events end and 2 events eT. Note that the execution of B2 has been interrupted
before, but MJ cannot report an attack in this case until the end of the execution as event end may appear at any time
in the future.
7 Related Work
This work introduces formal runtime verification monitors to detect fault attacks. Runtime verification/monitoring
was successfully applied to several domains, e.g., for monitoring financial transactions [24], monitoring IT logs [25],
monitoring electronic exams [26], monitoring smart homes [27].
6 Starting from Java 7, the typing system requires a stack map frame at the beginning of each basic block [23]. Thus, a stack
map frame is required by every branching instruction. The stack map frame specifies the verification type of each operand stack
entry and of each local variable. Replacing if_icmpne with if_icmpeq does not result in a violation of the related stack map
frame, however, replacing it with nop does. Hence, in order to simulate the attack by replacing if_icmpne with nop, the stack
map frame also has to be modified.
7 Indeed, it is not possible to simulate this attack by modifying the return address of byteArrayCompare. However, one can
simulate the effect of goto using break and continue statements.
11
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
In the following, we compare our work to the research endeavors that propose software-based protections against
attacks. We distinguish between algorithm-level and instruction-level approaches.
7.1 Algorithm-level Approaches
At the algorithm level, there are approaches that use basic temporal redundancy [28, 1, 11, 8, 29] such as computing
a cryptographic operation twice then comparing the outputs. There are also approaches that use parity codes [10] and
digest values [30].
Some other works make use of signature mechanisms and techniques to monitor executions, such as state automata
and watchdog processor, in order to detect errors or protect the executions control flow. For instance, [31, 32, 33] use
watchdogs for error detection at runtime. The underlying principle is to provide a watchdog processor [34] with some
information about the process (or processor) to be verified. Then, the watchdog concurrently collects the relevant
information at runtime. An error is reported when the comparison test between the collected and provided information
fails. The watchdog processor can also be used to detect control flow errors, as illustrated in [32], by verifying that
the inserted assertions are executed in the order specified by the CFG. Ersoz et al. [31] propose the watchdog task, a
software abstraction of the watchdog processor, to detect execution errors using some assertions. Saxena et al. [33]
propose a control-flow checking method using checksums and watchdog. To ensure the control flow of a program, a
signature is derived from the instructions based on checksum. However, these approaches focus on protecting solely
basic blocks and the control flow, and do not protect branch instructions. Whereas our monitors detect attacks on
branch instructions. Moreover, using a watchdog processor for monitoring involves larger communication overhead
than using runtime verification.
Nicolescu et al. [35] propose a technique (SIED) to detect transient errors such as bit-flip. This technique has been
designed to be combined with an instruction duplication approach. It performs comparison checks and uses signatures
to protect the intra-block and inter-block control flow, respectively. Relaying on comparison checks make it subject
to fault injections that skip the check itself [36, 37]. Note that experiments have shown that SIED cannot detect all
bit-flip faults. Later in [38], the authors propose another error-detection mechanism that provides full coverage against
single bit-flip faults. These works only consider single bit-flip as a fault model, whereas our definition of the attacks
is independent of the technique used to perform the attack.
Sere et al. [39] propose a set of countermeasures based on basic block signatures and security checks. The framework
allows developers to detect mutant applications given a fault model, and thus developing secure applications. The
countermeasures can be activated by the developer using an annotation mechanism. This approach requires some
modifications in the Java Virtual Machine in order to perform the security checks. Bouffard et al. [40] propose an
automaton-based countermeasure against fault injection attacks. For a given program, every state of the corresponding
automaton corresponds to a basic block of the CFG, and each transition corresponds to an edge, i.e., allowed control
flow. Thus the size of the resulting automaton is proportional to the size of the CFG of the program. Whereas, our
monitors are lightweight and small in size.
Fontaine et al. [41] propose a model to protect control flow integrity (CFI). The approach relies on instrumenting the
LLVM IR code, and then using an external monitor (state automaton) which enforces CFI at runtime. Lalande et
al. [42] propose an approach to detect intra-procedural jump attacks at source code level, and to automatically inject
some countermeasures. However, these approaches do not consider test inversion attacks.
Algorithm-level approaches do not require changes to the instruction code. However, they are not effective against
compile-time modifications. Moreover, it has been shown that they are not robust against multiple fault injections [11,
12] or skipping the critical parts of the code [36, 37]. Furthermore, most of the existing algorithm-level approaches
are not generic.
Our approach is based on the formal model of QEAs, which is one of the most expressive and efficient form of
runtime monitor [43]. Our approach is also generic as it can be applied to any application and the monitors can
be easily tweaked and used in combination with the monitors for the program requirements. Moreover, monitors
may run in a hardware-protected memory as they are lightweight and small in size. This provides more protection
against synchronized multiple fault injections on both the monitored program and the monitor. Furthermore, runtime
monitoring is modular and compatible with the existing approaches, for instance, monitor MTI can be used to detect
fault attacks on the test that compares the outputs when an operation is computed twice.
Note, to ensure the correct extraction of the necessary information (i.e., events) from a running program, we use
emission duplication. This may require the duplication of every related instruction as duplication at the source code
level may not be sufficient.
12
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
7.2 Instruction-level Approaches
At instruction-level, there are approaches that aim at providing fault-tolerance. These include (i) the approaches that
apply the duplication or triplication of instructions [13, 14] in order to provide 100% protection against skip fault
injections, and (ii) the approaches that rely on replacing every instruction with a sequence of functionally equiva-
lent instructions such that skipping any of these instructions does not affect the outcome [15, 44]. Such approaches
provide more guarantees than algorithm-level approaches. Indeed, it is believed that they are robust against multiple
fault injections under the assumption that skipping two consecutive instructions is too expensive and requires high
synchronization capabilities [13, 15]. However, they require dedicated compilers for code generation. Moreover,
approaches that apply the duplication or replacement of instructions are processor dependent as some instructions
have to be replaced by a sequence of idempotent or functionally equivalent instructions. Furthermore, they introduce
a large overhead in performance and footprint. For instance, instruction duplication increases the overhead at least
twice. Nevertheless, the overhead can be decreased by protecting only the critical parts of the code. In comparison,
our monitors are easy to implement and deploy, introduce smaller overhead, and are independent of the processor and
the complier. Note that, runtime monitoring does not provide 100% protection against all fault attacks. Our monitors
can detect test inversion and jump attacks. Providing more guarantees requires more monitors.
There are also approaches that aim at ensuring CFI. Most existing CFI approaches follow the seminal work by Abadi et
al. [45], which makes use of a special set of instructions in order to check the source and destination addresses involved
in indirect jumps and indirect function calls. CFI approaches do not aim to provide a 100% fault coverage. Instead
they aim at providing protections against jump-oriented attacks [46, 47], and return-oriented attacks [48]. A related
technique called control flow locking (CFL) has been introduced by Bletsch et al. [49] in order to provide protection
against code-reuse attacks. Instead of inserting checks at control flow transfers, CFL locks the correspondingmemory
address before a control flow transfer, and then unlocks it after the transfer is executed.
Similar to other instruction-level approaches, these CFI approaches requires change to the instruction code, and usually
introduce large overhead. Note that detecting jump attacks by our monitors is some sort of reporting CFI violations.
Note also that CFI does not deal with test inversion attacks as taking any of the branches after a conditional branch
does not violate CFI.
8 Conclusions and Perspectives
We formally define test inversion and jump attacks. Then, we propose monitors expressed as Quantified Event Au-
tomata in order to detect these attacks. Our monitors are lightweight and small in size, and they support the duplication
of events emission which provides protection against event skip attacks. Finally, we demonstrate the validity of our
monitors using attack examples on verifyPIN.
In the future, we will define more monitors to detect additional attacks following the principles exposed in this paper.
For example, a monitor that can detect attacks on function calls. We also plan (i) to verify applications larger than
verifyPIN, combined with detailed feasibility and performance analysis, (ii) to use a Java bytecode editing tool, such
as ASM [22] or JNIF [50], to simulate faults, and (iii) to deploy the monitors on hardware architectures such as smart
cards, Raspberry Pi, and microcontrollers based on Arm Cortex-M processor. Furthermore, we consider building a
tool for automatic generation of monitors from QEAs, and developing a runtime enforcement [51, 52, 53] framework
where some corrective actions and countermeasures are automatically executed and taken respecticely once an attack
is detected.
References
[1] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols
for faults (extended abstract). In Advances in Cryptology - EUROCRYPT ’97, International Conference on the
Theory and Application of Cryptographic Techniques, Konstanz, Germany, 1997, Proceeding, 1997.
[2] Josep Balasch, Benedikt Gierlichs, and Ingrid Verbauwhede. An in-depth and black-box characterization of the
effects of clock glitches on 8-bit mcus. In FDTC’11, Tokyo, Japan, September 29, 2011, pages 105–114, 2011.
[3] Amine Dehbaoui, Amir-Pasha Mirbaha, Nicolas Moro, Jean-Max Dutertre, and Assia Tria. Electromagnetic
glitch on the AES round counter. In COSADE’13, Revised Selected Papers, pages 17–31, 2013.
[4] Dilip S. V. Kumar, Arthur Beckers, Josep Balasch, Benedikt Gierlichs, and Ingrid Verbauwhede. An in-depth
and black-box characterization of the effects of laser pulses on atmega328p. In CARDIS 2018, France, 2018,
Revised Selected Papers., 2018.
13
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
[5] Pascal Berthomé, Karine Heydemann, Xavier Kauffmann-Tourkestansky, and Jean-François Lalande. High level
model of control flow attacks for smart card functional security. In ARES 2012, Czech Republic, 2012, 2012.
[6] Bilgiday Yuce, Patrick Schaumont, and Marc Witteman. Fault attacks on secure embedded software: Threats,
design, and evaluation. J. Hardware and Systems Security, 2(2), 2018.
[7] Dusko Karaklajic, Jörn-Marc Schmidt, and Ingrid Verbauwhede. Hardware designer’s guide to fault attacks.
IEEE Trans. VLSI Syst., 21(12), 2013.
[8] Hagai Bar-El, Hamid Choukri, David Naccache, Michael Tunstall, and Claire Whelan. The sorcerer’s apprentice
guide to fault attacks. Proceedings of the IEEE, 94(2):370–382, 2006.
[9] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of eliminating errors in cryptographic
computations. J. Cryptology, 14(2), 2001.
[10] Ramesh Karri, Grigori Kuznetsov, and Michael Gössel. Parity-based concurrent error detection of substitution-
permutation network block ciphers. In CHES’03, Proceedings, 2003.
[11] Christian Aumüller, Peter Bier, Wieland Fischer, Peter Hofreiter, and Jean-Pierre Seifert. Fault attacks on RSA
with CRT: concrete results and practical countermeasures. In Cryptographic Hardware and Embedded Systems
- CHES 2002, Redwood Shores, USA, 2002, Revised Papers, pages 260–275, 2002.
[12] Sho Endo, Naofumi Homma, Yu-ichi Hayashi, Junko Takahashi, Hitoshi Fuji, and Takafumi Aoki. A multiple-
fault injection attack by adaptive timing control under black-box conditions and a countermeasure. In Construc-
tive Side-Channel Analysis and Secure Design - 5th InternationalWorkshop, COSADE 2014, Paris, France, April
13-15, 2014. Revised Selected Papers, pages 214–228, 2014.
[13] Alessandro Barenghi, Luca Breveglieri, Israel Koren, Gerardo Pelosi, and Francesco Regazzoni. Countermea-
sures against fault attacks on software implemented AES: effectiveness and cost. In Proceedings of the 5th
Workshop on Embedded Systems Security, WESS 2010, Scottsdale, AZ, USA, October 24, 2010, page 7. ACM,
2010.
[14] Thierno Barry, Damien Couroussé, and Bruno Robisson. Compilation of a countermeasure against instruction-
skip fault attacks. In Proceedings of the Third Workshop on Cryptography and Security in Computing Systems,
CS2@HiPEAC, Prague, Czech Republic, January 20, 2016, 2016.
[15] Nicolas Moro, Karine Heydemann, Emmanuelle Encrenaz, and Bruno Robisson. Formal verification of a soft-
ware countermeasure against instruction skip attacks. J. Cryptographic Engineering, 4(3):145–156, 2014.
[16] Klaus Havelund and Allen Goldberg. Verify your runs. In Bertrand Meyer and Jim Woodcock, editors, Verified
Software: Theories, Tools, Experiments, First IFIP TC 2/WG 2.3 Conference, VSTTE 2005, Zurich, Switzerland,
October 10-13, 2005, Revised Selected Papers and Discussions, volume 4171 of Lecture Notes in Computer
Science, pages 374–383. Springer, 2005.
[17] Martin Leucker and Christian Schallhart. A brief account of runtime verification. J. Log. Algebr. Program.,
78(5):293–303, 2009.
[18] Yliès Falcone, Klaus Havelund, and Giles Reger. A tutorial on runtime verification. In Engineering Dependable
Software Systems, pages 141–175. 2013.
[19] Ezio Bartocci, Yliès Falcone, Adrian Francalanza, and Giles Reger. Introduction to runtime verification. In
Lectures on Runtime Verification - Introductory and Advanced Topics. 2018.
[20] Howard Barringer, Yliès Falcone, Klaus Havelund, Giles Reger, and David E. Rydeheard. Quantified event au-
tomata: Towards expressive and efficient runtime monitors. In Dimitra Giannakopoulou and Dominique Méry,
editors, FM 2012: Formal Methods - 18th International Symposium, Paris, France, August 27-31, 2012. Pro-
ceedings, volume 7436 of Lecture Notes in Computer Science, pages 68–84. Springer, 2012.
[21] Louis Dureuil, Guillaume Petiot, Marie-Laure Potet, Aude Crohen, and Philippe De Choudens. FISSC: a Fault
Injection and Simulation Secure Collection. In International Conference on Computer Safety, reliability and
Security, volume 9922 of LNCS, pages 3–11, Trondheim, Norway, 2016. Springer Berlin / Heidelberg.
[22] Eugene Kuleshov. Using the asm framework to implement common java bytecode transformation patterns, 2007.
[23] Tim Lindholm, Frank Yellin, Gilad Bracha, and Alex Buckley. The java virtual machine specification, java se 7
edition, 2013.
[24] Christian Colombo and Gordon J. Pace. Fast-forward runtime monitoring — an industrial case study. In Shaz
Qadeer and Serdar Tasiran, editors, Runtime Verification: Third International Conference, RV 2012, Istanbul,
Turkey, September 25-28, 2012, Revised Selected Papers, pages 214–228, Berlin, Heidelberg, 2013. Springer
Berlin Heidelberg.
[25] David Basin, Germano Caronni, Sarah Ereth, Matúš Harvan, Felix Klaedtke, and Heiko Mantel. Scalable offline
monitoring. In Borzoo Bonakdarpour and Scott A. Smolka, editors, Runtime Verification: 5th International
Conference, RV 2014. Proceedings, pages 31–47. Springer International Publishing, 2014.
14
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
[26] Ali Kassem, Yliès Falcone, and Pascal Lafourcade. Formal analysis and offline monitoring of electronic exams.
Formal Methods in System Design, 51(1):117–153, 2017.
[27] Antoine El-Hokayem and Yliès Falcone. Bringing runtime verification home. In Christian Colombo and Martin
Leucker, editors, Runtime Verification - 18th International Conference, RV 2018, Limassol, Cyprus, November
10-13, 2018, Proceedings, volume 11237 of Lecture Notes in Computer Science, pages 222–240. Springer, 2018.
[28] Burton S. Kaliski Jr. and Matthew J. B. Robshaw. Comments on some new attacks on cryptographic devices.
RSA Laboratories Bulletin 5, July 1997.
[29] Mathieu Ciet and Marc Joye. Practical fault countermeasures for chinese remaindering based rsa (extended
abstract). In IN PROC. FDTC’05, pages 124–131, 2005.
[30] Laurie Genelle, Christophe Giraud, and Emmanuel Prouff. Securing AES implementation against fault attacks.
In Sixth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, Lausanne,
2009, 2009.
[31] A. Ersoz, D. M. Andrews, and E. J. McCluskey. The watchdog task: Concurrent error detection using assertions.
Technical Report CRC – 85-8, Stanford University, July 1985.
[32] Aamer Mahmood, Edward J. McCluskey, and Aydin Ersoz. Concurrent system-level error detection using a
watchdog processor. In Proceedings International Test Conference 1985, Philadelphia, PA, USA, November
1985, pages 145–152, 1985.
[33] Nirmal R. Saxena and Edward J. McCluskey. Control-flow checking using watchdog assists and extended-
precision checksums. IEEE Trans. Computers, 39(4), 1990.
[34] Davia J. Lu. Watchdog processors and vlsi. 1980.
[35] Bogdan Nicolescu, Yvon Savaria, and Raoul Velazco. SIED: software implemented error detection. In DFT
2003, USA, Proceedings, 2003.
[36] Alberto Battistello and Christophe Giraud. Fault cryptanalysis of CHES 2014 symmetric infective countermea-
sure. IACR Cryptology ePrint Archive, 2015:500, 2015.
[37] Jörn-Marc Schmidt and Christoph Herbst. A practical fault attack on square and multiply. In Fifth International
Workshop on Fault Diagnosis and Tolerance in Cryptography, 2008, FDTC 2008, Washington, USA, 10 August
2008, 2008.
[38] B. Nicolescu, Y. Savaria, and R. Velazco. Software detection mechanisms providing full coverage against single
bit-flip faults. IEEE Transactions on Nuclear Science, 51(6), Dec 2004.
[39] Ahmadou Al Khary Séré, Julien Iguchi-Cartigny, and Jean-Louis Lanet. Evaluation of countermeasures against
fault attacks on smart cards. 2011.
[40] Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet. Detecting laser fault injection for smart
cards using security automata. In SSCC 2013, India, 2013. Proceedings, 2013.
[41] Arnaud Fontaine, Pierre Chifflier, and Thomas Coudray. Picon : Control flow integrity on llvm ir. SSTIC, 2015.
[42] Jean-François Lalande, Karine Heydemann, and Pascal Berthomé. Software countermeasures for control flow
integrity of smart card C codes. In Computer Security - ESORICS 2014, Poland, 2014. Proceedings, Part II,
2014.
[43] Ezio Bartocci, Yliès Falcone, Borzoo Bonakdarpour, Christian Colombo, Normann Decker, Klaus Havelund,
Yogi Joshi, Felix Klaedtke, Reed Milewicz, Giles Reger, Grigore Rosu, Julien Signoles, Daniel Thoma, Eugen
Zalinescu, and Yi Zhang. First international competition on runtime verification: rules, benchmarks, tools, and
final results of crv 2014. International Journal on Software Tools for Technology Transfer, pages 1–40, 2017.
[44] Sikhar Patranabis, Abhishek Chakraborty, and Debdeep Mukhopadhyay. Fault tolerant infective countermeasure
for AES. J. Hardware and Systems Security, 1(1):3–17, 2017.
[45] Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity principles, implementa-
tions, and applications. ACM Trans. Inf. Syst. Secur., 13(1):4:1–4:40, 2009.
[46] William Arthur, Ben Mehne, Reetuparna Das, and Todd M. Austin. Getting in control of your control flow with
control-data isolation. In Kunle Olukotun, Aaron Smith, Robert Hundt, and Jason Mars, editors, Proceedings of
the 13th Annual IEEE/ACM International Symposium on Code Generation and Optimization, CGO 2015, San
Francisco, CA, USA, February 07 - 11, 2015, pages 79–90. IEEE Computer Society, 2015.
[47] Mathias Payer, Antonio Barresi, and Thomas R. Gross. Fine-grained control-flow integrity through binary hard-
ening. In Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors, Detection of Intrusions and Mal-
ware, and Vulnerability Assessment - 12th International Conference, DIMVA 2015, Milan, Italy, July 9-10, 2015,
Proceedings, volume 9148 of Lecture Notes in Computer Science, pages 144–164. Springer, 2015.
15
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
[48] Hovav Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the
x86). In Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson, editors, Proceedings of the 2007
ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, October
28-31, 2007, pages 552–561. ACM, 2007.
[49] Tyler K. Bletsch, Xuxian Jiang, and Vincent W. Freeh. Mitigating code-reuse attacks with control-flow locking.
In ACSAC’11, Orlando, 2011, 2011.
[50] Luis Mastrangelo and Matthias Hauswirth. Jnif: Java native instrumentation framework. In Proceedings of
the 2014 International Conference on Principles and Practices of Programming on the Java Platform: Virtual
Machines, Languages, and Tools, PPPJ ’14, pages 194–199, New York, NY, USA, 2014. ACM.
[51] Yliès Falcone, Laurent Mounier, Jean-Claude Fernandez, and Jean-Luc Richier. Runtime enforcement monitors:
composition, synthesis, and enforcement abilities. Formal Methods in System Design, 38(3):223–262, 2011.
[52] Yliès Falcone. You should better enforce than verify. In Howard Barringer, Yliès Falcone, Bernd Finkbeiner,
Klaus Havelund, Insup Lee, Gordon J. Pace, Grigore Rosu, Oleg Sokolsky, and Nikolai Tillmann, editors, Run-
time Verification - First International Conference, RV 2010. Proceedings, volume 6418 of Lecture Notes in
Computer Science, pages 89–105. Springer, 2010.
[53] Yliès Falcone, Leonardo Mariani, Antoine Rollet, and Saikat Saha. Runtime failure prevention and reaction. In
Ezio Bartocci and Yliès Falcone, editors, Lectures on Runtime Verification - Introductory and Advanced Topics,
volume 10457 of Lecture Notes in Computer Science, pages 103–134. Springer, 2018.
A Proofs
Proposition 1. Let P be a program and Pexec an execution of P. Monitor MTI rejects Pexec iff there is a test inversion
attack on Pexec.
Proof. Assume that MTI rejects Pexec. We have to show that there is a test inversion attack on Pexec, i.e., Pexec violates
R1 or R2. As MTI rejects Pexec then there exists i such that MTI(i) fails (i.e., ends in a failure state). Thus, MTI(i) fires
a transition into an implicit failure state since MTI(i) has only one (explicit) state which is an accepting state. This
means that Pexec contains, for some x and y, event eT(i, x, y) such that (x opreli y) = False which violates R1, or
event eF(i, x, y) such that (x opreli y) = True which violates R2. So, Pexec violates R1 or R2, and thus there is a test
inversion attack on Pexec. Hence, we can conclude for the first direction.
To prove the second direction, we assume that there is a test inversion attack on Pexec, and we show that MTI rejects
Pexec. If there is a test inversion attack on Pexec, then Pexec violates R1 or R2. If Pexec violates R1 then it contains an
event eT(i, x, y) such that (x opreli y) = False, which fires a transition into an implicit failure state as the guard
related to event eT(i, x, y) is not satisfied. Thus, MTI fails and rejects Pexec. If Pexec violates R2 then it contains an event
eF(i, x, y) such that (x opreli y) = True, which fires a transition into an implicit failure state as the guard related to
event eF(i, x, y) is not satisfied. Thus, MTI fails and rejects Pexec. Hence, we conclude for the second direction and
the proof is done.
Proposition 2. Let P be a program, and let Pexec be an execution of P. Monitor MJ rejects Pexec iff there is a jump
attack on Pexec.
Proof. Assume that MJ rejects Pexec. We have to show that there is a jump attack on Pexec, i.e., there exists i such
that PJexec(i) = e1, . . . , en violates R3, R4 or R5. As MJ rejects Pexec then there exists i such that EA MJ(i) fails while
consuming PJexec(i). We split according to the cases in which MJ(i) fails.
• MJ(i) has encountered event end(i) in state (1). This means that there exists j such that ej = end(i), and
that ej−1 is either ǫ or reset(i) since state (1) is the initial state and it can only be reached by reset(i).
Thus, PJexec(i) violates R4.
• MJ(i) ends in state (2). Then, in this case, there exists j such that ej = begin(i) since state (2) can only be
reached from state (1) through event begin(i). Moreover, we can deduce that ej+1 is neither begin(i) nor
end(i). Thus, PJexec(i) violates R3.
• MJ(i) has encountered event ej = reset(i) in state (2). State (2) can only be reached from state (1) through
event begin(i). Then, ej−1 = begin(i). So, there exists ej−1 = begin(i) such that ej is neither end(i)
nor begin(i) which violates R3.
16
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
• MJ(i) ends in state (3). Then there exists j such that ej−1 = ej = begin(i) because state (2) can only
be reached from state (1) and state (3) can only be reached from state (2), both through event begin(i).
Moreover, ej+1 6= end(i) as there is a transition from state (3) into state (4) labeled by end(i), but MJ(i)
ends in state (3). Thus, PJexec(i) violates R3.
• MJ(i) has encountered event reset(i) in state (3). This case is similar to the previous case and violates R3.
• MJ(i) has encountered event begin(i) in state (3). Then there exists j such that ej−1 = ej = ej+1 =
begin(i), which violates R3.
• MJ(i) has encountered event begin(i) in state (4). This means that there exists j such that ej = begin(i),
and ej−1 = end(i) since state (4) can only be reached by end(i) from state (2) or state (3), which can be
reached only be reached by begin(i). Thus, PJexec(i) violates R5.
• MJ(i) has encountered event end(i) in state (5). Then there exists j such that ej−1 = ej = ej+1 = end(i)
because state (5) can only be reached from state (4) by end(i), and state (4) can only be reached by end(i).
Thus, we have that ej = ej+1 = end(i) and ej−1 6= begin(i), which violates R4.
• MJ(i) has encountered event begin(i) in state (5). This means that there exists j such that ej = begin(i)
and ej−1 = end(i) since state (5) can only be reached by end(i). Thus, PJexec(i) violates R5.
Hence, there exists i such that PJexec(i) violates R3, R4 or R5, and we can conclude about the first direction.
To prove the second direction, we assume that there exist i such that PJexec(i) violates R3, R4 or R5 and we show that
MJ rejects Pexec. We split cases according which requirement is violated.
• If PJexec(i) violates R3, then it contains an event ej = begin(i) for some integer j such that:
– ej−1 = begin(i) and ej+1 6= end(i). In this case if, before receiving ej−1, MJ(i) was:
∗ in state (1). Then ej−1 = begin(i) leads into state (2) and ej = begin(i) leads into state (3). As
ej+1 6= end(i) and from state (3) there is only one explicit transition labeled by end(i), then MJ(i)
ends in state (3) (i.e., ej+1 = ǫ) or a transition into an implicit failure state is fired.
∗ in state (2). Then ej−1 = begin(i) leads into state (3), and ej = begin(i) leads into an implicit
failure state.
∗ in state (3), (4) or (5). Then MJ(i) fails since none of the states (3), (4) and (5) has an explicit
outgoing transition labeled by begin(i).
– or ej−1 6= begin(i) and ej+1 6= end(i), and “ej+1 6= begin(i) or ej+2 6= end(i)”. This is equivalent
to ej−1 6= begin(i) and, ej+1 = ǫ (i.e., j = n) or ej+1 = reset(i) or “ej+1 = begin(i) and
ej+2 6= end(i)” since ΣJ = {begin(i), end(i), reset(i)}. In this case if, before receiving ej−1,
MJ(i) was:
∗ in state (1). If ej−1 is end(i), a transition into an implicit failure state is fired. Otherwise, we have
that ej−1 is reset(i) or ǫ (i.e., j = 1), and thus MJ(i) stays in state (1). Then, ej = begin(i) leads
into state (2). Then in state (2), if ej+1 is reset(i) a transition into an implicit failure state is fired;
if ej+1 is ǫ then MJ(i) ends in failure state (2); if ej+1 is begin(i) the transition from state (2) into
state (3) is fired and, as ej+2 6= end(i) in this case, then a transition into an implicit failure state is
fired or MJ(i) ends in failure state (3).
∗ in state (2). If ej−1 is reset(i), a transition into an implicit failure state is fired. Otherwise, we have
that ej−1 = end(i) which leads from state (2) into state (4). Then in state (4), as ej = begin(i), a
transition into an implicit failure state is fired.
∗ in state (3). Similar to the case of state (2).
∗ in state (4). If ej−1 is end(i), the transition into state (5) is fired. Then in state (5), as
ej = begin(i), a transition into an implicit failure state is fired. Otherwise, we have that
ej−1 = reset(i), and thus the transition from state (4) into state (1) is fired. Then in state (1),
as ej = begin(i), the transition into state (2) is fired. Then in state (2), if ej+1 is reset(i) a tran-
sition into an implicit failure state is fired; if ej+1 is ǫ then MJ(i) ends in state (2) which is a failure
state; if ej+1 is begin(i) the transition from state (2) into state (3) is fired and, as ej+2 6= end(i)
in this case, then a transition into an implicit failure state is fired or MJ(i) ends in state (3), which is
a failure state.
∗ in state (5). If ej−1 is reset(i) the reasoning is similar to the case of state (4) when ej−1 =
reset(i). Otherwise, we have that ej−1 = end(i) which leads into an implicit failure state.
17
Detecting Fault Injection Attacks with Runtime Verification A PREPRINT
Hence, If PJexec(i) violates R3 then MJ(i) fails, and thus MJ rejects Pexec.
• If PJexec(i) violates R4, then it contains an event ej = end(i) for some integer j such that
– ej−1 6= begin(i) and ej+1 = end(i). In this case if, before receiving ej−1, MJ(i) was:
∗ in state (1). If ej−1 is reset(i) the self-loop transition over state (1) is fired. Then, as ej = end(i),
a transition into an implicit failure state is fired. Otherwise, if ej−1 is end(i), then a transition into an
implicit failure state is fired. Otherwise, we have that ej−1 = ǫ (i.e., j = 1), and thus ej = end(i)
leads from state (1) into an implicit failure state.
∗ in state (2). If ej−1 is reset(i) a transition into an implicit failure state is fired. Otherwise, we have
that ej−1 = end(i), and thus the transition from state (2) into state (4) is fired. Then in state (4),
event ej = end(i) leads into state (5). Then in state (5), event ej+1 = end(i) leads into an implicit
failure state.
∗ in state (3). Similar to the case of state (2).
∗ in state (4). If ej−1 = reset(i) the transition to state (1) is fired. Then in state (1),
ej = end(i)leads into an implicit failure state. Otherwise, we have that ej−1 = end(i) which
fires the transition from state (4) into state (5). Then in state (5), ej = end(i) leads into an implicit
failure state.
∗ in state (5). If ej−1 = reset(i) the transition to state (1) is fired. Then ej = end(i) leads into an
implicit failure state. Otherwise, we have ej−1 = end(i) which fires a transition into an implicit
failure state.
– or ej+1 6= end(i) and ej−1 6= begin(i), and “ej−1 6= end(i) or ej−2 6= begin(i)”. This is equivalent
to ej+1 6= end(i), and ej−1 = reset(i) or “ej−1 = end(i) and ej−2 6= begin(i)” since ΣJ =
{begin(i), end(i), reset(i)}. In this case if, before receiving ej−1, MJ(i) was:
∗ in state (1). If ej−1 is end(i), a transition into an implicit failure state is fired. Otherwise, we have
that ej−1 is reset(i) or ǫ (i.e., j = 1), and thus MJ(i) stays in state (1). Then, as ej = end(i), a
transition into an implicit failure state is fired.
∗ in state (2). In this case ej−1 must be equal to reset(i) since if ej−1 = end(i), then ej−2 6=
begin(i) and thus state (2) cannot be reached. Indeed, state (2) can only be reached from state (1)
by begin(i). In state (2), ej−1 = reset(i) leads into an implicit failure state.
∗ in state (3). Similar to the case of state (2).
∗ in state (4). If ej−1 is reset(i) the transition into state (1) is fired. Then in state (1), as ej = end(i),
a transition into an implicit failure state is fired. Otherwise, we have that ej−1 = end(i)which leads
into state (5). Then in state (5), ej = end(i) leads into an implicit failure state.
∗ in state (5). If ej−1 = reset(i) the transition into state (1) is fired. Then, as ej = end(i), a
transition into an implicit failure state is fired. Otherwise, we have that ej−1 = end(i) which leads
into an implicit failure state.
Hence, If PJexec(i) violates R4 then MJ(i) fails, and thus MJ rejects Pexec.
• If PJexec(i) violates R5, then it contains an event ej = end(i) for some integer j such that ej+1 = begin(i).
In this case if, before receiving ej, MJ(i) was:
– in state (1). Then event ej = end(i) fires a transition into an implicit failure state.
– in state (2). Then event ej = end(i) fires the transition into state (4). In state (4), ej+1 = begin(i)
fires a transition into an implicit failure state.
– in state (3). Similar to the case of state (2).
– in state (4). Then ej = end(i) fires the transition into state (5). In state (5), ej+1 = begin(i) fires a
transition into an implicit failure state.
– in state (5). Then ej = end(i) fires a transition into an implicit failure state.
Hence, if PJexec(i) violates R5 then MJ(i) fails, and thus MJ rejects Pexec.
Therefore, if there exists i such that PJexec(i) violates R3, R4 or R5 then MJ rejects Pexec. Thus, we can conclude for the
second direction and the proof is done.
18
