Compiler-based Countermeasure Against Fault Attacks by Barry, Thierno et al.
Compiler-based Countermeasure Against Fault Attacks
Thierno Barry, Damien Courousse´, Bruno Robisson
To cite this version:
Thierno Barry, Damien Courousse´, Bruno Robisson. Compiler-based Countermeasure Against
Fault Attacks. Workshop on Cryptographic Hardware and Embedded Systems, Sep 2015,
Saint-Malo, France. <http://www.chesworkshop.org/ches2015/>. <emse-01232664>
HAL Id: emse-01232664
https://hal-emse.ccsd.cnrs.fr/emse-01232664
Submitted on 23 Nov 2015
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
& 
Compiler-based Countermeasure Against Fault Attacks 
CONTEXT 
The goal is to implement the instruction duplication technique as a countermeasure against Fault 
Attacks on an ARM 32-bit Microcontroller[1,2]. Operating inside a compiler allowed us to reduce the 
security overhead thanks to the flexibility and code transformations opportunities offered by compilers  
Instruction 
Selection 
Clang 
@__to_secure__(“fault”) 
int foo(int a, int b){ 
  . . .  
  return a * b + a; 
} 
Generation of 3-address instructions: 
add r0, r1, r2 
str r5, [r3, #4] 
add r0, r1, r2 
add r0, r1, r2 
str r5, [r3, #4] 
str r5, [r3, #4] 
str r5, [r3, #4] 
add r0, r1, r2 
str r5, [r3, #4] 
add r0, r1, r2 
Before scheduling After scheduling 
Duplication  
Scheduling 
Before duplication 
WORKFLOW  The user identifies the portions of the program to protect 
Source 
Code 
LLVM 
bytecode 
Binary 
Code 
 Instructions cannot be duplicated at the middle-end due to the SSA form 
entry: 
  %mul = mul %a, %b 
  %add = add %mul, %a 
  ret %add 
entry: 
  %mul  = mul %a, %b 
  %mul2 = mul %a, %b 
  %add  = add %mul, %a 
  %add2 = add %mul, %a 
Unused and will be 
removed by the Dead 
Code Elimination pass 
 We only select instructions that are suitable for duplication 
+ 
* a 
a b 
multiply and accumulate: mla a, a, b is matched 
we separately match: a mul followed by add 
By default 
1 
2 
Instead of generating add vreg1, vreg2 
 
We generate add vreg3, vreg1, vreg2 
When the liveness intervals (L) of registers are disjoint:         {L(vreg3) } ∩ {L(vreg1) . L(vreg2)} = ∅ 
add r0, r0, r1 
add r0, r1, r2 
We introduce a constraint: 
$𝑑𝑠𝑡 ≠ $𝑠𝑟𝑐 ≠ 
 Registers are allocated in favor of duplication  
The register allocator tends to reduce register pressure: Reusing the allocated registers as soon as possible  
By default 
Instead  
 Instructions are duplicated before scheduling  
Attempted 
duplication 
LLVM bytecode 
C source code 
The user has a full control over parts of the code to protect 
add vreg3, vreg1, vreg2 
Register 
Allocation 
Instruction 
Scheduling 
Code  
Emission 
 Comparison with assembly approach 
FUTURE WORK & REFERENCES 
 Using code annotation for more flexibility when defining the code 
regions to protect 
 Automatic identification of the most vulnerable parts of the program 
 compiler-based implementation of the masking countermeasure 
[1] Barenghi et al. Countermeasures against fault attacks on software implemented AES 
[2] Moro et al. Electromagnetic Fault Injection : Towards a Fault Model on a 32-bit Microcontroller 
FUTURE WORK REFERENCES 
LEGEND 
Duplicable Not duplicable 
  Instruction Transformation Duplication 
Assembly 
approach 
add r0, r0, r2 mov rx, r0 
add r0, rx, r2 
mov rx, r0 
mov rx, r0 
add r0, rx, r2 
add r0, rx, r2 
Our 
approach 
add r0, r1, r2   add r0, r1, r2 
add r0, r1, r2 
X 4 
X 2 
M
id
d
le
-e
n
d
 
Fr
o
n
t-
en
d
 
B
ac
k-
en
d
 
Thierno Barry*      Damien Couroussé*      Bruno Robisson** 
*Univ. Grenoble Alpes, F-38000 Grenoble, France 
CEA, LIST, Minatec Campus, F-38054 Grenoble, France 
**CEA-Tech DPACA, Gardanne, France 
firstname.lastname@cea.fr 
sources destination llc 
AES 8-bit NIST on ARM Cortex-M3 
Unprotected Protected  Overhead 
 8541 cycles 17311 cycles × 2.03 
