Formal verification of a software countermeasure against instruction skip attacks

Fault attacks against embedded circuits enabled to define many new attack paths against secure circuits. Every attack path relies on a specific fault model which defines the type of faults that the attacker can perform. On embedded processors, a fault model consisting in an assembly instruction skip can be very useful for an attacker and has been obtained by using several fault injection means. To avoid this threat, some countermeasure schemes which rely on temporal redundancy have been proposed. Nevertheless, double fault injection in a long enough time interval is practical and can bypass those countermeasure schemes. Some fine-grained countermeasure schemes have also been proposed for specific instructions. However, to the best of our knowledge, no approach that enables to secure a generic assembly program in order to make it fault-tolerant to instruction skip attacks has been formally proven yet. In this paper, we provide a fault-tolerant replacement sequence for almost all the instructions of the Thumb-2 instruction set and provide a formal verification for this fault tolerance. This simple transformation enables to add a reasonably good security level to an embedded program and makes practical fault injection attacks much harder to achieve

Nilpotent operators and weighted projective lines

We show a surprising link between singularity theory and the invariant subspace problem of nilpotent operators as recently studied by C. M. Ringel and M. Schmidmeier, a problem with a longstanding history going back to G. Birkhoff. The link is established via weighted projective lines and (stable) categories of vector bundles on those. The setup yields a new approach to attack the subspace problem. In particular, we deduce the main results of Ringel and Schmidmeier for nilpotency degree p from properties of the category of vector bundles on the weighted projective line of weight type (2,3,p), obtained by Serre construction from the triangle singularity x^2+y^3+z^p. For p=6 the Ringel-Schmidmeier classification is thus covered by the classification of vector bundles for tubular type (2,3,6), and then is closely related to Atiyah's classification of vector bundles on a smooth elliptic curve. Returning to the general case, we establish that the stable categories associated to vector bundles or invariant subspaces of nilpotent operators may be naturally identified as triangulated categories. They satisfy Serre duality and also have tilting objects whose endomorphism rings play a role in singularity theory. In fact, we thus obtain a whole sequence of triangulated (fractional) Calabi-Yau categories, indexed by p, which naturally form an ADE-chain.Comment: More details added. 33 page

Some aspects of the SD-world

We survey a few of the many results now known about the self-distributivity law and selfdistributive structures, with a special emphasis on the associated word problems and the algorithms solving them in good cases

Path sets in one-sided symbolic dynamics

Path sets are spaces of one-sided infinite symbol sequences associated to pointed graphs (G_v_0), which are edge-labeled directed graphs G with a distinguished vertex v_0. Such sets arise naturally as address labels in geometric fractal constructions and in other contexts. The resulting set of symbol sequences need not be closed under the one-sided shift. this paper establishes basic properties of the structure and symbolic dynamics of path sets, and shows they are a strict generalization of one-sided sofic shifts.Comment: 16 pages, 6 figures; v2, 22pages, 6 figures; title change, adds a new Theorem 1.5, and a second Appendix, v3, 21 pages, revisions to exposition; v4 revised introduction; v5, 22 pages, changed title, revised introductio

Software integration testing based on communication coverage criteria and partial model generation

This paper considers the problem of integration testing the components of a timed distributed software system. We assume that communication between the components is specified using timed interface automata and use computational tree logic (CTL) to define communication-based coverage criteria that refer to send- and receive-statements and communication paths. The proposed method enables testers to focus during component integration on such parts of the specification, e.g. behaviour specifications or Markovian usage models, that are involved in the communication between components to be integrated. A more specific application area of this approach is the integration of test-models, e.g. a transmission gear can be tested based on separated models for the driver behaviour, the engine condition, and the mechanical and hydraulical transmission states. Given such a state-based specification of a distributed system and a concrete coverage goal, a model checker is used in order to determine the coverage or generate test sequences that achieve the goal. Given the generated test sequences we derive a partial test-model of the components from which the test sequences are derived. The partial model can be used to drive further testing and can also be used as the basis for producing additional partial models in incremental integration testing. While the process of deriving the test sequences could suffer from a combinatorial explosion, the effort required to generate the partial model is polynomial in the number of test sequences and their length. Thus, where it is not feasible to produce test sequences that achieve a given type of coverage it is still possible to produce a partial model on the basis of test sequences generated to achieve some other criterion. As a result, the process of generating a partial model has the potential to scale to large industrial software systems. While a particular model checker, UPPAAL, was used, it should be relatively straightforward to adapt the approach for use with other CTL based model checkers. A potential additional benefit of the approach is that it provides a visual description of the state-based testing of distributed systems, which may be beneficial in other contexts such as education and comprehension