Electrical modeling of the photoelectric effect induced by a pulsed laser applied to an SRAM cell

International audienceThis abstract presents an electrical model of an SRAM cell exposed to a pulsed Photoelectrical Laser Stimulation (PLS), based on our past model of MOS transistor under laser illumination. The validity of our model is assessed by the very good correlation obtained between measurements and electrical simulation. These simulations are capable to explain some specific points. For example, in theory, a SRAM cell under PLS have four sensitive areas. But in measurements only three areas were revealed. A hypothesis was presented in this paper and confirm by electrical simulation. The specific topology of the cell masks one sensitive area. Therefore the electrical model could be used as a tool of characterization of a CMOS circuits under PLS

Electrical model of an NMOS body biased structure in triple-well technology under photoelectric laser stimulation

International audience— This study is driven by the need to optimize failure analysis methodologies based on laser/silicon interactions with an integrated circuit using a triple-well process. It is therefore mandatory to understand the behavior of elementary devices to laser illumination, in order to model and predict the behavior of more complex circuits. This paper presents measurements of the photoelectric currents induced by a pulsed-laser on an NMOS transistor in triple-well Psubstrate/DeepNwell/Pwell structure dedicated to low power body biasing techniques. This evaluation compares the triple-well structure to a classical Psubstrate-only structure of an NMOS transistor. It reveals the possible activation change of the bipolar transistors. Based on these experimental measurements, an electrical model is proposed that makes it possible to simulate the effects induced by photoelectric laser stimulation

Succinct Representations for Abstract Interpretation

Abstract interpretation techniques can be made more precise by distinguishing paths inside loops, at the expense of possibly exponential complexity. SMT-solving techniques and sparse representations of paths and sets of paths avoid this pitfall. We improve previously proposed techniques for guided static analysis and the generation of disjunctive invariants by combining them with techniques for succinct representations of paths and symbolic representations for transitions based on static single assignment. Because of the non-monotonicity of the results of abstract interpretation with widening operators, it is difficult to conclude that some abstraction is more precise than another based on theoretical local precision results. We thus conducted extensive comparisons between our new techniques and previous ones, on a variety of open-source packages.Comment: Static analysis symposium (SAS), Deauville : France (2012

Laser Fault Injection into SRAM cells: Picosecond versus Nanosecond pulses

International audience—Laser fault injection into SRAM cells is a widely used technique to perform fault attacks. In previous works, Roscian and Sarafianos studied the relations between the layout of the cell, its different laser-sensitive areas and their associated fault model using 50 ns duration laser pulses. In this paper, we report similar experiments carried out using shorter laser pulses (30 ps duration instead of 50 ns). Laser-sensitive areas that did not appear at 50 ns were observed. Additionally, these experiments confirmed the validity of the bit-set/bit-reset fault model over the bit-flip one. We also propose an upgrade of the simulation model they used to take into account laser pulses in the picosecond range. Finally, we performed additional laser fault injection experiments on the RAM memory of a microcontroller to validate the previous results

A Simplex-Based Extension of Fourier-Motzkin for Solving Linear Integer Arithmetic

International audienceThis paper describes a novel decision procedure for quantifier-free linear integer arithmetic. Standard techniques usually relax the initial problem to the rational domain and then proceed either by projection (e.g. Omega-Test) or by branching/cutting methods (branch-and-bound, branch-and-cut, Gomory cuts). Our approach tries to bridge the gap between the two techniques: it interleaves an exhaustive search for a model with bounds inference. These bounds are computed provided an oracle capable of finding constant positive linear combinations of affine forms. We also show how to design an efficient oracle based on the Simplex procedure. Our algorithm is proved sound, complete, and terminating and is implemented in the Alt-Ergo theorem prover. Experimental results are promising and show that our approach is competitive with state-of-the-art SMT solvers

A Reduction from Unbounded Linear Mixed Arithmetic Problems into Bounded Problems

We present a combination of the Mixed-Echelon-Hermite transformation and the Double-Bounded Reduction for systems of linear mixed arithmetic that preserve satisfiability and can be computed in polynomial time. Together, the two transformations turn any system of linear mixed constraints into a bounded system, i.e., a system for which termination can be achieved easily. Existing approaches for linear mixed arithmetic, e.g., branch-and-bound and cuts from proofs, only explore a finite search space after application of our two transformations. Instead of generating a priori bounds for the variables, e.g., as suggested by Papadimitriou, unbounded variables are eliminated through the two transformations. The transformations orient themselves on the structure of an input system instead of computing a priori (over-)approximations out of the available constants. Experiments provide further evidence to the efficiency of the transformations in practice. We also present a polynomial method for converting certificates of (un)satisfiability from the transformed to the original system

New results on rewrite-based satisfiability procedures

Program analysis and verification require decision procedures to reason on theories of data structures. Many problems can be reduced to the satisfiability of sets of ground literals in theory T. If a sound and complete inference system for first-order logic is guaranteed to terminate on T-satisfiability problems, any theorem-proving strategy with that system and a fair search plan is a T-satisfiability procedure. We prove termination of a rewrite-based first-order engine on the theories of records, integer offsets, integer offsets modulo and lists. We give a modularity theorem stating sufficient conditions for termination on a combinations of theories, given termination on each. The above theories, as well as others, satisfy these conditions. We introduce several sets of benchmarks on these theories and their combinations, including both parametric synthetic benchmarks to test scalability, and real-world problems to test performances on huge sets of literals. We compare the rewrite-based theorem prover E with the validity checkers CVC and CVC Lite. Contrary to the folklore that a general-purpose prover cannot compete with reasoners with built-in theories, the experiments are overall favorable to the theorem prover, showing that not only the rewriting approach is elegant and conceptually simple, but has important practical implications.Comment: To appear in the ACM Transactions on Computational Logic, 49 page

solc-verify: A Modular Verifier for Solidity Smart Contracts

We present solc-verify, a source-level verification tool for Ethereum smart contracts. Solc-verify takes smart contracts written in Solidity and discharges verification conditions using modular program analysis and SMT solvers. Built on top of the Solidity compiler, solc-verify reasons at the level of the contract source code, as opposed to the more common approaches that operate at the level of Ethereum bytecode. This enables solc-verify to effectively reason about high-level contract properties while modeling low-level language semantics precisely. The contract properties, such as contract invariants, loop invariants, and function pre- and post-conditions, can be provided as annotations in the code by the developer. This enables automated, yet user-friendly formal verification for smart contracts. We demonstrate solc-verify by examining real-world examples where our tool can effectively find bugs and prove correctness of non-trivial properties with minimal user effort.Comment: Authors' manuscript. Published in S. Chakraborty and J. A. Navas (Eds.): VSTTE 2019, LNCS 12031, 2020. The final publication is available at Springer via https://doi.org/10.1007/978-3-030-41600-3_1

Square root and division elimination in PVS

International audienceIn this paper we present a new strategy for PVS that imple- ments a square root and division elimination in order to use automatic arithmetic strategies that were not able to deal with these operations in the ﰁrst place. This strategy relies on a PVS formalization of the square root and division elimination and deep embedding of PVS expressions inside PVS. Therefore using computational reﰂection and symbolic com- putation we are able to automatically transform expressions into division and square root free ones before using these decision procedures

Formalising the Continuous/Discrete Modeling Step

Formally capturing the transition from a continuous model to a discrete model is investigated using model based refinement techniques. A very simple model for stopping (eg. of a train) is developed in both the continuous and discrete domains. The difference between the two is quantified using generic results from ODE theory, and these estimates can be compared with the exact solutions. Such results do not fit well into a conventional model based refinement framework; however they can be accommodated into a model based retrenchment. The retrenchment is described, and the way it can interface to refinement development on both the continuous and discrete sides is outlined. The approach is compared to what can be achieved using hybrid systems techniques.Comment: In Proceedings Refine 2011, arXiv:1106.348