Formal verification of a software countermeasure against instruction skip attacks

Fault attacks against embedded circuits enabled to define many new attack paths against secure circuits. Every attack path relies on a specific fault model which defines the type of faults that the attacker can perform. On embedded processors, a fault model consisting in an assembly instruction skip can be very useful for an attacker and has been obtained by using several fault injection means. To avoid this threat, some countermeasure schemes which rely on temporal redundancy have been proposed. Nevertheless, double fault injection in a long enough time interval is practical and can bypass those countermeasure schemes. Some fine-grained countermeasure schemes have also been proposed for specific instructions. However, to the best of our knowledge, no approach that enables to secure a generic assembly program in order to make it fault-tolerant to instruction skip attacks has been formally proven yet. In this paper, we provide a fault-tolerant replacement sequence for almost all the instructions of the Thumb-2 instruction set and provide a formal verification for this fault tolerance. This simple transformation enables to add a reasonably good security level to an embedded program and makes practical fault injection attacks much harder to achieve

Experimental evaluation of two software countermeasures against fault attacks

Injection of transient faults can be used as a way to attack embedded systems. On embedded processors such as microcontrollers, several studies showed that such a transient fault injection with glitches or electromagnetic pulses could corrupt either the data loads from the memory or the assembly instructions executed by the circuit. Some countermeasure schemes which rely on temporal redundancy have been proposed to handle this issue. Among them, several schemes add this redundancy at assembly instruction level. In this paper, we perform a practical evaluation for two of those countermeasure schemes by using a pulsed electromagnetic fault injection process on a 32-bit microcontroller. We provide some necessary conditions for an efficient implementation of those countermeasure schemes in practice. We also evaluate their efficiency and highlight their limitations. To the best of our knowledge, no experimental evaluation of the security of such instruction-level countermeasure schemes has been published yet.Comment: 6 pages, 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), Arlington : United States (2014

Modeling a Cache Coherence Protocol with the Guarded Action Language

We present a formal model built for verification of the hardware Tera-Scale ARchitecture (TSAR), focusing on its Distributed Hybrid Cache Coherence Protocol (DHCCP). This protocol is by nature asynchronous, concurrent and distributed, which makes classical validation of the design (e.g. through testing) difficult. We therefore applied formal methods to prove essential properties of the protocol, such as absence of deadlocks, eventual consensus, and fairness.Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

Fault attacks on two software countermeasures

Short version of the article "Experimental evaluation of two software countermeasures against fault attacks" presented at the 2014 IEEE Symposium on Hardware-Oriented Security and Trust (HOST) in May 2014.International audienceInjection of transient faults can be used as a way to attack embedded systems. On embedded processors such as microcontrollers, several studies showed that such a transient fault injection could corrupt either the data loads from the memory or the assembly instructions executed by the circuit. Some countermeasure schemes which rely on temporal redundancy have been proposed to handle this issue. Among them, several schemes add this redundancy at assembly instruction level. In this paper, we perform a practical evaluation for two of those countermeasure schemes by using a pulsed electromagnetic fault injection process on a 32-bit microcontroller

Mutation based Feature Localization

The complexity of modern chip designs is rapidly increasing. More and more blocks from old designs are reused and third party IP is licensed to fulfill strict time-to-market constraints. Often, poor documentation of such blocks makes improvements and extensions of the blocks a difficult time consuming task. In this paper we propose a technique for automatically localizing the parts of the code which are relevant for a feature. With this a developer can better understand the design and, consequently, can adjust the design more efficiently. The proposed approach uses mutants changing the code of the design at a certain location. The code changed by a mutant is considered to be related to a feature if the mutant is killed while the feature is used. The use cases are generated using an automatic approach. This approach is based on a description specifying how the different features are used

Utilisation de Diagrammes de Décision de Données pour la Vérification Fonctionnelle de Systèmes Matériels

National audienceDans cet article nous montrons comment vérifier des propriétés CTL sur des systèmes décrits en langage ProMeLa par vérification de modèle symbolique. La représentation symbolique est basée sur les Diagrammes de décision de données (DDD), qui sont des arbres n-aires partagés. Après avoir décrit les principaux composants nécessaires à la vérification des programmes ProMeLa, nous comparons les performances de notre approche avec celle de model-checker SPIN en mettant en évidence les classes de systèmes pour lesquels SPIN est plus performant, et celles pour lesquelles l’outil que nous présentons a de meilleurs résultats

CTL May Be Ambiguous When Model Checking Moore Machines

International audienceThe model checking problem is defined over Kripke structures. However, hardware designers often handle other models, such as Moore machines. When model checking their designs using CTL as a logic, they must translate them into Kripke structures. A given CTL property may be believed to be true (conversely false) over the Moore machine and in fact be false (conversely true) on the derived Kripke structure. This may lead to ambiguities if the designer does not fully understand the translation scheme he uses, which may be the case if he uses automatic tools. We present iCTL, a logic specifically designed to work with Moore machines, which extends CTL to help the designer removing possible ambiguities when model checking Moore machines. We show that it is strictly more expressive than CTL

Formalizing the incremental design and verification process of a pipelined protocol converter

International audience; This work studies the relations between pipeline architectures and their specification expressed in CTL. We propose a method to build pipeline structures incrementally from a simple one (already verified) to a more complex one. Moreover, we show how each increment can be integrated in a CTL specification. We define increments to model treatment delay and treatment abortion of a pipeline flow, and we formalize the composition of the different increments. In order to represent the increments added to an architecture, we derive a set of CTL formulae transformations. Finally we model a control flow of a protocol converter by composition of these increments. We show how CTL properties of the complex architecture are built by applying automatic transformations on the set of CTL properties of the simplest architecture

Time Separation of Events: An Inverse Method

The problem of “time separation” can be stated as follows: Given a system made of several connected components, each one entailing a local delay known with uncertainty, what is the maximum time for traversing the global system? This problem is useful, e.g. in the domain of digital circuits, for determining the global traversal time of a signal from the knowledge of bounds on the component propagation delays. The uncertainty on each component delay is given under the form of an interval. The general problem is NP-complete. We focus here on the inverse problem: we seek intervals for component delays for which the global traversal time is guaranteed to be no greater than a specified maximum. We give a polynomial time method to solve it. As a typical application, we show how to use the method in order to relax some specified local delays while preserving the maximum traversal time. This is especially useful, in the area of digital circuits, for optimizing “setup” timings of input signals (minimum timings required for stability)

Using CTL formulae as component abstraction in a design and verification flow

International audienceIn the context of component-based design, the verification of global properties (involving several components) is difficult to achieve, due to combinatorial explosion problem, while the verification of each component is easier to perform. Following the idea of [24], we propose to build an abstraction of a component already verified, starting from a subset of its specification described as CTL formulae. This abstraction replaces the concrete component and alleviates the state-space explosion problem for checking global properties expressed in ACTL