





## ANR-ASTRID SERTIF : Simulation for the Evaluation of Robustness of embedded Applications against Fault injection ANR-14-ASTR-0003-01 http://sertif-projet.forge.imag.fr/

Marie-Laure Potet<sup>1</sup>, Jessy Cledière<sup>2</sup>, Thanh-Ha Le<sup>3</sup>

(1) Laboratoire VERIMAG, Université de Grenoble-Alpes
 (2) CEA-LETI
 (3) SAFRAN IDENTITY AND SECURITY

11 octobre 2016





### Context

 $\Rightarrow$  Secure components (Hardware and Software) providing security services (authentification, cryptography) and secure storage of information.







- Attractive targets for attackers
- Can be physically attacked

 $\Rightarrow$  Must be protected against high level attack potential (AVA-VAN.5)





## Fault injection

• Perturbation attacks (EM or laser)  $\implies$  fault injection.

Fault injection modifies the control and data flows.

```
1 int verify(char buffer[4]) {
                                        1 \parallel MOV RO, #00h : i = 0
                                         MOV R3, #01h ; authenticated = 1
       int i;
                                        2
2
3
       int authenticated = 1:
                                        3
                                          JMP WHILE
      // comparison loop
                                          DO:
4
      for(i = 0; i < 4; i++) {
                                         MOV R2, [buffer+i]
5
           if(buffer[i] != pin[i]) { 6 || MOV A, [pin+i]
6
                authenticated = 0;
                                        7
                                          CMP A, R2
7
           }
                                           JE ITER ; buffer[i] == pin[i]?
8
                                        8
       }
                                          MOV R3, #00h ; authenticated = 0
9
                                        Q
10
       // CM: redundant check
                                       10 || ITER :
       if (i != 4) { // CM
                                          INC RO : i++
11
           muteCard():
                                          WHILE:
12
       }
                                         MOV A, RO
13
       return authenticated:
                                          CMP A, #04h
14
                                       14
15 }
                                          JB DO ; i < 4?
                                       15
                                       16 MOV A, RO
                                          CMP A. #04h
                                          JNE muteCard ; i != 4?
                                       18
                                          MOV A. R3
                                       10
                                          RET
                                       20
```





## Fault injection

• Perturbation attacks (EM or laser)  $\implies$  fault injection.

Fault injection modifies the control and data flows.

```
int verify(char buffer[4]) {
                                          MOV RO, #00h ; i = 0
1
                                        2 || MOV R3, #01h ; authenticated = 1
       int i;
2
       int authenticated = 1;
                                          JMP WHILE
3
                                          DO:
                                        4
       goto ATTACK:
4
                                          MOV R2. [buffer+i]
                                        5
       for(i = 0; i < 4; i++) {</pre>
5
                                          MOV A, [pin+i]
           if(buffer[i] != pin[i])
6
                                          CMP A, R2
                authenticated = 0:
7
                                          JE ITER ; buffer[i] == pin[i]?
                                        8
           }
8
                                          MOV R3, \#00h; authenticated = 0
                                        9
9
       }
                                          ITER:
                                       10
                                          INC RO : i++
       ATTACK:
10
                                          WHILE:
       if (i != 4) { // CM
                                       12
11
                                          MOV A. RO
           muteCard():
12
                                          CMP A, #04h
                                       14
       }
13
       return authenticated:
14
15 }
                                       16 MOV A, RO
                                       17 CMP A, #04h
                                       18 JNE muteCard : i != 4?
                                       19 | MOV A, R3
```

20 | RET



## Fault injection

• Perturbation attacks (EM or laser)  $\implies$  fault injection.

Fault injection modifies the control and data flows.

```
1 || MOV RO, #04h; i = 0
1 int verify(char buffer[4]) {
       int i;
2
                                         2 \parallel MOV R3, #01h : authenticated = 1
3
      int authenticated = 1;
                                         3
                                           JMP WHILE
       // comparison loop
4
                                          DO:
                                         4
       for(i = 4; i < 4; i++) {</pre>
                                          | MOV R2, [buffer+i]
                                         5
5
                                           MOV A, [pin+i]
           if(buffer[i] != pin[i]) {
                                         6
6
                                           CMP A, R2
                authenticated = 0;
7
                                           JE ITER ; buffer[i] == pin[i]?
                                         8
            }
8
                                           MOV R3, \#00h; authenticated = 0
                                         q
       }
9
                                          || ITER:
10
       // CM: redundant check
                                           INC RO ; i++
       if (i != 4) { // CM
11
                                           WHILE:
           muteCard();
12
                                           MOV A, RO
       }
                                        13
13
                                           CMP A, #04h
                                        14
       return authenticated:
14
                                           JB DO ; i < 4?
                                        15
15
  }
                                          MOV A, RO
                                        16
                                          CMP A. #04h
                                        18 JNE muteCard ; i != 4?
                                           MOV A, R3
                                          || RET
                                        20
```





## Assessing Robustness Against Fault Injection

#### Is an embedded application robust against fault injection?

- Penetration Testing: Physical perturbation attacks on the application under test to inject faults.
  - Look for successful attacks (=compromising security).
  - Factors for Attack Potential Calculation
- Code Analysis: Detect vulnerabilities in the application with a code review.
  - Look for attack paths using a given fault model.
  - Originally manual process, now with automatic tools

Success rate 
$$\mathcal{T} = \frac{\mathcal{F}_{S}}{\mathcal{F}}$$



Figure: The 2 processes



Table: Factors of Attack Potential



## Sertif objectives

### Consortium:

- ► CEA-LETI: J. Clédière, L. Dureuil, Ph. de Choudens, C. Dumas
- SAFRAN Identity and Security: Thanh-Ha Le, Ch. Cachelou, A. Crohen, L. Rivière
- ▶ Vérimag: ML Potet, L. Mounier, G. Petiot

Main objective: rationalize and automate as much as possible the robustness assessment process (for evaluator and developer) w.r.t. the state-of-the-art (spatial and temporal multiple faults) including reproductivity and re-evaluation.

#### More concretely:

- Combination between physical attacks and code review
- Simulation tools evaluation (including robustness criteria)
- Evaluation of countermeasure relevance







### Open problems ... and some results

- ► A better articulation between code review and penetration testing
  - How to link code vunerabilities with penetration test and vice versa?
  - how to be confident in the used fault model?

 $\Rightarrow$  Cardis 15, Lionel Rivière PhD thesis, Louis Dureuil PhD thesis (next talk)  $\Rightarrow \dots$ 

- Code analysis by tools
  - Automatisation: a reproductible, complete and timeless process
  - Generally a combinatorial process producing a lot of attacks
  - Measures of robustness?

 $\Rightarrow$  3 types of tools: Lazart (Vérimag), CELTIC (CEA), EFS (SAFRAN) and the FISSC benchmark  $\Rightarrow \ldots$ 







# Lazart (Vérimag)

 $\Rightarrow$  C code robustness evaluation against fault injection using symbolic execution



- Fault model: condition inversion, skip call, data modification
- Goal: Reach or avoid a CFG block or a logical formula
- Possibility of multiple fault injection scenarios







# Lazart (2)

 $\Rightarrow$  a high-level tool dedicated to logical weakness in the algorithms.

- An interactive tool (to play with fault injection): symbolic inputs, oracles and fault models
- Based on Klee, a concolic tool for LLVM. Potentially activates all possible paths and fault injections.
- A notion of redundant attacks (fault injection points)
- Scenario representation in terms of graphs

| #fault injection | <i>#attacks</i> | <i>#non redundant attacks</i> |
|------------------|-----------------|-------------------------------|
| 1                | 2               | 2                             |
| 2                | 9               | 1                             |
| 3                | 19              | 0                             |
| 4                | 21              | 1                             |





# EFS (SAFRAN Identity and Security)

Embedded Fault Simulator: An embedded tool within the target device (e.g. smartcard), running at Hardware Abstraction Layer.



- Fault mechanism: a subroutine with a high priority level, granting read/write access to all the component registers and memories.
- ► Fault models: allows arbitrary code to be executed in an interruption (e.g. register value modification, RAM modification, instruction skipping/replacement, arbitrary jumps...).
- Advantages:
  - fault injections on physical component.
  - side-channel observations.







# EFS (2)

Results obtained with the EFS:

- For each of the execution cycle of the targeted routine(s), we collect:
  - The routine(s) response
  - The address of the attacked instruction
- An externalized Oracle analyses the responses
- ▶ Results on AES last round with fault model  $PC \leftarrow PC + 2$

|                                      | Fault rate |          |
|--------------------------------------|------------|----------|
| Fault type                           | without CM | with CM  |
| No attack                            | 4.683 %    | 4.683 %  |
| Board reboot                         | 5.785 %    | 6.336 %  |
| Coutermeasure activated              | 0.0 %      | 88.430 % |
| One byte difference on output        | 76.309 %   | 0.0 %    |
| 2 to 15 bytes differencies on output | 0.275 %    | 0.0 %    |
| Random output                        | 9.091 %    | 0.551 %  |





# CELTIC (by CEA-LETI)

Native smartcard binaries simulation with fault injection.



- ► Custom Architecture Description Language for retargetability.
- Exhaustive injection campaign at the binary level
- Fault models: base library extensible with scripts (fault model composition)
- User-defined victory oracles.
- JIT-enabled simulation for improved performance







### CELTIC (2) CELTIC Outputs:

- Execution trace for the Golden Run
- The list  $\mathcal{F}_S$  of successful attacks.
- For each successful attack:
  - Characteristics of the fault (address, instant, type of fault)
  - Faulty execution trace









## FISSC: our secure collection

 $\Rightarrow$  a Fault Injection and Simulation Secure Collection Objectives:

- Evaluation of simulation tools
- Evaluation of (hardened) implementations

Difficulties:

- No available collected examples
- Tools dedicated to various fault models and levels of code
- How to compare results? Attacks?

#### Our proposal:

- A collection of (extensible) examples
- High level attack scenarios with regard to success oracles
- Matching criteria between results (by address or by fault model)







### Contents

| Examples:    |                                                                        |
|--------------|------------------------------------------------------------------------|
| Example      | Oracle                                                                 |
| VerifyPIN    | g_authenticated == 1                                                   |
| VerifyPIN    | g_ptc >= 3                                                             |
| AES KeyCopy  | ! equal(key, keyCpy)                                                   |
| GetChallenge | equal(challenge, prevChallenge)                                        |
| CRT-RSA      | (g_cp == pow(m,dp) % p && g_cq != pow(m,dq) % q)                       |
|              | <pre>   (g_cp != pow(m,dp) % p &amp;&amp; g_cq == pow(m,dq) % q)</pre> |

**Countermeasures:** hardened booleans, virtual stack, double arguments, step counter, loop counter, data redundancy, double calls, double tests, control flow integrity

Programming Features: Explicit call, Fixed Time Loops, inlining





### Results









### Using the benchmark

- Get http://sertif-projet.forge.imag.fr/
- Analyze C sources, asm listings
- Compare your results against the archived results
- Contribute your examples, countermeasures and results

 $\Rightarrow$  An example with results using CELTIC and EFS: <code>http://sertif-projet.forge.imag.fr/pages/example.html</code>

A first piece...







## HL scenario coverage



Figure: Matching HL and LL attacks



DGA



An open problem: Fault Injection Code Metrics

 $\Rightarrow$  How results can be evaluated?

- Identify sensitive points in a code
- Propose a vulnerability rate (evaluator's point of view). For instance:

successful attack |realized attacks|

Determine how to harden the code (developer's point of view): regroup "equivalent" attacks

Metrics difficulties:

- Attacker's model
- sensibility to the size of code







## An open problem: Countermeasures analysis

### Objectives:

- How to choose adapted countermeasures ?
  - depend on the fault model
  - could be costly
  - complexity due to multiple fault injection (CM can be attacked)

#### Open problems:

- Define and test metrics against various hardened examples
- Cost and comparison between classical countermeasures
- Dedicated analysis to establish dependency between contermeasures and assets to be protected

▶ ...







An open problem: a process mixing code analysis and penetration testing

With a good knowledge of possible attacker's parameter for a given device is it possible to mainly use simulation tools?

▶ How to determine precisely an attacker model for a given device?

- component characterization against EM, laser, FBBI...
- how to reveal only flash modification, registers modifications from RAM modifications, during data transfer or its storage ...

A more reproductible and automatic process compatible with a certification process?







### References

Louis Dureuil: Analyse de code et processus d'évaluation des composants sécurisés contre l'injection de fautes. PhD thesis, October 2016

L. Dureuil, G. Petiot, M-L. Potet, T-H. Le, A. Crohen and P. de Choudens. FISSC: a Fault Injection and Simulation Secure Collection SAFECOMP 2016.

L. Dureuil, M-L. Potet, P. de Choudens, C. Dumas and J. Clédière. From Code Review to Fault Injection Attacks: Filling the Gap using Fault Model Inference. Cardis 2015.

Lionel Rivière. Securing software implementations against fault injection attacks on embedded systems. PhD thesis, TELECOM ParisTech, Paris, September 2015.

L. Rivière, M-L. Potet, T-H. Le, J. Bringer, H. Chabanne and M. Puys. Combining High-Level and Low-Level Approaches to Evaluate Software Implementations Robustness Against Multiple Fault Injection Attacks. FPS 2014

L. Rivière, Z. Najm, P. Rauzy, J-L. Danger, J. Bringer, Laurent Sauvage: High precision fault injections on the instruction cache of ARMv7-M architectures. HOST 2015

M-L. Potet, L. Mounier, M. Puys and L. Dureuil. Lazart: a symbolic approach to evaluate the impact of fault injections by test inverting. ICST 2014, International Conference on Software Testing.

M. Berthier, J. Bringer, H. Chabanne, T-H. Le, L. Rivière, V. Servant. Idea: Embedded Fault Injection Simulator on Smartcard. ESSoS 2014



