NOVEMBER 2023

“Control Flow Integrity verification scheme based on the RISC-V Trace Encoder” by Olivier Potin (Mines Saint-Etienne, centre CMP – Gardanne)

Date : 24 november 2023
Place : Room Petri/Turing

The increasingly complex nature of embedded systems is accompanied by a strong security requirement: the security level of systems must grow to counter new attacks that exploit hardware and/or software vulnerabilities. Among these threats, the so-called ‘physical’ attacks are considered particularly serious and potent in targeting the confidentiality, integrity, and authenticity of systems. Traditionally, research on side-channel analysis and fault injection has focused on cryptographic primitives. However, recently, fault attacks have been used to compromise the integrity of program execution, broadening the spectrum of applications susceptible to such attacks (bootloaders, firmware updates, etc.). The countermeasures presented during the talk make it possible to verify whether a program is executed correctly and has not been tampered with by these attacks. Their design follows a co-design strategy that involves both software and hardware, taking into account potential interactions between the open micro-architecture of the RISC-V processor and the flexibility of software development (dedicated code, compilation strategy, etc.). The effectiveness of these countermeasures, which verify the integrity of the control flow, the code integrity, and the execution integrity of program instructions on a RISC-V processor against fault injections, will be detailed. These solutions are based on a module designed by the RISC-V community, known as the Trace Encoder. Several solutions with different levels of granularity and characteristics have been proposed. In comparison to existing solutions in the state of the art, our solutions require no modifications to the RISC-V compilation toolchain or user code.



“Timing-based Power Side-Channels in FPGAs and beyond” by Dennis Gnad (Karlsruhe Institute of Technology (KIT))

Date : 24 november 2023
Place : Room Petri/Turing

FPGAs are getting more widely used as computing accelerators, even in the cloud, where sharing between multiple users is interesting for efficiency reasons. Of course, such setups also call for new security evaluations. We show how a new class of internal attacks uses standard FPGA primitives to measure or manipulate on-chip voltage, and how that can be used for various side-channel attacks inside the FPGA, FPGA-SoCs, or even other chips on the same PCB. In detail, these attacks use very fine measurement of transistor delay as an indirect measurement of voltage. We show how these measurements can even be used for side-channel attacks on devices behind galvanically isolated communication channels by measuring their signal jitter. In the end, there will be a demo presenting one of these attacks on real hardware.


JUNE 2022

“Ghosting the Spectre: fine-grained control over speculative execution” by Allison RANDAL (University of Cambridge)

Date : 3 june 2022
Place : Room Aurigny

A series of vulnerabilities related to speculative execution rose to attention in 2018. The techniques behind these vulnerabilities were not new, but the combined application of the techniques was more sophisticated, and the security impact more severe, than previously considered possible. Current mitigations for the speculative execution vulnerabilities only offer partial protection, have prohibitive performance penalties, and apply globally so mitigations must be chosen during hardware manufacture or data center deployment. Infrastructure, operating system, and application developers have little or no control over which mitigations are deployed, and therefore no choice in whether they endure the risk of speculation or suffer the performance penalty of mitigations. This talk considers three approaches that partially or completely eliminate speculative execution from modern hardware architectures, as a finer-grained approach to mitigating the speculative execution vulnerabilities.

MAY 2022

“Security challenges and opportunities in emerging device technologies: a case study on flexible electronics” by Nele Mentens (Leiden University, The Netherlands, and KU Leuven, Belgium)

Date : 6 may 2022
Place : Room Pétri/Turing

While traditional chips in bulk silicon technology are widely used for reliable and highly efficient systems, there are applications that call for devices in other technologies. On the one hand, novel device technologies need to be re-evaluated with respect to potential threats and attacks, and how these can be faced with existing and novel security solutions and methods. On the other hand, emerging device technologies bring opportunities for building the secure systems of the future. This talk gives an overview of the minimal hardware resources that are needed to build secure systems and discusses a case study on flexible electronics on plastics.

MAY 2022

“Side Channel Analysis: Instruction extraction and Information estimation” by Valence Cristiani (CEA-LETI; Université de Montpellier, LIRMM)

Date : 6 may 2022
Place : Room Pétri/Turing

Side-channel analysis usually aims at extracting cryptographic secrets from electronic devices through their physical leakages. However, these channels can leak other sensitive information. The first part of this talk will present a study of side-channel-based disassembling (SCBD), which aims to recover the instructions executed by a microcontroller. The main threat represented by SCBD is that it potentially allows an attacker to find a vulnerability in the executed code or to extract protected software IP.
In the second part, we take a step back and address the generic topic of the amount of information leaked by a system. Indeed, whatever the target variable (secret key, instructions, etc.) and the strategy used, the amount of information one could gain from a side-channel trace is always bounded by the Mutual Information (MI) between the secret and the trace. This makes it, all punning aside, a key quantity for leakage evaluation. Unfortunately, traces are usually of too high a dimension for existing statistical estimators to remain sound when computing the MI over full traces. However, recent works from the machine learning community have shown that it is possible to evaluate the MI in high-dimensional spaces thanks to the newest deep learning techniques. We will explore how this new estimator could impact the side-channel domain both for leakage assessment and for unsupervised mutual-information-based attacks.

APRIL 2022

“Bridging Deep Learning and Classical Profiled Side-Channel Attacks” by Gabriel Zaid (Thales ITSEF, Toulouse)

Date : 8 april 2022
Place : Room Pétri/Turing

Over recent years, the cryptanalysis community has leveraged the potential of research on Deep Learning to enhance attacks. In particular, several studies have recently highlighted the benefits of Deep Learning based Side-Channel Attacks (DLSCA) to target real-world cryptographic implementations. While this new research area in applied cryptography provides impressive results in recovering a secret key even when countermeasures are implemented (e.g. desynchronization, masking schemes), the lack of theoretical results makes the construction of appropriate models a notoriously hard problem. In this talk, we propose to investigate a new research axis in order to bridge Deep Learning and Side-Channel Attacks. In particular, we explain the similarities between generative models and the classical profiled attacks (i.e. template attacks, stochastic attacks), and we develop the first DLSCA model that can be fully explained from side-channel theoretical results. This model reduces the black-box property of DL and eases the architecture design for every real-world crypto-system. Finally, a discussion is provided to define the benefits and the limitations of this new solution and a new perspective is proposed for DLSCA models.


FEBRUARY 2022

“Secure implementations and pre-silicon evaluation against physical attacks” by Sofiane Takarabt (Secure-IC)

Date: 4 february 2022
Place : Web-conference

Side-channel attacks remain a permanent threat against embedded systems, thus reliable protections should be implemented and must be carefully evaluated. In this presentation, we study different possible ways to evaluate against such threats. We show how an evaluation can be carried out to validate the security level of a protected hardware implementation. This approach allows us to estimate in advance the expected security level on a real circuit. We explore an efficient and more exhaustive way to test a masked implementation against vulnerabilities induced by glitches. We take advantage of this approach to set up a better model for this phenomenon, and to explain the form of the generated leakage based on a spectral characterization that can also be applied to real acquisitions. This allows us to explain why standard leakage models are ineffective, and why a prior characterization is required to be able to exploit this kind of flaw. With this better understanding of the leakage, we can design more compact and robust functions, which we validate on simulated and real electromagnetic traces.

APRIL 2018

“Masked Proofs and Their Physical Assumptions”
by Vincent Grosso (Radboud Universiteit, Nijmegen)

Date: 20 april 2018
Rooms: Petri/Turing

Side-channel attacks are major threats against cryptographic implementations. To counter these attacks, masking is a popular countermeasure. One of its main advantages is that the security it provides can be proven. These proofs rely on a number of assumptions about the hardware that implements the masking. In this presentation, we will look at several effects that undermine these assumptions and see their impact on the security obtained. We will consider the problems of transitions, glitches, coupling and noise.

MAY 2018

“Lightweight cryptography intrinsically resistant to physical attacks for the Internet of Things”
by Benjamin Lac (CEA-Tech, Laboratoire Systèmes et Architectures Sécurisés (LSAS))

Date: 25 may 2018
Rooms: Petri/Turing

With applications such as smartphones, smart meters, sensors and other SCADA-type industrial systems, the number of objects connected to the Internet would reach 20 billion by 2020. The constraints of size, cost and power consumption, together with the security issues raised by deploying these objects on such a large scale, have led to the design of efficient ciphers with a small hardware footprint that ensure the confidentiality, authenticity and integrity of the data held and handled by these objects. However, these so-called ‘lightweight’ ciphers are deployed in objects that are generally in a hostile environment, within reach of any kind of attacker, often for an indefinite period. The vulnerability of these objects to physical attacks is therefore another security issue at the centre of today’s debates.
During this presentation, we will characterise the security needs of connected objects and study concrete cases of physical attacks that we have introduced and carried out in the laboratory on a recent family of lightweight ciphers, the LS-Designs, whose structure allows masking to be implemented more efficiently. We will then analyse an efficient countermeasure, suited to the needs of the Internet of Things, that we have proposed to guard against fault injections and that we have named IRC, for “Internal Redundancy Countermeasure”. IRC makes it possible to detect or correct fault injections both spatially and temporally, and combines efficiently with masking to provide resistance against most physical attacks. However, the cost of IRC depends mainly on the targeted cipher, which is why we have introduced GARFIELD, a new cipher that we designed to reduce the overhead of protection by IRC. After presenting the specification of GARFIELD, we will conclude this presentation with a detailed analysis of the security and performance of this new cipher.

Biography: Holder of a CRYPTIS Master’s degree (Mathematics, Cryptology, Coding and Applications track) from the Faculté des Sciences et Techniques de Limoges, Benjamin Lac currently works in the Secure Systems and Architectures (SAS) department located in Gardanne (13), as part of a Mines Saint-Étienne PhD arising from a collaboration between CEA, DGA and Inria.
His work focuses on defining the security and performance requirements for lightweight cryptography in the context of the Internet of Things, analysing the resistance of various lightweight ciphers to physical attacks, and designing and analysing solutions to guard against these attacks.

JUNE 2018

“HardBlare, a hardware/software co-design approach for Information Flow Control”
by Guillaume Hiet – Pascal Cotret (Centrale-Supelec)

Date: 22 june 2018
Rooms: Petri/Turing

One way to increase the security level of computer systems is to rely on both software and hardware mechanisms. In this context, the HardBlare project proposes a software/hardware co-design methodology to ensure that security properties are preserved all along the execution of the system but also during file storage. The HardBlare project is a multidisciplinary project between the CentraleSupélec IETR SCEE research team, the CentraleSupélec Inria CIDRE research team and the UBS Lab-STICC laboratory. Our approach is based on Dynamic Information Flow Tracking (DIFT), which generally consists in attaching marks to denote the type of information that is saved or generated within the system. These marks are then propagated as the system evolves, and information flow control is performed in order to guarantee safe execution and storage within the system.

Existing solutions based on hardware modifications are rarely adopted in industry. This is largely due to the cost of these hardware modifications, but also to the cost induced by redeveloping the whole software stack to adapt it to the specific hardware. To tackle this problem, the HardBlare project builds on top of a standard software and hardware platform. The goal is to make no modification to the main processor core and to implement hardware DIFT in a dedicated coprocessor using an FPGA. The main challenge in such an approach is to narrow the semantic gap between the main processor and the co-processor. To address this issue, we take advantage of ARM CoreSight debug components and static analysis to reduce the instrumentation time overhead. We developed an end-to-end system including a dedicated DIFT co-processor on FPGA, a modified Linux kernel with DIFT support for the file system and a modified LLVM compiler to perform the static analysis of monitored software.

“Security of Hardware/Software Interfaces : Research Chair of the Cybersecurity Research Cluster”
by Guillaume Hiet (Centrale-Supelec)

Date: 22 june 2018
Rooms: Petri/Turing

We proposed to host a thematic semester on attacks based on the interaction between software and hardware. The goal would be to host one workshop, one summer school for young researchers, as well as multiple seminars and longer stays for researchers, spanning September 2019 to March or April 2020. This thematic semester will be funded by the DGA in the context of the Cybersecurity Research Cluster. The subject of the talk will be to present the organisation of this semester, the different research axes that will be covered as well as the possible interactions with people interested in that subject.


SEPTEMBER 2018

“Schindler-Itoh/Wiemers revisited: recovering full RSA/ECC private key from noisy side-channel observations”
by Victor Lomné and Thomas Roche (NinjaLab)

Date: 28 september 2018
Room: Métivier

Side-channel attacks on public-key cryptography (i.e. modular exponentiation for RSA or scalar multiplication for ECC) often boil down to distinguishing the 0s from the 1s in the binary representation of the secret exponent (resp. secret scalar).
When state-of-the-art countermeasures are implemented, this detection must be errorless: thanks to masking techniques, erroneous masked exponents (resp. masked scalars) are useless.
In 2011, Schindler and Itoh tackled this issue and proposed an algorithm to recover the unmasked exponent (resp. scalar) from many erroneous masked exponents (resp. masked scalars). Schindler and Wiemers improved these results in 2014 and then in 2017.
In our talk we will introduce the context of side-channel attacks on public-key cryptography, present the results of Schindler et al. and propose improvements.



DECEMBER 2018

“Study of oscillating cells for randomness generation in digital electronic circuits”
by Ugo Mureddu (Univ Lyon, UJM-Saint-Etienne, CNRS, Laboratoire Hubert Curien)

Date: 14 december 2018
Room: Métivier

Connected objects are ubiquitous in today’s society (e.g. vehicles, public transport, healthcare, home automation, smartphones, means of payment, etc.). Connecting and remotely accessing everyday devices considerably improves our comfort and efficiency in both our professional and personal lives. However, it can also expose us to unprecedented security problems. The risks related to the wide expansion of embedded systems and the Internet of Things are twofold:
access by an unauthorised person to data, for reading, copying, writing or complete erasure; and use of the connected object for an action it was not intended for, taking the system out of service, or destroying it.
To address such risks, security mechanisms must be put in place that allow sensitive data to be encrypted, along with authentication and authorisation for every device in the Internet of Things. Fortunately, cryptographic functions can meet these needs by guaranteeing confidentiality, authenticity, integrity and non-repudiation.
In this context, physical random number generators are essential, since they underpin the proper functioning of cryptographic functions. Indeed, they exploit analogue noise sources present in electronic circuits to generate secret keys for encrypting data, or unique identifiers for authenticating circuits. The security of cryptographic functions rests on the quality of the keys and identifiers produced by these random number generators. The numbers produced by these generators must be unpredictable; otherwise, the keys used to encrypt data could be broken and the identifiers copied.
This is why it is extremely important to study physical random number generators and check their resistance to attacks. In this presentation, we will discuss the sensitivity of the core of most physical random number generators, the oscillating cells, to two kinds of physical threat: the locking phenomenon and electromagnetic analysis. We will then draw up a list of recommendations to help future designers of physical random number generators minimise their sensitivity to these two kinds of vulnerability.

“An approach to hardware acceleration for homomorphic encryption”
by Joël Cathebras (CEA List)

Date : 14 december 2018
Room : Métivier

Homomorphic encryption is a cryptographic tool that allows data to be processed blindly. Its widespread use would make it possible to offer outsourced computing solutions involving confidential data, for example genomic data for personalised medicine. However, homomorphic encryption has to contend with very high memory and computational complexity. An encrypted datum is about 10^5 times larger than the actual datum, and an operation on ciphertexts is about 10^6 times heavier than the equivalent operation in the clear. In this talk, we will first briefly present the challenges of hardware acceleration for homomorphic encryption and the various existing approaches. We will then describe in more detail an approach that couples the non-positional RNS representation system with polynomial multiplication by finite-field Fourier transform (NTT). In particular, we will look at the question of scalability with respect to the wide range of parameter sizes. The implementation prospects opened up by this approach will conclude the talk.

MARCH 2019

“True Random Number Generators enabled hardware security”
by Bohan Yang (Hardware Security and Cryptographic Processor Lab, Institute of Microelectronics, Tsinghua University, China)

Date: 29 march 2019
Room: Métivier

True randomness is all about unpredictability, which can neither be qualified nor quantified by examining the statistics of a sequence of digits. Unpredictability is a property of random phenomena, which is measured in bits of information entropy. Applications of randomness span from art to numerical computing and system security. Random numbers enable various cryptographic algorithms, protocols and secured implementations by providing secret keys, initialization vectors, random challenges and masks. As embedded electronics continue to be integrated into our daily lives, security becomes an indispensable requirement for an embedded system. According to the renowned Kerckhoffs’ principle, a cryptographic system should be secure even if the attacker knows everything about the system, except the key. In modern computers and embedded systems, this key is usually generated by executing a True Random Number Generator. Therefore, it is essential that unpredictable random numbers are available in secure embedded systems. Unfortunately, designing a TRNG is not trivial and differs from conventional digital circuit design, since most digital circuits are primarily developed to behave in a deterministic digital manner. Instead of pursuing a stable and predictable behavior of the circuit, the TRNG design aims for a stable and robust unpredictability. Producing unpredictable output is usually undesired for an integrated circuit, and is sometimes regarded as a design failure. Mistakes or carelessness at any step of the TRNG design and fabrication procedure may lead to insufficient entropy and/or a malfunctioning TRNG. A True Random Number Generator (TRNG) circuit is designed to be sensitive to a particular physical phenomenon when it is in use, and to be resistant to process variations and other unwanted random physical phenomena. In order to tackle the lack of compact and efficient TRNGs on FPGAs, we proposed a novel TRNG based on edge sampling.

APRIL 2019

“TRAITOR : a multi clock-glitch attack platform reproducing EMI effects at low-cost”
by Ludovic Claudepierre (INRIA)

Date: 05 april 2019
Rooms: Pétri/Turing

Electromagnetic injection (EMI) is a common and non-invasive technique used to perform fault attacks. In that case, an electromagnetic wave is radiated by an antenna in the close vicinity of the targeted microcontroller (an STM32 in our case).
The clock signal is generated by a Phase-Locked Loop (PLL). The PLL is highly sensitive to EMI and induces severe disruption of the clock signal just after the injection. It appears that these clock glitches are the cause of the faults observed at the software level.
TRAITOR is a light and highly configurable platform which can reproduce, using an FPGA, a clock signal with the same disruptions as those obtained by EMI. The generated signal replaces the clock source of the STM32.
The user can then perform several glitches at different times in order to fault a program at run-time and induce vulnerabilities. It can especially be applied to code protected by a countermeasure against only a single fault injection, and then bypass this countermeasure. In the end, multiple fault injections could completely transform an innocent piece of code and make it malicious.

“Improved Blind Side-Channel Analysis by Exploitation of Joint Distributions of Leakages”
by Léo Reynaud (Faculté des sciences de Limoges)

Date: 05 april 2019
Rooms: Pétri/Turing

Classical side-channel attacks generally require knowledge of the plaintext (or the ciphertext) in order to compute internal values that are then compared with the leakages. Some attacks, however, dispense with this knowledge: the joint-distribution attacks. These attacks assume an attacker able to invert the leakage model, but with no knowledge of the inputs or outputs of the cipher. Another feature of these attacks is that they can be applied in the middle of the cipher, which can be useful when protections are applied only at the extremities for cost reasons. The principle rests on the fact that the distribution of the Hamming weights (for a Hamming-weight leakage model) of a variable at the start and then at the end of a round is not uniform; it is in fact a function of the key used. Studying these distributions therefore makes it possible to discriminate the key. Today, maximum likelihood appears to be the most appropriate tool for deducing the key. This attack can also be carried out against certain implementations protected by Boolean masking. In some more robust cases, the attack can be adapted so that it still works; for this, so-called quadrivariate distributions are used. The presentation will therefore introduce the basic attack, as well as its adaptation against first-order masking protections.
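The attack described in this abstract, worked through on a single 4-bit S-box as an added example (illustrative code written for this page, not the speaker's own). The attacker is assumed to observe the exact Hamming weight of the round input x and of the S-box output S(x ⊕ k), with x unknown and uniformly distributed; nothing else about plaintext or ciphertext is known. The joint distribution of the two weights depends on k, whereas the marginal of either weight alone does not, and a maximum-likelihood comparison of the observed pairs against the sixteen key-dependent distributions singles out the key nibble. The S-box is PRESENT's published one; the leakage observations are constructed by simulation (the `simulate_leakage` helper and seed are part of this example, not of the talk).

```python
"""Joint-distribution ("blind") side-channel attack on one PRESENT S-box nibble.

Added example, not code from the talk. The attacker sees only
(HW(x), HW(S[x ^ k])) for unknown uniform x, and recovers k by
maximum likelihood over the 16 possible key-dependent joint distributions.
"""
import math
import random
from collections import Counter

# PRESENT 4-bit S-box (public specification).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(v):
    """Hamming weight of a small integer."""
    return bin(v).count("1")


def joint_distribution(k):
    """P_k(h_in, h_out): probability of each (HW(x), HW(S[x ^ k])) pair
    when x is uniform over the 16 nibble values. Depends on k because the
    S-box is non-linear: the same input weight maps to different output
    weights depending on which key was XORed in."""
    counts = Counter((hw(x), hw(SBOX[x ^ k])) for x in range(16))
    return {pair: c / 16 for pair, c in counts.items()}


def marginal_is_key_independent():
    """Sanity check: the output-weight marginal alone gives no key
    information, since x ^ k is just a permutation of the inputs."""
    ref = Counter(hw(SBOX[x]) for x in range(16))
    return all(Counter(hw(SBOX[x ^ k]) for x in range(16)) == ref
               for k in range(16))


def simulate_leakage(k, n, seed=1):
    """Constructed observations (this example's stand-in for a real
    acquisition): n noise-free (HW(x), HW(S[x ^ k])) pairs for random
    unknown inputs x. The attacker never learns x itself."""
    rng = random.Random(seed)
    obs = []
    for _ in range(n):
        x = rng.randrange(16)
        obs.append((hw(x), hw(SBOX[x ^ k])))
    return obs


def log_likelihoods(obs, eps=1e-6):
    """Log-likelihood of the observed pairs under each key hypothesis.
    A pair that a hypothesis cannot produce gets probability eps, so an
    impossible pair heavily penalises that key instead of crashing log()."""
    counts = Counter(obs)
    scores = {}
    for k in range(16):
        model = joint_distribution(k)
        scores[k] = sum(c * math.log(model.get(pair, eps))
                        for pair, c in counts.items())
    return scores


def recover_key(obs):
    """Maximum-likelihood key guess plus the full score table for ranking."""
    scores = log_likelihoods(obs)
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    true_key = 0xA
    obs = simulate_leakage(true_key, 10000)
    guess, scores = recover_key(obs)
    ranking = sorted(scores, key=scores.get, reverse=True)
    print("marginal alone is key-independent:", marginal_is_key_independent())
    print("true key %s, ML guess %s" % (hex(true_key), hex(guess)))
    print("key ranking:", [hex(k) for k in ranking])
```

The same machinery carries over to the masked case mentioned in the abstract: with first-order Boolean masking the attacker instead collects the joint distribution of the weights of both shares at the start and at the end of the round (the quadrivariate distributions), and the likelihood table is built over those 4-tuples rather than over pairs.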

MAY 2019

“Do Not Trust Modern System-on-Chips: Electromagnetic fault injection against a System-on-Chip”
by Ronan Lashermes (INRIA)

Date: 10 may 2019
Rooms: Pétri/Turing

Electromagnetic fault injection (EMFI) is a well-known technique to disturb the behavior of a chip and weaken its security. These attacks are still mostly done on simple microcontrollers, since the fault effects are relatively simple and understood.
Unlocking EMFI on modern System-on-Chips (SoCs), the fast and complex chips ubiquitous today, requires understanding the impact of the faults. In this work, we target the BCM2837 SoC with four Cortex-A53 cores from ARM. We propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the micro-architecture.
The observed behaviors are radically different from what was previously obtained on microcontrollers. Subsystems (L1 caches, L2 cache, memory management unit (MMU)) can be individually targeted, leading to new fault models. We highlight the differences in the fault impact with or without an Operating System (OS), thereby showing the importance of the software layers in the exploitation of a fault. The complexity and speed of a SoC do not protect it against hardware attackers, quite the contrary.
After describing the effect of faults on SoC caches and the MMU, we propose countermeasures to protect the system against EMFI attacks.

“Automated software protection for the masses against side-channel attacks”
by Nicolas Belleville (Univ Grenoble Alpes, CEA, List)

Date: 10 may 2019
Rooms: Pétri/Turing

This presentation will present an approach and a tool that answer the need for effective, generic, and easily applicable protections against side-channel attacks. The protection mechanism is based on code polymorphism, so that the observable behaviour of the protected component is variable and unpredictable to the attacker. Our approach combines lightweight specialized runtime code generation with the optimization capabilities of static compilation. It is extensively configurable. Experimental results show that programs secured by our approach present strong security levels and meet the performance requirements of constrained systems.

JUNE 2019

“Challenges related to random number generation for cryptographic applications”
by Elie Noumon Allini (Laboratoire Hubert Curien)

Date: 7 june 2019
Rooms: Pétri/Turing

The main purpose of cryptography is to ensure secure communication. In order to achieve this goal, cryptographic schemes make intensive use of random numbers. Given that the security of these schemes highly depends on these numbers, it is important to produce high-quality random numbers. Knowing that most cryptographic modules are nowadays implemented in logic devices, we investigated True Random Number Generators (TRNGs) that can be implemented in this kind of technology. Because of the critical nature of TRNGs in cryptographic schemes, their source and their quality must be evaluated in detail.
Historically, TRNGs were considered as black boxes which produce sequences of random numbers. They were therefore solely evaluated using statistical tests. However, this view turns out not to be acceptable for security. Modern approaches (e.g. AIS 31) consist in characterizing the sources of randomness and the randomness extraction mechanisms.
In this talk, we will highlight the main challenges and modern approaches in TRNG security evaluation. One of these challenges is the characterization of the source of randomness. It leads us to consider various electronic noises that need to be characterized and whose contribution to the overall entropy needs to be assessed.

“Laser-Based Attacks Against FPGA Bitstream Encryption”
by Heiko Lohrke (Technische Universität Berlin)

Date: 7 june 2019
Rooms: Pétri/Turing

Field programmable gate arrays (FPGAs) use encryption to protect the configuration data, or “bitstream”, containing the design to be run on the device. This encryption aims at protecting the intellectual property and other secrets contained in the bitstream and preventing, e.g., cloning of or tampering with an FPGA implementation.
This talk will demonstrate how attackers can use failure analysis equipment, namely laser scanning microscopes (LSMs), to break the bitstream security on recent FPGAs. Two attacks will be presented: one for decryption key readout, and one for extraction of the plaintext data. Neither attack requires any device preparation or silicon polishing, which technically makes them non-invasive attacks.
The attack against the decryption key makes use of thermal laser stimulation (TLS). TLS is a failure analysis technique which can be deployed by an adversary to read out stored secrets in the SRAM of a chip. As the attack target, the so-called battery-backed SRAM (BBRAM) key storage inside a 20 nm technology Xilinx Kintex UltraScale FPGA is chosen. It is demonstrated that an attacker is able to extract the stored 256-bit AES key by conducting just a single measurement. The required effort to develop the attack is shown to be less than 7 hours.
The attack for plaintext data extraction applies optical contactless probing techniques. Optical contactless probing, again a failure analysis technique, allows attackers to localize and probe secret data on a chip with a laser beam. The attack is conducted on the decryption ASIC of a 28 nm technology Xilinx Kintex 7 FPGA. It is demonstrated that the adversary is able to extract the plaintext data containing sensitive design information and intellectual property. Less than 10 working days are needed to conduct the optical analysis and reverse-engineer the security-related parts of the hardware.


NOVEMBER 2019

“One Fault Can Go A Long Way”
by Shivam Bhasin (Nanyang Technological University)

Date: 15 november 2019
Room: Métivier

*Abstract:* Fault attacks are considered among the critical threats to embedded cryptography. This talk will be divided into two parts. The first part of the talk will explore the application of faults on advanced security primitives. We present persistent fault analysis introduced at CHES 2017 and its capability to bypass state-of-the-art fault countermeasures as well as higher-order masking with one and only one fault injection. Further, we present novel exploits in lattice-based post-quantum cryptographic primitives with one (or few) faults. The second part of the talk will present, to our knowledge, the first practical combined side-channel and differential fault attacks. With application to bit-permutation-based ciphers like PRESENT and GIFT, practical attacks exploiting laser fault injection together with the power side-channel will be presented.
*Biography:* Shivam Bhasin is a Senior Research Scientist and Programme Manager (Cryptographic Engineering) at the Centre for Hardware Assurance, Temasek Laboratories, Nanyang Technological University (TL@NTU), Singapore, since 2015. His research interests include embedded security, trusted computing and secure designs. He received his PhD from Telecom Paristech in 2011 and his Master’s from Mines Saint-Etienne, France, in 2008. Before NTU, Shivam held the position of Research Engineer at Institut Mines-Telecom, France. He was also a visiting researcher at UCL, Belgium (2011) and Kobe University, Japan (2013). Shivam also taught hardware security as an Adjunct Professor at IIT Kharagpur, India (2018). He regularly publishes in top peer-reviewed journals and conferences. Some of his research now also forms part of the ISO/IEC 17825 standard.
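To make the "one and only one fault" idea of the abstract concrete, the following is an added simulation of persistent fault analysis on the last AES round, written for this page; it is not the speaker's code nor the artefact of the CHES paper. It assumes the attacker knows the original value of the overwritten S-box entry (e.g. from a known address and bit-flip model), that the state entering the last round is uniformly random, and it ignores ShiftRows, which only permutes byte positions. The S-box, the fault and the ciphertexts are all constructed inside the script.

```python
"""Persistent fault analysis (PFA) on the last AES round, simulated.

One persistent fault overwrites a single S-box entry in memory. Because the
S-box is a bijection, the original output value of that entry can no longer
be produced, so for each ciphertext byte c = S'[x] ^ k exactly one value of c
never occurs (lost ^ k) and one occurs twice as often (replacement ^ k).
Collect enough ciphertexts, find the missing value, XOR it with the lost
value: that is the last-round key byte. Everything below is constructed for
this example; no real device or trace is involved.
"""
import random
from collections import Counter


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def build_sbox():
    """Derive the AES S-box (inverse in GF(2^8), then the affine map) so the
    table is a bijection by construction rather than a typed-in constant."""
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        s = inv
        for shift in (1, 2, 3, 4):        # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = build_sbox()


def last_round(state, key, sbox):
    """Final AES round per byte: SubBytes then AddRoundKey (ShiftRows only
    moves bytes between positions and does not change the PFA argument)."""
    return bytes(sbox[x] ^ k for x, k in zip(state, key))


def inject_persistent_fault(sbox, index, new_value):
    """Model the fault: the table entry at `index` now holds `new_value`."""
    faulty = list(sbox)
    faulty[index] = new_value
    return faulty


def collect_ciphertexts(key, sbox, n, rng):
    """Attacker-visible outputs of n encryptions of random states under `sbox`."""
    return [last_round(bytes(rng.randrange(256) for _ in range(16)), key, sbox)
            for _ in range(n)]


def observed_fault_difference(ciphertexts, position=0):
    """lost ^ replacement is visible without the key: missing value XOR doubled value."""
    counts = Counter(c[position] for c in ciphertexts)
    missing = next(v for v in range(256) if counts[v] == 0)
    doubled = counts.most_common(1)[0][0]
    return missing ^ doubled


def recover_key(ciphertexts, lost_value):
    """PFA core: per byte position, the value that never occurs is lost_value ^ k."""
    key = bytearray(16)
    for i in range(16):
        counts = Counter(c[i] for c in ciphertexts)
        missing = [v for v in range(256) if counts[v] == 0]
        if len(missing) != 1:
            raise ValueError(f"byte {i}: {len(missing)} candidates, collect more ciphertexts")
        key[i] = missing[0] ^ lost_value
    return bytes(key)


def demo(n_ciphertexts=20000, seed=1):
    """Run the whole attack on a random key and report what the attacker sees."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    fault_index, replacement_index = 0x42, 0x17   # constructed fault location/content
    lost_value = SBOX[fault_index]                # assumed known to the attacker
    faulty = inject_persistent_fault(SBOX, fault_index, SBOX[replacement_index])
    cts = collect_ciphertexts(key, faulty, n_ciphertexts, rng)
    return {
        "key": key,
        "recovered": recover_key(cts, lost_value),
        "observed_diff": observed_fault_difference(cts),
        "true_diff": lost_value ^ SBOX[replacement_index],
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key matches:", result["key"] == result["recovered"])
```

The number of ciphertexts matters only for coverage: the attack needs every non-missing value to show up at least once per byte position, which is why `recover_key` refuses to guess when several values are absent instead of returning a wrong key.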


Towards a better understanding of deep learning applied to side-channel attacks.
by Loïc Masure (CEA)
Date: 10 january 2020
Room: Métivier

Side-channel attacks (SCA) exploit weaknesses of a cryptographic primitive embedded in a component (smart card, IoT device, …) by measuring physical quantities that depend indirectly on the value of the secret key. This is why it is essential for developers to propose suitable countermeasures and to evaluate their effectiveness against a potential attacker.
Over the last decade, advances in deep learning have transformed many areas of computer science, including side-channel attacks.
Despite recent progress in deep learning and its application to side-channel attacks, the scientific community remains sceptical about the value of these techniques because of their “black-box” nature. This lack of explanation, which is not specific to this application domain, is nevertheless crucial from the point of view of the evaluator or the developer in order to identify the flaw in the implementation.
This presentation aims to build a better understanding of deep learning in the context of side-channel attacks. We will show how the training of such estimators can be analysed so as to estimate a priori the complexity of an attack based on neural networks. We will also observe on simulations that these models, trained without prior knowledge of the countermeasures, can reach the theoretical security bounds predicted by the literature, validating the relevance of certain countermeasures such as masking or shuffling against neural networks.
Furthermore, we will see how to exploit a trained network to perform an efficient characterisation of the traces, even in the presence of countermeasures that render other classical techniques ineffective. This allows a better understanding of the information leakage exploited by the network and refines the diagnosis of the evaluator or developer, in order to propose fixes.

libecc: a flexible open-source ECC library for embedded devices
by Ryad Benadjila and Arnaud Ebalard (ANSSI)
Date: 14 february 2020
Room: Pétri/Turing

libecc is a software library for elliptic curve cryptography (ECC), with an API supporting the signature algorithms specified in the ISO/IEC 14888-3 standard.
Advanced uses of this library also include implementing elliptic-curve Diffie-Hellman protocols, as well as any algorithm built on top of prime-field elliptic curves (or prime fields, or rings of integers).
The presentation will introduce the rationale behind the development of libecc, as well as its architecture. Compared to other cryptographic libraries providing similar features, the differentiating points are a focus on code simplicity, portability and auditability (self-contained, pure C99 code); a clean layer separation for all the needed mathematical abstractions and operations; and a security-over-performance motivation (while endeavouring to offer decent throughput in addition to moderate RAM and ROM footprints).
Though some effort has been made to make (most of) the core algorithms constant-time, turning libecc into a library shielded against side-channel attacks (SCA) is still a work in progress. The choices that have been made to resist SPA and DPA will be contextualised and discussed.
Finally, concrete examples of libecc integration in both internal and external projects will be examined.

MARCH 2021

“SideLine and the advent of software-induced hardware attacks”
by Joseph Gravellier (Mines Saint-Etienne – Thales )

Date: 19 march 2021
Place: Web-conference

In this talk, we will discuss software-induced hardware attacks and their impact on IoT, cloud and mobile security. More specifically, I will introduce SideLine, a new power side-channel attack vector that can be triggered remotely to infer cryptographic secrets. SideLine is based on the intentional misuse of delay-line components embedded in SoCs that use external memory. I will explain how we exploit the relationship between the delay line and on-chip power consumption to capture side-channel leakage, how we collect and store this information, and how we use it to conduct power side-channel attacks. Different scenarios will be discussed, along with the feasibility of remote hardware attacks in each of them.

“Calibration Done Right: Noiseless Flush+Flush Attacks”
by Guillaume Didier (DGA-IRISA)

Date: 19 march 2021
Place: Web-conference

Caches leak information through timing measurements and so-called side-channel attacks. Several primitives exist, with different requirements and trade-offs. Flush+Flush is a stealthy and fast cache attack primitive that uses the timing of the clflush instruction, which depends on the presence of a line in the cache. However, the CPU interconnect plays a bigger role than previously thought in these timings, and therefore in the error rate of Flush+Flush.
In this paper, we show that a naive implementation that does not take the topology of the interconnect into account yields very high error rates, especially on modern CPUs as the number of cores increases. We therefore reverse-engineer this topology and revisit the calibration phase of Flush+Flush for different attacker models to determine the correct threshold for clflush hits and misses. We show that our method yields noiseless side-channel attacks by attacking the AES T-table implementation of OpenSSL and by building a covert channel. We obtain a maximal capacity of 3.15 Mbit/s with our improved method, compared to 1.4 Mbit/s with a naive implementation of Flush+Flush on an Intel Core i9-9900 CPU.
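As an added, synthetic illustration of the calibration problem described above (this is neither code nor data from the paper), the script below models clflush latencies whose hit and miss distributions shift with the (attacker core, cache slice) pair, then compares the error rate of one global threshold against per-pair thresholds. The latency centres, the per-pair offsets and the pair labels are all constructed stand-ins for the interconnect effect; on a real machine `synth_timings` would be replaced by rdtsc-measured clflush latencies for each pair.

```python
"""Flush+Flush threshold calibration, naive vs topology-aware (simulation).

Flush+Flush classifies a line as cached or not from the latency of clflush.
On a ring/mesh interconnect that latency also depends on the distance between
the attacker core and the LLC slice owning the line, so the hit and miss
distributions of different (core, slice) pairs are shifted against each other
and a single global threshold cuts some of them in the wrong place. All
timings here are synthetic; replace synth_timings() with measured cycle
counts to calibrate a real machine.
"""
import random


def synth_timings(rng, pair_offsets, n_per_class, hit=140, miss=180, sigma=8):
    """Constructed latencies: per (core, slice) pair, hits and misses are two
    Gaussians shifted by that pair's offset (a stand-in for ring distance)."""
    data = {}
    for pair, off in pair_offsets.items():
        hits = [rng.gauss(hit + off, sigma) for _ in range(n_per_class)]
        misses = [rng.gauss(miss + off, sigma) for _ in range(n_per_class)]
        data[pair] = (hits, misses)
    return data


def misclassified(hits, misses, t):
    """Decision rule: latency < t means the line was cached (hit), else miss."""
    return sum(h >= t for h in hits) + sum(m < t for m in misses)


def best_threshold(hits, misses):
    """Integer cut minimising misclassifications on the given samples."""
    lo = int(min(hits + misses))
    hi = int(max(hits + misses)) + 1
    return min(range(lo, hi + 1), key=lambda t: misclassified(hits, misses, t))


def calibrate(data):
    """Naive: one threshold over pooled samples. Topology-aware: one per pair."""
    all_hits = [h for hits, _ in data.values() for h in hits]
    all_misses = [m for _, misses in data.values() for m in misses]
    global_t = best_threshold(all_hits, all_misses)
    per_pair_t = {pair: best_threshold(h, m) for pair, (h, m) in data.items()}
    return global_t, per_pair_t


def error_rate(data, threshold_for):
    """Fraction of samples classified wrongly when pair p uses threshold_for(p)."""
    wrong = total = 0
    for pair, (hits, misses) in data.items():
        wrong += misclassified(hits, misses, threshold_for(pair))
        total += len(hits) + len(misses)
    return wrong / total


def demo(seed=7, n_per_class=1000):
    """Returns (naive error rate, topology-aware error rate) on synthetic data."""
    rng = random.Random(seed)
    # (attacker core, LLC slice) -> latency offset in cycles; constructed values
    pair_offsets = {(0, 0): 0, (0, 1): 35, (0, 2): 70, (0, 3): 105}
    data = synth_timings(rng, pair_offsets, n_per_class)
    global_t, per_pair_t = calibrate(data)
    naive = error_rate(data, lambda pair: global_t)
    aware = error_rate(data, lambda pair: per_pair_t[pair])
    return naive, aware


if __name__ == "__main__":
    naive, aware = demo()
    print(f"global threshold error {naive:.1%}, per-pair thresholds {aware:.1%}")
```

With the constructed offsets, whole pairs fall on the wrong side of any single cut, so the naive error rate sits well above a third while the per-pair thresholds bring it down to the overlap of the two Gaussians; the lesson carries over to real hardware, where the attacker has to learn which slice each target address maps to before choosing a threshold.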


APRIL 2021

“Lattice-based NIST candidates: abstractions and ninja tricks”
by Thomas Prest (PQShield – United Kingdom)

Date: 23 april 2021
Place: Web-conference

I will present the remaining lattice-based candidates for standardization by NIST (2 signature schemes, 5 encryption schemes). At a high level, these can all be interpreted as straightforward instantiations of decades-old paradigms. But when we look under the hood, all of them make design choices which impact their security, efficiency and portability in distinct manners; we will discuss these. Finally, we will look at ninja tricks that can be pulled off with specific lattice-based schemes; in *some* contexts, these allow, with minimal changes to the schemes, a large decrease in their communication overhead.

“Code-based post-quantum cryptography: candidates for standardization”
by Nicolas Sendrier (INRIA)

Date: 23 april 2021
Place: Web-conference

At the third round of the NIST standardization process, three candidates whose security is based on error-correcting codes remain, all of them key exchange mechanisms. We will explore them according to their security assumptions and properties. Among them, we find a historical scheme (Classic McEliece), as well as schemes using sparse and quasi-cyclic matrices (BIKE and HQC). We will examine pros and cons as well as, for some of them, aspects of their implementation through possible use cases.

“Post-Quantum Cryptography Hardware: Monolithic Implementations vs. Hardware-Software Co-Design”
by Markku-Juhani Saarinen (PQShield – United Kingdom)

Date: 23 april 2021
Place: Web-conference

At PQShield, we’ve developed dedicated coprocessor(s) for lattice schemes, hash-based signatures, and code-based cryptography. These cryptographic modules are commercial rather than academic and designed to meet customer specifications such as a specific performance profile or Common Criteria and FIPS security certification requirements.
Hardware implementations of legacy RSA and Elliptic Curve cryptography were generally just “big integer” engines. Post-quantum algorithms use a much broader range of primitive operations and are generally more complex.
Monolithic hardware implementations are self-contained modules implementing the entire algorithm. A monolithic implementation has a clear security boundary but will lead to inflexibility and a relatively large area. On the other hand, a co-design approach will offload only those computations to special memory-mapped peripherals or custom instructions that benefit from it the most, e.g., SHAKE or large polynomial/vector/matrix circuitry. We discuss our experiences with both of these approaches, drawing from our engineering experience.

JUNE 2021

“Unique CAD-compatible SCA-security mechanisms, externally amplified coupling (EAC) attacks and (some) connection” by Itamar Levi (Bar-Ilan University (BIU))

Date : 25 june 2021
Place : Web-Conference

In this seminar I will first discuss unique computer-aided design (CAD) compatible SCA security mechanisms. I will present an approach which can significantly increase the physical security level of a design, can be implemented with conventional design tools, and does not require any special technological support. The method consists of a correct-by-design utilization of power-management libraries and tools; it embeds special, ultra-low-cost randomization mechanisms locally into the RTL of a design, which makes it mature and easy to master by any back-end/front-end digital designer. This method is ideally suited for high security levels when used as a building block to reduce the SNR and amplify the noise in the leakage together with mathematical solutions (e.g. masking). Theoretically, a limitation of the construction as a stand-alone is security-energy scaling, i.e. for very high security levels its energy cost is exponential. I will present a glimpse of our current work answering this challenge with an alternative construction which provides linear cost.
In the second part of the talk, I will discuss the threat of externally amplified coupling (EAC) attacks, a type of attack which is very dangerous for masked designs as it merges the leakage of shares which are otherwise supposed to be independent (whether in hardware or software). I will review some of our work on the topic and discuss the scalability of EAC attacks to high-order masked designs and their dominance as compared to inherent (intra-device) coupling, and I will show some results from current experimentation with a dedicated ASIC test bed. Interestingly, the first and second parts of the talk share a link which will be discussed.



“Rank metric cryptography and its implementations” by Nicolas Aragon (XLIM – Université de Limoges)

Date : 08 october 2021
Place : Room Petri/Turing

In 2017, the NIST (National Institute of Standards and Technology) started a standardization process in order to select post-quantum encryption and digital signature schemes. Among the proposed solutions, two rank-metric based encryption schemes were selected for the second round of the standardization process: ROLLO and RQC.
This raised questions about both the performance and the security of implementations of rank-metric cryptography. While performance has been significantly improved recently, the question of resistance to side-channel attacks needs to be studied more deeply.
This talk will present an overview of the existing primitives in rank-based cryptography and the challenges of making a secure implementation of these primitives.


When Electromagnetic Signals Reveal Obfuscated Malware: Deep and Machine Learning Use cases
by Duy-Phuc Pham and Damien Marion (Univ Rennes, CNRS, Inria, IRISA Rennes)

Date: 22 october 2021
Place : Room Petri/Turing

The Internet of Things (IoT) is made up of devices that are growing exponentially in number and in complexity. They use plentiful customized firmware and hardware, ignoring potential security issues, which makes them a perfect victim for cybercriminals, especially malware authors.
We will describe a new use of side-channel information to identify threats that are targeting the device. Using our approach, a malware analyst is able to accurately know the malware type and identity, even in the presence of obfuscation techniques which may evade static or symbolic binary analysis. We captured 100,000 leakage traces from an IoT device infected by miscellaneous and representative in-the-wild malware samples and realistic benign activity. Our technique does not need to modify the target device. Thus, it can be deployed independently of the resources available, without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by malware authors.
In our experiments, we were able to classify three generic malware types (and one benign class) with an accuracy of 99.82%. Moreover, we show that our solution can classify altered malware samples with obfuscation techniques unseen during the training phase, and determine what kind of obfuscation was applied to the binary, which makes our approach particularly useful for malware analysts.
