Publications

Below is a list of my publications. You can find my main publications on the DBLP database. For most papers, a link to the online version is provided. Alternatively, I would be happy to send you a copy upon request.

Book Chapters

  1. La Sécurité Logique

    Guillaume Barbu, Guillaume Bouffard, and Julien Iguchy-Cartigny - Les Cartes à puce (2013)
  2. Guillaume Bouffard, and Jean-Louis Lanet - Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday (2012)

    Java Card is a kind of smart card that implements one of the two editions, “Classic Edition” or “Connected Edition”, of the standard Java Card 3.0 [7]. Such a smart card embeds a virtual machine which interprets codes already romized with the operating system or downloaded after issuance. Due to security reasons, the ability to download code into the card is controlled by a protocol defined by Global Platform. This protocol ensures that the owner of the code has the necessary authorization to perform the action. Java Card is an open platform for smart cards, i.e. able of loading and executing new applications after issuance. Thus, different applications from different providers run in the same smart card. Thanks to type verification, byte codes delivered by the Java compiler and the converter (in charge of giving a compact representation of class files) are safe, i.e. the loaded application is not hostile to other applications in the Java Card. Furthermore, the Java Card firewall checks permissions between applications in the card, enforcing isolation between them.

Journal Articles

  1. Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - Journal of Cryptographic Engineering (JCEN) (2021)

    The last years have seen the emergence offault attacks targeting modern Central Processing Units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the Electromagnetic Fault Injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837 where we successfully demonstrate persistent faults on L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the Memory Management Unit (MMU). To validate our fault model, we realize a persistent fault analysis toretrieve an AES key.

  2. Noreddine El Janati El Idrissi, Guillaume Bouffard, Jean- Louis Lanet, and Said El Hajji - Journal of Cryptographic Engineering (JCEN) (2017)

    Retrieving assets inside a secure element is a challenging task. The most attractive assets are the cryptographic keys stored into the non volatile memory (NVM) area. Most of the researches try to obtain cryptographic keys through side channel attacks or fault injection attacks. Such cryptographic objects are stored into secure containers. We demonstrate in this paper how one can use some characteristics of the Java Card platform to gain access to these assets. Such a smart card embeds a Firewall that provides isolation between applets from different clients (using the notion of security contexts). We exploit the client/server architecture of the intra platform communication to lure a client application to execute within its security context, a hostile code written and called from another security context: the server security context. This attack shows the possibility for a trusted application to execute within its security context some hostile code uploaded previously by the server.

  3. Guillaume Bouffard, and Jean-Louis Lanet - Computers and Security (2015)

    Recently, researchers published several attacks on smart cards. Among these, software attacks are the most affordable, they do not require specific hardware (laser, EM probe, etc.). Such attacks succeed to modify a sensitive system element which offers access to the smart card assets. To prevent that, smart card manufacturers embed dedicated countermeasures that aim to protect the sensitive system elements. We present a generic approach based on a Control Flow Transfer (CFT) attack to modify the Java Card program counter. This attack is built on a type confusion using the couple of instructions jsr/ret. Evaluated on different Java Cards, this new attack is a generic CFT exploitation that succeeds on each attacked cards. We present several countermeasures proposed by the literature or implemented by smart card designers and for all of them we explain how to bypass them. Then, we propose to use Attack Countermeasure Tree to develop an effective and affordable countermeasure for this attack.

  4. Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - International Journal of Trust Management in Computing and Communications (IJTMCC) (2014)

    Security and attacks are two sides of the same coin in smart card industry. Smart cards are subjected to different types of attacks to gain the assets stored in it and can cause security issues. It is necessary to identify and exploit these attacks and implement appropriate countermeasures to mitigate their effects. Fault attacks are one among them and can introduce abnormal behaviour on the smart card environment. Some redundancies are necessary to recognise this problem. In this work we propose an automatic method to obtain control flow redundancy using a security automaton to mitigate laser based fault attacks and hence implement a smart card countermeasure based on the combination of static analysis and dynamic monitoring method. This is a very cost effective approach which can identify and mitigate the effects of fault attacks in a more efficient way.

  5. Guillaume Bouffard, and Jean-Louis Lanet - Journal Computer Virology and Hacking Techniques (2014)

    Attacks on smart cards can only be based on a black box approach where the code of cryptographic primitives and operating system are not accessible. To perform hardware or software attacks, a white box approach providing access to the binary code is more effi- cient. In this paper, we propose a methodology to discover the romized code whose access is protected by the virtual machine. It uses a hooked code in an indirection table. We gained access to real processor, thus allowing us to run a shell code written in 8051 assembler language. As a result, this code has been able to dump completely the ROM of a Java Card operating system. One of the issues is the possibility to reverse the cryptographic algorithm and all the embedded countermeasures. Finally, our attack is evaluated on different cards from distinct manufacturers.

  6. Guillaume Bouffard, and Tiana Razafindralambo - Multi-System & Internet Security (MISC) (2014)

    L’année 2013 a été une année assez « riche » en termes de découverte et d’exploitation de 0-day dans la nature en ce qui concerne la famille Java. Java Card fait tout aussi bien partie de cette famille. Néanmoins, son processus d’évaluation suit un tout autre chemin et les attaques découvertes jusqu’à maintenant n’en sont pas moins intéressantes.

  7. Jean Dubreuil, Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - International Journal of Secure Software Engineering (IJSSE) (2013)

    One of the challenges for smart card deployment is the security interoperability. A smart card resistant to an attack on a given platform should be able to guarantee the same behavior on another platform. But the current implementations do not comply with this requirement. In order to improve such standardization we propose a framework based on annotations with an external pre-processing to switch the Java Card Virtual Machine (JCVM) into a secure mode by activating a set of countermeasures. An example has been proposed in this paper for implementing a countermeasure against type confusion with a fault attack. Smart cards are often the target of software, hardware or combined attacks. In recent days most of the attacks are based on fault injection which can modify the behavior of applications loaded onto the card, changing them into mutant applications. This countermeasure requires a transformation of the original program byte codes which remain semantically equivalent. It needs a modification of the JCVM which stays backward compatible and a dedicated framework to deploy these applications. Thus, the proposed platform can resist to a fault enabled mutant.

International Conferences with Review and Proceeding

  1. Amélie Marotta, Ronan Lashermes, Guillaume Bouffard, Olivier Sentieys, and Rachid Dafali - Proceedings of the 15th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE) (2024)

    In the realm of fault injection (FI), electromagnetic fault injection (EMFI) attacks have garnered significant attention, particularly for their effectiveness against embedded systems with minimal setup. These attacks exploit vulnerabilities with ease, underscoring the im- portance of comprehensively understanding EMFI. Recent studies have highlighted the impact of EMFI on phase-locked loops (PLLs), uncov- ering specific clock glitches that induce faults. However, these studies lack a detailed explanation of how these glitches translate into a specific fault model. Addressing this gap, our research investigates the physical fault model of synchronous clock glitches (SCGs), a clock glitch injec- tion mechanism likely to arise from EMFI interactions within the clock network. Through an integrated approach combining experimental and simulation techniques, we critically analyze the adequacy of existing fault models, such as the Timing Fault Model and the Sampling Fault Model, in explaining SCGs. Our findings reveal specific failure modes in D flip-flops (DFFs), contributing to a deeper understanding of EMFI effects and aiding in the development of more robust defensive strategies against such attacks.

  2. Vincent Giraud, and Guillaume Bouffard - IEEE European Workshops on Symposium on Security and Privacy (EuroS&P) (2023)

    Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process [17], a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks [7] while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation [18]. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

  3. PhiAttack - Rewriting the Java Card Class Hierarchy

    Jean Dubreuil, and Guillaume Bouffard - Proceedings of the 20th International Conference on Smart Card Research and Advanced Applications (CARDIS) (2021)
  4. Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédi\‘ ere - Proceedings of the 18th Workshop on Fault Detection and Tolerance in Cryptography (FDTC) (2021)

    Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Few works try to characterize at the Instruction Set Architecture (ISA) level. In this article, we apply a state-of-the-art faults model characterization approach on modern CPU. We evaluate the fault model on two different CPUs from different architectures with the same injection mediums. We target the CPU of Raspberry Pi 3 (ARM) and an Intel Core i3 (x86) and perturb them with ElectroMagnetic Fault Injection (EMFI). From the ISA point of view, we disclose a similar fault model on each component. Additionally, we evaluate a widely used complex software, OpenSSL , against this fault model.

  5. Thomas Trouchkine, Guillaume Bouffard, and Jessy Clediere - Proceedings of the 13th International Conference Information Security Theory and Practice (WISTP) (2019)
    Best student paper award

    Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have been emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on modern CPU. For that, we introduce the first approach to characterize the fault model on modern CPU from the Instruction Set Architecture (ISA) level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. Our fault model aims at finding original attack paths and designed efficient countermeasures. To confront our approach to real modern CPUs, we apply our approach on ARM and x86 architectures CPUs, mainly on the BCM2837 (the Raspberry Pi model B CPU) and an Intel Core i3.

  6. Julien Lancia, and Guillaume Bouffard - Proceedings of the 14th International Conference Smart Card Research and Advanced Applications (CARDIS) (2015)

    The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.

  7. Guillaume Bouffard, Michael Lackner, Jean-Louis Lanet, and Johannes Loinig - Proceedings of the 13th International Conference Smart Card Research and Advanced Applications (CARDIS) (2014)

    Several logical attacks against Java based smart card have been published recently. Most of them are based on the hypothesis that the type verification was not performed, thus allowing to obtain dynamically a type confusion. To mitigate such attacks, typed stack have been introduced on recent smart card. We propose here a new attack path for performing a type confusion even in presence of a typed stack. Then we propose using a Fault Tree Analysis a way to design efficiently counter measure in a top down approach. These counter measures are then evaluated on a Java Card virtual machine.

  8. Jean-Louis Lanet, Guillaume Bouffard, Rokia Lamrani, Ranim Chakra, Afef Mestiri, Mohammed Monsif, and Abdellatif Fandi - Proceedings of the 13th International Conference Smart Card Research and Advanced Applications (CARDIS) (2014)

    Nowadays several papers have shown the ability to dump the EEPROM area of several Java Cards leading to the disclosure of already loaded applet and data structure of the card. Such a reverse engineering process is costly and prone to errors. Currently no tool are available to help this process. We propose here an approach to find in the raw data obtained after a dump, the area containing the code and the data. Then, once the code area has been identified, we propose to rebuilt the original binary Cap file in order to be able to obtain the source code of the applet stored in the card.

  9. Guillaume Bouffard, Tom Khefif, Jean-Louis Lanet, Ismael Kane, and Sergio Casanova Salvia - Proceedings of the International Conference on Risks and Security of Internet and Systems (CRiSIS) (2013)

    Java Card specification allows to load applications after the post-issuance. Each application to be installed into the card is verified by a Byte Code Verifier which ensures that the application is in compliance with the Java security rules. The Java Card linking process is divided in to two steps. The first one is done off-card by the Java Card toolchain. The second one is realized during the appli- cation installation to resolve each token by an internal reference. In this paper, we focus on the off-card linker, espe- cially the conversion part between a Java-Class item and a Java Card-Cap token. For that, we provide mali- cious export files which will be used by the converter. This malicious API provides the same behavior as the original one for the user. With this attack, we are able to confuse the Java Card linker.

  10. Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Proceedings of the 32nd International Conference on Computer Safety, Reliability, and Security (SAFECOMP) (2013)

    In smart card domain, attacks and countermeasures are advancing at a fast rate. In order to have a generic view of all the attacks, we propose to use a Fault Tree Analysis. This method used in safety analysis helps to understand and implement all the desirable and undesirable events existing in this domain. We apply this method to Java Card vulnerability analysis. We define the properties that must be ensured: integrity and confidentiality of smart card data and code. By modeling the conditions, we discovered new attack paths to get access to the smart card contents. Then we introduce a new security api which is proposed to mitigate the undesirable events defined in the tree models.

  11. Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Proceedings of the International Symposium on Security in Computing and Communications (SSCC) (2013)

    Security and interoperability issues are increasing in smart card domain and it is important to analyze these issues carefully and implement appropriate countermeasures to mitigate them. Security issues involve attacks on smart cards which can lead to their abnormal behavior. Fault attacks are the most important among them and they can affect the program execution, smart card memory, etc. Detecting these abnormalities requires some redundancies, either by another code execution or by an equivalent representation. In this paper, we propose an automatic method to provide this redundancy using a security automaton as the main detection mechanism. This can enforce some trace properties on a smart card application, by using the combination of a static analysis and a dynamic monitoring. The security officer specifies the fragments of the code that must be protected against fault attacks and a program transformer produces an equivalent program that mesh a security automaton into the code according to the security requirements.

  12. Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Proceedings of the International Conference on Recent Trends in Computer Networks and Distributed Systems Security (SNDS) (2012)

    Off late security problems related to smart cards have seen a significant rise and the risks of the attack are of deep concern for the industries. In this context, smart card industries try to overcome the anomaly by implementing various countermeasures. In this paper we discuss and present a powerful attack based on the vulnerability of the linker which could change the correct byte code into malicious one. During the attack, the linker interprets the instructions as tokens and are able to resolve them. Later we propose a countermeasure which scrambles the instructions of the method byte code with the Java Card Program Counter (jpc). Without the knowledge of jpc used to decrypt the byte code, an attacker cannot execute any malicious byte code. By this way we propose security interoperability for different Java Card platforms.

  13. Jean Dubreuil, Guillaume Bouffard, Jean-Louis Lanet, and Julien Cartigny - Proceedings of the 7th International Conference on Availability, Reliability and Security (ARES) (2012)

    Smart card are often the target of software or hardware attacks. For instance the most recent attacks are based on fault injection which can modify the behavior of applications loaded in the card, changing them as mutant application. In this paper, we propose a new protection mechanism which makes application to be less prone to mutant generation. This countermeasure requires a transformation of the original program byte codes which remains semantically equivalent. It requires a modification of the Java Virtual Machine which remains backward compatible and a dedicated framework to deploy the applications. Hence, our proposition improves the ability of the platform to resist to Fault Enabled Mutant.

  14. Tiana Razafindralambo, Guillaume Bouffard, and Jean-Louis Lanet - Proceedings of the 26th Annual Conference on Data and Applications Security and Privacy XXVI (DBSec) (2012)

    Smart cards are the safer device to execute cryptographic algorithms. Applications are verified before being loaded into the card. Recently, the idea of combined attacks to bypass byte code verification has emerged. Indeed, correct and legitimate Java Card applications can be dynamically modified on-card using a laser beam to become mutant applications or fault enabled viruses . We propose a framework for manipulating binary applications to design viruses for smart cards. We present development, experimentation and an example of this kind of virus.

  15. Guillaume Bouffard, and Jean-Louis Lanet - Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday (2012)

    Java Card is a kind of smart card that implements one of the two editions, “Classic Edition” or “Connected Edition”, of the standard Java Card 3.0 [7]. Such a smart card embeds a virtual machine which interprets codes already romized with the operating system or downloaded after issuance. Due to security reasons, the ability to download code into the card is controlled by a protocol defined by Global Platform. This protocol ensures that the owner of the code has the necessary authorization to perform the action. Java Card is an open platform for smart cards, i.e. able of loading and executing new applications after issuance. Thus, different applications from different providers run in the same smart card. Thanks to type verification, byte codes delivered by the Java compiler and the converter (in charge of giving a compact representation of class files) are safe, i.e. the loaded application is not hostile to other applications in the Java Card. Furthermore, the Java Card firewall checks permissions between applications in the card, enforcing isolation between them.

  16. Guillaume Bouffard, Julien Iguchi-Cartigny, and Jean-Louis Lanet - Proceedings of the 10th International Conference on Smart Card Research and Advanced Applications (CARDIS) (2011)

    The Java Card uses two components to ensure the security of its model. On the one hand, the byte code verifier (BCV) checks, during an applet installation, if the Java Card security model is ensured. This mechanism may not be present in the card. On the other hand, the firewall dynamically checks if there is no illegal access. This paper describes two attacks to modify the Java Card control flow and to execute our own malicious byte code. In the first attack, we use a card without embedded security verifier and we show how it is simple to change the return address of a current function. In the second attack, we consider the hypothesis that the card embeds a partial implementation of a BCV. With the help of a laser beam, we are able to change the execution flow.

  17. Guillaume Bouffard, Jean-Louis Lanet, Jean-Baptiste Machemie, Jean-Yves Poichotte, and Jean-Philippe Wary - Proceedings of the 10th International Conference on Smart Card Research and Advanced Applications (CARDIS) (2011)

    The ability of Java Cards to withstand attacks is based on software and hardware countermeasures, and on the ability of the Java platform to check the correct behavior of Java code (by using byte code verification). Recently, the idea of combining logical attacks with a physical attack in order to bypass byte code verification has emerged. For instance, correct and legitimate Java Card applications can be dynamically modified on-card using a laser beam. Such applications become mutant applications, with a different control flow from the original expected behaviour. This internal change could lead to bypass controls and protections and thus offer illegal access to secret data and operations inside the chip. This paper presents an evaluation of the application ability to become mutant and a new countermeasure based on the runtime checks of the application control flow to detect the deviant mutations.

National Conferences with Review and Proceeding

  1. Guillaume Bouffard, and Léo Gaspard - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC) (2018)

    In the world of Java Cards, the Firewall guarantees the segregation of applet data and ensures the integrity and confidentiality of each application. In order to be independent from the microcontroller, most Java Card Virtual Machine (JCVM) implementations are not designed to use hardware-based mechanisms. In this article, we describe how the Memory Protection Unit (MPU) can be used to segregate each Java Card applet from the Operating System and device drivers. Even if our contribution is designed to fit a specific hardware-based mechanism, our JCVM architecture can be reused for a microcontroller without MPU.

  2. Julien Lancia, and Guillaume Bouffard - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC) (2016)

    The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. At the CARDIS 2015 conference, we disclosed a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smart cards. In this article, we present how this vulnerability had be found and our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This attack was evaluated on several Java Card implementations with black box approach. As we cannot evaluate the effect of the control flow transfer, we develop a generic function which can be executed from any bytes which compound itself.

  3. Guillaume Bouffard, and Jean-Louis Lanet - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC) (2014)

    La carte à puce est aujourd’hui considérée comme étant un système sécurisé. Toutefois, il est possible, via certains types d’attaques, d’obtenir de l’information. Dans cet article, nous pré sentons comment ces informations ont permis de découvrir l’implémentation utilisée par une carte à puce pour appeler du code natif depuis le monde Java Card. Une fois ce mécanisme appréhendé, nous l’avons exploit\’e pour exécuter notre propre code natif. Ce code, exé cuté avec les droits du système d’exploitation, nous a permis de lire la mémoire ROM et ainsi obtenir tous les secrets de la carte attaquée. Une évaluation de cette attaque sur des cartes de modèles différents est pr ésentée en conclusion.

  4. Guillaume Bouffard, Mathieu Lassale, Sergio Ona Domene, Hanan Tadmori, and Jean-Louis Lanet - Proceedings of the 8th Conference on Network and Information Systems Security (SAR-SSI) (2013)

    La carte à puce est un objet contenant des informations sensibles. Les attaques par injection de faute sont les plus difficiles à se prémunir. La surveillance du flot d’exécution par la machine virtuelle est un des mé canisme permettant de s’en protéger. Nous intégrons dans l’interpréteur Java Card un automate de sécurit é permettant de garantir une politique de sécurit\’e . Nous montrons comment une optimisation permet d’obtenir une solution efficace tant dans son utilisation mémoire que dans la surcharge de calcul.

  5. Samiya Hamadouche, Guillaume Bouffard, Jean-Louis Lanet, Bruno Dorsemaine, Bastien Nouhant, Alexandre Magloire, and Arnaud Reygnaud - Proceedings of the 7th Conference on Network and Information Systems Security (SAR-SSI) (2012)

    Smart card is the safest device to execute cryptographic algorithms. Recent cards have the ability to download programs after issuance. These applications are verified before being loaded in the card. Recently, the idea of combining logical attacks with a physical attack in order to bypass byte code verification has emerged. For instance, correct and legitimate Java Card applications can be dynamically modified inside the card using a laser beam. Such applications become mutant applications. We propose here to go a step further in designing explicit viruses for smart cards. In order to generate efficient viruses we need to retrieve information concerning the linking process in the card. We have developed and experimented on most of the Java Card publicly available this generic attack. We present an example of virus using the result of this attack.

  6. Agnès Cristèle Noubissi, Ahmadou Al Khary Sere, Julien Iguchi-Cartigny, Jean-Louis Lanet, Guillaume Bouffard, and Julien Boutet - Majecstic (2009)

    We present in this article our research dealing with faults attacks and logical attacks on smart cards, especially on Java Card. We introduce by presenting Java Card and its security mechanisms, then we present the types of attacks carried out on smart cards and we present some countermeasures for these attacks and in particular those faults attacks. And we finish with the presentation of our work on the tool of manipulation of a file format of Java Card and other proposals for countermeasures on faults attacks.

Conferences without Proceeding

  1. Gwenn Le Gonidec, Maria Méndez Real, Guillaume Bouffard, and Jean-Christophe Prévotet - Journée thématique sur les attaques par injection de fautes (JAIF) (2024)

    De plus en plus d’opérations sensibles sont réalisées sur des systèmes-sur-puce (SoC) qui présentent une large surface d’attaque. Depuis une quinzaine d’années, des attaques matérielles contre ce type de système sont publiées. Elles transposent des techniques d’attaques développées pour des composants sécurisés, où l’état de l’art est bien établi. Toutefois, ces attaques nécessitent un accès physique au système cible. En 2017, Tang et al. ont démontré avec l’attaque ClkScrew que les modules matériels de gestion de l’énergie, accessibles depuis le logiciel, constituent un nouveau vecteur d’attaque. Ils ont réussi à provoquer une injection de fautes en exploitant malicieusement les régulateurs de tension d’alimentation, leur donnant accès aux ressources autrement inaccessibles de l’environnement d’exécution de confiance (TEE). Ce type d’attaque basé sur l’énergie a été étendu et perfectionné dans des publications ultérieures. Contrairement aux attaques matérielles traditionnelles, ce nouveau type d’attaque ne nécessite pas d’accès physique à la cible. Des contre-mesures à ces attaques ont été mises en œuvre dans les principaux TEEs, tels qu’Intel SGX et ARM TrustZone. Cependant, ces contre-mesures restreignent le contrôle de la tension d’alimentation, empêchant ainsi l’utilisation des mécanismes de gestion de l’énergie à leur plein potentiel. De nouvelles contre-mesures sont proposées dans la littérature, mais elles réduisent les performances du système ou manquent d’implémentations concrètes. De plus, ces dernières années, de nombreux concepts innovants de TEEs matériels pour RISC-V ont été proposés. Cependant, ces TEEs ne prennent à ce jour pas en compte ce type d’attaques, malgré leur inclusion dans le modèle d’attaquant défini par le profil de protection de Global Platform. Dans cette présentation, nous aborderons la problématique des attaques matérielles par injection de fautes qui exploitent les modules de gestion de l’énergie depuis le logiciel. Nous décrirons l’importance de ces attaques, les contre-mesures existantes et les nouvelles solutions potentielles , avec un focus sur les nouvelles implémentations de TEEs sur processeurs utilisant RISC-V.

  2. Alexandre Iooss, Thomas Trouchkine, and Guillaume Bouffard - (2023)

    Les attaques par faute constituent un vecteur d’attaque semi-invasif puissant et difficile à prévenir contre les applications logicielles si l’environnement d’exécution matérielle n’embarque pas de mécanismes de protection. Néanmoins ces attaques sont difficile à mettre en place et les réussir nécessite trois étapes: caractériser les effets de la faute sur un échantillon du composant exécutant l’application cible, utiliser ce modèle de faute sur l’application sensible (en simulation par exemple) afin de déterminer les chemins d’attaques possibles et exploiter l’effet de la faute injectée sur le composant cible. Dans la littérature, ce travail reste principalement porté sur la sécurité des implémentations cryptographiques implémenté sur des micro-contrôleurs. Cependant, avec la démocratisation des appareils portables et mobiles tels que les smartphones, la menace des attaques semi-invasives devient crédible pour des applications plus variées. Nous pensons que pour protéger efficacement ces systèmes il est nécessaire d’avoir une méthodologie d’analyse de la réponse de ce type d’applications, des effets d’une faute sur le matériel jusqu’à sa manifestation sur les logiciels haut niveau. Dans cette présentation, nous aborderons une analyse complète allant de la caractérisation des effets d’une faute électromagnétique à l’exploitation sur une application complexe sensible. Pour ce faire, nous examinerons la sécurité de l’implémentation de l’application sudo intégrée dans la distribution Linux Raspberry Pi OS Lite (https://www.raspberrypi.com/software/) pour Raspberry Pi4. Dans ce travail, nous montrons comment il est possible de transposer une caractérisation de la sensibilité à une application logicielle complexe, et comment, en l’absence de protections, il est possible de réaliser efficacement une attaque permettant d’accéder aux informations sensibles. En complément de l’approche présentée dans, notre méthode est suffisamment efficace pour forcer l’authentification via l’application sudo sans la modifier au préalable.

  3. Amélie Marotta, Ronan Lashermes, Olivier Sentieys, Rachid Dafali, and Guillaume Bouffard - (2023)

    Fault injection techniques are numerous, including laser, electromagnetic fault injection (EMFI), power glitch, and clock glitch. The physical effects that are caused from fault injection result in fault models that can be interpreted at three different abstraction levels: physical (impact on logic gates and flip-flop), register-transfer (bit-set, bit-reset) and microarchitectural (impact on the execution of programs). To fully characterize the effects of fault injection, it is important to know all three abstractions levels and how they are linked to each other. In this work, we focus on a particular type of clock glitch fault injection. We use TRAITOR, a many-fault injection platform, which uses a specific pertubation on the clock signal to induce incorrect behaviors in the target. Some observations of these behaviours at a microarchitectural level have been made, but until now, lower level fault models haven’t been proposed. We observe that the sampling process of registers can be compromised by TRAITOR’s glitched clock. While some fault models already exist, they do not explain this behaviour. Simulation- based investigations were done to characterize precisely when a register would latch or not depending on the glitched clock cycle shape. They revealed that the issue arises due to an insufficient energy supply on the clock port of the register. Besides, experiments were done on registers in FPGAs, to highlight that the hardware environment of the target system influences the fault results. During our presentation, we will introduce our approach to characterize the impact of TRAITOR on registers. We will present a new physical fault model which explains its effects

  4. Vincent Giraud, and Guillaume Bouffard - (2022)

    To perform sensitive operations, it is common to to use secure components: thanks to their various protections, they can protection, they can act as a root of trust. However, one may be forced to use alternative solutions as they are not available in all information systems. in all information systems. The industry deploy an approach based on software obfuscation, which is less software, which is less secure than those based on a hardware component. component. White-box cryptography is one of them: each intermediate step is precomputed and hidden, while the global semantics. Although it is purely software, hardware attacks could be transposed to it. be transposed to it. By instrumenting a program, one can by creating unexpected states in the program. unexpected states. As the needs of the industry are becoming more industry, research is now focusing on features such as such as resistance to quantum attacks and asymmetric and the asymmetric possibilities of cryptographic schemes. cryptographic schemes. These aspects are leading to the resurgence of specifications such as McEliece’s. In our work, we study the security of a cryptographic white box implementing implementing the McEliece algorithm and its resistance to attacks. In this talk, we will also also question the applicability in the software world of existing world of existing countermeasures used in hardware components. hardware components.

  5. Guillaume Bouffard, Valentin Houchouas, José Lopes-Esteves, and Thomas Trouchkine - 3rd URSI AT-AP-RASC (2022)

    Most of our daily electronic objects store our personal data. One method used by attackers to retrieve this data consists in disrupting the operation of the component during the execution of a sensitive program [2]. For example, electromagnetic perturbation can disturb the electronic of a component and infer errors during the execution of the program and thus leak or modify sensitive information, which can jeopardize the system security [5]. To generate effective electromagnetic perturbations , the state-of-the-art fault injection community uses small hand- made antennas placed within a few millimeters to the target component [1]. These antennas are connected to a pulse generator of several hundred volts and tens of nanoseconds pulse. By moving the antenna over the compo- nent, an attacker goal is to determine the parameters (i.e. (x, y) positions and pulse amplitude) that maximize the probability of obtaining exploitable faults. The fact that these antennas are handmade [4, 3] complicates the reproducibility of studies due to the geometry and the constitutive material variability. Furthermore, the input impedance of antennas is never indicated in fault injection related publications. As antennas are placed in the near vicinity of the component under test (CUT), and because antenna far field prop- erties are different from near field ones, it could be relevant to determine the input impedance of the antenna/target couple which can be computed from the reflection coefficient (S11) measured by a vector network analyzer. In our work, we aim at comparing the probability to obtain a fault at a given position (x, y) with the frequency dependent absorbed power by the antenna/CUT couple. By doing so, we expect to be able to get information related to the sensitive frequencies of the CUT which might pave the way to narrowband (or continuous wave) injections.

  6. Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - CEM France (2020)

    Recently, several Fault Attacks (FAs) targeting modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on a modern CPU. For that, we explain an approach to characterize the fault model on modern CPU from the assembly instruction level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. The fault model determination aims at finding original attack paths and design efficient countermeasures. To confront our approach to real mod- ern CPUs, we apply our approach on a Raspberry Pi 3 CPU on which the determined fault model is reused to corrupt an AES implementation.

  7. Fault attacks on System On Chip

    Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - (2018)
  8. Anis Bkakria, Guillaume Bouffard, Julien Iguchy-Cartigny, and Jean-Louis Lanet - e-Smart (2011)

    In the smart card world, Java Card plays an important role. To communicate with this type of card, which complies to the ISO7816 specification you should use a specific library. Indeed, this kind of library must implement high level functions, which follows the Global Platform (GP) specification (authentication protocols, applet installation process, etc.), and should be interfaced with another library to handle CAP files like the Cap File Manipulator Java-library. Therefore, we developed an open-source Java-library: OPAL, for Open Platform Access Library, which complies with the Global Platform specification. This library provides the full-support of the Java Card applets life cycle and smart card management. Moreover, to exchange data with a Java Card, we must implement Secure Channel Protocols (SCP) to pass the authentication step. GP defines three secure channels: SCP01, SCP02 and SCP03. These protocols provide a secure communication channel between a card and an entity which manages it. SCP01 is deprecated but still used. It uses a challenge-response authentication. When this challenge is a success, three security levels are used to exchange data (no security level, signed data or cypher and signed data). In order to improve the SCP01 security, SCP02 uses a mutual authentication , different computation methods and a new security level. The host ensures integrity of the received card data. Finally, the last improvement is SCP03 which reuses the SCP01 and SCP02 security levels in addition to a new security level which guarantees that the exchanged data are confidential. With OPAL, we would like to provide a Java-library which is fully compliant with GP. Futhermore, GP has defined a new authentication protocol , named Remote Application Management over HTTP. This draft uses an application provider which manages the applet and smart card life cycle using the HTTP protocol. Indeed, OPAL can receive a HTTP POST request sent by the Remote Administration Server and extract the included APDU command. Afterwards, OPAL sends the APDU command via the SCP02 protocol to the card and receives its response. Thus, the response is encapsulated in a HTTP POST request in order to send it to the Remote Administration Server.

  9. Matthieu Barreaud, Guillaume Bouffard, Julien Iguchy-Cartigny, and Jean-Louis Lanet - Crypto’puces (2011)

    The emergence of web servers embedded in smart cards cards facilitates the development of applications. These applications are close to servlets (applications with a web server) and are based on the based on the HTTP model known by many developers. The server can be used externally, via the phone connection (GSM, 3G, etc.) connection (GSM, 3G, etc.), for all phases of administration or administration or, via the phone interface, to provide user provide user services. Here we will focus on the the Java Card 2.2 WebServer Edtion model. In order to communicate with this web server, a service provider can send HTTP frames to the cell phone – or any other interface other interfaces between the card and the service provider. These frames are then encapsulated via the BIP 2 protocol to be sent to the (U)SIM card. The study and validity of this protocol has been one of our previous research topics. In the continuity of this work, we have chosen to verify the HTTP protocol. The implementation of this type of server must be secured in order to guarantee the execution of sensitive sensitive commands. However, the specific constraints of the world of embedded systems forces to have a complete system of the order of a few kilobytes. As a result, the optimizations may contribute to the presence of vulnerabilities. To verify the conformity and the robustness of the implementation , we have chosen to use fuzzing which is an error which is a technique of searching for errors in the software implementation by injecting invalid data. This method uses a data model representing the grammar and a model symbolizing the model symbolizing the state machine of the protocol to be fuzzed. Our analysis tool allows to characterize the web server embedded in the card and thus to reduce the tree of of the data model of the HTTP protocol. This tool is a solution for anyone wishing to verify the security of the security of the embedded HTTP protocol. The first experimental results results will be presented during the conference.

Tutorials

  1. Guillaume Bouffard - Worskshop on the Security of Software/Hardware Interfaces, November 21st, 2019 Rennes, France (2019)

    Modern CPUs are daily use in our smartphone and several IoT devices. These components compute more and more sensitive data. However, they are only designed to prevent software attacks. Recently, few publications focus on breaking modern CPUs from hardware layout. In this presentation, we will see how hardware security in modern CPU is also important than software security and why should be take in account.

  2. Attacks against the Java Card Platform

    Guillaume Bouffard - CryptoBG International Summer School, July 20th, 2015, Oriahovitza, Bulgaria (2015)

Posters

  1. Caractérisation d’antennes pour l’injection de fautes sur composants électroniques

    Guillaume Bouffard, Valentin Houchouas, José Lopes-Esteves, and Thomas Trouchkine - GDR Ondes (2021)
  2. Combined Attacks on Java Card Smart Cards

    Guillaume Bouffard, and Jean-Louis Lanet - PHISIC workshop (2011)

Theses

  1. Guillaume Bouffard - PhD thesis - University of Limoges (2014)
    Award Prix de thèse de l’action du CNRS Objets intelligents sécurisés et Internet des objets

    Smart cards are the keystone of various applications which we daily use: pay money for travel, phone, etc. To improve the security of this device with a friendly development environment, the Java technology has been designed to be embedded in a smart card. Introduce in the mid-nineties, this technology becomes nowadays the leading application platform in the world. As a smart card embeds critical information, evil-minded people are interested to attack this device. In smart card domain, attacks and countermeasures are advancing at a fast rate. In order to have a generic view of all the attacks, we propose to use the Fault Tree Analysis. This method used in safety analysis helps to understand and implement all the desirable and undesirable events existing in this domain. We apply this method to Java Card vulnerability analysis. We define the properties that must be ensured: integrity and confidentiality of smart card data and code. During this thesis, we focused on the integrity property, especially on the code integrity. Indeed, a perturbation on this element can break each other properties. By modelling the conditions, we discovered new attack paths to get access to the smart card contents. We introduce new countermeasures to mitigate the undesirable events defined in the tree models.

  2. Guillaume Bouffard - Master thesis - Technicolor & University of Limoges (2010)

    This document describes the work done during the internship for my master degree Information Technologies Security and Cryptography at the University of Limoges, France, carried out with Technicolor at the Technicolor Security and Content Protection Laboratories at Rennes, France. This internship aims to protect the sensitive piece of code of a binary exe- cutable without application source code knowledge. A sensitive piece of code of a binary application is a set of the most uses instructions. In order to protect this binary part, I extracted this sensitive piece of code of the binary application and I replaced with that provides a way to communicate to a dongle. On this dongle, the extracted protected instructions are putted and executed. Thus, to correctly execute a protected application, the user needs a dongle which con- tains the missed part of the executed application. After a short presentation of the context and the company, I will present each step to my internship. In a first time, I will describe how to find the sensitive binary part of an executable program. When this part is found, I will try to translate this piece of code in another language to protect it. Next, I will modify the binary application, without the source code, to change the protected piece of code by a set of instructions designed to communicate to the dongle containing the extracted piece of code. That will take us to a proof of concept. To conclude, I will sum up the completed objectives, the possible improvements and the difficulties I have encountered.

Preprints

  1. Guillaume Bouffard Vincent Giraud - arXiv (2024)

    Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process, a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

  2. Gwenn Le Gonidec, Maria Méndez Real, Guillaume Bouffard, and Jean-Christophe Prévotet - arXiv (2024)

    Over the past few years, several research groups have introduced innovative hardware designs for Trusted Execution Environments (TEEs), aiming to secure applications against potentially compromised privileged software, including the kernel. Since 2017, Tang et al. introduced a new class of software-enabled hardware attacks, which leverages energy management mechanisms. These attacks aim at bypassing TEE security guarantees and exposing sensitive information like cryptographic keys. They have increased in prevalence over the past few years. Despite that, current RISC-V TEE architectures have yet to incorporate them into their threat models. Proprietary implementations, such as Arm TrustZone and Intel SGX, embed countermeasures. However, these countermeasures are not viable in the long term and hinder the capabilities of energy management mechanisms. This article presents the first comprehensive knowledge survey of these attacks, along with an evaluation of literature countermeasures. Our analysis highlights a substantial security gap between assumed threat models and the actual ones, presenting considerable threats in modern systems-on-chip that can undermine even the security guarantees provided by TEEs. We advocate for the enhancement of the next generation of RISC-V TEEs to address these attacks within their threat models, and we believe this study will spur further community efforts in this direction.

  3. Guillaume Bouffard, Vincent Giraud, and Léo Gaspard - arXiv (2021)

    The Java Card Virtual Machine (JCVM) platform is widely deployed on security-oriented components. JCVM implementations are mainly evaluated under security schemes. However, existing implementation are close-source without detail. We believe studying how to design JCVM will improve them and it can be reused by the community to improve Java Card security. In 2018, Bouffard et al. [6] introduced an Operating System (OS) which aims at running JCVM compatible implementation. This OS is compatible with several Commercially available Off-The-Shelf (COTS) components. This is a first step to design a secure JCVM platform. However, some important details are missing to design a secure-oriented Java Card platform. In this article, we focus on the JCVM memory. This memory contains everything required to run JCVM and applets. Currently, JCVM memory is out of the Java Card specification and each JCVM developer use his own approach. Based on the existing tools and documentation, we explain how to extract from the Java Card toolchain every data required by applets and JCVM. When data to store in memory are identified, this article introduces how to organize required data onto JCVM memory.

  4. Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - arXiv (2019)

    Electromagnetic fault injection (EMFI) is a well known technique used to disturb the behaviour of a chip for weakening its security. These attacks are mostly done on simple microcontrollers. On these targets, the fault effects are relatively simple and understood. Exploiting EMFI on modern system-on-chips (SoCs), the fast and complex chips ubiquitous today, requires to understand the impact of such faults. In this paper, we propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the SoC micro-architecture. On our targeted SoC (a BCM2837), the observed behaviours are radically different to what were obtained with state-of-the-art fault injection attacks on microcontrollers. SoC subsystems (L1 caches, L2 cache, memory management unit (MMU)) can be individually targeted leading to new fault models. We also highlight the differences in the fault impact with and without an operating system (OS). This shows the importance of the software layers in the exploitation of a fault. With this work, we demonstrate that the complexity and the speed of SoCs do not protect them against hardware fault attacks. To conclude our work , we introduce countermeasures to protect the SoC caches and MMU against EMFI attacks based on the disclosed faults effects.