Publications
Below is a list of my publications. You can find my main publications on the
DBLP database. For most papers, a
link to the online version is provided. Alternatively, I would be happy to send
you a copy upon request.
Book Chapters
La Sécurité Logique
Guillaume Barbu,
Guillaume Bouffard,
and Julien Iguchy-Cartigny
-
Les Cartes à puce
(2013)
|
|
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Cryptography and Security: From Theory to Applications -
Essays Dedicated to Jean-Jacques Quisquater on the Occasion of
His 65th Birthday
(2012)
|
|
Java Card is a kind of smart card that implements one of the two
editions, “Classic Edition” or “Connected Edition”, of the
standard Java Card 3.0 [7]. Such a smart card embeds a virtual
machine which interprets codes already romized with the operating
system or downloaded after issuance. Due to security reasons, the
ability to download code into the card is controlled by a
protocol defined by Global Platform. This protocol ensures that
the owner of the code has the necessary authorization to perform
the action. Java Card is an open platform for smart cards, i.e.
able of loading and executing new applications after issuance.
Thus, different applications from different providers run in the
same smart card. Thanks to type verification, byte codes
delivered by the Java compiler and the converter (in charge of
giving a compact representation of class files) are safe, i.e.
the loaded application is not hostile to other applications in
the Java Card. Furthermore, the Java Card firewall checks
permissions between applications in the card, enforcing isolation
between them.
|
Journal Articles
Thomas Trouchkine,
Sébanjila Kevin Bukasa,
Mathieu Escouteloup,
Ronan Lashermes,
and Guillaume Bouffard
-
Journal of Cryptographic Engineering (JCEN)
(2021)
|
|
The last years have seen the emergence offault attacks targeting
modern Central Processing Units (CPUs). These attacks are
analyzed at a very high abstraction level and, due to the modern
CPUs complexity, the underlying fault effect is usually unknown.
Recently, a few articles have focused on characterizing faults on
modern CPUs. In this article, we focus on the Electromagnetic
Fault Injection (EMFI) characterization on a bare-metal
implementation. With this approach, we discover and understand
new effects on micro-architectural subsystems. We target the
BCM2837 where we successfully demonstrate persistent faults on L1
instruction cache, L1 data cache and L2 cache. We also show that
faults can corrupt the Memory Management Unit (MMU). To validate
our fault model, we realize a persistent fault analysis
toretrieve an AES key.
|
Noreddine El Janati El Idrissi,
Guillaume Bouffard,
Jean- Louis Lanet,
and Said El Hajji
-
Journal of Cryptographic Engineering (JCEN)
(2017)
|
|
Retrieving assets inside a secure element is a challenging task.
The most attractive assets are the cryptographic keys stored into
the non volatile memory (NVM) area. Most of the researches try to
obtain cryptographic keys through side channel attacks or fault
injection attacks. Such cryptographic objects are stored into
secure containers. We demonstrate in this paper how one can use
some characteristics of the Java Card platform to gain access to
these assets. Such a smart card embeds a Firewall that provides
isolation between applets from different clients (using the
notion of security contexts). We exploit the client/server
architecture of the intra platform communication to lure a client
application to execute within its security context, a hostile
code written and called from another security context: the server
security context. This attack shows the possibility for a trusted
application to execute within its security context some hostile
code uploaded previously by the server.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Computers and Security
(2015)
|
|
Recently, researchers published several attacks on smart cards.
Among these, software attacks are the most affordable, they do
not require specific hardware (laser, EM probe, etc.). Such
attacks succeed to modify a sensitive system element which offers
access to the smart card assets. To prevent that, smart card
manufacturers embed dedicated countermeasures that aim to protect
the sensitive system elements. We present a generic approach
based on a Control Flow Transfer (CFT) attack to modify the Java
Card program counter. This attack is built on a type confusion
using the couple of instructions jsr/ret. Evaluated on different
Java Cards, this new attack is a generic CFT exploitation that
succeeds on each attacked cards. We present several
countermeasures proposed by the literature or implemented by
smart card designers and for all of them we explain how to bypass
them. Then, we propose to use Attack Countermeasure Tree to
develop an effective and affordable countermeasure for this
attack.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
International Journal of Trust Management in Computing and
Communications (IJTMCC)
(2014)
|
|
Security and attacks are two sides of the same coin in smart
card industry. Smart cards are subjected to different types of
attacks to gain the assets stored in it and can cause security
issues. It is necessary to identify and exploit these attacks and
implement appropriate countermeasures to mitigate their effects.
Fault attacks are one among them and can introduce abnormal
behaviour on the smart card environment. Some redundancies are
necessary to recognise this problem. In this work we propose an
automatic method to obtain control flow redundancy using a
security automaton to mitigate laser based fault attacks and
hence implement a smart card countermeasure based on the
combination of static analysis and dynamic monitoring method.
This is a very cost effective approach which can identify and
mitigate the effects of fault attacks in a more efficient way.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Journal Computer Virology and Hacking Techniques
(2014)
|
|
Attacks on smart cards can only be based on a black box approach
where the code of cryptographic primitives and operating system
are not accessible. To perform hardware or software attacks, a
white box approach providing access to the binary code is more
effi- cient. In this paper, we propose a methodology to discover
the romized code whose access is protected by the virtual
machine. It uses a hooked code in an indirection table. We gained
access to real processor, thus allowing us to run a shell code
written in 8051 assembler language. As a result, this code has
been able to dump completely the ROM of a Java Card operating
system. One of the issues is the possibility to reverse the
cryptographic algorithm and all the embedded countermeasures.
Finally, our attack is evaluated on different cards from distinct
manufacturers.
|
Guillaume Bouffard,
and Tiana Razafindralambo
-
Multi-System & Internet Security (MISC)
(2014)
|
|
L’année 2013 a été une année assez « riche » en termes de
découverte et d’exploitation de 0-day dans la nature en ce qui
concerne la famille Java. Java Card fait tout aussi bien partie
de cette famille. Néanmoins, son processus d’évaluation suit un
tout autre chemin et les attaques découvertes jusqu’à maintenant
n’en sont pas moins intéressantes.
|
Jean Dubreuil,
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
International Journal of Secure Software Engineering (IJSSE)
(2013)
|
|
One of the challenges for smart card deployment is the security
interoperability. A smart card resistant to an attack on a given
platform should be able to guarantee the same behavior on another
platform. But the current implementations do not comply with this
requirement. In order to improve such standardization we propose
a framework based on annotations with an external pre-processing
to switch the Java Card Virtual Machine (JCVM) into a secure mode
by activating a set of countermeasures. An example has been
proposed in this paper for implementing a countermeasure against
type confusion with a fault attack. Smart cards are often the
target of software, hardware or combined attacks. In recent days
most of the attacks are based on fault injection which can modify
the behavior of applications loaded onto the card, changing them
into mutant applications. This countermeasure requires a
transformation of the original program byte codes which remain
semantically equivalent. It needs a modification of the JCVM
which stays backward compatible and a dedicated framework to
deploy these applications. Thus, the proposed platform can resist
to a fault enabled mutant.
|
International Conferences with Review and Proceeding
Amélie Marotta,
Ronan Lashermes,
Guillaume Bouffard,
Olivier Sentieys,
and Rachid Dafali
-
Proceedings of the 15th International Workshop on Constructive
Side-Channel Analysis and Secure Design (COSADE)
(2024)
|
|
In the realm of fault injection (FI), electromagnetic fault
injection (EMFI) attacks have garnered significant attention,
particularly for their effectiveness against embedded systems
with minimal setup. These attacks exploit vulnerabilities with
ease, underscoring the im- portance of comprehensively
understanding EMFI. Recent studies have highlighted the impact of
EMFI on phase-locked loops (PLLs), uncov- ering specific clock
glitches that induce faults. However, these studies lack a
detailed explanation of how these glitches translate into a
specific fault model. Addressing this gap, our research
investigates the physical fault model of synchronous clock
glitches (SCGs), a clock glitch injec- tion mechanism likely to
arise from EMFI interactions within the clock network. Through an
integrated approach combining experimental and simulation
techniques, we critically analyze the adequacy of existing fault
models, such as the Timing Fault Model and the Sampling Fault
Model, in explaining SCGs. Our findings reveal specific failure
modes in D flip-flops (DFFs), contributing to a deeper
understanding of EMFI effects and aiding in the development of
more robust defensive strategies against such attacks.
|
Vincent Giraud,
and Guillaume Bouffard
-
IEEE European Workshops on Symposium on Security and Privacy
(EuroS&P)
(2023)
|
|
Private and public actors increasingly encounter use cases where
they need to implement sensitive operations on mass-market
peripherals for which they have little or no control. They are
sometimes inclined to attempt this without using
hardware-assisted equipment, such as secure elements. In this
case, the white-box attack model is particularly relevant and
includes access to every asset, retro-engineering, and binary
instrumentation by attackers. At the same time, quantum attacks
are becoming more and more of a threat and challenge traditional
asymmetrical ciphers, which are treasured by private and public
actors. The McEliece cryptosystem is a code-based public key
algorithm introduced in 1978 that is not subject to well-known
quantum attacks and that could be implemented in an uncontrolled
environment. During the NIST post-quantum cryptography
standardization process [17], a derived candidate commonly refer
to as classic McEliece was selected. This algorithm is however
vulnerable to some fault injection attacks [7] while a priori,
this does not apply to the original McEliece. In this article, we
thus focus on the original McEliece cryptosystem and we study its
resilience against fault injection attacks on an ARM reference
implementation [18]. We disclose the first fault injection based
attack and we discuss on how to modify the original McEliece
cryptosystem to make it resilient to fault injection attacks.
|
PhiAttack - Rewriting the Java Card Class Hierarchy
Jean Dubreuil,
and Guillaume Bouffard
-
Proceedings of the 20th International Conference on Smart Card
Research and Advanced Applications (CARDIS)
(2021)
|
|
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédi\‘
ere
-
Proceedings of the 18th Workshop on Fault Detection and
Tolerance in Cryptography (FDTC)
(2021)
|
|
Recently, several Fault Attacks (FAs) which target modern
Central Processing Units (CPUs) have emerged. These attacks are
studied from a practical point of view and, due to the modern
CPUs complexity, the underlying fault effect is usually unknown.
Few works try to characterize at the Instruction Set Architecture
(ISA) level. In this article, we apply a state-of-the-art faults
model characterization approach on modern CPU. We evaluate the
fault model on two different CPUs from different architectures
with the same injection mediums. We target the CPU of Raspberry
Pi 3 (ARM) and an Intel Core i3 (x86) and perturb them with
ElectroMagnetic Fault Injection (EMFI). From the ISA point of
view, we disclose a similar fault model on each component.
Additionally, we evaluate a widely used complex software, OpenSSL
, against this fault model.
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clediere
-
Proceedings of the 13th International Conference Information
Security Theory and Practice (WISTP)
(2019)
Best student paper award
|
|
Recently, several Fault Attacks (FAs) which target modern
Central Processing Units (CPUs) have been emerged. These attacks
are studied from a practical point of view and, due to the modern
CPUs complexity, the underlying fault effect is usually unknown.
In this article, we focus on the characterization of a
perturbation (the fault model) on modern CPU. For that, we
introduce the first approach to characterize the fault model on
modern CPU from the Instruction Set Architecture (ISA) level to
the micro-architectural level. This fault model helps at
determining which micro-architecture elements are disrupted and
how. Our fault model aims at finding original attack paths and
designed efficient countermeasures. To confront our approach to
real modern CPUs, we apply our approach on ARM and x86
architectures CPUs, mainly on the BCM2837 (the Raspberry Pi model
B CPU) and an Intel Core i3.
|
Julien Lancia,
and Guillaume Bouffard
-
Proceedings of the 14th International Conference Smart Card
Research and Advanced Applications (CARDIS)
(2015)
|
|
The Byte Code Verifier (BCV) is one of the most important
security element in the Java Card environment. Indeed, embedded
applets must be verified prior installation to prevent ill-formed
applet loading. In this article, we disclose a flaw in the Oracle
BCV which affects the applet linking process and can be exploited
on real world Java Card smartcards. We describe our exploitation
of this flaw on a Java Card implementation that enables injecting
and executing arbitrary native malicious code in the
communication buffer from a verified applet. This native
execution allows snapshotting the smart card memory with OS
rights.
|
Guillaume Bouffard,
Michael Lackner,
Jean-Louis Lanet,
and Johannes Loinig
-
Proceedings of the 13th International Conference Smart Card
Research and Advanced Applications (CARDIS)
(2014)
|
|
Several logical attacks against Java based smart card have been
published recently. Most of them are based on the hypothesis that
the type verification was not performed, thus allowing to obtain
dynamically a type confusion. To mitigate such attacks, typed
stack have been introduced on recent smart card. We propose here
a new attack path for performing a type confusion even in
presence of a typed stack. Then we propose using a Fault Tree
Analysis a way to design efficiently counter measure in a top
down approach. These counter measures are then evaluated on a
Java Card virtual machine.
|
Jean-Louis Lanet,
Guillaume Bouffard,
Rokia Lamrani,
Ranim Chakra,
Afef Mestiri,
Mohammed Monsif,
and Abdellatif Fandi
-
Proceedings of the 13th International Conference Smart Card
Research and Advanced Applications (CARDIS)
(2014)
|
|
Nowadays several papers have shown the ability to dump the
EEPROM area of several Java Cards leading to the disclosure of
already loaded applet and data structure of the card. Such a
reverse engineering process is costly and prone to errors.
Currently no tool are available to help this process. We propose
here an approach to find in the raw data obtained after a dump,
the area containing the code and the data. Then, once the code
area has been identified, we propose to rebuilt the original
binary Cap file in order to be able to obtain the source code of
the applet stored in the card.
|
Guillaume Bouffard,
Tom Khefif,
Jean-Louis Lanet,
Ismael Kane,
and Sergio Casanova Salvia
-
Proceedings of the International Conference on Risks and
Security of Internet and Systems (CRiSIS)
(2013)
|
|
Java Card specification allows to load applications after the
post-issuance. Each application to be installed into the card is
verified by a Byte Code Verifier which ensures that the
application is in compliance with the Java security rules. The
Java Card linking process is divided in to two steps. The first
one is done off-card by the Java Card toolchain. The second one
is realized during the appli- cation installation to resolve each
token by an internal reference. In this paper, we focus on the
off-card linker, espe- cially the conversion part between a
Java-Class item and a Java Card-Cap token. For that, we provide
mali- cious export files which will be used by the converter.
This malicious API provides the same behavior as the original one
for the user. With this attack, we are able to confuse the Java
Card linker.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Proceedings of the 32nd International Conference on Computer
Safety, Reliability, and Security (SAFECOMP)
(2013)
|
|
In smart card domain, attacks and countermeasures are advancing
at a fast rate. In order to have a generic view of all the
attacks, we propose to use a Fault Tree Analysis. This method
used in safety analysis helps to understand and implement all the
desirable and undesirable events existing in this domain. We
apply this method to Java Card vulnerability analysis. We define
the properties that must be ensured: integrity and
confidentiality of smart card data and code. By modeling the
conditions, we discovered new attack paths to get access to the
smart card contents. Then we introduce a new security api which
is proposed to mitigate the undesirable events defined in the
tree models.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Proceedings of the International Symposium on Security in
Computing and Communications (SSCC)
(2013)
|
|
Security and interoperability issues are increasing in smart
card domain and it is important to analyze these issues carefully
and implement appropriate countermeasures to mitigate them.
Security issues involve attacks on smart cards which can lead to
their abnormal behavior. Fault attacks are the most important
among them and they can affect the program execution, smart card
memory, etc. Detecting these abnormalities requires some
redundancies, either by another code execution or by an
equivalent representation. In this paper, we propose an automatic
method to provide this redundancy using a security automaton as
the main detection mechanism. This can enforce some trace
properties on a smart card application, by using the combination
of a static analysis and a dynamic monitoring. The security
officer specifies the fragments of the code that must be
protected against fault attacks and a program transformer
produces an equivalent program that mesh a security automaton
into the code according to the security requirements.
|
Tiana Razafindralambo,
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Proceedings of the International Conference on Recent Trends
in Computer Networks and Distributed Systems Security (SNDS)
(2012)
|
|
Off late security problems related to smart cards have seen a
significant rise and the risks of the attack are of deep concern
for the industries. In this context, smart card industries try to
overcome the anomaly by implementing various countermeasures. In
this paper we discuss and present a powerful attack based on the
vulnerability of the linker which could change the correct byte
code into malicious one. During the attack, the linker interprets
the instructions as tokens and are able to resolve them. Later we
propose a countermeasure which scrambles the instructions of the
method byte code with the Java Card Program Counter (jpc).
Without the knowledge of jpc used to decrypt the byte code, an
attacker cannot execute any malicious byte code. By this way we
propose security interoperability for different Java Card
platforms.
|
Jean Dubreuil,
Guillaume Bouffard,
Jean-Louis Lanet,
and Julien Cartigny
-
Proceedings of the 7th International Conference on
Availability, Reliability and Security (ARES)
(2012)
|
|
Smart card are often the target of software or hardware attacks.
For instance the most recent attacks are based on fault injection
which can modify the behavior of applications loaded in the card,
changing them as mutant application. In this paper, we propose a
new protection mechanism which makes application to be less prone
to mutant generation. This countermeasure requires a
transformation of the original program byte codes which remains
semantically equivalent. It requires a modification of the Java
Virtual Machine which remains backward compatible and a dedicated
framework to deploy the applications. Hence, our proposition
improves the ability of the platform to resist to Fault Enabled
Mutant.
|
Tiana Razafindralambo,
Guillaume Bouffard,
and Jean-Louis Lanet
-
Proceedings of the 26th Annual Conference on Data and
Applications Security and Privacy XXVI (DBSec)
(2012)
|
|
Smart cards are the safer device to execute cryptographic
algorithms. Applications are verified before being loaded into
the card. Recently, the idea of combined attacks to bypass byte
code verification has emerged. Indeed, correct and legitimate
Java Card applications can be dynamically modified on-card using
a laser beam to become mutant applications or fault enabled
viruses . We propose a framework for manipulating binary
applications to design viruses for smart cards. We present
development, experimentation and an example of this kind of
virus.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Cryptography and Security: From Theory to Applications -
Essays Dedicated to Jean-Jacques Quisquater on the Occasion of
His 65th Birthday
(2012)
|
|
Java Card is a kind of smart card that implements one of the two
editions, “Classic Edition” or “Connected Edition”, of the
standard Java Card 3.0 [7]. Such a smart card embeds a virtual
machine which interprets codes already romized with the operating
system or downloaded after issuance. Due to security reasons, the
ability to download code into the card is controlled by a
protocol defined by Global Platform. This protocol ensures that
the owner of the code has the necessary authorization to perform
the action. Java Card is an open platform for smart cards, i.e.
able of loading and executing new applications after issuance.
Thus, different applications from different providers run in the
same smart card. Thanks to type verification, byte codes
delivered by the Java compiler and the converter (in charge of
giving a compact representation of class files) are safe, i.e.
the loaded application is not hostile to other applications in
the Java Card. Furthermore, the Java Card firewall checks
permissions between applications in the card, enforcing isolation
between them.
|
Guillaume Bouffard,
Julien Iguchi-Cartigny,
and Jean-Louis Lanet
-
Proceedings of the 10th International Conference on Smart Card
Research and Advanced Applications (CARDIS)
(2011)
|
|
The Java Card uses two components to ensure the security of its
model. On the one hand, the byte code verifier (BCV) checks,
during an applet installation, if the Java Card security model is
ensured. This mechanism may not be present in the card. On the
other hand, the firewall dynamically checks if there is no
illegal access. This paper describes two attacks to modify the
Java Card control flow and to execute our own malicious byte
code. In the first attack, we use a card without embedded
security verifier and we show how it is simple to change the
return address of a current function. In the second attack, we
consider the hypothesis that the card embeds a partial
implementation of a BCV. With the help of a laser beam, we are
able to change the execution flow.
|
Guillaume Bouffard,
Jean-Louis Lanet,
Jean-Baptiste Machemie,
Jean-Yves Poichotte,
and Jean-Philippe Wary
-
Proceedings of the 10th International Conference on Smart Card
Research and Advanced Applications (CARDIS)
(2011)
|
|
The ability of Java Cards to withstand attacks is based on
software and hardware countermeasures, and on the ability of the
Java platform to check the correct behavior of Java code (by
using byte code verification). Recently, the idea of combining
logical attacks with a physical attack in order to bypass byte
code verification has emerged. For instance, correct and
legitimate Java Card applications can be dynamically modified
on-card using a laser beam. Such applications become mutant
applications, with a different control flow from the original
expected behaviour. This internal change could lead to bypass
controls and protections and thus offer illegal access to secret
data and operations inside the chip. This paper presents an
evaluation of the application ability to become mutant and a new
countermeasure based on the runtime checks of the application
control flow to detect the deviant mutations.
|
National Conferences with Review and Proceeding
Guillaume Bouffard,
and Léo Gaspard
-
Symposium sur la sécurité des technologies de l’information et
des communications (SSTIC)
(2018)
|
|
In the world of Java Cards, the Firewall guarantees the
segregation of applet data and ensures the integrity and
confidentiality of each application. In order to be independent
from the microcontroller, most Java Card Virtual Machine (JCVM)
implementations are not designed to use hardware-based
mechanisms. In this article, we describe how the Memory
Protection Unit (MPU) can be used to segregate each Java Card
applet from the Operating System and device drivers. Even if our
contribution is designed to fit a specific hardware-based
mechanism, our JCVM architecture can be reused for a
microcontroller without MPU.
|
Julien Lancia,
and Guillaume Bouffard
-
Symposium sur la sécurité des technologies de l’information et
des communications (SSTIC)
(2016)
|
|
The Byte Code Verifier (BCV) is one of the most important
security element in the Java Card environment. Indeed, embedded
applets must be verified prior installation to prevent ill-formed
applet loading. At the CARDIS 2015 conference, we disclosed a
flaw in the Oracle BCV which affects the applet linking process
and can be exploited on real world Java Card smart cards. In this
article, we present how this vulnerability had be found and our
exploitation of this flaw on a Java Card implementation that
enables injecting and executing arbitrary native malicious code
in the communication buffer from a verified applet. This attack
was evaluated on several Java Card implementations with black box
approach. As we cannot evaluate the effect of the control flow
transfer, we develop a generic function which can be executed
from any bytes which compound itself.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Symposium sur la sécurité des technologies de
l’information et des communications (SSTIC)
(2014)
|
|
La carte à puce est aujourd’hui considérée
comme étant un système sécurisé.
Toutefois, il est possible, via certains types d’attaques,
d’obtenir de l’information. Dans cet article, nous pré
sentons comment ces informations ont permis de découvrir
l’implémentation utilisée par une carte à puce
pour appeler du code natif depuis le monde Java Card. Une fois ce
mécanisme appréhendé, nous l’avons exploit\’e
pour exécuter notre propre code natif. Ce code, exé
cuté avec les droits du système d’exploitation, nous
a permis de lire la mémoire ROM et ainsi obtenir tous les
secrets de la carte attaquée. Une évaluation de cette
attaque sur des cartes de modèles différents est pr
ésentée en conclusion.
|
Guillaume Bouffard,
Mathieu Lassale,
Sergio Ona Domene,
Hanan Tadmori,
and Jean-Louis Lanet
-
Proceedings of the 8th Conference on Network and Information
Systems Security (SAR-SSI)
(2013)
|
|
|
Samiya Hamadouche,
Guillaume Bouffard,
Jean-Louis Lanet,
Bruno Dorsemaine,
Bastien Nouhant,
Alexandre Magloire,
and Arnaud Reygnaud
-
Proceedings of the 7th Conference on Network and Information
Systems Security (SAR-SSI)
(2012)
|
|
|
Agnès Cristèle Noubissi,
Ahmadou Al Khary Sere,
Julien Iguchi-Cartigny,
Jean-Louis Lanet,
Guillaume Bouffard,
and Julien Boutet
-
Majecstic
(2009)
|
|
We present in this article our research dealing with faults
attacks and logical attacks on smart cards, especially on Java
Card. We introduce by presenting Java Card and its security
mechanisms, then we present the types of attacks carried out on
smart cards and we present some countermeasures for these attacks
and in particular those faults attacks. And we finish with the
presentation of our work on the tool of manipulation of a file
format of Java Card and other proposals for countermeasures on
faults attacks.
|
Conferences without Proceeding
Gwenn Le Gonidec,
Maria Méndez Real,
Guillaume Bouffard,
and Jean-Christophe Prévotet
-
Journée thématique sur les attaques par injection de fautes
(JAIF)
(2024)
|
|
De plus en plus d’opérations sensibles sont réalisées sur des
systèmes-sur-puce (SoC) qui présentent une large surface
d’attaque. Depuis une quinzaine d’années, des attaques
matérielles contre ce type de système sont publiées. Elles
transposent des techniques d’attaques développées pour des
composants sécurisés, où l’état de l’art est bien établi.
Toutefois, ces attaques nécessitent un accès physique au système
cible. En 2017, Tang et al. ont démontré avec l’attaque ClkScrew
que les modules matériels de gestion de l’énergie, accessibles
depuis le logiciel, constituent un nouveau vecteur d’attaque. Ils
ont réussi à provoquer une injection de fautes en exploitant
malicieusement les régulateurs de tension d’alimentation, leur
donnant accès aux ressources autrement inaccessibles de
l’environnement d’exécution de confiance (TEE). Ce type d’attaque
basé sur l’énergie a été étendu et perfectionné dans des
publications ultérieures. Contrairement aux attaques matérielles
traditionnelles, ce nouveau type d’attaque ne nécessite pas
d’accès physique à la cible. Des contre-mesures à ces attaques
ont été mises en œuvre dans les principaux TEEs, tels qu’Intel
SGX et ARM TrustZone. Cependant, ces contre-mesures restreignent
le contrôle de la tension d’alimentation, empêchant ainsi
l’utilisation des mécanismes de gestion de l’énergie à leur plein
potentiel. De nouvelles contre-mesures sont proposées dans la
littérature, mais elles réduisent les performances du système ou
manquent d’implémentations concrètes. De plus, ces dernières
années, de nombreux concepts innovants de TEEs matériels pour
RISC-V ont été proposés. Cependant, ces TEEs ne prennent à ce
jour pas en compte ce type d’attaques, malgré leur inclusion dans
le modèle d’attaquant défini par le profil de protection de
Global Platform. Dans cette présentation, nous aborderons la
problématique des attaques matérielles par injection de fautes
qui exploitent les modules de gestion de l’énergie depuis le
logiciel. Nous décrirons l’importance de ces attaques, les
contre-mesures existantes et les nouvelles solutions potentielles
, avec un focus sur les nouvelles implémentations de TEEs sur
processeurs utilisant RISC-V.
|
Alexandre Iooss,
Thomas Trouchkine,
and Guillaume Bouffard
-
(2023)
|
|
Les attaques par faute constituent un vecteur d’attaque
semi-invasif puissant et difficile à prévenir contre les
applications logicielles si l’environnement d’exécution
matérielle n’embarque pas de mécanismes de protection. Néanmoins
ces attaques sont difficile à mettre en place et les réussir
nécessite trois étapes: caractériser les effets de la faute sur
un échantillon du composant exécutant l’application cible,
utiliser ce modèle de faute sur l’application sensible (en
simulation par exemple) afin de déterminer les chemins d’attaques
possibles et exploiter l’effet de la faute injectée sur le
composant cible. Dans la littérature, ce travail reste
principalement porté sur la sécurité des implémentations
cryptographiques implémenté sur des micro-contrôleurs. Cependant,
avec la démocratisation des appareils portables et mobiles tels
que les smartphones, la menace des attaques semi-invasives
devient crédible pour des applications plus variées. Nous pensons
que pour protéger efficacement ces systèmes il est nécessaire
d’avoir une méthodologie d’analyse de la réponse de ce type
d’applications, des effets d’une faute sur le matériel jusqu’à sa
manifestation sur les logiciels haut niveau. Dans cette
présentation, nous aborderons une analyse complète allant de la
caractérisation des effets d’une faute électromagnétique à
l’exploitation sur une application complexe sensible. Pour ce
faire, nous examinerons la sécurité de l’implémentation de
l’application sudo intégrée dans la distribution Linux Raspberry
Pi OS Lite (https://www.raspberrypi.com/software/) pour Raspberry
Pi4. Dans ce travail, nous montrons comment il est possible de
transposer une caractérisation de la sensibilité à une
application logicielle complexe, et comment, en l’absence de
protections, il est possible de réaliser efficacement une attaque
permettant d’accéder aux informations sensibles. En complément de
l’approche présentée dans, notre méthode est suffisamment
efficace pour forcer l’authentification via l’application sudo
sans la modifier au préalable.
|
Amélie Marotta,
Ronan Lashermes,
Olivier Sentieys,
Rachid Dafali,
and Guillaume Bouffard
-
(2023)
|
|
Fault injection techniques are numerous, including laser,
electromagnetic fault injection (EMFI), power glitch, and clock
glitch. The physical effects that are caused from fault injection
result in fault models that can be interpreted at three different
abstraction levels: physical (impact on logic gates and
flip-flop), register-transfer (bit-set, bit-reset) and
microarchitectural (impact on the execution of programs). To
fully characterize the effects of fault injection, it is
important to know all three abstractions levels and how they are
linked to each other. In this work, we focus on a particular type
of clock glitch fault injection. We use TRAITOR, a many-fault
injection platform, which uses a specific pertubation on the
clock signal to induce incorrect behaviors in the target. Some
observations of these behaviours at a microarchitectural level
have been made, but until now, lower level fault models haven’t
been proposed. We observe that the sampling process of registers
can be compromised by TRAITOR’s glitched clock. While some fault
models already exist, they do not explain this behaviour.
Simulation- based investigations were done to characterize
precisely when a register would latch or not depending on the
glitched clock cycle shape. They revealed that the issue arises
due to an insufficient energy supply on the clock port of the
register. Besides, experiments were done on registers in FPGAs,
to highlight that the hardware environment of the target system
influences the fault results. During our presentation, we will
introduce our approach to characterize the impact of TRAITOR on
registers. We will present a new physical fault model which
explains its effects
|
Vincent Giraud,
and Guillaume Bouffard
-
(2022)
|
|
To perform sensitive operations, it is common to to use secure
components: thanks to their various protections, they can
protection, they can act as a root of trust. However, one may be
forced to use alternative solutions as they are not available in
all information systems. in all information systems. The industry
deploy an approach based on software obfuscation, which is less
software, which is less secure than those based on a hardware
component. component. White-box cryptography is one of them: each
intermediate step is precomputed and hidden, while the global
semantics. Although it is purely software, hardware attacks could
be transposed to it. be transposed to it. By instrumenting a
program, one can by creating unexpected states in the program.
unexpected states. As the needs of the industry are becoming more
industry, research is now focusing on features such as such as
resistance to quantum attacks and asymmetric and the asymmetric
possibilities of cryptographic schemes. cryptographic schemes.
These aspects are leading to the resurgence of specifications
such as McEliece’s. In our work, we study the security of a
cryptographic white box implementing implementing the McEliece
algorithm and its resistance to attacks. In this talk, we will
also also question the applicability in the software world of
existing world of existing countermeasures used in hardware
components. hardware components.
|
Guillaume Bouffard,
Valentin Houchouas,
José Lopes-Esteves,
and Thomas Trouchkine
-
3rd URSI AT-AP-RASC
(2022)
|
|
Most of our daily electronic objects store our personal data.
One method used by attackers to retrieve this data consists in
disrupting the operation of the component during the execution of
a sensitive program [2]. For example, electromagnetic
perturbation can disturb the electronic of a component and infer
errors during the execution of the program and thus leak or
modify sensitive information, which can jeopardize the system
security [5]. To generate effective electromagnetic perturbations
, the state-of-the-art fault injection community uses small hand-
made antennas placed within a few millimeters to the target
component [1]. These antennas are connected to a pulse generator
of several hundred volts and tens of nanoseconds pulse. By moving
the antenna over the compo- nent, an attacker goal is to
determine the parameters (i.e. (x, y) positions and pulse
amplitude) that maximize the probability of obtaining exploitable
faults. The fact that these antennas are handmade [4, 3]
complicates the reproducibility of studies due to the geometry
and the constitutive material variability. Furthermore, the input
impedance of antennas is never indicated in fault injection
related publications. As antennas are placed in the near vicinity
of the component under test (CUT), and because antenna far field
prop- erties are different from near field ones, it could be
relevant to determine the input impedance of the antenna/target
couple which can be computed from the reflection coefficient
(S11) measured by a vector network analyzer. In our work, we aim
at comparing the probability to obtain a fault at a given
position (x, y) with the frequency dependent absorbed power by
the antenna/CUT couple. By doing so, we expect to be able to get
information related to the sensitive frequencies of the CUT which
might pave the way to narrowband (or continuous wave) injections.
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédière
-
CEM France
(2020)
|
|
Recently, several Fault Attacks (FAs) targeting modern Central
Processing Units (CPUs) have emerged. These attacks are studied
from a practical point of view and, due to the modern CPUs
complexity, the underlying fault effect is usually unknown. In
this article, we focus on the characterization of a perturbation
(the fault model) on a modern CPU. For that, we explain an
approach to characterize the fault model on modern CPU from the
assembly instruction level to the micro-architectural level. This
fault model helps at determining which micro-architecture
elements are disrupted and how. The fault model determination
aims at finding original attack paths and design efficient
countermeasures. To confront our approach to real mod- ern CPUs,
we apply our approach on a Raspberry Pi 3 CPU on which the
determined fault model is reused to corrupt an AES
implementation.
|
Fault attacks on System On Chip
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédière
-
(2018)
|
|
|
Anis Bkakria,
Guillaume Bouffard,
Julien Iguchy-Cartigny,
and Jean-Louis Lanet
-
e-Smart
(2011)
|
|
In the smart card world, Java Card plays an important role. To
communicate with this type of card, which complies to the ISO7816
specification you should use a specific library. Indeed, this
kind of library must implement high level functions, which
follows the Global Platform (GP) specification (authentication
protocols, applet installation process, etc.), and should be
interfaced with another library to handle CAP files like the Cap
File Manipulator Java-library. Therefore, we developed an
open-source Java-library: OPAL, for Open Platform Access Library,
which complies with the Global Platform specification. This
library provides the full-support of the Java Card applets life
cycle and smart card management. Moreover, to exchange data with
a Java Card, we must implement Secure Channel Protocols (SCP) to
pass the authentication step. GP defines three secure channels:
SCP01, SCP02 and SCP03. These protocols provide a secure
communication channel between a card and an entity which manages
it. SCP01 is deprecated but still used. It uses a
challenge-response authentication. When this challenge is a
success, three security levels are used to exchange data (no
security level, signed data or cypher and signed data). In order
to improve the SCP01 security, SCP02 uses a mutual authentication
, different computation methods and a new security level. The
host ensures integrity of the received card data. Finally, the
last improvement is SCP03 which reuses the SCP01 and SCP02
security levels in addition to a new security level which
guarantees that the exchanged data are confidential. With OPAL,
we would like to provide a Java-library which is fully compliant
with GP. Futhermore, GP has defined a new authentication protocol
, named Remote Application Management over HTTP. This draft uses
an application provider which manages the applet and smart card
life cycle using the HTTP protocol. Indeed, OPAL can receive a
HTTP POST request sent by the Remote Administration Server and
extract the included APDU command. Afterwards, OPAL sends the
APDU command via the SCP02 protocol to the card and receives its
response. Thus, the response is encapsulated in a HTTP POST
request in order to send it to the Remote Administration Server.
|
Matthieu Barreaud,
Guillaume Bouffard,
Julien Iguchy-Cartigny,
and Jean-Louis Lanet
-
Crypto’puces
(2011)
|
|
The emergence of web servers embedded in smart cards cards
facilitates the development of applications. These applications
are close to servlets (applications with a web server) and are
based on the based on the HTTP model known by many developers.
The server can be used externally, via the phone connection (GSM,
3G, etc.) connection (GSM, 3G, etc.), for all phases of
administration or administration or, via the phone interface, to
provide user provide user services. Here we will focus on the the
Java Card 2.2 WebServer Edtion model. In order to communicate
with this web server, a service provider can send HTTP frames to
the cell phone – or any other interface other interfaces between
the card and the service provider. These frames are then
encapsulated via the BIP 2 protocol to be sent to the (U)SIM
card. The study and validity of this protocol has been one of our
previous research topics. In the continuity of this work, we have
chosen to verify the HTTP protocol. The implementation of this
type of server must be secured in order to guarantee the
execution of sensitive sensitive commands. However, the specific
constraints of the world of embedded systems forces to have a
complete system of the order of a few kilobytes. As a result, the
optimizations may contribute to the presence of vulnerabilities.
To verify the conformity and the robustness of the implementation
, we have chosen to use fuzzing which is an error which is a
technique of searching for errors in the software implementation
by injecting invalid data. This method uses a data model
representing the grammar and a model symbolizing the model
symbolizing the state machine of the protocol to be fuzzed. Our
analysis tool allows to characterize the web server embedded in
the card and thus to reduce the tree of of the data model of the
HTTP protocol. This tool is a solution for anyone wishing to
verify the security of the security of the embedded HTTP
protocol. The first experimental results results will be
presented during the conference.
|
Tutorials
Guillaume Bouffard
-
Worskshop on the Security of Software/Hardware Interfaces, November 21st, 2019 Rennes, France
(2019)
|
|
Modern CPUs are daily use in our smartphone and several IoT
devices. These components compute more and more sensitive
data. However, they are only designed to prevent software
attacks. Recently, few publications focus on breaking modern
CPUs from hardware layout. In this presentation, we will see
how hardware security in modern CPU is also important than
software security and why should be take in account.
|
Attacks against the Java Card Platform
Guillaume Bouffard
-
CryptoBG International Summer School, July 20th, 2015, Oriahovitza, Bulgaria
(2015)
|
|
|
Posters
Caractérisation d’antennes pour l’injection de fautes sur
composants électroniques
Guillaume Bouffard,
Valentin Houchouas,
José Lopes-Esteves,
and Thomas Trouchkine
-
GDR Ondes
(2021)
|
|
|
Combined Attacks on Java Card Smart Cards
Guillaume Bouffard,
and Jean-Louis Lanet
-
PHISIC workshop
(2011)
|
|
|
Theses
Guillaume Bouffard
- PhD thesis
-
University of Limoges
(2014)
Award Prix de thèse de l’action du CNRS Objets intelligents
sécurisés et Internet des objets
|
|
Smart cards are the keystone of various applications which we
daily use: pay money for travel, phone, etc. To improve the
security of this device with a friendly development environment,
the Java technology has been designed to be embedded in a smart
card. Introduce in the mid-nineties, this technology becomes
nowadays the leading application platform in the world. As a
smart card embeds critical information, evil-minded people are
interested to attack this device. In smart card domain, attacks
and countermeasures are advancing at a fast rate. In order to
have a generic view of all the attacks, we propose to use the
Fault Tree Analysis. This method used in safety analysis helps to
understand and implement all the desirable and undesirable events
existing in this domain. We apply this method to Java Card
vulnerability analysis. We define the properties that must be
ensured: integrity and confidentiality of smart card data and
code. During this thesis, we focused on the integrity property,
especially on the code integrity. Indeed, a perturbation on this
element can break each other properties. By modelling the
conditions, we discovered new attack paths to get access to the
smart card contents. We introduce new countermeasures to mitigate
the undesirable events defined in the tree models.
|
Guillaume Bouffard
- Master thesis
-
Technicolor & University of Limoges
(2010)
|
|
This document describes the work done during the internship for
my master degree Information Technologies Security and
Cryptography at the University of Limoges, France, carried out
with Technicolor at the Technicolor Security and Content
Protection Laboratories at Rennes, France. This internship aims
to protect the sensitive piece of code of a binary exe- cutable
without application source code knowledge. A sensitive piece of
code of a binary application is a set of the most uses
instructions. In order to protect this binary part, I extracted
this sensitive piece of code of the binary application and I
replaced with that provides a way to communicate to a dongle. On
this dongle, the extracted protected instructions are putted and
executed. Thus, to correctly execute a protected application, the
user needs a dongle which con- tains the missed part of the
executed application. After a short presentation of the context
and the company, I will present each step to my internship. In a
first time, I will describe how to find the sensitive binary part
of an executable program. When this part is found, I will try to
translate this piece of code in another language to protect it.
Next, I will modify the binary application, without the source
code, to change the protected piece of code by a set of
instructions designed to communicate to the dongle containing the
extracted piece of code. That will take us to a proof of concept.
To conclude, I will sum up the completed objectives, the possible
improvements and the difficulties I have encountered.
|
Preprints
Guillaume Bouffard Vincent Giraud
-
arXiv
(2024)
|
|
Private and public actors increasingly encounter use cases
where they need to implement sensitive operations on mass-market
peripherals for which they have little or no control. They are
sometimes inclined to attempt this without using
hardware-assisted equipment, such as secure elements. In this
case, the white-box attack model is particularly relevant and
includes access to every asset, retro-engineering, and binary
instrumentation by attackers. At the same time, quantum attacks
are becoming more and more of a threat and challenge traditional
asymmetrical ciphers, which are treasured by private and public
actors. The McEliece cryptosystem is a code-based public key
algorithm introduced in 1978 that is not subject to well-known
quantum attacks and that could be implemented in an uncontrolled
environment. During the NIST post-quantum cryptography
standardization process, a derived candidate commonly refer to as
classic McEliece was selected. This algorithm is however
vulnerable to some fault injection attacks while a priori, this
does not apply to the original McEliece. In this article, we thus
focus on the original McEliece cryptosystem and we study its
resilience against fault injection attacks on an ARM reference
implementation. We disclose the first fault injection based
attack and we discuss on how to modify the original McEliece
cryptosystem to make it resilient to fault injection attacks.
|
Gwenn Le Gonidec,
Maria Méndez Real,
Guillaume Bouffard,
and Jean-Christophe Prévotet
-
arXiv
(2024)
|
|
Over the past few years, several research groups have
introduced innovative hardware designs for Trusted Execution
Environments (TEEs), aiming to secure applications against
potentially compromised privileged software, including the
kernel. Since 2017, Tang et al. introduced a new class of
software-enabled hardware attacks, which leverages energy
management mechanisms. These attacks aim at bypassing TEE
security guarantees and exposing sensitive information like
cryptographic keys. They have increased in prevalence over the
past few years. Despite that, current RISC-V TEE architectures
have yet to incorporate them into their threat models.
Proprietary implementations, such as Arm TrustZone and Intel SGX,
embed countermeasures. However, these countermeasures are not
viable in the long term and hinder the capabilities of energy
management mechanisms. This article presents the first
comprehensive knowledge survey of these attacks, along with an
evaluation of literature countermeasures. Our analysis highlights
a substantial security gap between assumed threat models and the
actual ones, presenting considerable threats in modern
systems-on-chip that can undermine even the security guarantees
provided by TEEs. We advocate for the enhancement of the next
generation of RISC-V TEEs to address these attacks within their
threat models, and we believe this study will spur further
community efforts in this direction.
|
Guillaume Bouffard,
Vincent Giraud,
and Léo Gaspard
-
arXiv
(2021)
|
|
The Java Card Virtual Machine (JCVM) platform is widely
deployed on security-oriented components. JCVM implementations
are mainly evaluated under security schemes. However, existing
implementation are close-source without detail. We believe
studying how to design JCVM will improve them and it can be
reused by the community to improve Java Card security. In 2018,
Bouffard et al. [6] introduced an Operating System (OS) which
aims at running JCVM compatible implementation. This OS is
compatible with several Commercially available Off-The-Shelf
(COTS) components. This is a first step to design a secure JCVM
platform. However, some important details are missing to design a
secure-oriented Java Card platform. In this article, we focus on
the JCVM memory. This memory contains everything required to run
JCVM and applets. Currently, JCVM memory is out of the Java Card
specification and each JCVM developer use his own approach. Based
on the existing tools and documentation, we explain how to
extract from the Java Card toolchain every data required by
applets and JCVM. When data to store in memory are identified,
this article introduces how to organize required data onto JCVM
memory.
|
Thomas Trouchkine,
Sébanjila Kevin Bukasa,
Mathieu Escouteloup,
Ronan Lashermes,
and Guillaume Bouffard
-
arXiv
(2019)
|
|
Electromagnetic fault injection (EMFI) is a well known
technique used to disturb the behaviour of a chip for weakening
its security. These attacks are mostly done on simple
microcontrollers. On these targets, the fault effects are
relatively simple and understood. Exploiting EMFI on modern
system-on-chips (SoCs), the fast and complex chips ubiquitous
today, requires to understand the impact of such faults. In this
paper, we propose an experimental setup and a forensic process to
create exploitable faults and assess their impact on the SoC
micro-architecture. On our targeted SoC (a BCM2837), the observed
behaviours are radically different to what were obtained with
state-of-the-art fault injection attacks on microcontrollers. SoC
subsystems (L1 caches, L2 cache, memory management unit (MMU))
can be individually targeted leading to new fault models. We also
highlight the differences in the fault impact with and without an
operating system (OS). This shows the importance of the software
layers in the exploitation of a fault. With this work, we
demonstrate that the complexity and the speed of SoCs do not
protect them against hardware fault attacks. To conclude our work
, we introduce countermeasures to protect the SoC caches and MMU
against EMFI attacks based on the disclosed faults effects.
|