Thomas Trouchkine’s PhD thesis, titled SoC Physical Security Evaluation, was conducted at the ANSSI hardware security labs. His thesis was co-supervised by Jessy Clédière (CEA/LETI) and Guillaume Bouffard (ANSSI & ENS Paris), and it commenced in October 2017.
Thomas defended his PhD thesis on March 24, 2021, via Zoom. A replay of his PhD defense is available on YouTube.
The jury members were:
| Name | Title | Affiliation | Role |
|---|---|---|---|
| Jessy Clédière | Dr. Engineer, HDR | Grenoble-Alpes University | Doctoral Advisor |
| Marie-Laure Potet | Professor | ENSIMAG | President |
| Karine Heydemann | Associate Professor, HDR | Laboratoire d'Informatique de Paris 6, Sorbonne University | Reviewer |
| Philippe Maurine | Associate Professor, HDR | Laboratoire d'Informatique, de Robotique et de Microélectronique de Montpellier (LIRMM), University of Montpellier | Reviewer |
| Clémentine Maurice | CNRS Full-time Researcher | University of Lille, CRIStAL team | Examiner |
| Jean-Max Dutertre | Professor | École des Mines de Saint-Étienne | Examiner |
| Patrick Schaumont | Professor, Engineering | Worcester Polytechnic Institute | Examiner |
| Lilian Bossuet | Professor | University of Saint-Étienne | Examiner |
| Patrick Haddad | Dr. Engineer | STMicroelectronics | Guest |
| Guillaume Bouffard | Doctor | ANSSI & ENS Paris | Guest, Co-Supervisor |
Since the democratization of mobile devices, sensitive operations like payment, identification or healthcare, usually performed with security-evaluated smartcards, are now handled by these devices. However, mobile devices are neither designed for security nor security evaluated. Therefore, their resistance against powerful attacks, such as physical attacks, is questionable.
In this thesis, we aim at evaluating the security of mobile devices against physical attacks, in particular perturbation attacks. These attacks aim at modifying the execution environment of the device to induce bugs during its computation. These bugs are called faults. Faults can compromise the security of a device, for instance by allowing the cryptanalysis of its secrets or by forcing an unauthorized authentication.
Mobile devices are powered by modern processors, which are the heart of this work, and these processors are never evaluated against fault attacks. Our knowledge about fault attacks on smartcards is not directly applicable, as the processors powering smartcards are far less complex, in terms of number of modules, technology node and optimization mechanisms, than modern processors.
Given this situation, we aim at providing a rationale on the security of modern processors against fault attacks by defining a fault characterization method, applying it to representative modern processors, and analysing classical security mechanisms against the characterized faults.
We characterized three devices, namely the BCM2837, the BCM2711b0 and the Intel Core i3-6100T, against fault attacks using two different injection mediums: electromagnetic perturbations and a laser. We determined that these devices, despite having different architectures and being perturbed with different mediums, are faulted in similar ways. Most of the time, a perturbation on these devices modifies the executed instructions. As this is a powerful fault, we also analysed classical security mechanisms embedded in such devices. We successfully realized a differential fault analysis on the AES implementation of the OpenSSL library, which is used in every Linux-based operating system. We also analysed the Linux user authentication process involved in the sudo program. This work highlights the lack of tools to efficiently analyse Linux programs, which are rather complex because of dynamic linking mechanisms, against fault attacks.
SoC Physical Security Evaluation - PhD thesis - University of Grenoble-Alpes (2021)
EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model - 18th Workshop on Fault Detection and Tolerance in Cryptography (FDTC), Milan, Italy (2021)
Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. Few works try to characterize it at the Instruction Set Architecture (ISA) level. In this article, we apply a state-of-the-art fault model characterization approach on modern CPUs. We evaluate the fault model on two CPUs from different architectures with the same injection medium. We target the CPU of the Raspberry Pi 3 (ARM) and an Intel Core i3 (x86) and perturb them with ElectroMagnetic Fault Injection (EMFI). From the ISA point of view, we disclose a similar fault model on each component. Additionally, we evaluate a widely used complex piece of software, OpenSSL, against this fault model.
Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models - Journal of Cryptographic Engineering (JCEN) (2021)
The last years have seen the emergence of fault attacks targeting modern Central Processing Units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the Electromagnetic Fault Injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837, on which we successfully demonstrate persistent faults on the L1 instruction cache, the L1 data cache and the L2 cache. We also show that faults can corrupt the Memory Management Unit (MMU). To validate our fault model, we realize a persistent fault analysis to retrieve an AES key.
EM Injection Vs Modern CPU: Fault Characterization And AES Differential Fault Analysis - CEM France, Lyon, France (2020)
Recently, several Fault Attacks (FAs) targeting modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on a modern CPU. For that, we explain an approach to characterize the fault model on modern CPUs from the assembly instruction level down to the micro-architectural level. This fault model helps determine which micro-architectural elements are disrupted and how. The fault model determination aims at finding original attack paths and designing efficient countermeasures. To confront our approach with real modern CPUs, we apply it on a Raspberry Pi 3 CPU, on which the determined fault model is reused to corrupt an AES implementation.
Fault Injection Characterization on modern CPUs: From the ISA to the Micro-Architecture - Information Security Theory and Practice, 13th IFIP WG 11.2 International Conference (WISTP), Paris, France (2019). Best student paper award.
Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the complexity of modern CPUs, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on modern CPUs. For that, we introduce the first approach to characterize the fault model on modern CPUs from the Instruction Set Architecture (ISA) level down to the micro-architectural level. This fault model helps determine which micro-architectural elements are disrupted and how. Our fault model aims at finding original attack paths and designing efficient countermeasures. To confront our approach with real modern CPUs, we apply it on ARM and x86 CPUs, mainly on the BCM2837 (the Raspberry Pi 3 model B CPU) and an Intel Core i3.
Fault attacks on System On Chip - PHISIC workshop, Gardanne, France (2018)
Modern System On Chips Security Against Physical Attacks - Journées Nationales du GDR Sécurité Informatique (2021)
Perturbation attacks on modern CPU: from the fault model to the exploitation - Journée thématique sur les attaques par injection de fautes (JAIF) (2020)
Radically secure computing - SILM seminar 2020 (2020)
Do Not Trust Modern System-on-Chips: Electromagnetic fault injection against a System-on-Chip - PHISIC Workshop (2019)
How modern System-on-Chips are vulnerable to fault attacks - Journée thématique sur les attaques par injection de fautes (JAIF) (2019)
Electromagnetic fault injection (EMFI) is a well-known technique to disturb the behavior of a chip and weaken its security. Yet these attacks are mostly done on simple microcontrollers, where the fault effect is relatively simple and understood. Unlocking EMFI on modern System-on-Chips (SoCs), the fast and complex chips ubiquitous today, requires understanding the impact of the faults. In this paper we target the BCM2837 SoC, with four Cortex-A53 cores from ARM. We propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the micro-architecture. The observed behaviors are radically different from what was previously obtained on microcontrollers. Subsystems (L1 caches, L2 cache, MMU) can be individually targeted, leading to new fault models. We highlight the differences in the fault impact with or without an Operating System, therefore showing the importance of the software layers in the exploitation of a fault. The complexity and speed of a SoC do not protect it against hardware attackers, quite the contrary. We advocate for the design of secure generic cores with a stronger security model to run all security-related code (which encompasses all privileged code).
Fault attacks on System On Chip - GDR SoC2 research group (2018)
Electromagnetic fault injection against a System-on-Chip, toward new micro-architectural fault models - arXiv (2019)
Electromagnetic fault injection (EMFI) is a well-known technique used to disturb the behaviour of a chip in order to weaken its security. These attacks are mostly done on simple microcontrollers. On these targets, the fault effects are relatively simple and understood. Exploiting EMFI on modern system-on-chips (SoCs), the fast and complex chips ubiquitous today, requires understanding the impact of such faults. In this paper, we propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the SoC micro-architecture. On our targeted SoC (a BCM2837), the observed behaviours are radically different from what was obtained with state-of-the-art fault injection attacks on microcontrollers. SoC subsystems (L1 caches, L2 cache, memory management unit (MMU)) can be individually targeted, leading to new fault models. We also highlight the differences in the fault impact with and without an operating system (OS). This shows the importance of the software layers in the exploitation of a fault. With this work, we demonstrate that the complexity and the speed of SoCs do not protect them against hardware fault attacks. To conclude our work, we introduce countermeasures to protect the SoC caches and MMU against EMFI attacks, based on the disclosed fault effects.