Thomas Trouchkine's PhD Thesis - SoC Physical Security Evaluation

Thomas Trouchkine’s PhD thesis, entitled “SoC physical security evaluation”, is in progress at the ANSSI hardware security labs. His thesis is co-supervised with Jessy Clédière, CEA/LETI and Guillaume Bouffard, ANSSI & ENS Paris. His PhD thesis was started on October 2017.

Thomas defenced his PhD thesis on 2021, March 24th on Zoom. The replay of his PhD defence is:

The jury was composed of:

Jessy CLEDIERE Dr. Engineer Grenoble-Alpes University Doctoral advisor
Marie-Laure POTET Professor ENSIMAG President
Karine HEYDEMANN Associate Professor Laboratoire d’Informatique de Paris 6, Sorbonne University Reviewer
Philippe MAURINE Associate Professor Laboratoire d’Informatique, de Robotique et de Microélectronique de Montpellier (LIRMM), University of Montpellier Reviewer
Clémentine MAURICE CNRS full-time researcher University of Lille – CRIStAL Examiner
Jean-Max DUTERTRE Professor École des Mines de Saint Étienne Examiner
Patrick SCHAUMONT Professor Worcester Polytechnic Institute Examiner
Lilian BOSSUET Professor University of Saint-Etienne Examiner
Patrick HADDAD Dr. Engineer STmicroelectonics Guest
Guillaume BOUFFARD Doctor ANSSI & ENS Paris Guest, co-supervisor

Abstract

Since the democratization of mobile devices, sensitive operations like payment, identification or healthcare, usually done using security evaluated smartcards, are handled by these devices. However, mobile devices neither are designed for security nor security evaluated. Therefore, their resistance against powerful attacks, like physical attacks is questionable.

In this thesis, we aim at evaluating the security of mobile devices against physical attacks, in particular perturbation attacks. These attacks aims at modifying the execution environment of the device to induce bugs during its computation. These bugs are called faults. These faults can compromise the security of a device by allowing the cryptanalysis of its secret or forcing an unauthorized authentication for instance.

Mobile devices are powered by modern processors, which are the heart of this work, and are never evaluated against fault attacks. However, our knowledge about fault attacks on smartcards is not relevant as the processors powering smartcards are way less complex, in terms of the number of modules, technology node and optimization mechanisms, than modern processors.

Regarding this situation, we aim at providing rationals on the security of modern processors against fault attacks by defining a fault characterization method, using it on representative modern processors and analysing classical security mechanisms against the characterized faults.

We characterized three devices, namely the BCM2837, BCM2711b0 and the Intel Core i3-6100T against fault attacks using two different injection mediums: electromagnetic perturbations and a laser. We determined that these devices, despite having different architecture and using different mediums are faulted in similar ways. Most of the time, a perturbation on these devices modify their executed instructions. As this is a powerful fault, we also analysed classical security mechanisms embedded in such devices. We successfully realized a differential fault analysis on the AES implementation of the OpenSSL library, which is used in every Linux-based operating system. We also analysed the Linux user authentication process involved in the sudo program. This work highlights the lack of tools to efficiently analyse Linux programs, which are rather complex with dynamic linking mechanisms, against fault attacks.

Thesis

  1. Thomas Trouchkine - University of Grenoble-Alpes (2021)

    Since the democratization of mobile devices, sensitive operations like payment, identification or healthcare, usually done using security evaluated smartcards, are handled by these devices. However, mobile devices neither are designed for security nor security evaluated. Therefore, their resistance against powerful attacks, like physical attacks is questionable. In this thesis, we aim at evaluating the security of mobile devices against physical attacks, in particular perturbation attacks. These attacks aims at modifying the execution environment of the device to induce bugs during its computation. These bugs are called faults. These faults can compromise the security of a device by allowing the cryptanalysis of its secret or forcing an unauthorized authentication for instance. Mobile devices are powered by modern processors, which are the heart of this work, and are never evaluated against fault attacks. However, our knowledge about fault attacks on smartcards is not relevant as the processors powering smartcards are way less complex, in terms of the number of modules, technology node and optimization mechanisms, than modern processors. Regarding this situation, we aim at providing rationals on the security of modern processors against fault attacks by defining a fault characterization method, using it on representative modern processors and analysing classical security mechanisms against the characterized faults. We characterized three devices, namely the BCM2837, BCM2711b0 and the Intel Core i3-6100T against fault attacks using two different injection mediums: electromagnetic perturbations and a laser. We determined that these devices, despite having different architecture and using different mediums are faulted in similar ways. Most of the time, a perturbation on these devices modify their executed instructions. As this is a powerful fault, we also analysed classical security mechanisms embedded in such devices. We successfully realized a differential fault analysis on the AES implementation of the OpenSSL library, which is used in every Linux-based operating system. We also analysed the Linux user authentication process involved in the sudo program. This work highlights the lack of tools to efficiently analyse Linux programs, which are rather complex with dynamic linking mechanisms, against fault attacks.

Publications

  1. Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - Journal of Cryptographic Engineering (JCEN) (2021)

    The last years have seen the emergence offault attacks targeting modern Central Processing Units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the Electromagnetic Fault Injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837 where we successfully demonstrate persistent faults on L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the Memory Management Unit (MMU). To validate our fault model, we realize a persistent fault analysis toretrieve an AES key.

  2. Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - CEM France 2020 (2020)

    Recently, several Fault Attacks (FAs) targeting modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on a modern CPU. For that, we explain an approach to characterize the fault model on modern CPU from the assembly instruction level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. The fault model determination aims at finding original attack paths and design efficient countermeasures. To confront our approach to real mod- ern CPUs, we apply our approach on a Raspberry Pi 3 CPU on which the determined fault model is reused to corrupt an AES implementation.

  3. Electromagnetic fault injection against a System-on-Chip, toward new micro-architectural fault models

    Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - arXiv (2019)
  4. Thomas Trouchkine, Guillaume Bouffard, and Jessy Clediere - In Information Security Theory and Practice - 13th IFIP WG 11.2 International Conference, WISTP 2019, Paris, France, December 10-11, 2019 (2019) - Best student paper award

    Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have been emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on modern CPU. For that, we introduce the first approach to characterize the fault model on modern CPU from the Instruction Set Architecture (ISA) level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. Our fault model aims at finding original attack paths and designed efficient countermeasures. To confront our approach to real modern CPUs, we apply our approach on ARM and x86 architectures CPUs, mainly on the BCM2837 (the Raspberry Pi model B CPU) and an Intel Core i3.

  5. Problems and state of the art of faults injection on Systems on Chip

    Thomas Trouchkine, Guillaume Bouffard, David El Baze, and Jessy Clédière - PHISIC 2018 workshop (2018)

Talks

  1. Perturbation attacks on modern CPU – from the fault model to the exploitation

    Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - Journée thématique sur les attaques par injection de fautes (JAIF) (2020)
  2. Radically secure computing

    Guillaume Bouffard, Kevin Bukasa Sébanjila, Mathieu Escouteloup, Alexandre Gonzalvez, Jean-Louis Lanet, Ronan Lashermes, Hélène Le Bouder, Gaël Thomas, and Thomas Trouchkine - SILM seminar 2020 (2020)
  3. Do Not Trust Modern System-on-Chips – Electromagnetic fault injection against a System-on-Chip

    Thomas Trouchkine, Kevin Bukasa Sébanjila, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - PHISIC Workshop (2019)
  4. Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - Journée thématique sur les attaques par injection de fautes (JAIF) (2019)

    Electromagnetic fault injection (EMFI) is a well known technique to disturb the behavior of a chip and weaken its security. Yet these attacks are mostly done on simple microcontrollers since the fault effect is relatively simple and understood. Unlocking EMFI on modern System-on-Chips (SoCs), the fast and complex chips ubiquitous today, requires to understand the impact of the faults. In this paper we target the BCM2837 SoC, with four Cortex-A53 cores from ARM. We propose an experimental setup and a forensic process to create exploitable faults and assess their impact on the micro-architecture. The observed behaviors are radically differentv to what was previously obtained on microcontrollers. Subsystems (L1 caches, L2 cache, MMU) can be individually targeted leading to new fault models. We highlight the differences in the fault impact with or without an Operation System, therefore showing the importance of the software layers in the exploitation of a fault. The complexity and speed of a SoC does not protect them against hardware attackers, quite the contrary. We advocate for the design of secure generic cores with a stronger security model to run all security related code (which emcompass all priviledged code).

  5. Fault attacks on System On Chip

    Thomas Trouchkine, Guillaume Bouffard, David El Baze, and Jessy clédière - GDR SoC2 research group (2018)