Vincent Giraud's PhD Thesis - Application security on uncontrolled systems

Vincent Giraud’s PhD thesis, titled “Application security on uncontrolled systems: Study of the risks, protections, stakes and interests around trust in off-the-shelf computer products”, is currently in progress at Ingénico hardware security labs. His thesis is co-supervised by David Naccache from ENS Paris, and it commenced in September 2020.

Vincent defended his PhD thesis on September 26, 2024.

The jury members were:

Aurélien Francillon Professor Networking and security department, EURECOM President
Pascal Lafourcade Professor Université Clermont Auvergne Reviewer
Clémentine Maurice CNRS Full-time Researcher, HDR University of Lille – CRIStAL Reviewer
Sophie Quinton Research scientist SPADES group, INRIA Grenoble Examiner
David Naccache Professor DIENS, Ecole Normale Supérieure (ENS) Paris Doctoral Advisor
Guillaume Bouffard Doctor ANSSI & ENS Paris Co-Supervisor
Tania Richmond Associate professor Institute of Exact and Applied Sciences, University of New Caledonia Guest

Abstract

Service providers from a wide variety of domains, whether it is payments, identification, transportation, or others, are increasingly digitizing the assets they provide to end users. In practice, this results in a strong concentration of sensitive content (both data and executables) on people’s personal smartphones, for their private and work life simultaneously.

These types of systems, often called Commercial Off-The-Shelf devices (COTS), are under the control of end users. Industrial and state actors seeking trustworthy, stable execution environments thus face many challenges when trying to deploy solutions on them, as they do not necessarily have the possibility to exploit hardware security mechanisms, if any. Consequently, they sometimes try to develop software operating in the white-box security model, where everything has to operate under open scrutiny.

In this thesis, the general limits of such a paradigm are addressed. First, it is shown how the McEliece cryptosystem, and its asymmetrical algorithm with various advantages today, can be vulnerable in such a context by demonstrating an attack based on fault injection against it. Secondly, a focus is provided on the confidentiality guarantees provided by Android platforms. Specifically, by inspecting the implementation of power management in these platforms, it is demonstrated how a malicious application can spy on a legitimate one. A concrete example is given, focusing on the recovery of Personal Identification Numbers (PIN) codes entered in other software contexts. In both of these subjects, possible improvements and adjustments are nevertheless described.

These works intend to question the way security is envisioned on people’s COTS devices. These devices are under the responsibility of end users but can contain private parts based on secrets as roots of trust. The robustness of sensitive software thus depends on unfair parameters such as who is the developer, what the end users can afford, and what technical and personal choices they have made. A new distribution of security responsibilities is finally proposed.

Thesis

  1. Vincent Giraud - PhD thesis - University of Grenoble-Alpes (2024)

    Services providers from a wide variety of domains (whether it is payments, identification, trans- port, or others) more and more digitalized the assets they provide to end users. In practice, this results in a strong concentration of sensitive contents (both data and executables) on people’s personal smartphones, for their private and work life simultaneously. This type of systems, often called Commercial Off-The-Shelf (COTS) devices, are under the control of end users. Industrial and state actors seeking trustable, stable execution environments thus face many challenges when trying to deploy solutions on them, as they do not necessarily have the possibility to exploit the hardware security mechanisms, if any. In consequence, they sometimes try to develop software operating in the white-box security model, where everything has to operate under open scrutiny. In this thesis, the general limits of such a paradigm are addressed. First, it is showed how the McEliece cryptosystem, and its asymmetrical algorithm with varied advantages today, can be vulnerable in such a context by demonstrating an attack based on fault injection against it. Secondly, a focus is provided on the confidentiality guarantees provided by Android platforms. Specifically, by inspecting the implementation of power management in these, it is demonstrated how a malicious application can spy on a legitimate one. A concrete given example is focused on the recovery of Personal Identification Numbers codes entered in other software contexts. In both of these subjects, possible improvements and adjustments are nevertheless described. These works intend to question the way security is envisioned on people’s COTS devices. These are under the responsibility of end users, but can contain private parts based on secrets as roots of trust. The robustness of sensitive software thus depends on unfair parameters such as who is the developer, what can afford the end users, and what technical and personal choices has he made. A new distribution of security responsibilities is finally proposed.

Publications

  1. Vincent Giraud, and David Naccache - In Proceedings of the 18th International Workshop on Advances in Information and Computer Security (IWSEC) (2023)

    Efficient power management is critical for embedded devices, both for extending their lifetime and ensuring safety. However, this can be a challenging task due to the unpredictability of the batteries commonly used in such devices. To address this issue, dedicated Integrated Circuits (ICs) known as “fuel gauges” are often employed outside of the System- on-Chip (SoC). These devices provide various metrics about the available energy source and are highly accurate. However, their precision can also be exploited by malicious actors to compromise platform confidentiality if the Operating System (OS) fails to intervene. Depending on the fuel gauge and OS configuration, several attack scenarios are possible. In this article, we focus on Android and demonstrate how it is possible to bypass application isolation to recover Personal Identification Numbers (PINs) entered in other processes.

  2. Vincent Giraud, and Guillaume Bouffard - In IEEE European Workshops on Symposium on Security and Privacy (EuroS&P) (2023)

    Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process [17], a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks [7] while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation [18]. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

  3. Vincent Giraud, and David Naccache - In Symposium sur la sécurité des technologies de l’information et des communications (SSTIC) (2023)

    La gestion de l’alimentation est cruciale pour les périphériques embarqués. Cette tâche est complexe en raison des incertitudes liées aux batteries qui les alimentent. Elle est souvent confiée à des circuits intégrés dédiés, appelés jauges de carburant, qui sont précis et efficaces, mais peuvent également être utilisés pour des activités malveillantes qui mettent en danger la confidentialité de la plateforme. Dans cet article, nous montrons comment l’isolation inter-applications peut être contournée sur Android, en nous concentrant sur la récupération d’un code personnel d’identification entré sur un autre processus.

  4. Vincent Giraud, and Guillaume Bouffard - (2022)

    To perform sensitive operations, it is common to to use secure components: thanks to their various protections, they can protection, they can act as a root of trust. However, one may be forced to use alternative solutions as they are not available in all information systems. in all information systems. The industry deploy an approach based on software obfuscation, which is less software, which is less secure than those based on a hardware component. component. White-box cryptography is one of them: each intermediate step is precomputed and hidden, while the global semantics. Although it is purely software, hardware attacks could be transposed to it. be transposed to it. By instrumenting a program, one can by creating unexpected states in the program. unexpected states. As the needs of the industry are becoming more industry, research is now focusing on features such as such as resistance to quantum attacks and asymmetric and the asymmetric possibilities of cryptographic schemes. cryptographic schemes. These aspects are leading to the resurgence of specifications such as McEliece’s. In our work, we study the security of a cryptographic white box implementing implementing the McEliece algorithm and its resistance to attacks. In this talk, we will also also question the applicability in the software world of existing world of existing countermeasures used in hardware components. hardware components.

Patents

  1. White-box cryptographic keys

    Vincent Giraud - Patent number WO2024083855A1 (2023)
  2. White box encoding

    Vincent Giraud - Patent number WO2024083849A1 (2023)
  3. Method for protecting a terminal against a side channel attack

    Vincent Giraud - Patent number FR3142818A1 (2023)

Preprint

  1. Guillaume Bouffard Vincent Giraud - arXiv (2024)

    Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process, a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

  2. Bypassing Android isolation with fuel gauges: new risks with advanced power ICs

    Vincent Giraud, and David Naccache - Cryptology ePrint Archive, Paper 2023/1078 (2023)
  3. Guillaume Bouffard, Vincent Giraud, and Léo Gaspard - arXiv (2021)

    The Java Card Virtual Machine (JCVM) platform is widely deployed on security-oriented components. JCVM implementations are mainly evaluated under security schemes. However, existing implementation are close-source without detail. We believe studying how to design JCVM will improve them and it can be reused by the community to improve Java Card security. In 2018, Bouffard et al. [6] introduced an Operating System (OS) which aims at running JCVM compatible implementation. This OS is compatible with several Commercially available Off-The-Shelf (COTS) components. This is a first step to design a secure JCVM platform. However, some important details are missing to design a secure-oriented Java Card platform. In this article, we focus on the JCVM memory. This memory contains everything required to run JCVM and applets. Currently, JCVM memory is out of the Java Card specification and each JCVM developer use his own approach. Based on the existing tools and documentation, we explain how to extract from the Java Card toolchain every data required by applets and JCVM. When data to store in memory are identified, this article introduces how to organize required data onto JCVM memory.