Gwenn Le Gonidec's PhD Thesis - Securing RISC-V System-on-Chip against Energy-based Attacks

Gwenn Le Gonidec is currently pursuing her PhD, entitled Securing RISC-V System-on-Chip against Energy-based Attacks, at Lab-STICC. Her research, which started in October 2023, is co-supervised by Maria Méndez Real from Lab-STICC and Jean-Christophe Prévotet from IETR/INSA Rennes.

Publications

  1. Gwenn Le Gonidec, Guillaume Bouffard, Jean-Christophe Prévotet, and Maria Méndez Real - In Proceedings of the 2nd International Workshop on Constructive Approaches for SeCurity Analysis and Design of Embedded systems (CASCADE) (2026)

    Voltage drop fault attacks pose a new security threat to FPGAs, especially in a multi-tenant context where several users share the same hardware space. An increasing amount of research shows that attackers can implement voltage plundering circuits to inject timing faults in surrounding hardware modules. In recent years, various countermeasures against such attacks have been proposed. Many of these rely on embedded sensors to detect voltage drops during runtime. These can be effective in disabling the attacker, pinpointing their location or limiting the impact of faults on the victim module. However, the voltage drop detection methods they use are either unsuitable for real-world use as they rely on static thresholds on the sensor’s output, or use a significant amount of memory resources. In addition, some lack concrete implementations to prove their effectiveness and to accurately estimate their impact on the targeted system. In this work, we introduce a fast, lightweight and efficient method based on arithmetic calculations for detecting voltage drop attacks. Experiments on a real implementation demonstrate its effectiveness in detecting voltage drops in contexts where methods based on static thresholds would be unsuitable due to noise and uncertainty regarding the sensors’ location. Moreover, this new detection method does not require extensive use of memory resources to compute long-term metrics. Its simplicity and versatility make it easy to integrate into existing countermeasure schemes.

  2. Gwenn Le Gonidec, Guillaume Bouffard, Jean-Christophe Prévotet, and Maria Méndez Real - ACM Transactions on Embedded Computing Systems (2025)

    Over the past few years, several research groups have introduced innovative hardware designs for Trusted Execution Environments (TEEs), aiming to secure applications against potentially compromised privileged software, including the kernel. Since 2015, a new class of software-enabled hardware attacks leveraging energy management mechanisms has emerged. These internal energy-based attacks comprise fault, side-channel and covert channel attacks. Their aim is to bypass TEE security guarantees and expose sensitive information such as cryptographic keys. They have increased in prevalence in the past few years. Popular TEE implementations, such as ARM TrustZone and Intel SGX, incorporate countermeasures against these attacks. However, these countermeasures either hinder the capabilities of the power management mechanisms or have been shown to provide insufficient system protection. This article presents the first comprehensive knowledge survey of these attacks, along with an evaluation of literature countermeasures. We believe that this study will spur further community efforts towards this increasingly important type of attack.

  3. Gwenn Le Gonidec, Maria Méndez Real, Guillaume Bouffard, and Jean-Christophe Prévotet - Journée thématique sur les attaques par injection de fautes (JAIF) (2024)

    A growing number of sensitive operations are carried out on systems-on-chip (SoCs), which present a large attack surface. For about fifteen years, hardware attacks against this type of system have been published. They transpose attack techniques developed for secure components, where the state of the art is well established. However, these attacks require physical access to the target system. In 2017, Tang et al. demonstrated with the ClkScrew attack that hardware energy management modules, accessible from software, constitute a new attack vector. They succeeded in causing fault injection by maliciously exploiting the supply voltage regulators, giving them access to the otherwise inaccessible resources of the trusted execution environment (TEE). This type of energy-based attack has been extended and refined in subsequent publications. Unlike traditional hardware attacks, this new type of attack does not require physical access to the target. Countermeasures against these attacks have been implemented in the main TEEs, such as Intel SGX and ARM TrustZone. However, these countermeasures restrict control of the supply voltage, thus preventing energy management mechanisms from being used to their full potential. New countermeasures are proposed in the literature, but they reduce system performance or lack concrete implementations. Moreover, in recent years, many innovative hardware TEE designs for RISC-V have been proposed. However, these TEEs do not yet take this type of attack into account, despite its inclusion in the attacker model defined by the Global Platform protection profile. In this presentation, we will address the issue of hardware fault injection attacks that exploit energy management modules from software. We will describe the importance of these attacks, the existing countermeasures and potential new solutions, with a focus on new TEE implementations on RISC-V processors.

Poster

  1. Internal Power-Management-based Fault Attacks

    Gwenn Le Gonidec, Maria Méndez Real, Guillaume Bouffard, and Jean-Christophe Prévotet - Journée thématique sur les attaques par injection de fautes (JAIF) (2024)

Preprint

  1. Gwenn Le Gonidec, Maria Méndez Real, Guillaume Bouffard, and Jean-Christophe Prévotet - arXiv (2024)

    Over the past few years, several research groups have introduced innovative hardware designs for Trusted Execution Environments (TEEs), aiming to secure applications against potentially compromised privileged software, including the kernel. In 2017, Tang et al. introduced a new class of software-enabled hardware attacks, which leverages energy management mechanisms. These attacks aim at bypassing TEE security guarantees and exposing sensitive information like cryptographic keys. They have increased in prevalence over the past few years. Despite that, current RISC-V TEE architectures have yet to incorporate them into their threat models. Proprietary implementations, such as Arm TrustZone and Intel SGX, embed countermeasures. However, these countermeasures are not viable in the long term and hinder the capabilities of energy management mechanisms. This article presents the first comprehensive knowledge survey of these attacks, along with an evaluation of literature countermeasures. Our analysis highlights a substantial security gap between assumed threat models and the actual ones, presenting considerable threats in modern systems-on-chip that can undermine even the security guarantees provided by TEEs. We advocate for the enhancement of the next generation of RISC-V TEEs to address these attacks within their threat models, and we believe this study will spur further community efforts in this direction.