Efficient Design and Evaluation of Countermeasures against Fault Attacks Using Formal Verification

Goubet, Lucien; Heydemann, Karine; Encrenaz, Emmanuelle; Keulenaer, Ronald De

doi:10.1007/978-3-319-31271-2_11

Cited by 8 publications

(7 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Goubet et al [22] aimed at formal verification of countermeasures by using automata and SMT solver. Such approach required a decomposition of a code into pieces, while analyzing each piece separately.…”

Section: Countermeasure Evaluation Methodsmentioning

confidence: 99%

On Evaluating Fault Resilient Encoding Schemes in Software

Breier¹,

Hou²,

Liu

2021

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Cryptographic implementations are often vulnerable against physical attacks, fault injection analysis being among the most popular techniques. On par with development of attacks, the area of countermeasures is advancing rapidly, utilizing both hardware-and software-based approaches. When it comes to software encoding countermeasures for fault protection and their evaluation, there are very few proposals so far, mostly focusing on single operations rather than cipher as a whole. In this paper we propose an evaluation framework that can be used for analyzing the effectivity of software encoding countermeasures against fault attacks. We first formalize the encoding schemes in software, helping us to define what properties are required when designing a fault protection. Based on these findings, we develop an evaluation metric that can be used universally to determine the robustness of a software encoding scheme against bit flip faults and instruction skips. We provide a way to select a code according to user criteria and also a dynamic code analysis method to estimate the level of protection of assembly implementations using encoding schemes. Finally, we verify our findings by implementing a block cipher PRESENT, protected by encoding scheme based on anticodes, and provide a detailed evaluation of this implementation using different codes.

show abstract

Section: Countermeasure Evaluation Methodsmentioning

confidence: 99%

On Evaluating Fault Resilient Encoding Schemes in Software

Breier¹,

Hou²,

Liu

2021

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…For example [5] searches for vulnerable spots for DFA based on a data flow graph extracted from Assembly. A similar approach is presented in [33], but instead, the extracted set of equations is fed to an SMT solver to find a distinguisher. Abstracting further, [6], [34] operate on a mathematical description of a cryptographic operation to find a possible attack in the first place.…”

Section: B Fault Simulation and Assessmentmentioning

confidence: 99%

ARMORY: Fully Automated and Exhaustive Fault Simulation on ARM-M Binaries

Hoffmann

Schellenberg

Paar

2021

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Embedded systems are ubiquitous. However, physical access of users and likewise attackers makes them often threatened by fault attacks: a single fault during the computation of a cryptographic primitive can lead to a total loss of system security. This can have serious consequences, e.g., in safetycritical systems, including bodily harm and catastrophic technical failures. However, countermeasures often focus on isolated fault models and high layers of abstraction. This leads to a dangerous sense of security, because exploitable faults that are only visible at machine code level might not be covered by countermeasures. In this work we present ARMORY, a fully automated open source framework for exhaustive fault simulation on binaries of the ubiquitous ARM-M class. It allows engineers and analysts to efficiently scan a binary for potential weaknesses against arbitrary combinations of multi-variate fault injections under a large variety of fault models. Using ARMORY, we demonstrate the power of fully automated fault analysis and the dangerous implications of applying countermeasures without knowledge of physical addresses and offsets. We exemplarily analyze two case studies, which are highly relevant for practice: a DFA on AES (cryptographic) and a secure bootloader (non-cryptographic). Our results show that indeed numerous exploitable faults found by ARMORY which occur in the actual implementations are easily missed in manual inspection. Crucially, most faults are only visible when taking machine code information, i.e., addresses and offsets, into account. Surprisingly, we show that a countermeasure that protects against one type of fault can actually largely increase the vulnerability to other fault models. Our work demonstrates the need for countermeasures that, at least in their evaluation, are not restricted to isolated fault models and consider low-level information during the design process.

show abstract

“…Still in an evaluation context, formal verification can be used. For instance Lucien Goubet et al [14] have submitted a tool that helps to formally evaluate fault attack countermeasures thanks to an SMT solver. Thomas Given-Wilson et al [13] developed a formal way to find fault injection vulnerabilities using a model.…”

Section: Fault Attacksmentioning

confidence: 99%