



MINES Saint-Étienne, a school of IMT

Code Encryption for Confidentiality and Execution Integrity down to Control Signals

Théophile Gousselot, Ph.D. Student

SemSecuElec, Rennes, Inria, Oct 18, 2024





- 1 Who am I?
- 2 Context for execution integrity
- 3 Proposed scheme
- 4 Validation and characterization
- 5 Conclusion






github.com/theophile-gousselot





# Master's Degree in Microelectronics and Computer Science

- Embedded system security
- Final year internship at STMicroelectronics: Control Flow Integrity






#### PhD Student: Harden RISC-V cores

- → Secure Architectures and Systems department (Gardanne)
- Linear Code Extraction
- Execution Integrity
















# Context for execution integrity

- 1 Who am I?
- 2 Context for execution integrity
  - Microcontroller as our main embedded system to protect
  - Abstraction hierarchy
  - Threat model
  - Goal
  - Control Flow and Instruction Integrity
  - Control Signal Integrity
  - State-of-the-art execution integrity
- 3 Proposed scheme
- 4 Validation and characterization
- 5 Conclusion






# **Context for execution integrity** Microcontroller as our main embedded system to protect

### Microcontroller: one die...

- Processor
- RAM
- ROM

#### **Program:**

- ✗ Operating System<sup>1</sup>
- ✓ Bare-metal (specialized task)

<sup>1</sup> no memory management unit




"The essence of abstraction is preserving information that is relevant in a given context, and forgetting information that is irrelevant in that context." John V. Guttag



[Figure: abstraction hierarchy]




#### Context for execution integrity Threat model

- Read instructions in memory
- Write new instructions in memory
- FIA on instruction memory
- FIA on processor control logic

FIA: Fault Injection Attacks

[Figures: Yuce [12], Laurent [7]]






#### **Security properties**

- → Integrity of Control Flow, Instructions and Control Signals
- → Confidentiality of Instructions





# Instructions

- Sequential execution
- Non-sequential execution







- Sequential execution
- One entry point (first instruction)
- One exit point (last instruction)








# **Control Flow Integrity**

Tamper with:

- PC
- data
- microarchitecture







# **Control Flow Integrity**

**Instruction Integrity** 












#### **Context for execution integrity** Control Flow and Instruction Integrity Bibliography

[Figure: Mechanisms for Control Flow Integrity. Basic blocks (BB) are linked either by masking (mask from the previous BB or from the previous PC) or by a list of the addresses of BB successors (address comparison). Schemes shown: CCFI-CACHE, CONFIDAENT, SOFIA, CIFER. A violation shows up as an invalid instruction (an FIA generates a random instruction at decryption or at unmasking; invalid instruction monitoring) or as BB successors that are not in the list.]

#### Context for execution integrity Control Signal Integrity

## Threat model

- Read instructions in memory
- Write new instructions in memory
- FIA in instruction memory
- FIA in processor control logic

FIA: Fault Injection Attacks





## Context for execution integrity Control Signal Integrity

Program execution in a pipeline

[Figure: pipeline with its data path and control path]

# **Context for execution integrity** State-of-the-art execution integrity

| Name           | Instruction Confidentiality | Control Flow Integrity | Instruction Integrity | Control Signal Integrity | Fine-grained CFI | No clock | No memory overhead |
|----------------|-----------------------------|------------------------|-----------------------|--------------------------|------------------|----------|--------------------|
| INSTR. ENC. [5] | ✓ |   | ✓ |     |   | ✓ | (✓) |
| Confidaent [9]  | ✓ | ✓ | ✓ |     |   |   |     |
| Sofia [4]       | ✓ | ✓ | ✓ |     | ✓ |   |     |
| CCFI-CACHE [3]  |   | ✓ | ✓ |     | ✓ | ✓ |     |
| Cifer [13]      |   | ✓ | ✓ | (✓) |   | ✓ |     |
| Soft-Only [1]   |   | ✓ | ✓ |     |   |   |     |
| SecDec [8]      |   | ✓ | ✓ | (✓) |   |   |     |
| Hapei [6]       | ✓ | ✓ | ✓ |     | ✓ |   |     |
| Scfp [10]       | ✓ | ✓ | ✓ |     |   |   |     |
| GPSA-CSM [11]   |   | ✓ | ✓ |     |   |   |     |
| Mafia [2]       |   | ✓ | ✓ | ✓   |   |   |     |
| This work       | ✓ | ✓ | ✓ | ✓   | ✓ | ✓ |     |

Notes on the Control Signal Integrity column:

- (✓) for Cifer [13] and SecDec [8]: only signals in decode
- ✓ for Mafia [2]: control signal redundancy



## Proposed scheme



- 1 Who am I?
- 2 Context for execution integrity
- 3 Proposed scheme
  - Impact on the state of the art
  - Our mechanism
  - Implementation
  - Need for patches
  - Patch policy
  - Solution flow
  - Software model of control signal propagation
  - cv32e40p deterministic control signals
- 4 Validation and characterization
- 5 Conclusion






#### **Security properties**

- → Integrity of Control Flow, Instructions and Control Signals
- → Confidentiality of Instructions

#### Constraints

- → Zero clock cycle penalty
- → No inserted instruction
- → No recompilation needed

#### Assumptions (microcontroller):

- → No memory cache
- → Cycle-per-instruction does not depend on data
- → Indirect jump destinations are considered known










## **Chained Instruction Encryption with Associated Control Signals**

- Confidentiality of Instructions
- Integrity of Control Flow
- Integrity of Instructions
- Integrity of Control Signals









- Chained Encryption of Instructions (before programming memory)
- On-the-fly Decryption





#### CV32E40P: RISC-V core

- → Embedded system
- 32-bit
- 4-stage
- In-order
- Forwarding





ASCON: cipher suite, which provides Authenticated Encryption with Associated Data

- Winner of CAESAR Authenticated Encryption Lightweight Cryptography (2019)
- Winner of NIST Lightweight Cryptography (2023)  $\Rightarrow$  standardize the ASCON family
- Lightweight (better Throughput per Area than AES [1])
- Highly tested
- Large security margins













#### Proposed scheme Implementation Authenticated Encryption: ASCON

[Figure: ASCON authenticated encryption producing the ciphertext]

Hardware decryption and Software encryption (symmetric)

$\text{Patch}(I_4) = \text{State}(I_1) \oplus \text{State}(I_4)$



"Sequential encryption for sequential instructions"



Chain sequential instr.

### **Patches**

(for non-sequential control transfer)

[Figure: Control Flow Graph]


- Patches stored in external memory
- Patches addressed by Program Counter
  - → No need for custom instructions

 $\Rightarrow$  zero clock cycle overhead





Table: Control transfer instruction characteristics in RISC-V.

| Instruction        | Pseudoinstruction   | Successor addresses |
|--------------------|---------------------|---------------------|
| Direct Jump        | `jal rd, imm`       | pc + imm            |
| Conditional Branch | `b rs1, rs2, imm`   | pc + 4 / pc + imm   |
| Indirect jump      | `jalr rd, rs1, imm` | rs1 + imm           |





#### Table: Patch address of Control transfer instructions.

| Control transfer instruction      | Patch address                  |
|-----------------------------------|--------------------------------|
| Direct Jump                       | $@_{jal} = P_{jal \to dest}$   |
| Conditional Branch Taken          | $@_{br} = P_{br \to dest}$     |
| Conditional Branch Not Taken      | no need for patch              |
| Indirect jump                     | $@_{dest} = P_{jalr \to dest}$ |
| Indirect jump (patch reallocated) | $@_{free} = P_{jalr \to dest}$ |
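
The patch relation and the PC-addressed patch memory described above, as an added toy model in Python (not the author's encryption flow or the hardware): it chain-encrypts a constructed program, builds the patch for one taken branch, and reports where decryption first goes wrong for an illegal jump, a control-signal fault and a flipped memory bit. Assumptions: SHA-256 stands in for the ASCON permutation, the state is 16 bytes, each instruction carries one control-signal byte, there is no pipeline, and `PROGRAM`, `EDGES` and the key are constructed.

```python
import hashlib

STATE_LEN = 16  # toy state size in bytes (assumption; not the real cipher state)


def absorb(state: bytes, word: int, ctrl: int) -> bytes:
    """Toy state update: SHA-256 stand-in, NOT the ASCON permutation."""
    data = state + word.to_bytes(4, "little") + bytes([ctrl])
    return hashlib.sha256(data).digest()[:STATE_LEN]


def keystream(state: bytes) -> int:
    """32-bit mask used to encrypt or decrypt the next instruction word."""
    return int.from_bytes(state[:4], "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_program(init, program):
    """Chain-encrypt in address order, recording the state around each word."""
    state, cipher, before, after = init, {}, {}, {}
    for addr, word, ctrl in program:
        before[addr] = state
        cipher[addr] = word ^ keystream(state)
        state = absorb(state, word, ctrl)  # instruction and control signals feed the chain
        after[addr] = state
    return cipher, before, after


def make_patches(edges, before, after):
    """One patch per taken direct transfer, stored at the address of the jump/branch."""
    return {src: xor(after[src], before[dst]) for src, dst in edges}


def run(init, cipher, patches, ctrl_seen, trace):
    """Decrypt on the fly along the fetched addresses in `trace`."""
    state, prev, out = init, None, []
    for step, addr in enumerate(trace):
        if prev is not None and addr != prev + 4:
            # Non-sequential fetch: XOR in the patch found at the source address
            # (all-zero when no patch exists, so the state stays wrong).
            state = xor(state, patches.get(prev, bytes(STATE_LEN)))
        word = cipher[addr] ^ keystream(state)
        out.append(word)
        state = absorb(state, word, ctrl_seen(step, addr))
        prev = addr
    return out


def first_mismatch(got, expected):
    return next((i for i, (g, e) in enumerate(zip(got, expected)) if g != e), None)


# Constructed sample: (address, opaque 32-bit word, control-signal byte); not a real program.
PROGRAM = [
    (0x828, 0x00000513, 0x18),
    (0x82C, 0x00150513, 0x18),
    (0x830, 0x00A58633, 0x18),
    (0x834, 0x02C50533, 0x03),
    (0x838, 0x40B60633, 0x0C),
    (0x83C, 0xFEB548E3, 0x0D),  # stands for a conditional branch back to 0x82C
    (0x840, 0x00008067, 0x18),
]
EDGES = [(0x83C, 0x82C)]  # taken-branch edge, assumed to come from the CFG
LOOP_TRACE = [0x828, 0x82C, 0x830, 0x834, 0x838, 0x83C,
              0x82C, 0x830, 0x834, 0x838, 0x83C, 0x840]


def demo():
    """Index of the first wrongly decrypted word per scenario (None: all correct)."""
    init = hashlib.sha256(b"constructed demo key").digest()[:STATE_LEN]
    cipher, before, after = encrypt_program(init, PROGRAM)
    patches = make_patches(EDGES, before, after)
    plain = {a: w for a, w, _ in PROGRAM}
    ctrl = {a: c for a, _, c in PROGRAM}
    ok = lambda step, addr: ctrl[addr]
    want = lambda trace: [plain[a] for a in trace]

    res = {"legit": first_mismatch(run(init, cipher, patches, ok, LOOP_TRACE),
                                   want(LOOP_TRACE))}
    # Transfer absent from the CFG: no patch exists for 0x82C -> 0x840.
    bad = [0x828, 0x82C, 0x840]
    res["illegal_jump"] = first_mismatch(run(init, cipher, patches, ok, bad), want(bad))
    # Control-signal fault while step 3 executes: its word is fine, the chain breaks after it.
    faulty = lambda step, addr: ctrl[addr] ^ (0x04 if step == 3 else 0)
    res["ctrl_fault"] = first_mismatch(run(init, cipher, patches, faulty, LOOP_TRACE),
                                       want(LOOP_TRACE))
    # Single bit flipped in instruction memory at 0x830.
    tampered = dict(cipher)
    tampered[0x830] ^= 1 << 7
    res["memory_fault"] = first_mismatch(run(init, tampered, patches, ok, LOOP_TRACE),
                                         want(LOOP_TRACE))
    return res


if __name__ == "__main__":
    print(demo())
```

In this model the state is a function of the address only on legitimate paths, which is why the same patch works on every iteration of the loop and the not-taken branch needs none.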





[Figure: (a) Patch allocation, with a conflict at address 80; (b) Reallocation for jalr patches]



## **Soft** (no need for recompilation):

- 1 Encrypt instructions sequentially
- 2 Build CFG
- 3 Generate patches

Control signal values?

## Hard:

- 1 Patch memory
- 2 ASCON decryption (+ FSM)
- 3 Control Signal routing





## **Proposed scheme** Software model of control signal propagation

- Instructions (machine code)
- Microarchitecture netlist

→ Infer control signal values

Software model of control signal propagation:

- → Encrypt and model signals for sequential executions
- → Generate patches





## **Proposed scheme** Software model of control signal propagation 4-stage pipeline

[Figure: an instruction entering the Decode stage, then the Execute stage]

Origin of the control signals in Decode:

① Extracted ② Decoded ③ Combinational

Deterministic control signals: depend only on instructions (not data)






| cyc | MEM (address) | IF (address) | ID (alu_operator) | EX (alu_operator) | WB (alu_operator) |
|-----|---------------|--------------|-------------------|-------------------|-------------------|
| 0   | 82C           | 828          | 18                | 03                |                   |
| 1   | 830           | 82C          | 0C                | 18                |                   |
| 2   | 834           | 830          | 18                | 0C                |                   |
| 3   | 838           | 834          | 18                | 18                |                   |

- ✓ Stall due to multi-cycle instructions
- Stall due to data dependencies



**Proposed scheme** Software model of control signal propagation Control transfer: adapt patches

#### → Generate patches

✓ Stall/flush due to *jump*, *branch* execution

| cyc | MEM (address) | IF (address) | ID (alu_operator) | EX (alu_operator) | WB (alu_operator) | Event              |
|-----|---------------|--------------|-------------------|-------------------|-------------------|--------------------|
| 0   | 82C           | 828          | 18                | 03                |                   |                    |
| 1   | 830           | 82C          | 0C                | 18                |                   |                    |
| 2   | 834           | 830          | 18                | 0C                |                   |                    |
| 3   | 838           | 834          | 18                | 18                |                   |                    |
| 4   | 83C           | 838          | 18                | 18                |                   | branch fetched     |
| 5   | 840           | 83C          | 0D                | 18                |                   | branch decoded     |
| 6   | 82C           | 840          | 18                | 0D                |                   | branch taken       |
| 7   | 830           | 82C          | 18                | 03                |                   | Patch              |
| 8   | 834           | 830          | 18                | 03                |                   | Patch (extra bits) |


| Origin          | Decode       | Execute      | Write-back | Examples     |
|-----------------|--------------|--------------|------------|--------------|
| ① Extracted     | 25 (47 bits) | 12 (23 bits) | 4 (6 bits) | alu_operator |
| ② Decoded       | 4 (24 bits)  | 2 (12 bits)  | 1 (6 bits) | rs1, rs2, rd |
| ③ Combinational | 2 (64 bits)  | 1 (1 bit)    |            | imm          |

Table: Deterministic Control Signals supported.





### Validation and characterization

- 1 Who am I?
- 2 Context for execution integrity
- 3 Proposed scheme
- 4 Validation and characterization
  - core-v-verif-fpga environment
  - Cycle-accurate simulations
  - FPGA
  - FPGA: Cross domain clocking
  - FPGA
  - Experimental validation
  - Probability of no-detection






#### Validation and characterization core-v-verif-fpga environment

Makefile based:

- Compilation (*Embench*) and software encryption flow
- **Cycle-accurate** simulation and verification (*Verilator*)
- FPGA design flow (*Vivado*)
- **Timing** simulation and verification (*Modelsim*)
- Execution and validation on FPGA board
- **FIA**: on FPGA (memory only) and on simulations





#### Validation and characterization Cycle-accurate simulations

- ✓ Valid execution for 23/25 programs
- ✗ Limitation of 12 successors of jalr for 2/25 programs ⇒ ✓ Solved with NOPs (code and clock cycle overhead < 0.06%)

At each cycle: PC and instruction in the fetch are compared with those of an unprotected simulation

| PROGRAM_NAME | ENCRYPT | MODE  | TEST    | REASON END. | SIM_TIME | TIMESTAMP                |
|--------------|---------|-------|---------|-------------|----------|--------------------------|
| crc32        | instr   | VERIF | SUCCESS | VALID EXEC  | 1149080  | Fri Sep 20 11:32:33 2024 |
| cubic        | instr   | VERIF | SUCCESS | VALID EXEC  | 1380282  | Fri Sep 20 11:32:40 2024 |
| dhrystone    | instr   | VERIF | SUCCESS | VALID EXEC  | 611550   | Fri Sep 20 11:32:43 2024 |
| edn          | instr   | VERIF | SUCCESS | VALID EXEC  | 642402   | Fri Sep 20 11:32:46 2024 |
| fibonacci    | instr   | VERIF | SUCCESS | VALID EXEC  | 187694   | Fri Sep 20 11:32:47 2024 |
| huffbench    | instr   | VERIF | SUCCESS | VALID EXEC  | 904196   | Fri Sep 20 11:32:51 2024 |
| matmult-int  | instr   | VERIF | SUCCESS | VALID EXEC  | 839262   | Fri Sep 20 11:32:54 2024 |
| md5sum       | instr   | VERIF | SUCCESS | VALID EXEC  | 681136   | Fri Sep 20 11:32:57 2024 |
| minver       | instr   | VERIF | SUCCESS | VALID EXEC  | 785076   | Fri Sep 20 11:33:00 2024 |
| mont64       | instr   | VERIF | SUCCESS | VALID EXEC  | 515094   | Fri Sep 20 11:33:03 2024 |
| …            |         |       |         |             |          |                          |
| tarfind      | instr   | VERIF | SUCCESS | VALID EXEC  | 717312   | Fri Sep 20 11:33:51 2024 |
| ud           | instr   | VERIF | SUCCESS | VALID EXEC  | 588562   | Fri Sep 20 11:33:54 2024 |
| wikisort     | instr   | VERIF | SUCCESS | VALID EXEC  | 3579694  | Fri Sep 20 11:34:06 2024 |



→ Goals: validation, and search for the maximal frequency and utilization

- core-v-mcu (F=10MHz) → Homemade core-v-verif-fpga
- Vivado flow: Nexys Video (Artix 7)










#### Validation and characterization FPGA

[Figure: # LUT versus frequency (MHz) for the Unprotected, 1 PU, 2 PUs, 3 PUs and 6 PUs versions]

| Versions    | Max. Freq. (MHz) | # LUT         | # FF          |
|-------------|------------------|---------------|---------------|
| Unprotected | 67.45            | 4298          | 2064          |
| 6 PUs       | 47.5 (-29.6%)    | 7218 (+67.9%) | 3402 (+64.8%) |
| 3 PUs       | 34.0 (-49.6%)    | 6274 (+46.0%) | 3733 (+80.9%) |
| 2 PUs       | 30.0 (-55.5%)    | 5904 (+37.4%) | 3733 (+80.9%) |
| 1 PU        | 19.0 (-71.8%)    | 5541 (+28.9%) | 3733 (+80.9%) |






| Name            | Memory | Cycles |
|-----------------|--------|--------|
| (Ascon 320bits) | 1047%  | 0%     |

#### **Configuration of control signals:**

- 5 bits from execute
- 5 bits from write-back






| Name            | Memory (%) | Cycles (%) | Frequency (%) | Utilization (%) |
|-----------------|------------|------------|---------------|-----------------|
| Instr. Enc.     | 2 - 38     | 129 - 293* | 0             | 26 Alm          |
| Confidaent      | 116 - 218* | 151 - 276* |               |                 |
| Sofia           | 110 - 437  | 36 - 438   | -23           | 12 LUT          |
| CCFI-CACHE      | 118 - 160  | 2 - 63     |               | 11 LUT 9 FF     |
| CIFER           | 16 - 68    | 0          | 0             | 35 - 55 Slice   |
| Soft-Only       | 9 - 3550*  | 92 - 3100* | 0             | null            |
| SecDec          | 1 - 2      | 1 - 2      |               | 4 - 17 GE*      |
| Hapei           | 123 - 507* |            |               |                 |
| SCFP            | 15 - 26    | 4 - 15     |               | 47 GE           |
| GPSA-CSM        | 88 - 118*  | 2 - 71*    |               | 6 GE            |
| Mafia           | 7 - 55     | 3 - 44     |               | 7 - 24 GE       |
| This work       |            |            |               |                 |
| (Ascon 320bits) | 1047       | 0          | -30           | 29 LUT 81 FF    |
| (64bits)        | 247        | 0          |               |                 |



### Validation and characterization Experimental validation





### Validation and characterization Probability of no-detection

### How many random instructions before detection?





# Conclusion








- Confidentiality of Instructions
- ✓ Integrity of Control Flow
- Integrity of Instructions
- Integrity of Deterministic Control Signals
- Zero clock cycle penalty
- No cache
- Fetch instruction 1 cycle





github.com/theophile-gousselot/execution_integrity_down_to_control_signals



- Conception
- ✓ Implementation → cv32e40p
- ✓ Validation and Characterization
- ✓ Submission: HOST 2025
- ✓ Open-source: Github










### In progress:

- Reduce patch size to lower the memory overhead
- Hardware demo
- → Manuscript






# Bibliography

- [1] François Bonnal, Vincent Dupaquis, Olivier Potin, and Jean-Max Dutertre. Software-only control-flow integrity against fault injection attacks. In 2023 26th Euromicro Conference on Digital System Design (DSD), pages 269-277. IEEE, 2023.
- [2] Thomas Chamelot, Damien Couroussé, and Karine Heydemann. Mafia: Protecting the microarchitecture of embedded systems against fault injection attacks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2023.
- [3] Jean-Luc Danger, Adrien Facon, Sylvain Guilley, Karine Heydemann, Ulrich Kühne, Abdelmalek Si Merabet, and Michaël Timbert. Ccfi-cache: A transparent and flexible hardware protection for code and control-flow integrity. In 2018 21st Euromicro Conference on Digital System Design (DSD), pages 529-536. IEEE, 2018.
- [4] Ruan De Clercq, Johannes Götzfried, David Übler, Pieter Maene, and Ingrid Verbauwhede. Sofia: Software and control flow integrity architecture. Computers & Security, 68:16-35, 2017.
- [5] Thomas Hiscock, Olivier Savry, and Louis Goubin. Lightweight instruction-level encryption for embedded processors using stream ciphers. Microprocessors and Microsystems, 64:43-52, 2019.
- [6] Ronan Lashermes, Hélène Le Bouder, and Gaël Thomas. Hardware-assisted program execution integrity: Hapei. In Secure IT Systems: 23rd Nordic Conference, NordSec 2018, Oslo, Norway, November 28-30, 2018, Proceedings 23, pages 405-420. Springer, 2018.
- [7] Johan Laurent, Vincent Beroulle, Christophe Deleuze, Florian Pebay-Peyroula, and Athanasios Papadimitriou. Cross-layer analysis of software fault models and countermeasures against hardware fault attacks in a RISC-V processor. Microprocessors and Microsystems, 71:102862, 2019.
- [8] Gaëtan Leplus, Olivier Savry, and Lilian Bossuet. Secdec: Secure decode stage thanks to masking of instructions with the generated signals. In 2022 25th Euromicro Conference on Digital System Design (DSD), pages 556-563. IEEE, 2022.
- [9] Olivier Savry, Mustapha El-Majihi, and Thomas Hiscock. Confidaent: Control flow protection with instruction and data authenticated encryption. In 2020 23rd Euromicro Conference on Digital System Design (DSD), pages 246-253. IEEE, 2020.
- [10] Mario Werner, Thomas Unterluggauer, David Schaffenrath, and Stefan Mangard. Sponge-based control-flow protection for iot devices. In 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pages 214-226. IEEE, 2018.
- [11] Mario Werner, Erich Wenger, and Stefan Mangard. Protecting the control flow of embedded processors against fault attacks. In Smart Card Research and Advanced Applications: 14th International Conference, CARDIS 2015, Bochum, Germany, November 4-6, 2015, Revised Selected Papers 14, pages 161-176. Springer, 2016.
- [12] Bilgiday Yuce, Patrick Schaumont, and Marc Witteman. Fault attacks on secure embedded software: Threats, design, and evaluation. Journal of Hardware and Systems Security, 2:111-130, 2018.
- [13] Anthony Zgheib, Olivier Potin, Jean-Baptiste Rigaud, and Jean-Max Dutertre. Cifer: Code integrity and control flow verification for programs executed on a risc-v core. In 2023 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 100-110. IEEE, 2023.





## **Extra slides**






[Figure: program memory holding the ciphered instructions (read and write access), the PC, and the pipeline stages Fetch, Decrypt, Decode, Execute and Write Back, with three fault injection markers]

- No access to plain instructions
- No access to decryption internal state



### **OpenHW group:**

- cv32e40p: 4-stage core, rv32imc
- core-v-verif: RTL simulation
- core-v-mcu: microcontroller, FPGA




# **Chained Instruction Encryption with Associated Control Signals**



Chained Encryption of Instructions (before programming memory)
On-the-fly Decryption





### ASCON: cipher suite, which provides Authenticated Encryption with Associated Data






- Winner of CAESAR Authenticated Encryption Lightweight Cryptography (2019)
- Winner of NIST Lightweight Cryptography (2023)  $\Rightarrow$  standardize the ASCON family
- Lightweight (better Throughput per Area than AES [1])
- Highly tested
- Large security margins




**ASCON:** Authenticated Encryption provided from Tag (T)





### ASCON: Use-case of restricted set of valid data








ASCON: Authenticated Encryption provided from restricted set of valid instructions
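
A minimal model of the chained encryption and of detection through the restricted set of valid instructions, added here as an example and not taken from the talk or its repository. Assumptions: SHA-256 stands in for the ASCON permutation, `control_signals` and the opcode-only validity check are simplified stand-ins, and the key and the straight-line program are constructed.

```python
import hashlib

KEY = b"constructed demo key"  # constructed for this example
# Major opcodes of the 32-bit RV32IM encodings (compressed forms left out of the model)
VALID_OPCODES = {0x03, 0x0F, 0x13, 0x17, 0x23, 0x33, 0x37, 0x63, 0x67, 0x6F, 0x73}

def is_valid(instr):
    """Simplified decode check: the word must carry an existing major opcode."""
    return (instr & 0x7F) in VALID_OPCODES

def control_signals(instr):
    """Assumed stand-in for the 10 control bits (5 execute + 5 write-back)."""
    return ((instr >> 2) & 0x1F) | (((instr >> 12) & 0x7) << 5) | ((instr >> 30) << 8)

def absorb(state, instr, ctrl):
    """Chain the state on the plain instruction and its control signals."""
    data = instr.to_bytes(4, "little") + ctrl.to_bytes(2, "little")
    return hashlib.sha256(state + data).digest()

def encrypt(program):
    """Offline step, done before programming the memory."""
    state, cipher = hashlib.sha256(KEY).digest(), []
    for instr in program:
        # the first 4 state bytes act as the keystream word
        cipher.append(instr ^ int.from_bytes(state[:4], "little"))
        state = absorb(state, instr, control_signals(instr))
    return cipher

def execute(cipher, fetch_fault=None, ctrl_fault=None):
    """On-the-fly decryption; a fault is an (index, xor_mask) pair.
    Returns the index of the first invalid decrypted word, or None."""
    state = hashlib.sha256(KEY).digest()
    for i, word in enumerate(cipher):
        if fetch_fault and fetch_fault[0] == i:
            word ^= fetch_fault[1]
        instr = word ^ int.from_bytes(state[:4], "little")
        if not is_valid(instr):
            return i
        ctrl = control_signals(instr)
        if ctrl_fault and ctrl_fault[0] == i:
            ctrl ^= ctrl_fault[1]
        state = absorb(state, instr, ctrl)
    return None

PROGRAM = [0x00108093] * 64   # constructed input: 64 x "addi x1, x1, 1"
CIPHER = encrypt(PROGRAM)

def detection_latencies():
    """Per fault position: instructions run between a 1-bit immediate flip and detection."""
    return [execute(CIPHER, fetch_fault=(i, 1 << 20)) - i for i in range(32)]
```

In this model a pseudo-random word passes the check with probability 11/128, so the chance that n consecutive post-fault words all go undetected is (11/128)^n; the real valid fraction depends on the full decoder and is not modelled here.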










Every state can reach "wait Control Transfer" except "jump in ID (stall)".







## TABLE A.1 – Cryptographic primitives providing a given service

| Service         |             | Symmetric cryptography                                        | Asymmetric cryptography                             |
|-----------------|-------------|---------------------------------------------------------------|-----------------------------------------------------|
| Confidentiality |             | Conventional block (A.1.1.1) or stream (A.1.1.2) encryption   | Public-key encryption (A.2.1); key exchange (A.2.3) |
| Integrity       |             | Message authentication code (A.1.3)                           |                                                     |
| Authentication  | of data     | Message authentication code (A.1.3)                           | Digital signature (A.2.2)                           |
| Authentication  | of entities | Challenge-response (A.1.4)                                    |                                                     |
| Non-repudiation |             | No primitive                                                  |                                                     |






