Understanding and fighting fault injections with programming languages

Sébastien MICHELLAND (UGA/LCIS, Valence) SemSécuÉlec seminar — September 27th, 2024

FRANCE DE RECHERCHE CYBERSECURITE



agence nationale de la recherche





Context and plan

Modeling faults

Rising in abstractio

Fetch skips

The countermeasure

Implementation

Conclusion

# **O** Context and plan

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 1/31

Context and plan ●000 Modeling faults

Rising in abstrac

Fetch ski

The countermeasure

Implementation

Conclusior

#### Who are we ?



Laboratoire de Conception et d'Intégration des Systèmes



- ▶ Public research lab: Université Grenoble Alpes, in Valence.
- ▶ 3 teams (60+ researchers): computer science, automatics, electronics.

Rising in abstraction

hskips The co ooooo

The countermeasure

Implementation

Conclusion

#### CTSYS team

#### Safety and security of embedded and distributed systems



Fetch skips

#### Your (second) speaker of the day



Sébastien Michelland

- ▶ Master's in theoretical C.S.; languages, compilers, formal proofs
- ... also a lot of embedded (kernel) programming
- ▶ Now 3rd-year Ph.D student at LCIS (with L. Gonnord and C. Deleuze)

#### delighted to be here e

Modeling faults

Rising in abstraction

Fetch skips

#### Outline

With a paper as running example [MDG24]: (https://hal.science/hal-04438994)



#### From low-level fault modeling (of a pipeline attack) to a proven hardening scheme

sebastien michelland@lcis.grenobleinp.fr UGA Grenoble INP LCIS Valence France

Christophe Deleuze christophe.deleuze@grenoble-inp.fr UGA. Grenoble INP. LCIS Valence France

#### Abstract

Fault attacks present unique safety and security challenges that require dedicated countermeasures, even for bug-free programs. Models of these complex attacks are made workable by approximating their effects to a suitable level of abstraction. The common practice of targeting the Instruction Set Architecture (ISA) level isn't ideal because it discards important micro-architectural information, leading to weaker security marantees. Conversely, including microarchitectural details makes countermeasures harder to model and reason about, creating a new challenge in validating and trusting protections.

We show that a semantic approach to modeling faults makes micro-architectural models workable, and enables nrecise cooperation between software and hardware in the design of countermeasures. We demonstrate the approach by designing and implementing a compiler/hardware countermeasure, which protects against a state-of-the-art pipeline fetch attack that generalizes multi-fault instruction skips. Crucially, we provide a formal security proof that guarantees faults are detected by the end of every basic block. This result shows that carefully embracing the complexity of lowloud automa anablas formanang int comprisity of the

laure connord@grenoble-inp.fr UGA. Grenoble INP. LCIS Valence France

faults' effects to a desired level of abstraction. These span from hit flins in RTL (Register Transfer Level) latches [Tollec et al. 2022] to failures in nineline forwarding [Laurent 2020] to committed ISA perinters [Barthe et al. 2014] and branch inversion directly in source code [Potet et al. 2014]. Countermeasures are then based on these models, so in a sense secure programs resist fault models rather than faults. The clear trade-off is one of accuracy versus simplicity: low-level descriptions are more true to practical attacks, but high-level approximations make it practical (in many cases possible) to reason about and protect against them

In practice, most existing works study faults at the ISA level, based on mis-executions of assembler programs (instruction skips, wrong jumps, corrupted registers, etc. [Höller et al. 2015]), with countermeasures as transformations of assembler programs. This is a natural choice as assembler is the lowest software abstraction, and dealing with software has henefits such as ease of deployment, hoard, independence compiler automation, and the ability to protect only critical sections of programs (compared to fixed costs in e.g. die surface). Hardware protections [Lashermes et al. 2018] are less common, but better equipped to deal with local and remote side-channel attacks [Tillich et al. 2007], which share many

#### Context

- "Fault attacks" are super complicated
- Must approximate with "fault models"
- By comparison, software is pure math

#### The difficulty

- Eaults break software abstractions
- Must work around existing technology

#### **Flements of solutions**

- Modding semantics for security
- Software/hardware collaborations

 $\underset{0000}{\text{Context and plan}}$ 

Modeling faults

Rising in abstraction

Fetch skips

The countermeasure

Implementation

Conclusion



### Faults and fault models

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 5/31



#### Fault injections

Fault: abnormal condition leading to incorrect behavior

```
2+2 \rightarrow briefly short-circuit the right pins \rightarrow 5
```

Fault injection: creating a fault on purpose



Electromagnetic fault injection [Sol+21]

Power/clock glitches, lasers, EM pulses...

**A** Challenges

- Can hardly predict outcomes
- Some consistent behaviors
- Many very rare and very weird behaviors



#### Fault models

Fault model: approximate description of common fault behaviors

Examples:

Invert an if()
 Corrupt program values
 Skip instructions
 Cancel pipeline forwarding [Lau20]
 Cancel pipeline forwarding [Lau20]
 Micro-arch

#### Inherent tension

Fault models are always a compromise between accuracy and simplicity.

# So how bad is it for security? VERY.

Well-known attack on RSA [Bar+06]:



General vibe: by default you assume that everything will break.

It won't always, but the reasons why are subtle.

 $\underset{0000}{\text{Context and plan}}$ 

Modeling faults

Rising in abstraction

Fetch skips

The countermeasure

Implementation

Conclusion



## **Rising in abstraction**

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 8/31



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

```
Compile with LLVM -01 for RISC-V:
```

mac: mul a1, a2, a1 add a0, a0, a1 ret



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with LLVM -01 for RISC-V:



Equivalent C code if we...

Skip mul: return a + b



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with LLVM -01 for RISC-V:



- Skip mul: return a + b
- Skip add: return a



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with gcc -01 for SuperH:

mac: mul.l r6, r5 sts macl, r0 rts add r4, r0



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with gcc -01 for SuperH:

mac:



Equivalent C code if we...

Skip mul.1: return a + <old\_macl>



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with gcc -01 for SuperH:



- Skip mul.1: return a + <old\_macl>
- Skip sts: return a + <old\_r0>



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with gcc -01 for SuperH:

| mac:  |                     |
|-------|---------------------|
| mul.l | r6, r5              |
| sts   | macl, r0            |
| rts   |                     |
| add   | <del>- r4, r0</del> |

- Skip mul.1: return a + <old\_macl>
- Skip sts: return a + <old\_r0>
- Skip add: return b \* c



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compile with gcc -01 for SuperH:

| mac:  |                     |
|-------|---------------------|
| mul.l | r6, r5              |
| sts   | macl, r0            |
| rts   |                     |
| add   | <del>- r4, r0</del> |

```
Normal C
```

- Skip mul.1: return a + <old\_macl>
- Skip sts: return a + <old\_r0>
- Skip add: return b \* c



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

```
Compile with gcc -01 for SuperH:
```

| mac:  |                     |
|-------|---------------------|
| mul.l | r6, r5              |
| sts   | macl, r0            |
| rts   |                     |
| add   | <del>- r4, r0</del> |

Normal C compileNormal asm  $\xrightarrow{fault}$  Faulted asm Equivalent C code if we...

- Skip mul.1: return a + <old\_macl>
- Skip sts: return a + <old\_r0>
- Skip add: return b \* c



Fault model: instruction skip

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

```
Compile with gcc -01 for SuperH:
```

| mac:  |                     |
|-------|---------------------|
| mul.l | r6, r5              |
| sts   | macl, r0            |
| rts   |                     |
| add   | <del>- r4, r0</del> |



```
Equivalent C code if we...
```

- Skip mul.1: return a + <old\_macl>
- Skip sts: return a + <old\_r0>
- Skip add: return b \* c

Context and plan Modeling faults Rising in abstraction Fetch skips The 0000 0000 0000 0000 0000

The countermeasure

Implementation

Conclusion

#### At the core of the software stack: abstractions

Why is "return a + <old\_r0>" not a valid C program?

 Context and plan
 Modeling faults
 Rising in abstraction
 Fetch skips
 The countermeasure
 Implementation

 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 0000
 <

#### At the core of the software stack: abstractions

Why is "return a + <old\_r0>" not a valid C program?

Abstraction: act of simplifying notions by hiding irrelevant details

- 1. Abstraction hides system details from you
- 2. Abstraction controls these details for you

Conclusion

#### At the core of the software stack: abstractions

Modeling faults

Why is "return a + <old\_r0>" not a valid C program?

ഫെറ്ററ

Abstraction: act of simplifying notions by hiding irrelevant details

Rising in abstraction

Fetch skips

- 1. Abstraction hides system details from you
- 2. Abstraction controls these details for you
- e.g. assembly registers become integer variables in C
  - C allocates variables to registers/memory, you can't choose
  - C variables can (almost) never be used uninitialized

Context and plan

Modeling faults

Context and plan

Why is "return a + <old\_r0>" not a valid C program?

ഫെറ്ററ

Abstraction: act of simplifying notions by hiding irrelevant details

Rising in abstraction

- 1. Abstraction hides system details from you
- 2. Abstraction controls these details for you
- e.g. assembly registers become integer variables in C
  - C allocates variables to registers/memory, you can't choose
  - C variables can (almost) never be used uninitialized

#### Fundamental problem

C only describes *some* CPU behaviors and "return a +  $<old_r0>$ " isn't one of them.

Fetch skips

Reversing abstraction descent is *approximate* 

Rising in abstraction

Modeling faults

Coverage (fictional)



Context and plan

 Context and plan
 Modeling faults
 Rising in abstraction
 Fetch skips
 The countermediation

 Reversing abstraction descent is approximate

#### Coverage (fictional)

| C source code     |                        |      |
|-------------------|------------------------|------|
|                   |                        |      |
| Many compiler IRs | Skip an IR instruction | 85%  |
|                   | ↑                      |      |
| ISA/Assembly      | Skip an instruction    | 100% |

Context and plan Modeling faults Rising in abstraction Fetch skips The countermeasure Implementa 0000 0000 0000 0000 0000 0000

#### Reversing abstraction descent is *approximate*

Coverage (fictional)

| C source code     | Skip a C statement     | 10% 🙏 |
|-------------------|------------------------|-------|
|                   | ↑                      |       |
| Many compiler IRs | Skip an IR instruction | 85%   |
|                   | ↑                      |       |
| ISA/Assembly      | Skip an instruction    | 100%  |

| <b>Context and plan</b> | <b>Modeling faults</b><br>000 | Rising in abstraction<br>00●000 | Fetch skips<br>0000 | The countermeasure | Implementatio | n Conclusion |
|-------------------------|-------------------------------|---------------------------------|---------------------|--------------------|---------------|--------------|
| Reversing               | abstraction of                | descent is app                  | roximate            |                    |               |              |
|                         |                               |                                 |                     | Coverage (         | fictional)    |              |
|                         | C source cod                  |                                 | C statement         | 10%                | <b>A</b>      |              |
| Ma                      | ny compiler IR                |                                 | IR instructio       | n 859              | %             |              |
|                         | ISA/Assembly                  | y Skip an                       | instruction         | 100                | % (sc         | oftware)     |
| Mie                     | cro-architectur               | e                               |                     |                    | (ha           | rdware)      |

Gates/RTL

#### Electrical signals

SemSécuÉlec Seminar (Rennes, 2024-09-27)

| <b>Context and plan</b><br>0000 | Modeling faults | Rising in abstraction | Fetch skips<br>0000 | The countermeasure | Implementation | Conclusio<br>00 |
|---------------------------------|-----------------|-----------------------|---------------------|--------------------|----------------|-----------------|
| Reversing                       | abstraction     | descent is <i>app</i> | roximate            |                    |                |                 |
|                                 |                 |                       |                     | Coverage           | (fictional)    |                 |
|                                 | C source cod    | -                     | C statement         | 10%                | ó 🔔            |                 |
| Ma                              | ny compiler IR  | ۰.<br>۱               | IR instructio       | n 85               | %              |                 |
|                                 | ISA/Assembl     | y Skip an             | instruction         | 100                | )% (soft       | ware)           |
| Mi                              | cro-architectur | e                     |                     |                    | (hard          | ware)           |
|                                 | Gates/RT        | L                     |                     |                    |                |                 |
|                                 |                 |                       |                     |                    |                |                 |

Electrical signals

Glitch clock cycle

SemSécuÉlec Seminar (Rennes, 2024-09-27)

| 0000        | 000                | 000000                | 0000          | 00000    | 0000        | 00       |
|-------------|--------------------|-----------------------|---------------|----------|-------------|----------|
| Reversing a | abstraction of     | descent is <i>app</i> | oroximate     |          |             |          |
|             |                    |                       |               | Coverage | (fictional) |          |
|             | C source cod       |                       | C statement   | 10%      | 6 🔔         |          |
| Mai         | ny compiler IR<br> | ۰.<br>۱               | IR instructio | on 85    | 5%          |          |
|             | ISA/Assembly       | y Skip an             | instruction   | 10       | 0% (s       | oftware) |
| Mic         | cro-architectur    | e                     |               |          | (ha         | ardware) |
|             | Gates/RTI          | - Fail to<br>∱        | latch in time |          |             |          |
| E           | lectrical signal   | s Glitch o            | clock cycle   |          |             |          |

Rising in abstraction

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Context and plan

Modeling faults

| 0000  | 000                 | 000000  | 0000                       | 00000 | 0000                          | 00         |
|-------|---------------------|---------|----------------------------|-------|-------------------------------|------------|
| Rever | sing abstraction of | descent | is approximate             |       |                               |            |
|       |                     |         |                            | Co    | overage <mark>(fiction</mark> | al)        |
|       | C source cod        |         | Skip a C statement<br>↑    |       | 10% 🔔                         |            |
|       | Many compiler IR    |         | Skip an IR instructio<br>↑ | n     | 85%                           |            |
|       | ISA/Assembly        | y       | Skip an instruction        |       | 100%                          | (software) |
|       | Micro-architectur   | е       | Skip memory fetch<br>↑     |       |                               | (hardware) |
|       | Gates/RTI           | _       | Fail to latch in time<br>↑ |       |                               |            |
|       | Electrical signal   | S       | Glitch clock cycle         |       |                               |            |
|       |                     |         |                            |       |                               |            |

Rising in abstraction

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Context and plan

The countermeasure

Conclusion

#### Reversing abstraction descent is *approximate*

Coverage (fictional)

| Skip a C statement     | 3%? 🚺                                                                                                                                                                                    |
|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ↑                      |                                                                                                                                                                                          |
| Skip an IR instruction | 25%?                                                                                                                                                                                     |
| ↑                      |                                                                                                                                                                                          |
| Skip an instruction    | 30%?                                                                                                                                                                                     |
| ↑                      |                                                                                                                                                                                          |
| Skip memory fetch      | 50%?                                                                                                                                                                                     |
| ↑                      |                                                                                                                                                                                          |
| Fail to latch in time  | 85%?                                                                                                                                                                                     |
| ↑                      |                                                                                                                                                                                          |
| Glitch clock cycle     | 100%                                                                                                                                                                                     |
|                        | <ul> <li>↑</li> <li>Skip an IR instruction</li> <li>↑</li> <li>Skip an instruction</li> <li>↑</li> <li>Skip memory fetch</li> <li>↑</li> <li>Fail to latch in time</li> <li>↑</li> </ul> |

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 11/31

#### Morality: the cost of rising in abstraction

Rising in abstraction is difficult and approximate.

Hence the simplicity/accuracy compromise for fault models

Approximating undermines security guarantees:

 Software protections for models at assembly level bypassed with micro-arch abuse. [Yuc+16]

#### Key target

We wish for models and countermeasures that *minimize* abstraction lifts.

#### Language semantics to the rescue

C source code ... Many compiler IRs ... ISA/Assembly

Micro-architecture

Gates/RTL

#### Electrical signals

SemSécuÉlec Seminar (Rennes, 2024-09-27)

(software) (hardware)



#### Language semantics to the rescue





(software)

(hardware)

Behavior defined by physical objects and physical equations

#### SemSécuÉlec Seminar (Rennes, 2024-09-27)

Micro-architecture

**Electrical signals** 

Gates/RTL



SemSécuÉlec Seminar (Rennes, 2024-09-27)





# In an ideal world... 🌈

We'd love to:

- 1. Stop fault models' approximations at assembly level or lower
- 2. Let software's math handle the complexity of generating secure code



# In an ideal world... 🌈

#### We'd love to:

- 1. Stop fault models' approximations at assembly level or lower
- 2. Let software's math handle the complexity of generating secure code

#### In practice, still:

- ► Theoretical foundations for secure code generation not yet complete
- The math works on C and not much lower
- Older tech (languages/compilers) is not helping

Context and plan

Modeling faults

Rising in abstraction

Fetch skips

The countermeasure

Implementation

Conclusion



Fetch skips

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 14/31

# What the paper's about

#### Study a low-level fault model

- "Fetch skips", more accurate than instruction skips
- Design a proven countermeasure, aware of low-level behaviors
  - Implemented in LLVM/Id. tested in QEMU
- Based on compiler/hardware collaboration

Novelties?

- NEW Countermeasure to low-level model.
- Semantic model for proof. NEW
- Multi-step hardening with compiler and linker. NEW



Context and planModeling faultsRising in abstractionFetch skipsThe countermeasureImplementationConclusion0000000000000000000000000000

## Mechanisms of a low-level fault model: *fetch skips*.

| c.addi sp,sp,−16     | c.sw ra,12(sp)                                         |  |  |  |  |
|----------------------|--------------------------------------------------------|--|--|--|--|
| call f               | (call <i>cont.)</i>                                    |  |  |  |  |
|                      |                                                        |  |  |  |  |
| c.addi a0,a0,1       | lw ra,12(sp)                                           |  |  |  |  |
| (lw cont.)           | addi sp,sp,16                                          |  |  |  |  |
| (addi <i>cont.</i> ) | c.ret                                                  |  |  |  |  |
| ,                    |                                                        |  |  |  |  |
| Aligned              | Unaligned                                              |  |  |  |  |
|                      | call f<br>c.addi a0,a0,1<br>(lw cont.)<br>(addi cont.) |  |  |  |  |

int g(int x) {
 return f(x) + 1;

}

16-bit instructions Aligned 32-bit instructions Unaligned 32-bit instructions 

# Mechanisms of a low-level fault model: *fetch skips*.



#### Microarchitectural-level

- Skip 32 bits: Skip a full row.
- Skip and repeat 32 bits: Replace a row with predecessor.



Found by Alshaer et al. [Als+22]

| g:    | c.addi sp,sp,−16     | c.sw ra,12(sp) |  |  |
|-------|----------------------|----------------|--|--|
| S32   | S32 call f (call con |                |  |  |
|       |                      |                |  |  |
| g+8:  | c.addi a0,a0,1       | lw ra,12(sp)   |  |  |
| g+12: | (lw cont.)           | addi sp,sp,16  |  |  |
| g+16: | (addi <i>cont.</i> ) | c.ret          |  |  |

- Skip one instruction
- Skip two instructions
- Corrupt parameters
- Craft a new instruction
- ► Craft multiple instructions (!)

| S32   | <del>c.addi sp, sp, -16</del> | <del>c.sw ra,12(sp)</del> |
|-------|-------------------------------|---------------------------|
| g+4:  | call f                        | (call cont.)              |
|       |                               |                           |
| g+8:  | c.addi a0,a0,1                | lw ra,12(sp)              |
| g+12: | (lw cont.)                    | addi sp,sp,16             |
| g+16: | (addi <i>cont.</i> )          | c.ret                     |

- Skip one instruction
- Skip two instructions
- Corrupt parameters
- Craft a new instruction
- ► Craft multiple instructions (!)

| g:    | c.addi sp,sp,−16      | c.sw ra,12(sp)             |
|-------|-----------------------|----------------------------|
| g+4:  | g+4: call f (call     |                            |
|       |                       |                            |
| g+8:  | c.addi a0,a0,1        | lw ra,12(sp)               |
| S32   | <del>(lw cont.)</del> | <del>addi sp, sp, 16</del> |
| g+16: | (addi <i>cont.</i> )  | c.ret                      |
|       |                       |                            |

→ lw ra, <mark>16</mark>(sp)

- ► Skip one instruction
- Skip two instructions
- Corrupt parameters
- Craft a new instruction
- ► Craft multiple instructions (!)

| g:   | c.addi sp,sp,−16 | c.sw ra,12(sp)       |
|------|------------------|----------------------|
| g+4: | call f           | (call <i>cont.</i> ) |



- ► Skip one instruction
- Skip two instructions
- Corrupt parameters
- Craft a new instruction
- ► Craft multiple instructions (!)

| g:   | c.addi sp,sp,-16 | c.sw ra,12(sp)       |
|------|------------------|----------------------|
| g+4: | call f           | (call <i>cont.</i> ) |



- ► Skip one instruction
- Skip two instructions
- Corrupt parameters
- Craft a new instruction
- Craft multiple instructions (!)

# We need to talk about security ... what is it?!

The countermeasure should make the program "secure".

#### Unresolved open problem

There is no single definition of security. It depends on the application.

Common examples: we may need that, in the event of a fault...

- The program operates as if not faulted
- ▶ The attack is detected and reported
- The program does not leak passwords

► ...

What security property can we achieve here?

- We inherently can't prevent the attack altogether.
- Ideally: recovery, clean detection
- Here: denial of exploitation

#### Fetch skips hardening property

After a fetch skip, the program will stop/crash before the end of the current block.

Conclusion

What security property can we achieve here?

- We inherently can't prevent the attack altogether. 44
  - Ideally: recovery, clean detection
- Here: denial of exploitation

#### Fetch skips hardening property

After a fetch skip, the program will stop/crash before the end of the current block.

#### How?

- 1. Hardware will compute a checksum of each executed block.
- 2. Software will compare with expected value.

Context and plan

Modeling faults

Rising in abstractio

Fetch skips

The countermeasure

Implementation

Conclusion



# The countermeasure

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 18/31

# The countermeasure: <u>software</u> / <u>hardware</u> opcode checksums.

Modeling faults

Original block, except jump

The countermeasure



Context and plan

The countermeasure: <u>software</u> / <u>hardware</u> opcode checksums.

Modeling faults

| g:    | c.addi sp,sp,−16 | c.sw ra,12(sp)          | ] Original block, except jump                                       |
|-------|------------------|-------------------------|---------------------------------------------------------------------|
| g+4:  | ccscall NEW      | (ccscall <i>cont.</i> ) | Checksum test (needed to jump )<br>Sum of lines computed by linker. |
| g+8:  | 0x354c           | 0xc606                  | Exception if mismatch at runtime.                                   |
| g+12: | call f           | (call cont.)            | ] Original jump                                                     |
| g+16: | c.ebreak         | c.ebreak                | Wall of trap instructions                                           |
|       |                  |                         | Added by compiler.<br>Prevents escape from block.                   |
| g+24: | c.ebreak         | c.ebreak                |                                                                     |

The countermeasure



SemSécuÉlec Seminar (Rennes, 2024-09-27)

The countermeasure: <u>software</u> / <u>hardware</u> opcode checksums.

Modeling faults

| g:    | c.addi sp,sp,−16 | c.sw ra,12(sp)          | Intuition for security:                                           |
|-------|------------------|-------------------------|-------------------------------------------------------------------|
| g+4:  | ccscall NEW      | (ccscall <i>cont.</i> ) | Hardware traps on jump                                            |
| g+8:  | 0x354c           | 0xc606                  | unless the previous instruction<br>was ccs/ccscall and it passed. |
| g+12: | call f           | (call <i>cont.</i> )    |                                                                   |
| g+16: | c.ebreak         | c.ebreak                |                                                                   |
|       |                  |                         | Too long to be jumped over (12 bytes)                             |
| g+24: | c.ebreak         | c.ebreak                |                                                                   |

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Implementation

The countermeasure

Conclusior

# Key design points

#### [Hardware] RISC-V ISA extension:

- Updates a checksum register for each instruction executed
- ▶ One instruction for checksum tests, required before a jump
- As tiny as it gets

#### [Software] Compiler and linker:

- Provides checksum code and walls
- Linker computes checksums and shuts down two attacks by avoiding values that decode as jumps or checksum instructions

# Key design points

#### [Hardware] RISC-V ISA extension:

- Updates a checksum register for each instruction executed
- One instruction for checksum tests, required before a jump
- As tiny as it gets

## [Software] Compiler and linker:

- Provides checksum code and walls
- Linker computes checksums and shuts down two attacks by avoiding values that decode as jumps or checksum instructions NEW

# Come on, hardware support?!

This is a reasonable proposition:

Security is in the hardware design process

- Industrials are seeking ways to improve their hardware
- RISC-V is uniquely extensible/modular
- These are tricky attacks with (currently) no other solutions
   There's a rich "compromise" space mostly unexplored

Conclusion

# Formalizing with semantics

Faulted executions are tricky: formal analysis is a necessity.

- Big idea: extend the semantics of assembler! NEW
  - Clears the abstraction gap
  - Pulls in only low-level details that are really needed

 $(\mathsf{PC}, \rho) \ a \Rightarrow [a] \ (\mathsf{PC}, [a])$   $\underbrace{\mathsf{S32}(k)} 1 < k \le N$   $(\mathsf{PC}, \rho) \ a \Rightarrow [a + 4k] \ (\mathsf{PC} + 4k, [a + 4k])$   $\underbrace{\mathsf{S\&R32}}_{(\mathsf{PC}, \rho)} \rho \neq [a]$   $\underbrace{\mathsf{PC}, \rho}_{(\mathsf{PC}, \rho)} a \Rightarrow \rho \ (\mathsf{PC}, [a])$ 

**Fetch rules** (left): describe the attack

Step rules (below): decoding and execution

ALIGNED-16  
PC aligned (PC, 
$$\rho$$
) PC  $\Rightarrow$   $d$  (PC<sub>F</sub>,  $\rho'$ )  
 $\sigma$ .CCSDS = 0 LSH( $d$ ) is a 16-bit instruction<sup>1</sup>  
 $\langle PC, \rho, \sigma, \alpha \rangle \rightarrow [LSH(d)](PC_F, \sigma, \alpha) \bullet \rho'$   
(...)

NOFAUL T

# Proof of security

#### Proven security guarantee

If you fetch skip, the program will stop/crash before the end of the current block. Same for multi-fault attacks (if no checksum collision).

- 1. Execution only leaves a protected block when the checksum is correct.
  - Cannot reach end of block due to trap wall.
  - Before jumping a ccs is needed, and it can't be forged.
  - ► The official ccs/jump widget detects attacks.
- 2. Single-fault case: correct checksum implies no fault.

Note: might crash before end of block.

Context and plan

Modeling faults

Rising in abstractio

Fetch skips

The countermeasure

Implementation

Conclusion



# Implementation

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 23/31

Conclusion

# Compilers don't know security (because C doesn't)

```
int mac(int a, int b, int c) {
  return a + b * c;
}
```

Compiled for RISC-V again:

mac: mul a1, a2, a1 add a0, a0, a1 ret Vulnerable to instruction skip

Context and planModeling faultsRising in abstractionFetch skipsThe countermeasureImplementation0000000000000000000000000000

# Compilers don't know security (because C doesn't)

mac:

| mul | a3, | a2, | a1 |
|-----|-----|-----|----|
| mul | а3, | a2, | a1 |
| mv  | а4, | a0  |    |
| mv  | а4, | a0  |    |
| add | a0, | a4, | a3 |
| add | a0, | a4, | a3 |
| ret |     |     |    |
| ret |     |     |    |

Vulnerable to instruction skip
 A countermeasure: duplicate instructions.

Now secure!

# Compilers don't know security (because C doesn't)

```
int mac(int a, int b, int c) {
  int x, y;
  x = b * c:
  x = b * c;
  v = a:
  y = a;
  a = y + x;
  a = y + x;
  return a:
  return a:
```

- Vulnerable to instruction skip
   A countermeasure: duplicate instructions.
  - Now secure!
  - ▶ Not expressible at source level 😟

# Compilers don't know security (because C doesn't)

| <pre>int mac(int a, in</pre> | nt b, int c) { |
|------------------------------|----------------|
| <pre>int x, y;</pre>         | Δ              |
| x = b * c;                   | ~              |
| x = b * c;                   |                |
| y = a;                       |                |
| y = a;                       |                |
| a = y + x;                   |                |
| a = y + x;                   |                |
| return a;                    |                |
| return a;                    |                |
| }                            |                |
|                              |                |
|                              | LIVM -01       |

- Vulnerable to instruction skip
   A countermeasure: duplicate instructions.
  - Now secure!
  - Not expressible at source level 😟
  - Compiler optimizes it away so



# Implementation: a multi-stage process



# Experimental validation by simulation

#### QEMU support for Xccs and fetch skip injection

```
% qemu-riscv32 -cpu rv32-fsh --riscv-faults '0x40000:s32' ./main qemu: unhandled CPU exception 0x18 -aborting [...]
```

0x18: Attack detected

- -cpu rv32-fsh selects an Xccs-capable CPU ;
- -riscv-faults '0x40000:s32' skips the first 4 bytes.

Rising in abstraction

The countermea

Fetch skips

Implementation

Conclusion

# Experimental validation by simulation

MiBench [Gut+01] benchmarks

- 1. Exhaustive skip
- 2. Exhaustive double-skip
- 3. Exhaustive skip-and-repeat
- R. 2000 random multi-faults



- ▶ 9 programs, 32'000 attacks reached, 0 bypass (0 checksum collision)
- ► Cost: ~10% time, average x2.46 space (similar work: x5 time and space)

These are very good because of the software/hardware combo!

Context and plan

Modeling faults

Rising in abstractio

Fetch skips

The countermeasure

Implementation

Conclusion



SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 27/31

| <b>Context and plan</b><br>0000 | Modeling faults  | Rising in abstraction | Fetch skips<br>0000 | The countermeasure |
|---------------------------------|------------------|-----------------------|---------------------|--------------------|
| Putting it a                    | ll together      |                       |                     |                    |
|                                 | C source code    | -                     |                     |                    |
| Mar                             | ny compiler IRs  |                       |                     |                    |
|                                 | <br>ISA/Assembly |                       |                     |                    |

Micro-architecture

Gates/RTL

#### Electrical signals

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Conclusion

| <b>Context and plan</b><br>0000 | <b>Modeling faults</b> | Rising in abstraction | Fetch skips<br>0000 | The countermeasure | Implementation | Conclusion<br>●○ |
|---------------------------------|------------------------|-----------------------|---------------------|--------------------|----------------|------------------|
| Putting it al                   | ll together            |                       |                     |                    |                |                  |
|                                 | C source code          | e                     |                     |                    |                |                  |
|                                 |                        |                       |                     |                    |                |                  |
| Man                             | y compiler IR          | S                     |                     |                    |                |                  |
|                                 |                        |                       |                     |                    |                |                  |
|                                 | ISA/Assembly           | /                     |                     |                    |                |                  |
|                                 |                        |                       |                     |                    |                |                  |

| Micro-architecture | Model: Skip memory fetch     |
|--------------------|------------------------------|
|                    | ↑                            |
| Gates/RTL          | Model: Fail to latch in time |
|                    | ↑                            |
| Electrical signals | Model: Glitch clock cycle    |
|                    |                              |

Fault analysis and modeling

| <b>Context and plan</b><br>0000 | <b>Modeling faults</b>  | Rising in abstraction | <b>Fetch skips</b><br>0000              | <b>The countermeasure</b><br>00000 | Implementation | Conclusion<br>●○        |  |  |
|---------------------------------|-------------------------|-----------------------|-----------------------------------------|------------------------------------|----------------|-------------------------|--|--|
| Putting it a                    | ll together             |                       |                                         |                                    |                |                         |  |  |
|                                 | C source code           | Security pr           | Security prop: true                     |                                    |                | Security specification, |  |  |
| Ma                              | <br>ny compiler IRs<br> | 1                     | op: (interna                            | al definitions)                    | hardenin       | g                       |  |  |
|                                 | ISA/Assembly            | Security pr           | Security prop: stop before end of block |                                    |                | compilation             |  |  |
|                                 |                         |                       |                                         |                                    |                |                         |  |  |
| Mi                              | cro-architecture        | Model: Ski<br>∱       | p memory                                | fetch                              | Equit on       | alveic                  |  |  |

Gates/RTL Electrical signals

Model: Skip memory fetch ↑ Model: Fail to latch in time ↑ Model: Glitch clock cycle

Fault analysis and modeling

| 0000 000                | 000000                 | 0000            | 00000              | 000 | ••                                         |
|-------------------------|------------------------|-----------------|--------------------|-----|--------------------------------------------|
| Putting it all together |                        |                 |                    |     |                                            |
| C source coo            | le Security p          | orop: true      |                    | )   | Security                                   |
| Many compiler IF        | Rs Security p<br>··· ↓ | orop: (interna  | al definitions)    | ł   | specification,<br>hardening<br>compilation |
| ISA/Assemb              | ly Security p          | prop: stop be   | efore end of block | J   | compliation                                |
| ISA + encoding + feto   | h Šecur                | ity proof wrt   | t model            |     |                                            |
| Micro-architectu        | ∙e Model: Sl           | kip memory      | fetch              |     |                                            |
| Gates/RT                | L Model: Fa            | ail to latch ir | n time             | ł   | Fault analysis<br>and modeling             |
| Electrical signa        | ls Model: G            | litch clock c   | ycle               | J   |                                            |

Modeling faults

Context and plan

Conclusion

 $\underset{0000}{\text{Context and plan}}$ 

Modeling faults Rising in a

sing in abstraction

skips The coun

Implementatio

Conclusion ○●

## Understanding and fighting fault injections with programming languages

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Understanding and fighting fault injections with programming languages 29/31

Context and plan Modeling faults

Rising in abstrac

Fetch skips TI

The countermeasure

Implementation

Conclusion

Understanding and fighting fault injections with programming languages

Understanding:

▶ All a matter of crossing abstractions the right way, with formal support

SemSécuÉlec Seminar (Rennes, 2024-09-27)

Context and plan Modeling faults

Rising in abstraction

Fetch skipsThe cou000000000

he countermeasure

Implementation

Conclusion

Understanding and fighting fault injections with programming languages

Understanding:

> All a matter of crossing abstractions the right way, with formal support

Fighting:

- ► Software fights for half the abstraction distance with hardening compilation
- Software/hardware combo has a lot to offer
- Deeper toolchain integration needed [Vu21]

Context and plan Modeling faults

Rising in abstraction

Fetch skips The c

The countermeasure

Implementation

Conclusion

Understanding and fighting fault injections with programming languages

Understanding:

> All a matter of crossing abstractions the right way, with formal support

Fighting:

- Software fights for half the abstraction distance with hardening compilation
- Software/hardware combo has a lot to offer
- Deeper toolchain integration needed [Vu21]

Thoughts?

## References I

- [Als+22] Ihab Alshaer et al. "Variable-Length Instruction Set: Feature or Bug?" In: Maspalomas, Spain. IEEE, 2022. ISBN: 978-1-6654-7405-4. DOI: 10.1109/DSD57027.2022.00068.
- [Bar+06] H. Bar-El et al. "The Sorcerer's Apprentice Guide to Fault Attacks". In: Proceedings of the IEEE 94.2 (2006), pp. 370–382. DOI: 10.1109/JPROC.2005.862424.
- [Gut+01] M.R. Guthaus et al. "MiBench: A free, commercially representative embedded benchmark suite". In: Austin, TX, USA. Austin, TX, USA: IEEE, 2001, pp. 3–14. ISBN: 0-7803-7315-4. DOI: 10.1109/WWC.2001.990739.
- [Lau20] Johan Laurent. "Modélisation de fautes utilisant la description RTL de microarchitectures pour l'analyse de vulnérabilité conjointe matérielle-logicielle". Theses. Université Grenoble Alpes, Nov. 2020. URL: https://tel.archives-ouvertes.fr/tel-03167493.

# References II

- [MDG24] Sébastien Michelland, Christophe Deleuze, and Laure Gonnord. "From Low-Level Fault Modeling (of a Pipeline Attack) to a Proven Hardening Scheme". In: Proceedings of the 33rd ACM SIGPLAN International Conference on Compiler Construction. CC 2024. , Edinburgh, United Kingdom, Association for Computing Machinery, 2024, pp. 174–185. ISBN: 9798400705076. DOI: 10.1145/3640537.3641570. URL: https://doi.org/10.1145/3640537.3641570.
- [Sol+21] Hadi Soleimany et al. "Practical multiple persistent faults analysis". In: *Cryptology ePrint Archive* (2021).
- [Vu21] Son Tuan Vu. "Optimizing Property-Preserving Compilation". 2021SORUS435. PhD thesis. 2021. URL: http://www.theses.fr/2021SORUS435/document.
- [Yuc+16] Bilgiday Yuce et al. "Software Fault Resistance is Futile: Effective Single-Glitch Attacks". In: Santa Barbara, CA, USA. Santa Barbara, CA, USA: IEEE, 2016, pp. 47–58. ISBN: 978-1-5090-1109-4. DOI: 10.1109/FDTC.2016.21.