Open access

Compiler-Assisted Loop Hardening Against Fault Attacks

Published: 05 December 2017

Abstract

Secure elements widely used in smartphones, digital consumer electronics, and payment systems are subject to fault attacks. To thwart such attacks, software protections are manually inserted requiring experts and time. The explosion of the Internet of Things (IoT) in home, business, and public spaces motivates the hardening of a wider class of applications and the need to offer security solutions to non-experts. This article addresses the automated protection of loops at compilation time, covering the widest range of control- and data-flow patterns, in both shape and complexity. The security property we consider is that a sensitive loop must always perform the expected number of iterations; otherwise, an attack must be reported. We propose a generic compile-time loop hardening scheme based on the duplication of termination conditions and of the computations involved in the evaluation of such conditions. We also investigate how to preserve the security property along the compilation flow while enabling aggressive optimizations. We implemented this algorithm in LLVM 4.0 at the Intermediate Representation (IR) level in the backend. On average, the compiler automatically hardens 95% of the sensitive loops of typical security benchmarks, and 98% of these loops are shown to be robust to simulated faults. Performance and code size overhead remain quite affordable, at 12.5% and 14%, respectively.
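The scheme the abstract describes, a duplicated loop counter together with a duplicated termination condition, written out at source level as an added example. This is not the paper's LLVM pass and not the authors' code: it is a ten-round loop (the shape of an AES round loop, a classic fault target), a hypothetical single-fault simulator that either skips one counter increment or overwrites the primary counter once, and the unprotected and hardened loops side by side. The fault kinds, `inject`, `make_fault` and the `run_t` result are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a 10-round sensitive loop hardened by duplicating the
 * counter update and the termination condition.  Not the paper's LLVM pass. */
#define ROUNDS 10u

/* Hypothetical single-fault model for the simulator: one fault per run hits
 * the primary counter, either by skipping its increment (instruction skip)
 * or by overwriting its value (register corruption). */
typedef enum { FAULT_NONE, FAULT_SKIP_INCREMENT, FAULT_SET_COUNTER } fault_kind;

typedef struct {
    fault_kind kind;
    unsigned at_iteration; /* 0-based iteration during which the fault strikes */
    unsigned value;        /* new counter value for FAULT_SET_COUNTER */
    bool fired;            /* at most one injection per run */
} fault_t;

typedef struct {
    unsigned executed;     /* loop bodies actually run */
    bool attack_detected;  /* hardened loop reported an inconsistency */
} run_t;

fault_t make_fault(fault_kind kind, unsigned at_iteration, unsigned value)
{
    fault_t f = { kind, at_iteration, value, false };
    return f;
}

/* Corrupt the primary counter right after the increment of iteration `iter`. */
static void inject(volatile unsigned *counter, unsigned iter, fault_t *f)
{
    if (f->kind == FAULT_NONE || f->fired || iter != f->at_iteration) return;
    f->fired = true;
    if (f->kind == FAULT_SKIP_INCREMENT)
        *counter = *counter - 1;     /* the i++ never took effect */
    else
        *counter = f->value;         /* register overwritten by the glitch */
}

/* Unprotected loop: a single fault silently changes the number of rounds. */
run_t unprotected_rounds(fault_t f)
{
    run_t r = { 0, false };
    volatile unsigned i = 0;
    while (i < ROUNDS) {
        r.executed++;                /* one round of the sensitive computation */
        unsigned iter = i;
        i = i + 1;
        inject(&i, iter, &f);
    }
    return r;
}

/* Hardened loop: the counter update and the termination test are evaluated
 * twice on independent copies; any disagreement is reported as an attack.
 * `volatile` keeps the optimizer from folding i_dup back into i, which is
 * the problem the paper solves inside the compiler instead of in source. */
run_t hardened_rounds(fault_t f)
{
    run_t r = { 0, false };
    volatile unsigned i = 0;         /* primary counter */
    volatile unsigned i_dup = 0;     /* duplicated counter */
    for (;;) {
        bool cond = (i < ROUNDS);
        bool cond_dup = (i_dup < ROUNDS);   /* duplicated termination test */
        if (cond != cond_dup) {             /* copies disagree: report */
            r.attack_detected = true;
            break;
        }
        if (!cond) break;                   /* both copies agree: done */
        r.executed++;
        unsigned iter = i;
        i = i + 1;
        i_dup = i_dup + 1;                  /* duplicated increment */
        inject(&i, iter, &f);               /* fault hits only the primary copy */
    }
    return r;
}

int main(void)
{
    /* Constructed fault campaign: no fault, one extra round, early exit,
     * and a counter reset that replays rounds. */
    const fault_t cases[] = {
        { FAULT_NONE, 0, 0, false },
        { FAULT_SKIP_INCREMENT, 5, 0, false },
        { FAULT_SET_COUNTER, 2, ROUNDS, false },
        { FAULT_SET_COUNTER, 5, 3, false },
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        run_t u = unprotected_rounds(cases[k]);
        run_t h = hardened_rounds(cases[k]);
        printf("case %zu: unprotected ran %u rounds; hardened ran %u, detected=%d\n",
               k, u.executed, h.executed, (int)h.attack_detected);
    }
    return 0;
}
```

Two things worth noting when reading the output. The hardened loop never completes an eleventh round and never silently finishes after three: the duplicated condition disagrees with the primary one before any iteration outside the expected count runs, which is exactly the property the abstract states. And the `volatile` qualifiers are doing real work: without them, `-O2` is free to notice that `i` and `i_dup` always hold the same value and delete the duplicate, which is why the paper performs the duplication at the LLVM IR level and then has to keep later optimizations from undoing it. A fault that hits both copies identically is outside the single-fault model assumed here.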

Supplementary Material

TACO1404-36 (taco1404-36.pdf)
Slide deck associated with this paper




Published In

ACM Transactions on Architecture and Code Optimization  Volume 14, Issue 4
December 2017
600 pages
ISSN:1544-3566
EISSN:1544-3973
DOI:10.1145/3154814
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 December 2017
Accepted: 01 September 2017
Revised: 01 August 2017
Received: 01 May 2017
Published in TACO Volume 14, Issue 4

Author Tags

  1. Compiler
  2. physical attacks
  3. software protection

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (Last 12 months)135
  • Downloads (Last 6 weeks)19
Reflects downloads up to 25 Jan 2025

Cited By

  • (2025) Formally Verified Hardening of C Programs against Hardware Fault Injection. Proceedings of the 14th ACM SIGPLAN International Conference on Certified Programs and Proofs, 140-155. doi:10.1145/3703595.3705880. Published 10 Jan 2025.
  • (2025) Recovery for secret key in CTIDH-512 through Fault Injection Attack. Computers and Electrical Engineering 123, article 110057. doi:10.1016/j.compeleceng.2024.110057. Published Apr 2025.
  • (2025) An Introduction to Fault Injection Attacks. Embedded Cryptography 1, 213-276. doi:10.1002/9781394351879.ch9. Published 17 Jan 2025.
  • (2025) Fault Countermeasures. Embedded Cryptography 1, 333-353. doi:10.1002/9781394351879.ch12. Published 17 Jan 2025.
  • (2024) Comparative Analysis and Implementation of Jump Address Masking for Preventing TEE Bypassing Fault Attacks. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1-12. doi:10.1145/3664476.3664477. Published 30 Jul 2024.
  • (2024) From Low-Level Fault Modeling (of a Pipeline Attack) to a Proven Hardening Scheme. Proceedings of the 33rd ACM SIGPLAN International Conference on Compiler Construction, 174-185. doi:10.1145/3640537.3641570. Published 17 Feb 2024.
  • (2024) Fault Attacks Sensitivity of Public Parameters in the Dilithium Verification. Smart Card Research and Advanced Applications, 62-83. doi:10.1007/978-3-031-54409-5_4. Published 23 Feb 2024.
  • (2023) A Compositional Methodology to Harden Programs Against Multi-Fault Attacks. 2023 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 24-35. doi:10.1109/FDTC60478.2023.00012. Published 10 Sep 2023.
  • (2023) Software-Only Control-Flow Integrity Against Fault Injection Attacks. 2023 26th Euromicro Conference on Digital System Design (DSD), 269-277. doi:10.1109/DSD60849.2023.00046. Published 6 Sep 2023.
  • (2022) SCI-FI: Control Signal, Code, and Control Flow Integrity against Fault Injection Attacks. 2022 Design, Automation & Test in Europe Conference & Exhibition (DATE), 556-559. doi:10.23919/DATE54114.2022.9774685. Published 14 Mar 2022.
