



## Thèse de doctorat de

## L'UNIVERSITÉ DE BRETAGNE SUD

ÉCOLE DOCTORALE Nº 644 Mathématiques et Sciences et Technologies de l'Information et de la Communication en Bretagne Océane Spécialité : Informatique et Architectures Numériques

Par

## William PENSEC

# Protection d'un processeur avec DIFT contre des attaques physiques

« Sous-titre de la thèse »

Thèse présentée et soutenue à Lorient, le //2024

Unité de recherche : Université Bretagne Sud, UMR CNRS 6285, Lab-STICC

Thèse Nº: « si pertinent »

## Rapporteurs avant soutenance:

Prénom NOM Fonction et établissement d'exercice Prénom NOM Fonction et établissement d'exercice Prénom NOM Fonction et établissement d'exercice

## **Composition du Jury:**

Attention, en cas d'absence d'un des membres du Jury le jour de la soutenance, la composition du jury doit être revue pour s'assurer qu'elle est conforme et devra être répercutée sur la couverture de thèse

Président : Prénom NOM Fonction et établissement d'exercice (à préciser après la soutenance)

Examinateurs : Prénom NOM Fonction et établissement d'exercice

Prénom NOM Fonction et établissement d'exercice
Prénom NOM Fonction et établissement d'exercice
Prénom NOM Fonction et établissement d'exercice

Dir. de thèse : Guy GOGNIAT Professeur des Universités (Lab-STICC, Université Bretagne Sud)
Co-dir. de thèse : Vianney LAPÔTRE Maitre de Conférence HDR (Lab-STICC, Université Bretagne Sud)

### Invité(s):

Prénom NOM Fonction et établissement d'exercice

 $\mathcal{A}\mathbf{d}$ mentes inquisitivas quae lucem futuri Scientiae accendunt.

Aux esprits curieux qui illuminent l'avenir de la Connaissance.

To the inquisitive minds that are lighting up the future of Knowledge.

# REMERCIEMENTS

Je tiens à remercier I would like to thank. my parents.. J'adresse également toute ma reconnaissance à  $\dots$ 

## **ABSTRACT**

Embedded systems are increasingly prevalent in critical infrastructures such as industries, smart cities, and biomedical devices, improving efficiency and addressing challenges like climate change and health. However, their widespread use also expands the attack surface, creating significant security risks. These systems, typically powered by low-energy processors handling sensitive data, are vulnerable to both software and physical attacks due to their network connectivity and proximity to potential attackers. Hence, addressing both threats during processor designing is essential.

Dynamic Information Flow Tracking (DIFT) techniques, which detect software attacks like buffer overflow and malware by attaching and propagating tags to data at runtime, are a key defence. Fault Injection Attacks (FIA) deliberately induce errors in a system's hardware to alter its normal operation, often bypassing security mechanisms. These faults can be introduced via physical methods (e.g., voltage, lasers), leading to potential data breaches or system disruptions. FIAs are particularly concerning in embedded systems and cryptographic devices, where low-level faults can compromise sensitive information. Many studies have shown different vulnerabilities due to FIAs on critical systems but none of them targetted a DIFT mechanism.

We focus on the D-RI5CY [1] processor, which implements a hardware-based in-core DIFT. Our primary objective is to assess the impact of FIA on the effectiveness of DIFT in the D-RI5CY processor. Through fault injection simulations, we evaluate the vulnerability of DIFT and identify critical hardware components requiring protection [2]. As a result of this evaluation, we implemented two lightweight countermeasures, considering constraints like area and performance: simple parity for error detection and Hamming Code for single-bit error detection and correction [3]. These were optimised by grouping registers to reduce parity/redundancy overhead. The sensitivity evaluation was conducted using FISSA, a tool developed to facilitate fault evaluation at the conceptual stage [4]. This tool allows the enabling of the principle of Security by Design. Finally, we evaluated the security of multiple register group compositions to enhance countermeasure effectiveness against complex fault models. We tested Hamming Code with five group configurations and developed a new version of the code capable of detecting two errors and correcting one (SECDED). This was compared across the same groups in terms of efficiency and area to find the optimal trade-off for embedded systems with strict energy and performance constraints.

# **TABLE OF CONTENTS**

| $\mathbf{A}$ | bstra | act                                             | vii       |
|--------------|-------|-------------------------------------------------|-----------|
| Ta           | able  | of Contents                                     | ix        |
| A            | crony | vms                                             | xii       |
| Li           | st of | Figures                                         | xiv       |
| Li           | st of | Tables                                          | xv        |
| Li           | st of | Listings                                        | xvi       |
| 1            | Inti  | roduction                                       | 1         |
|              | 1.1   | Context                                         | 1         |
|              | 1.2   | Objectives                                      | 4         |
|              | 1.3   | Manuscript outline                              | 5         |
| <b>2</b>     | Sta   | te of the Art                                   | 7         |
|              | 2.1   | Introduction                                    | 7         |
|              | 2.2   | Information Flow Tracking                       | 7         |
|              |       | 2.2.1 Different types of IFT                    | 7         |
|              |       | 2.2.2 Different levels of DIFT                  | 8         |
|              |       | 2.2.3 How hardware DIFT work                    | 15        |
|              | 2.3   | Physical Attacks                                | 16        |
|              |       | 2.3.1 Side-Channel Attacks                      | 16        |
|              |       | 2.3.2 Fault Injection Attacks                   | 19        |
|              | 2.4   | Countermeasures against FIA                     | 23        |
| 3            | D-F   | RI5CY - Vulnerability Assessment                | <b>25</b> |
|              | 3.1   | D-RI5CY                                         | 25        |
|              |       | 3.1.1 RISC-V Instruction Set Architecture (ISA) | 25        |
|              |       | 3.1.2 DIFT design                               | 26        |
|              |       | 3.1.3 Pedagogical case study                    | 29        |
|              | 3.2   | Use cases                                       | 30        |
|              |       | 3.2.1 First use case: Buffer Overflow           | 30        |
|              |       | 3.2.2 Second use case: Format String (WU-FTPd)  | 31        |
|              | 3.3   | Vulnerability assessment                        | 33        |

## TABLE OF CONTENTS

| 3.3.3 Second use case: Format string (WU-FTPd) 3.3.4 Third use case: Compare/Compute 3.4 Summary  4 FISSA - Fault Injection Simulation for Security Assessment 4.1 Simulation tools for Fault Injection 4.2 FISSA 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3.2 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually with 6.3.4 Implementation 3: Protection by pipeline stage 6.3.3 Implementation 4: Protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.4 Implementation 4: Protection of all registers individually with 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                              |   |     | 3.3.1 Fault model for vulnerability assessment                                       | 4 |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|-----|--------------------------------------------------------------------------------------|---|
| 3.3.4 Third use case: Compare/Compute 3.4 Summary  4 FISSA – Fault Injection Simulation for Security Assessment 4.1 Simulation tools for Fault Injection 4.2 FISSA 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually in 6.2.4 Implementation 4: Protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 1: Optimisation of redundancy bits 6.3.5 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 1: Optimisation of redundancy bits 6.3.5 Implementation 1: Optimisation of redundancy bits 6.3.6 Implementation 1: Optimisation of redundancy bits 6.3.7 Implementation 1: Optimisation of redundancy bits 6.3.8 Implementation 1: Optimisation of redundancy bits 6.3.9 Implementation 1: Optimisation of redundancy bits 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 1: Optimisation of pipeline stage 6.3.3 Implementation 1: Optimisation of pipeline stage 6.3.3 Implementation 1: Optimisation of pipeline stage 6.3.4 Implementation 1: Optimisation of pipeline stage |   |     | 3.3.2 First use case: Buffer overflow                                                | 4 |
| 4 FISSA – Fault Injection Simulation for Security Assessment 4.1 Simulation tools for Fault Injection 4.2 FISSA 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually in 6.2.4 Implementation 4: Protection of all registers individually with 6.3.4 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually with 6.3.4 Implementation 3: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                   |   |     | 3.3.3 Second use case: Format string (WU-FTPd)                                       | 6 |
| 4 FISSA – Fault Injection Simulation for Security Assessment 4.1 Simulation tools for Fault Injection 4.2 FISSA 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually with 6.3.4 Implementation 3: Protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |   |     | 3.3.4 Third use case: Compare/Compute                                                | 0 |
| 4.1 Simulation tools for Fault Injection 4.2 FISSA 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection of redundancy bits 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 3: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually 6.3.4 Implementation 3: Protection of all registers individually 6.3.5 Implementation 4: Protection of all registers individually 6.3.6 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 5: Protection of all registers individually 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |   | 3.4 | Summary                                                                              | 1 |
| 4.2 FISSA  4.2.1 Main software architecture  4.2.2 Supported fault models  4.2.3 TCL Generator  4.2.4 Fault Injection Simulator  4.2.5 Analyser  4.2.6 Extending FISSA  4.3 Use case example  4.3.1 FISSA's configuration  4.3.2 Experimental results  4.4 Discussion and Perspectives  4.5 Summary  5 Countermeasures Implementations  5.1 Fault models used in this chapter  5.2 Countermeasure 1: Simple Parity  5.3 Countermeasure 2: Hamming Code  5.3.1 Implementation 1: Optimisation of redundancy bits  5.4 Summary  6 Experimental setup and results  6.1 Fault models used in this chapter  6.2 Countermeasure 2: Hamming Code  6.2.1 Implementation 2: Protection by pipeline stage  6.2.2 Implementation 3: Protection of all registers individually with  6.2.4 Implementation 5: Smart protection by pipeline stage  6.3.1 Implementation 1: Optimisation of redundancy bits  6.3.2 Implementation 1: Optimisation of redundancy bits  6.3.3 Implementation 1: Optimisation of redundancy bits  6.3.4 Implementation 2: Protection by pipeline stage  6.3.3 Implementation 3: Protection of all registers individually  6.3.4 Implementation 3: Protection of all registers individually  6.3.5 Implementation 4: Protection of all registers individually  6.3.6 Implementation 5: Smart protection by pipeline stage  6.3.1 Implementation 5: Protection of all registers individually  6.3.4 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 4 | FIS | SA – Fault Injection Simulation for Security Assessment 49                           | 5 |
| 4.2.1 Main software architecture 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection by pipeline stage 6.3.1 Implementation 5: Smart protection by pipeline stage 6.3.2 Implementation 1: Optimisation of redundancy bits 6.3.3 Implementation 1: Optimisation of redundancy bits 6.3.4 Implementation 1: Optimisation of redundancy bits 6.3.5 Implementation 1: Optimisation of redundancy bits 6.3.6 Implementation 1: Optimisation of redundancy bits 6.3.7 Implementation 1: Optimisation of redundancy bits 6.3.8 Implementation 1: Optimisation of all registers individually 6.3.4 Implementation 3: Protection of all registers individually 6.3.5 Implementation 5: Smart protection by pipeline stage 6.3.6 Implementation 5: Smart protection by pipeline stage 6.3.8 Implementation 5: Smart protection by pipeline stage 6.3.9 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                         |   | 4.1 | Simulation tools for Fault Injection                                                 | 5 |
| 4.2.2 Supported fault models 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.4 Implementation 2: Protection by pipeline stage 6.3.5 Implementation 3: Protection of all registers individually 6.3.4 Implementation 3: Protection of all registers individually 6.3.5 Implementation 4: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |   | 4.2 | FISSA                                                                                | 8 |
| 4.2.3 TCL Generator 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.4 Implementation 2: Protection by pipeline stage 6.3.5 Implementation 3: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually 6.3.4 Implementation 4: Protection by pipeline stage 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |   |     | 4.2.1 Main software architecture                                                     | 8 |
| 4.2.4 Fault Injection Simulator 4.2.5 Analyser 4.2.6 Extending FISSA 4.3 Use case example 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually 6.3.4 Implementation 3: Protection of all registers individually 6.3.5 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.3 Implementation 5: Smart protection by pipeline stage 6.3.4 Implementation 5: Smart protection by pipeline stage 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   |     | 4.2.2 Supported fault models                                                         | 9 |
| 4.2.5 Analyser                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |   |     | 4.2.3 TCL Generator                                                                  | 0 |
| 4.2.6 Extending FISSA  4.3 Use case example                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |   |     | 4.2.4 Fault Injection Simulator                                                      | 2 |
| 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.4 Implementation 3: Protection of all registers individually 6.3.4 Implementation 3: Protection of all registers individually with 6.3.5 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   |     | 4.2.5 Analyser                                                                       | 3 |
| 4.3.1 FISSA's configuration 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 2: Protection by pipeline stage 6.3.4 Implementation 3: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage 6.3.6 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |   |     | 4.2.6 Extending FISSA                                                                | 4 |
| 4.3.2 Experimental results 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 4: Protection by pipeline stage 6.3.1 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |   | 4.3 | Use case example                                                                     | 4 |
| 4.4 Discussion and Perspectives 4.5 Summary  5 Countermeasures Implementations 5.1 Fault models used in this chapter 5.2 Countermeasure 1: Simple Parity 5.3 Countermeasure 2: Hamming Code 5.3.1 Implementation 1: Optimisation of redundancy bits 5.4 Summary  6 Experimental setup and results 6.1 Fault models used in this chapter 6.2 Countermeasure 2: Hamming Code 6.2.1 Implementation 2: Protection by pipeline stage 6.2.2 Implementation 3: Protection of all registers individually 6.2.3 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage 6.3.1 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |   |     | 4.3.1 FISSA's configuration                                                          | 5 |
| 5 Countermeasures Implementations 5.1 Fault models used in this chapter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |   |     | 4.3.2 Experimental results                                                           | 5 |
| 5 Countermeasures Implementations 5.1 Fault models used in this chapter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |   | 4.4 | Discussion and Perspectives                                                          | 9 |
| 5.1 Fault models used in this chapter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   | 4.5 | Summary                                                                              | 9 |
| 5.2 Countermeasure 1: Simple Parity                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 5 | Cou | intermeasures Implementations 6                                                      | 1 |
| 5.3 Countermeasure 2: Hamming Code                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |   | 5.1 | Fault models used in this chapter                                                    | 1 |
| 5.3.1 Implementation 1: Optimisation of redundancy bits                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |   | 5.2 | Countermeasure 1: Simple Parity                                                      | 1 |
| 5.4 Summary                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |   | 5.3 | Countermeasure 2: Hamming Code                                                       | 1 |
| 6.1 Fault models used in this chapter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   |     | 5.3.1 Implementation 1: Optimisation of redundancy bits                              | 1 |
| 6.1 Fault models used in this chapter                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   | 5.4 | Summary                                                                              | 1 |
| <ul> <li>6.2 Countermeasure 2: Hamming Code</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | 6 | Exp | perimental setup and results 65                                                      | 3 |
| <ul> <li>6.2.1 Implementation 2: Protection by pipeline stage</li> <li>6.2.2 Implementation 3: Protection of all registers individually</li> <li>6.2.3 Implementation 4: Protection of all registers individually with 6.2.4 Implementation 5: Smart protection by pipeline stage</li> <li>6.3 Countermeasure 3: Hamming Code - SECDED</li> <li>6.3.1 Implementation 1: Optimisation of redundancy bits</li> <li>6.3.2 Implementation 2: Protection by pipeline stage</li> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |   | 6.1 | Fault models used in this chapter                                                    | 4 |
| <ul> <li>6.2.2 Implementation 3: Protection of all registers individually</li> <li>6.2.3 Implementation 4: Protection of all registers individually with</li> <li>6.2.4 Implementation 5: Smart protection by pipeline stage</li> <li>6.3 Countermeasure 3: Hamming Code - SECDED</li> <li>6.3.1 Implementation 1: Optimisation of redundancy bits</li> <li>6.3.2 Implementation 2: Protection by pipeline stage</li> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with</li> <li>6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |   | 6.2 | Countermeasure 2: Hamming Code                                                       | 4 |
| <ul> <li>6.2.3 Implementation 4: Protection of all registers individually with</li> <li>6.2.4 Implementation 5: Smart protection by pipeline stage</li> <li>6.3 Countermeasure 3: Hamming Code - SECDED</li> <li>6.3.1 Implementation 1: Optimisation of redundancy bits</li> <li>6.3.2 Implementation 2: Protection by pipeline stage</li> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with</li> <li>6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |   |     | 6.2.1 Implementation 2: Protection by pipeline stage 6                               | 4 |
| 6.2.4 Implementation 5: Smart protection by pipeline stage 6.3 Countermeasure 3: Hamming Code - SECDED 6.3.1 Implementation 1: Optimisation of redundancy bits 6.3.2 Implementation 2: Protection by pipeline stage 6.3.3 Implementation 3: Protection of all registers individually 6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   |     | 6.2.2 Implementation 3: Protection of all registers individually 6                   | 4 |
| <ul> <li>6.3 Countermeasure 3: Hamming Code - SECDED</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |   |     | 6.2.3 Implementation 4: Protection of all registers individually with CSRs slicing 6 | 4 |
| <ul> <li>6.3.1 Implementation 1: Optimisation of redundancy bits</li> <li>6.3.2 Implementation 2: Protection by pipeline stage</li> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with</li> <li>6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |   |     | 6.2.4 Implementation 5: Smart protection by pipeline stage 6                         | 4 |
| <ul> <li>6.3.2 Implementation 2: Protection by pipeline stage</li> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with</li> <li>6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   | 6.3 | Countermeasure 3: Hamming Code - SECDED                                              | 4 |
| <ul> <li>6.3.3 Implementation 3: Protection of all registers individually</li> <li>6.3.4 Implementation 4: Protection of all registers individually with</li> <li>6.3.5 Implementation 5: Smart protection by pipeline stage</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |   |     | 6.3.1 Implementation 1: Optimisation of redundancy bits                              | 4 |
| 6.3.4 Implementation 4: Protection of all registers individually with 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |   |     | 6.3.2 Implementation 2: Protection by pipeline stage 64                              | 4 |
| 6.3.5 Implementation 5: Smart protection by pipeline stage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |   |     | 6.3.3 Implementation 3: Protection of all registers individually 6                   | 4 |
| 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |   |     | 6.3.4 Implementation 4: Protection of all registers individually with CSRs slicing 6 | 4 |
| 6.4 Experimental setup                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |   |     | 6.3.5 Implementation 5: Smart protection by pipeline stage                           | 4 |
| or Experimental betap                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |   | 6.4 | Experimental setup                                                                   | 4 |

|    |            | Experimental results |    |  |  |
|----|------------|----------------------|----|--|--|
| 7  | Conclusion |                      |    |  |  |
|    | 7.1        | Synthesis            | 65 |  |  |
|    | 7.2        | Perspectives         | 65 |  |  |
| Bi | ibliog     | graphy               | 67 |  |  |

## **ACRONYMS**

AES Advanced Encryption Standard

ALU Arithmetic and Logical Unit

API Application Programming Interface

CABA Cycle Accurate and Bit Accurate

CPU Central Processing Unit

CSR Control and Status Registers

DDoS Distributed Denial of Service

DIFT Dynamic Information Flow Tracking

DUT Device Under Test

EM Electromagnetic

EMFI Electromagnetic Fault Injection

FIA Fault Injection Attack

FPGA Field Programmable Gate Array

GUI Graphical User Interface

HDL Hardware Description Language

IC Integrated Circuit

IIoT Industrial Internet of Things

IoT Internet of Things

ISA Instruction Set Architecture

LUT Look-Up Table

MMU Memory Management Unit

OS Operating System

PC Program Counter

RA Return Address

SCA Side Channel Attack

SoC System on Chip

TCR Tag Check Register

TPR Tag Propagation Register

# **LIST OF FIGURES**

| 1.1  | Number of IoT (IoT) devices worldwide 2022-2023, with forecasts to 2033 (from $[5]$ )     | 2  |
|------|-------------------------------------------------------------------------------------------|----|
| 1.2  | Internet of Things total annual revenue worldwide from 2020 to 2030 (from [6])            | 3  |
| 2.1  | Simplified representation of the different layers in an embedded system                   | 9  |
| 2.2  | Representation of a Hardware Off-Core DIFT (inspired by Figure 1 of $[44]$ )              | 13 |
| 2.3  | Representation of a Hardware Off-Loading DIFT (inspired by Figure 1 of $[44]$ )           | 14 |
| 2.4  | Representation of a Hardware In-Core DIFT (inspired by Figure 1 of $[44]$ )               | 15 |
| 2.5  | Representation of the DIFT mechanism from initialisation to checking                      | 16 |
| 2.6  | Taxonomy of the different methods of physical attacks (inspired by $[50]$ )               | 17 |
| 2.7  | Representation of the different methods of Side-Channel attacks $\dots \dots \dots \dots$ | 18 |
| 2.8  | Representation of the different methods of Fault Injection attacks                        | 20 |
| 2.9  | Three steps to decapsulate a die (from $[75]$ )                                           | 21 |
| 2.10 | Example of a laser fault injection setup (by Riscure Laser Station 2 $[16]$ )             | 22 |
| 3.1  | D-RI5CY processor architecture overview. DIFT-related modules are highlighted in red      | 26 |
| 3.2  | Representation of how the ROP attack works                                                | 32 |
| 3.3  | Tag propagation in a buffer overflow attack                                               | 35 |
| 3.4  | Logic description of the exception driving in a buffer overflow attack                    | 36 |
| 3.5  | Tag propagation in a format string attack                                                 | 39 |
| 3.6  | Logic description of the exception driving in a format string attack                      | 42 |
| 3.7  | Tag propagation in a computation case with the compare/compute use case                   | 43 |
| 3.8  | Logic representation of tag propagation in a computation case                             | 44 |
| 4.1  | Anatomy of a Fault Injection tool                                                         | 46 |
| 4.2  | Software architecture of FISSA                                                            | 48 |
| 4.3  | Software architecture of the TCL Generator module                                         | 52 |
| 4.4  | Fault Injection Simulator architecture                                                    | 53 |
| 4.5  | Analyser architecture                                                                     | 54 |
| 4.6  | Heatmap generated according to the single bit-flip in two targets at a given clock cycle  |    |
|      | fault model                                                                               | 56 |
| 4.7  | Heatmap generated according to the single bit-flip in two targets at two different clock  |    |
|      | cycles fault model                                                                        | 57 |
| 4.8  | Heatmap generated according to the exhaustive multi-bits faults in two targets at a given |    |
|      | clock cycle fault model                                                                   | 58 |
|      |                                                                                           |    |

# **LIST OF TABLES**

| 2.1 | Security policies for different data inputs                                  | 15 |
|-----|------------------------------------------------------------------------------|----|
| 3.1 | Instructions per category                                                    | 28 |
| 3.2 | Tag Propagation Register configuration                                       | 28 |
| 3.3 | Tag Check Register configuration                                             | 29 |
| 3.4 | Memory overwrite                                                             | 33 |
| 3.5 | Numbers of registers and quantity of bits represented                        | 34 |
| 3.6 | Buffer overflow: success per register, fault type and simulation time        | 34 |
| 3.7 | Format string attack: success per register, fault type and simulation time   | 38 |
| 3.8 | Compare/compute: number of faults per register, per fault type and per cycle | 40 |
| 4.1 | Fault Injection based methods for vulnerability assessment comparison        | 46 |
| 4.2 | Results of fault injection simulation campaigns                              | 57 |
| 4 3 | Buffer overflow: success per register fault type and simulation time         | 59 |

# **LIST OF LISTINGS**

| 3.1 | Compare/Compute C Code                                | 30 |
|-----|-------------------------------------------------------|----|
| 3.2 | Buffer overflow C code                                | 31 |
| 3.3 | WU-FTPd C code                                        | 33 |
| 4.1 | Example of a FISSA configuration file                 | 50 |
| 4.2 | Example of a FISSA target file                        | 51 |
| 4.3 | Extract of an example of a FISSA output log JSON file | 53 |

## INTRODUCTION

 $Io \ T \ without \ security \ means \ Internet \ of \ Threats$ 

Stéphane Nappo

### Contents

| 1.1 | Context            | 1 |
|-----|--------------------|---|
| 1.2 | Objectives         | 4 |
| 1.3 | Manuscript outline | 5 |

## 1.1 Context

An embedded system is a specialised computing system designed to perform dedicated functions or tasks within a larger mechanical or electrical system. Unlike general-purpose computers, embedded systems are optimised for specific control operations and are typically integrated into the hardware they manage. These systems are characterised by their compact size, low power consumption, and real-time performance constraints. They consist of microcontrollers or microprocessors, along with memory and input/output interfaces, tailored to meet the precise requirements of the application they serve. Embedded systems are ubiquitous in modern technology, powering a wide range of devices from household appliances and medical equipment to industrial machines and automotive systems, ensuring efficiency, reliability, and functionality in their operations.

The Internet of Things (IoT) has revolutionised the way we interact with technology, enabling seamless connectivity and communication between a myriad of devices. These devices are part of our daily lives, from the connected light bulb to autonomous cars. These devices collect and share data about how they are used and the environment in which they operate. Immense amounts of data are also being generated by connected cars, production, and transport applications. Today, Industrial IoT (IIoT) represents the largest and fastest-growing volume of data. To capture data, they rely on sensors embedded in every physical device, such as mobile phones, smartwatches, medical devices (pacemakers, cardiac defibrillators, etc.), but also in recent cars or in agriculture. These sensors generate data that are more or less critical, and as these data exist, they are subjects of cyberattacks. According to forecasts, the number of IoT devices in use worldwide is estimated to reach approximatively 40 billions in 2033 [5], as shown in Figure 1.1, while, today, in 2024, we are around 18 billions. The economic impact of IoT is substantial, with worldwide consumer IoT revenue expected to rise from \$181.5 billion in 2020 to 621.6 billion euros



Figure 1.1: Number of IoT (IoT) devices worldwide 2022-2023, with forecasts to 2033 (from [5])

by 2030 [6] as shown in Figure 1.2. As IoT continues to expand its reach, the importance of ensuring robust software security in these systems becomes increasingly critical. IoT devices, often characterised by limited resources and large-scale deployment, present unique security and privacy challenges.

Embedded systems, which form the backbone of IoT devices, are increasingly vulnerable to both software and hardware threats, as well as network-based threats, which can lead to data leaks or unauthorised access to essential system components. These systems are frequently deployed in environments where they are exposed to potential adversaries, making them attractive targets for various types of attack [7, 8].

Software security is a critical aspect of the development and deployment of software systems, encompassing measures and practices designed to protect applications from malicious attacks, vulnerabilities, and other security risks. It involves the implementation of protocols to ensure the confidentiality, integrity, and availability of software and data. This field addresses a wide range of threats, including but not limited to, code injection, malware, memory overflow attacks, SQL injection, and Cross-site scripting (XSS). Effective software security practices include rigorous code reviews, the use of secure coding standards, regular vulnerability assessments, and the deployment of encryption and authentication mechanisms. As software becomes increasingly integral to various aspects of daily life and business operations, ensuring its security is paramount to safeguarding sensitive information, maintaining user trust, and preventing financial and reputational damage.

Network attacks, such as Distributed Denial of Service (DDoS) attacks, can overwhelm an embedded system's network interface, rendering it inoperative, while man-in-the-middle attacks intercept and potentially alter communication between devices, Internet Protocol spoofing, jamming, and many others. These vulnerabilities can be exploited to leak confidential data, corrupt system functionality, or gain control over critical system operations, underscoring the urgent need for robust security mechanisms in



Figure 1.2: Internet of Things total annual revenue worldwide from 2020 to 2030 (from [6])

embedded systems.

On the hardware front, physical attacks refer to different techniques and methods aimed at compromising the security of embedded system. These attacks exploit vulnerabilities in the physical layer or implementation of the device's hardware to delete, modify, gain or prevent access to confidential data. The most common physical attacks are Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA).

Side-channel attacks [9] are passive physical attacks that primarily aim to exploit leakages of information from a device, such as power consumption, electromagnetic emissions, or timing information. By capturing and analysing these side-channel data, attackers can infer sensitive information, such as cryptographic keys [10].

Fault injection attacks [11–13] are active physical attacks, noninvasive or invasive, transient or permanent, where the attacker intentionally try to change the normal behaviour of a device during program execution by injecting one or more faults, then observing the erroneous behaviour that could be further exploited as a vulnerability. Boneh et al. [14] introduced fault injection attacks. They were able to break some cryptographic protocols by inducing faults into the computations.

In this dissertation, we only study and present fault injection attacks. Nowadays, these attacks are more and more easier to make. For example, NetSPI introduced, in the Black Hat conference in Las Vegas, in August 2024, a new laser hacking device called the RayV Lite [15]. The authors, Sam Beaumont and Larry "Patch" Trowell, presented their open-source tool that aims to let anyone achieve laser-based tricks to reverse engineer chips and trigger their vulnerabilities. There are already some tools such as Riscure Laser Station [16] who costs between \$10,000 and \$150,000. In the same way as NewAE [17] with their ChipWhisperer or ChipShouter that allow to realise clock glitching, voltage glitching or even electromagnetic injection at a lower cost and more accessible, RayV Lite allows people to perform laser-

based attacks for only \$500 which is more accessible and cheaper than any other tools available. M. S. Kelly and K. Mayes [18] have shown that with cheap components they are able to make a laser setup for around \$500. The low cost and relative ease of construction of their laser environment suggests that developers of IoT devices need to seriously consider this threat on their devices, because it must be assumed that these attack techniques are readily available to malicious attackers.

Many studies have shown the vulnerabilities of critical systems against FIAs. [19] demonstrates that it is possible to recover computed secret data using FIA in hidden registers on the RISC-V Rocket processor. Electromagnetic fault injection (EMFI) attack can be used to recover an AES key by targeting the cache hierarchy and the MMU, as shown in [20]. Laser fault injections (LFI) can allow the replay of instructions [21], that can lead to the overwriting of an entire section of a program. [22] shows the use of glitch injections on the power supply to control the program counter (PC). Voltage glitches can also lead to glitch TrustZone mechanisms, as shown in [23]. Finally, authors of [24] have shown that one can combine side-channel attacks (SCA) and FIAs to bypass the PMP mechanism in a RISC-V processor.

Thus, the main challenge of this work is how can we maintain maximum protection against software attacks in the presence of physical attacks?

## 1.2 Objectives

In this dissertation, we address a part of the threats that IoT devices faces, with a particular emphasis on security threats affecting the software and hardware layers of a device. The main objective is to provide a robust security mechanism against both software and physical threats, where the attacker performs a fault injection attack to bypass a software security mechanism in order to realise a software attack. We use a security mechanism called Dynamic Information Flow Tracking (DIFT) to protect the system against software attacks. This mechanism is presented in Chapter 2.2 in details with the state of the art around and a brief overview on how it works.

The first contribution of this dissertation is to show that this mechanism is vulnerable to fault injection attacks, using an HDL simulator tool to simulate the behaviour of a processor in the presence of fault injections inside the DIFT mechanism at runtime.

The second contribution is the development of a tool for automating the simulation process on a given processor design. This open-source tool is available on GitHub and can be used during the development process to find the vulnerabilities of an HDL design. Thanks to this tool, the designer is able to check his design right from the conceptual phase and have a robust design against fault injection attacks, enabling the notion of *Security by Design*.

The third contribution is the implementation of two lightweight countermeasures inside the DIFT mechanism to protect it against fault injection attacks. For the countermeasures, we take into account various constraints such as area, performance overhead and power consumption.

Finally, in our last contribution, we evaluate different implementations of lightweight countermeasures to protect the mechanism against stronger fault model.

## 1.3 Manuscript outline

This work is segmented in seven chapters, the first being this introduction.

Chapter 2 presents the state of the art of this dissertation with the different technical terms. Firstly, it presents Information Flow Tracking (IFT) by explaining how they work, and the different types of existing IFT. Secondly, this chapter presents the different types of physical attacks, the literature about it and presents the two mains types of physical attacks: Side-Channel Attacks and Fault Injection Attacks. Finally, the chapter presents an overview of the literature about countermeasures against Fault Injection Attacks, with a small discussion on their advantage and disadvantages for each.

Chapter 3 presents the background of this work with the presentation of the RISC-V Instruction Set Architecture (ISA), the architecture of the D-RI5CY core in detail. Then, the different use cases are presented in details to show what they do, and their software vulnerability is detected by the DIFT mechanism. Finally, a vulnerability assessment is done to show how the DIFT is vulnerable against FIA in these examples and where.

Chapter 4 introduces a new tool, FISSA, to automatise fault injection campaigns in simulation. This tool allows a designer to assess his design during the conception phase. This chapter presents how it works and how to use it, and compares it to others tools available in the literature.

```
Chapter 5 William \rightarrow TODO - TBD \blacktriangleleft Chapter 6 William \rightarrow TODO - TBD \blacktriangleleft
```

Chapter 7 is dedicated to the summary of this dissertation with a short discussion on the obtained results, identifying limitations, and discussing the challenges encountered in this thesis. We also explore future research perspectives at short and long terms, and suggest potential improvements.

7

8

16

16

19

 $\mathbf{23}$ 

## STATE OF THE ART

## 15

#### 2.1 Introduction

2.4

Contents

This chapter provides an overview of related work to contextualize the primary objectives of this thesis. Firstly, in Section 2.2, Information Flow Tracking (IFT) is introduced, detailing the different types and their respective purposes. We discuss the various levels of monitoring, from program behaviour to the detection of hardware trojans. Then in Section 2.3, Physical Attacks are examined, focusing on two main types: Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA). Finally in Section 2.4, as this work concentrate on FIA, we exclusively present countermeasures against Fault Injection Attacks.

#### 2.2**Information Flow Tracking**

Fault Injection Attacks

The concept of Information Flow Tracking has been introduced by the work of Bell and LaPadula [25] and by Denning [26] in 1976. This section introduces Information Flow Tracking mechanisms, explains how they work, and presents the various types of IFT with their different functional levels.

#### Different types of IFT 2.2.1

There are two distinct types of IFT approaches: static and dynamic, each with its own specific objectives.

#### 2.2.1.1 Static IFT

Static Information Flow Tracking (SIFT) is a security technique used to analyse and control the flow of information within a program or system without executing it, by examining the source code or compiled binary [27]. This method is particularly useful for identifying theoretical vulnerabilities, ensuring compliance with design principles, and preventing unauthorised information leaks before deployment. SIFT is comprehensive, covering all possible execution paths and detecting both explicit information flows (direct data assignments) and implicit flows (leaks through control flow structures). By performing checks at compile-time, SIFT helps developers address potential security issues early, enforcing principles like non-interference and data confidentiality through security policies. However, static analysis may generate false positives by flagging theoretical flows that might not occur in practice and may struggle with certain dynamic language features or runtime-dependent behaviours. SIFT is employed in various contexts, such as verifying secure information flow in operating systems, programming languages with built-in information flow controls, and hardware design for secure systems.

### 2.2.1.2 Dynamic IFT

Dynamic Information Flow Tracking (DIFT) is a powerful security technique that monitors and analyses, in real-time, the flow of information within a program during its execution [28]. DIFT operates by tagging or labelling input data from potentially untrusted sources and tracking how this data propagates through the system [29]. As the program executes, DIFT maintains metadata about the tagged information, updating it as operations are performed on the data. This allows the system to detect when tainted data is used in security-critical operations, such as modifying control flow or accessing sensitive resources. DIFT can be implemented at various levels, including hardware, software, or a combination of both. Hardware-based implementations often offer better performance but require specialized processor modifications, while software-based approaches provide more flexibility but may incur higher overhead [28]. DIFT has proven effective in detecting and preventing a wide range of security vulnerabilities, including buffer overflows, format string attacks, and code injection attacks [29]. However, DIFT also faces challenges, such as handling implicit information flows, managing performance overhead, and addressing over-tainting issues. This approach might not cover all potential data paths, as it is dependent on the specific conditions and inputs provided during the monitoring period. Despite these challenges, DIFT remains a valuable tool for software security, particularly for runtime attack detection in modern systems.

### 2.2.2 Different levels of DIFT

IFT can be implemented at various levels of abstraction in computing systems [27, 28, 30]. Each level presents unique trade-offs between precision, performance overhead, and ease of implementation, allowing designers to choose the most appropriate approach for their security requirements.

Software-based DIFT mechanisms benefit from close integration with the software context via binary code instrumentation and source code modifications, offering better flexibility, customisation, and scalability without altering hardware components. However, these software solutions often incur high performance overheads due to the extra instructions required. They operate at either the system level, monitoring OS-wide information flows, or the program level, focusing on specific applications. On the

other hand, hardware-assisted DIFT designs can efficiently enforce security rules by implementing DIFT-related operations as hardware logic, reducing performance overhead but at the expense of flexibility and scalability, making them challenging to deploy in modern commercial systems. They can be implemented within processor cores or as off-core designs. But they can also be at the lowest level, such as Gate-Level IFT who tracks information flow through logic gates. A hybrid hardware and software co-design offers a promising alternative, enabling fine-grained security checks by associating software context with hardware data, though it faces challenges such as balancing flexibility with hardware overhead and designing appropriate tags that support rule updates post-deployment.

Figure 2.1 represents the different levels of a simplified embedded system: application layer, system service layer, OS layer, and hardware layer. This figure is inspired by Figure 1.9 of [31]. Software-based IFTs work in the first three levels.

Positioned at the highest level of the software hierarchy, the application layer is responsible for implementing system functionalities and business logic. Functionally, all modules within this layer work together to execute the required system operations. Applications generally run in a less-privileged mode on the processor and utilise the OS-provided API scheduling to communicate with the operating system. The system service layer serves as the intermediary service interface offered by the OS to the application layer. This interface allows applications to access a variety of OS-provided services, essentially bridging the gap between the OS and applications. Typically, this layer encompasses components like the file system, Graphical User Interface (GUI), task manager. An Operating System (OS) is a software framework designed to manage hardware resources uniformly. It abstracts numerous hardware functions and offers them to applications as services. Common services provided by an OS include scheduling, file synchronisation, and networking. Operating systems are prevalent in both desktop and embedded systems. In the context of embedded systems, OSs possess distinct characteristics such as stability, customisability, modularity, and real-time processing capabilities. The hardware layer refers to the physical components and circuitry, including the microprocessor or microcontroller, memory, sensors, and input/output interfaces. This layer encompasses all the tangible electronic elements that interact directly with each other to perform the device's functions. It provides the essential infrastructure that supports and drives the embedded system's operations and connectivity.



Figure 2.1: Simplified representation of the different layers in an embedded system

Tracking information can be performed at various levels, from the application level to the hardware

level. Each level offers distinct advantages and disadvantages. For instance, application-level tracking might provide detailed insights and user-friendly interfaces, while hardware-level tracking offers more granular data and real-time monitoring but can be more complex and costly. The following subsections explore these different levels, highlighting their respective benefits and limitations.

#### 2.2.2.1 Software-based DIFT

Application level DIFT tracks information flows between application variables. The programmer has to integrate data tagging inside his program and use a modified compiler or analyse his program to check if no security violation happened. One application for DIFT at application level is language-based. Several security extensions have been proposed for existing programming languages. JFlow [32] is one of the first works that has described an extension of the Java language by adding statically-checked information flow annotations.

Multiples works introduce DIFT extensions for different languages, for example, such as JavaScript [33, 34]. Austin et al. [34] propose a method for tracking information flow in dynamically-typed languages, focusing on addressing issues with implicit paths through a dynamic check. This approach avoids the necessity for approximate static analyses while still ensuring non-interference. The method employs sparse information labelling, keeping flow labels implicit where possible and introducing explicit labels only for values crossing security domains.

Kemerlis et al. [35] provide a framework, *libdft*, which is fast and reusable and applicable to software and hardware. *libdft* provides an API for building DFT-enabled tools that work on unmodified binaries.

OS level and System-based DIFT track and tag files (read or written) used by the application. The main advantage of this approach is that it reduces the number of information flows, which lead to an improvement of the runtime overhead. In the other side, the main disadvantage of this approach is that it results in more false positives than the application-level approach.

TaintDroid [36] introduces an extension to the Android mobile phone platform designed to monitor the flow of privacy-sensitive data through third-party applications. Operating under the assumption that downloaded third-party applications are untrusted, TaintDroid tracks in real-time how these applications access and handle users' personal information. The primary objectives are to detect when sensitive data is transmitted out of the system by untrusted applications, and to enable phone users or external security services to analyse these applications. They store the data adjacent to data for spatial locality. This may cause large performance and storage overheads, as the tag fetching requires extra clock cycles for memory access. HiStar [37] is a new OS that has been designed to provide precise data specific security policies. The authors made the choice to assign tags to different objects in the operating system instead of data.

## 2.2.2.2 Software and Hardware Co-Design-Based DIFT

This type of design combines the features of both software DIFT and hardware DIFT. Using binary instrumentations and a modified compiler, the hardware and software co-design can provide the best of these two categories of DIFT: flexible security configuration and fine-grained protection with low impact on performances [28, 30].

One example of this type of DIFT is RIFLE [38], a runtime information-flow security system designed from the user's perspective, provides a practical means to enforce information-flow security policies on all programs by leveraging architectural support. RIFLE employs binary instrumentation and architectural support to enforce information flow security policies during runtime. The conventional Instruction Set Architecture (ISA) is transformed into an Information-Flow Security (IFS) ISA using a dedicated binary translator. Each instruction in the ISA corresponds to an instruction in the IFS ISA. In the IFS ISA, additional security registers are assigned to hold tags. To avoid the pitfalls dynamic mechanisms encountered while tracking implicit flows, the binary translation will convert all implicit flows to explicit flows. The RIFLE architecture is then responsible only for tracking explicit flows. The translated binary is executed within a modified processor supporting the IFS ISA, which is simulated within the Liberty Simulation Environment. RIFLE works with every programs that run on a system, and policy decisions are left to the user, not the programmer.

Townley et al. [39] presented LATCH, a generalizable architecture for optimizing DIFT. LATCH exploits the observation that information flows under DIFT exhibit strong spatial and temporal locality, with typical applications manipulating sensitive data during limited phases of computation. The main objective is to detect attacks on the integrity of the system. The architecture consists of a software-assisted hardware accelerator (S-LATCH) running on a single simulated core. The software component of S-LATCH propagates tags, while the hardware accelerator monitors the data accessed by the program to detect tags.

Porquet et al. [40] presented WHISK, a whole system DIFT architecture implemented within a hard-ware simulator. WHISK stores tags and data separately in memory locations to keep low area overhead and improve flexibility and to better accommodate the integration of hardware accelerators.. Tag insertion, storage, and access to the custom hardware are delegated. The software subsystem uses MutekH exokernel-based OS and provides support for tag page allocation, page table cache configuration, and interrupt handling concerning writes to untagged pages.

#### 2.2.2.3 Hardware-based DIFT

Dalton et al. [41] report that software DIFT solutions add significative runtime overhead, up to a slow-down of 37 times! Therefore, in order to improve the execution time to be more on-the-fly, the idea is to directly implement the DIFT into the hardware, but the trade-off is flexibility. This subsection discusses the hardware-based DIFT designs, including gate-level DIFT designs and micro-architecture-level DIFT designs. Surveys [27, 30] present an overview on all hardware DIFT techniques. They developed a taxonomy for them and use it to classify and differentiate hardware DIFT tools and techniques.

Gate-Level DIFT include gate-level netlist and also RTL designs. The goal is to protect against hardware trojans and unauthorized behaviours. To achieve that, during the creation of the circuit, additional logic is added for each gate used in the design.

GLIFT [42] is a well-established IFT technique. The goal is to protect against hardware trojans and unauthorized behaviours. All information flows, both explicit and implicit, are unified at the gate level. GLIFT employs a detailed initialisation and propagation policy to precisely track each bit of information flow, by adding additional logic for each gate used in the design. By analysing how inputs

influence outputs, GLIFT accurately measures true information flows and substantially reduces the false positives typically associated with conservative IFT techniques. Hu et al. [43] established the theoretical foundation for GLIFT. They introduced several algorithms for generating GLIFT logic in large digital circuits. Additionally, the authors identified the primary source of precision discrepancies in GLIFT logic produced by various methods as static logic hazards or variable correlation due to reconvergent fan-outs. Many other works have been done on GLIFT to attempt a decrease of the logic complexity.

Off-Core DIFT operations are performed on a dedicated coprocessor working in parallel of the main core. The main drawback is that this approach needs a support from the OS for the synchronisation between data computations and tags computations in order to stall one core if it needs to wait the other. But on the other hand, its advantage is that it does not require internal hardware modifications to the main kernel. Processor manufacturers do not prioritise this type of security, and as most processors are not open to the public, it is difficult to modify them.

Kannan et al. [44] described one of the first work using a coprocessor to improve tag computation runtime overhead. Traditional hardware DIFT systems require significant modifications to the processor pipeline, which increases complexity and design time. Figure 2.2 represent how an off-core DIFT would be implemented. Kannan et al. uses this idea for implementing their solution of DIFT. This coprocessor handles all DIFT functionalities, synchronizing with the main processor only during system calls. This design eliminates the need for changes to the processor's pipeline, logic, or caches, making it more attractive. The coprocessor is small, with an area footprint of about 8% of a simple RISC core, and introduces less than 1% runtime overhead for SPECint2000 applications benchmark. The paper demonstrates that the coprocessor provides the same security guarantees as integrated DIFT architectures, supporting multiple security policies and protecting various memory regions and binary types. This approach offers a balanced solution in terms of performance, cost, complexity, and practicality compared to existing DIFT implementations.

Wahab et al. [45, 46] developed a DIFT using the ARM CoreSight debug component to extract a trace. However, the debug component could only extract limited information about the application executing on the core. Therefore, some instrumentations have been required to recover the complete program trace. The information obtained from the trace is then sent to a dedicated DIFT coprocessor, which analyses the instruction trace and propagates tags according to a security policy. In terms of performance and area footprint, [46] gives around 5% communication overhead and an area overhead of 0.47% and a power consumption increased by 16%; while [45] gives a communication overhead of 335%, an area increased by 0.95% and a power consumption increased by 16.2%. These results can not be compared to the initial design, as they use a coprocessor without the ARM core results.

Off-Loading DIFT use a dedicated core of a multicore CPU [47–49]. Figure 2.3 represents how Off-Loading DIFT works with a core running the application and another, in parallel, run the DIFT analysis on the application trace. The application core is modified to create a trace and compress it. The trace includes executed instructions and packs main information such as PC address, register operands. This trace is then sent to the DIFT core via the L2 cache. Finally, the security core will decompress the trace and realizes tag computation in order to check whether an illegal information flow has been done. The



Figure 2.2: Representation of a Hardware Off-Core DIFT (inspired by Figure 1 of [44])

notion of illegal information flow is specified thanks to a DIFT security policy. The main advantage is that hardware does not need to know DIFT tags or policies and does not need a coprocessor with the management of the synchronisation between the two processors. But the main drawback is that it requires a multicore CPU but reduces the number of core available and doubles the energy consumption due to the application trace analysis. In an embedded system where consumption is a critical factor, this solution is difficult to consider.

In-Core DIFT rely on a deeply modified processor pipeline which need to integrate tag computations inside the main core in parallel of data computations. This approach is highly invasive, but does not require any additional cores or coprocessors to operate and introduces no overhead for intercore synchronisation. Overall, its performance impact in terms of clock cycles over native execution is minimal. On the other hand, the integrated approach requires significant modifications to the processor core. All pipeline stages must be modified to add tags, a dedicated register file and first level of caches must be added to store tags in parallel with the regular blocks into the processor core. Figure 2.4 shows the architecture of an In-Core hardware DIFT. When the processor fetches an instruction, its associated tag is sent in parallel. In the decode stage, the instruction is decoded while the security decode module decode the security policy to determine how the tag should be propagated and checked. When the instruction is executed, the tag is sent to a tag ALU to be checked. Then, if the tag is conforming to the security policy, the tag and the ALU output will be saved into the Data-Cache to be used again or stored in memory. Otherwise, if the tag is not conforming, the DIFT mechanism detects the security violation and can raise an exception, stop the application, depending on what is configured.

Suh et al. [29] proposed an approach in which the OS identifies a set of input channels as spurious, and the processor tracks all information flows from these inputs. Thanks to this tracking, the processor



Figure 2.3: Representation of a Hardware Off-Loading DIFT (inspired by Figure 1 of [44])

can detect various attacks such as attack targetting instructions or jump addresses. If the security policy detects something malicious in hardware, the OS will process the exception. They use a 1-bit tag, which means only two ways of representing security levels. They present two security policies that track differing sets of dependencies. Implementing the first policy incurs, on average, a memory overhead of 0.26% and a performance decrease of 0.02%. The second policy incurs, on average, a memory overhead of 4.48% and a performance decrease of 0.8%, and requires binary annotation unlike the first policy.

Dalton et al.[41] presented a DIFT architecture, Raksha, to support a flexible security configuration at runtime. They extended all storage locations including registers, caches and main memory with tags, they modified the ISA instruction to propagate and check tags. In this solution, they use 4-bits tags for each word. These tags represent the security policy and not the data state (e.g. trusted or untrusted). The authors provided two global sets of configuration registers, i.e., Tag Propagation Registers (TPR) and Tag Check Registers (TCR), to configure the security policy at runtime. There is one pair of TPR/TCR for each of the four security policies. The configuration register could be configured only in trusted mode. Moreover, the tag propagation and check could only be disabled in trusted mode. However, the security policy is difficult to update when the architecture is deployed. The Raksha prototype is based on the Leon SPARC V8 processor, a 32-bit open-source synthesizable core, and they mapped the design onto an FPGA board.

Palmiero et al. [1] implemented a DIFT framework, D-RI5CY, on a RISC-V processor and synthesized it on a Field Programmable Gate Array (FPGA) board with a focus on IoT applications. The proposed design tags every word in data memory with a 4-bits tag and every general register with a 1-bit tag. Similarly to [41], Palmiero et al. [1] also adopted global configuration registers to customise the rule of tag propagation and checking. Each type of instruction has its own rule and can be modified separately. This method provides a more fine-grain tracking than Raksha but lacks flexibility for security policy reconfiguration for different program contexts.



Figure 2.4: Representation of a Hardware In-Core DIFT (inspired by Figure 1 of [44])

### 2.2.3 How hardware DIFT work

DIFT is a technique used in computer security to monitor the flow of information through a system. It aims to prevent security breaches such as data leaks, unauthorised data manipulation, and execution of untrusted code. In DIFT, each data is associated with a tag that indicates its security level. For example, a tag might indicate whether data is 'trusted' or 'untrusted'. When data is input into the system, it is initially tagged based on its source.

As data moves through the system, these tags are tracked to ensure compliance with security policies and to ensure that sensitive information does not get exposed or manipulated improperly. For instance, if an operation involves both trusted and untrusted data, the result might be tagged as untrusted to ensure security.

An example of such security policy can be represented in Table 2.1. In this example, if the data comes from the network or if it's manipulated by a user, in the case of a scanf() function in C language for example, the data cannot be trusted, while if the data comes from a secure channel or is manipulated by the system itself, the data can be trusted.

Table 2.1: Security policies for different data inputs

| Data Input | Security Policy | Tag       |
|------------|-----------------|-----------|
| User Input | User-provided   | Untrusted |
| Network    | External source | Untrusted |
| Internal   | System-provided | Trusted   |

Figure 2.5 illustrates the three main steps of how DIFT works. Firstly, three data,  $C_1$ ,  $C_2$ , and  $C_3$ , with their associated tags in three different colours, are initialised on the left side of the figure.

In the second step, when the data is fetched by the core for computation, the associated tags are propagated inside the core and confronted with the propagation policy depending on the operations performed on the data.

Finally, in the last step, on the right side of the figure, there are two data outputs derived from the three initial data. Data  $C_4$  results from the combination of data  $C_2$  and  $C_3$ , while data  $C_5$  is derived from data  $C_1$ . Since data  $C_1$  has not been modified, its tag remains the same. However, the tag associated with  $C_4$  is a mix of tags from  $C_2$  and  $C_3$ . Depending on the security policy, if  $C_2$  was trusted and  $C_3$  was not, the output tag will be untrusted. Consequently, when the tags go through the final step of DIFT, they will be checked, and an exception may be raised or the application may be stopped due to the mixing of trusted and untrusted values.



Figure 2.5: Representation of the DIFT mechanism from initialisation to checking.

## 2.3 Physical Attacks

This section presents an overview of the state of the art on physical attacks. We present the different types of physical attacks and their methods to recover secret information. Firstly, we begin with Side-Channel Attacks, how to use information leakage to recover useful information and how to analyse them. Secondly, we introduce Fault Injection Attacks. We define the different possibilities of injection and how to achieve them.

Physical attacks are separated into two main categories: passive attacks and active attacks. Passive attacks are also called Side-Channel Attacks (SCA), and active attacks are often called Fault Injection Attacks (FIA). Figure 2.6 shows a representation of a taxonomy to classify the different method of physical attacks. Each type of attacks will be explained in this following subsections.

## 2.3.1 Side-Channel Attacks

Side-Channel Attacks exploit information leakages on the circuit behaviour such as power consumption, electromagnetic radiation or the execution time of an application. This type of attack does not call into question the theoretical integrity of the implementation, but aims to recover information by devious means. During data processing, the alternation between different states requires time and minimal energy dissipation, the variations of which can be analysed by the attacker. This information allows the attacker to access secret data such as a password, or cryptographic key. The origin of these attacks date back to the TEMPEST program from NSA [51]. They described the vulnerabilities of a cryptographic implementation from their electromagnetic emissions, depending on the input and data.

Figure 2.7 represents the different methods of SCA on a microprocessor. We will go into detail of these different methods in the following text. The main idea is to have an application running on the



Figure 2.6: Taxonomy of the different methods of physical attacks (inspired by [50])

processor and an attacker will use one method to trace the application multiple times to recover secret information (e.g. cryptographic key, password, private data, etc.).

Power analysis exploits time differences in target power consumption during sensitive executions. Modern systems contain billions of transistors (up to 146 billions transistors for AMD Instinct MI300A<sup>1</sup>). These transistors act as voltage switches and as they are continually switched on/off during execution, they cause voltage variations that can be observed and measured using equipments and devices (oscilloscope, voltmeter, etc.). These results data are analysed and from a certain number of data, an attacker can deduce secrets. Kocher et al. [52, 53] introduced this method of SCA to recover cryptographic key from the analysis of power consumption. They introduced the Simple Power Analysis method (SPA) and Differential Power Analysis (DPA) [54]. While SPA attacks mainly use visual inspection to identify relevant power variations, DPA attacks use statistical analysis and error correction techniques to extract information correlated to secret keys. Lipp et al. [55] present an attack, PLATYPUS, a software-based power side-channel attack on Intel server, desktop, and laptop CPU. They exploit unprivileged access to the Intel Running Average Power Limit (RAPL) interface. By observing variations in power consumption, they achieve to monitor the control flow of applications and also infer data and extract cryptographic keys.

Execution time analysis also known as timing attacks and first introduced by Kocher [10], takes advantage of the fact that some sensitive computational operations vary in time depending on their secret inputs. An attacker can learn information about these inputs by measuring the running time of the operation. Inherently, these attacks require the attacker to obtain responses from the target to measure its runtime. The works of Kocher [10], Brumley and Boneh [56] demonstrate attacks on many popular cryptosystems, including DSS, RSA, and OpenSSL.

**Electromagnetic analysis** exploits electromagnetic (EM) emissions signatures produced when conducting logic operations. Thus, EM emissions reflect the operations of the system. In 2001, Quisquater

<sup>1.</sup> https://www.amd.com/en/products/accelerators/instinct/mi300/mi300a.html



Figure 2.7: Representation of the different methods of Side-Channel attacks

and Samyde [57] extended SCA with EM analysis. EM SCA methods can be divided into Simple EM Attack (SEMA) and Differential EM Attack (DEMA) similarly to power attacks [58]. By observing different signal patterns of collected traces, SEMA can directly interpret cryptographic operations. DEMA extracts secret keys by comparing collected EM traces to hypothesised values and looking for peaks indicative of an accurate prediction [59]. The attacker collects EM radiation using an EM probe. The probe is placed near the electronic equipment. At this stage, the quality of the collected EM traces, and thus the effectiveness of EM SCA, is strongly affected by several measurement parameters such as EM probe, noise, trigger, sampling rate and frequency band. Recent work has shown that different EM probe characteristics (e.g. diameter, orientation) and spatial location significantly affect EM traces [60–62].

Temperature analysis exploit the temperature values induced by the activity of the system. This attack is linked to electromagnetic and power analysis, as they use traces from the system's execution. Aljuffri et al. [63] presented a study on thermal analysis where three different power-based SCAs were modified for thermal attacks and applied to a naive RSA implementation. Their experiments were able to retrieve the secret key with an accuracy of 100%. Another experiment attacked a protected implementation of RSA and completed the extraction of the key with only five traces. Hutter et al. [64] present results of data leakages of CMOS devices from temperature SCA. They study the leakage of processed data by measuring the dissipated heat of the devices.

Acoustic analysis takes advantage of the analysis of the sound emitted by the systems. This technology has been around for a long time and is used in many fields, such as sonar. The "golden ear" in a submarine listens to the sounds of the sea and is able to detect and distinguish a submarine, a warship, or a merchant vessel by the sound of its turbine alone. It is also able to determine its direction and nationality.

Computers emit high-pitched sounds when they are running. This is due to vibrations in some of their electronic components. These sounds are more than just a nuisance. They can convey information about the software running on the computer. In particular, they can reveal sensitive information about securityrelated calculations. People have shown that it is possible to recover RSA keys from their sound. Backes et al. [65] present an attack that retrieves what a dot-matrix printer is printing from a recording of the sound it makes. Their experiments show that they can recover up to 72% of the words printed, and up to 95% if they know the context of the text. For this experiment, they used a dictionary-based approach to printed English words. Genkin et al. [66] demonstrated that RSA key extraction using acoustic cryptanalysis was feasible against a Lenovo laptop from a smartphone nearby. The authors targeted GnuPG's RSA implementation using a laboratory microphone setup and a Samsung Note II, and showed that a 4096-bit key could be recovered within an hour using audible and ultrasonic sound emanations. Harrison et al. [67] present an implementation of a deep-learning model to classify laptop keystrokes using a microphone. They use the trained model to recognise the keystrokes, and they achieve an accuracy of 95%. They trained their model from a Zoom conference and this time they achieve an accuracy of 93%. Their results have shown that it is possible to recover password or other secret information of a victim from its keystrokes even without a physical presence.

## 2.3.2 Fault Injection Attacks

As early as the 1970s, with advances in the space industry, anomalies in the operation of electronic circuits were observed and possibly linked to cosmic radiation outside the Earth's atmosphere [68–70]. These disturbances were initially found to affect the performance of electronic systems in space environments, where high-energy particles could disrupt the normal functioning of circuits. However, as transistors became smaller and required less energy to operate, similar phenomena were observed in terrestrial environments and aircraft systems. These transient disturbances, commonly referred to as "soft errors", are now recognised as a critical issue in both space and ground electronics, affecting everything from memory chips to complex processors.

However, in addition to these induces cosmic faults, wanted faults exist and are known as Fault Injection Attacks (FIA). FIA involves deliberately introducing a fault into the system to observe its behaviour and identify potential vulnerabilities. If the error caused by the fault does not propagate and execution of the application completes normally, the fault is ineffective. On the other hand, if the fault affects the execution of the application, causing it to fail or behave differently than expected, then the fault is effective. These faults can impact the performance, functionality, and reliability of the circuit. These attacks can induce errors in internal electronic components, which can be utilised to recover cryptographic keys and other secret data. These attacks have been vastly studied since the first introduction of these attacks by Boneh et al. in 1997 [14, 71]. Multiple studies or surveys [11, 13, 50, 72–74] present the different sources of FIA. Figure 2.8 presents a summary of the different methods of FIA, the figure does not represent all possible methods. Each of these attacks requires equipment that is more or less expensive

and easy to acquire, ranging from a few hundred euros (clock glitches, voltage glitches) to several hundred thousand (Laser, X-Ray, Focused Ion Beam).

As shown in the Figure 2.6, these attacks are categorised as transient or permanent, and invasive or non-invasive. The effect of a transient fault lasts for a limited period of time. These faults rarely do any lasting damage to the component affected, although they can induce an erroneous state in the system. Their aim is to temporarily disrupt the program control flow or corrupt the results of an instruction to gain unauthorised access to sensitive code and data. By opposition, permanent faults or destructive faults, created by purposely inflicted defects to the chip's structure, have a permanent effect. Once inflicted, such destructions will affect the chip's behaviour permanently and persist irrespective of device restarts and resets.

Invasive attacks involve major alteration to the Device Under Test (DUT), such as decapping the System-on-Chip (SoC) to expose its internals and remove any protective layers. These processes risk irreparable damage or destruction of the target under evaluation, potentially leading to permanent data loss.

Non-invasive attacks require no tampering of the DUT. They are able to mask their presence as they have no effect on the system other than the faults they inject.



Figure 2.8: Representation of the different methods of Fault Injection attacks

#### 2.3.2.1 Invasive attacks

Invasive attacks need to decapsulate the chip or the Integrated Circuit (IC). Decapsulating a die or integrated circuit (IC) is a process used to expose the internal components of an IC, typically for failure analysis or reverse engineering. The goal is to carefully remove the protective encapsulation, which shields the silicon die and is typically made of epoxy or ceramic, without causing damage to the internal structures. There are several methods to achieve this, each suited to different packaging materials and levels of precision, ranging from chemical processes to advanced techniques like laser ablation and plasma etching.

The most common method is chemical decapsulation, which involves etching away the epoxy with concentrated acids such as nitric or sulphuric acid. This process requires safety precautions such as protective clothing and neutralisation of the acids after removal of the encapsulation. It is an effective but dangerous process and require careful control to avoid damaging the die, as over-etching can cause irreversible harm.

Another method is laser decapsulation, which uses a precision laser to remove the encapsulation material layer by layer. This technique is highly accurate and reduces the risk of damage to the die, but it is expensive and requires specialised equipment. Mechanical decapsulation involves physically grinding or cutting away the encapsulation, but has a high risk of damaging the die, especially when approaching the final layers.

Plasma etching is a more advanced technique that uses ionised gases to gradually etch away the encapsulation material. It offers high precision but is slower than other methods and is typically used in research or industrial environments. Whichever method is used, safety precautions are essential, especially when dealing with hazardous chemicals and sensitive materials.

Figure 2.9 shows three different steps to decapsulate a circuit. To be noted, this processor is the AMD Zen2 EPYC 7702 server processor which is not for embedded systems.



(a) Initial die from an AMD Zen 2 EPYC 7702 server processor



(b) AMD EPYC 7702 after delidding, with remains of solder thermal interface material (TIM)



(c) Die shot of the center die, after removal from processor package substrate and metallization etching

Figure 2.9: Three steps to decapsulate a die (from [75])

Camera flash/light source is a type of optical attack. The attacker needs to decapsulate the chip, and the strong radiation emitted by the flash directed at the silicon surface can cause the blanking of memory cells where constant values are stored for algorithms execution (e.g., the AES S-Boxes). These

attacks are inexpensive, but, in the other hand, they are not very accurate. Skorobogatov et al. [76] used a flashgun for \$30 while being able to change any bit of an SRAM array.

Schmidt and Hutter [77] present practical attacks on implementations of RSA that use Chinese Remainder Theorem (CRT). These attacks have been performed into a cryptographic device through optical and EM injections. They use a laser diode as a light source, the diode emitts a light beam of 100 mW with a wavelength of 785 nm. The light from the diode is guided thanks to a fibre-optic of 1 mm in diameter.

Guillen et al. [78] present a low-cost fault injection setup, around couple hundred euros, which is capable of producing localized faults in modern 8-bit and 32-bit microcontrollers. This setup does not require handling dangerous substances or wearing protection equipment. The fault produced by this setup are able to successfully attack real-world cryptographic implementations, such as the NSA's Speck lightweight block cipher [79].

**Laser beam** is another type of optical attacks. Using a laser beam, a single bit in a memory can be set (set to 1) or reset (set to 0) by attacking either front side or the back side of the chip.



Figure 2.10: Example of a laser fault injection setup (by Riscure Laser Station 2 [16])

**X-Rays** [80-82]

#### Focused ion beam

#### 2.3.2.2 Non-invasive attacks

Clock glitches | William | ▶ insérer image / schéma clock glitch◀

Voltage glitches | William | ▶insérer image / schéma voltage glitch◀

Heating attacks

Electromagnetic fault injections (EMFI)

#### 2.3.2.3 Summary

William ► Insérer tableau des différentes méthodes de FIA avec comparaisons comme dans article [50] + article de référence Berenghi 2012◀

#### 2.3.2.4 Fault models

## 2.4 Countermeasures against FIA

# D-RISCY - VULNERABILITY ASSESSMENT

#### Contents

| 3.1 D-RI5CY                                     | 25 |
|-------------------------------------------------|----|
| 3.1.1 RISC-V Instruction Set Architecture (ISA) | 25 |
| 3.1.2 DIFT design                               | 26 |
| 3.1.3 Pedagogical case study                    | 29 |
| 3.2 Use cases                                   | 30 |
| 3.2.1 First use case: Buffer Overflow           | 30 |
| 3.2.2 Second use case: Format String (WU-FTPd)  | 31 |
| 3.3 Vulnerability assessment                    | 33 |
| 3.3.1 Fault model for vulnerability assessment  | 34 |
| 3.3.2 First use case: Buffer overflow           | 34 |
| 3.3.3 Second use case: Format string (WU-FTPd)  | 36 |
| 3.3.4 Third use case: Compare/Compute           | 40 |
| 3.4 Summary                                     | 41 |

This chapter provides the background of this thesis and the vulnerability assessment. The first section offers a description of the RISC-V Instruction Set Architecture (ISA) and an overview of the specific RISC-V DIFT design under consideration. The second section details and describes the considered uses cases of this thesis. Finally, the third section assesses the vulnerabilities of the D-RI5CY, using these three cases.

## 3.1 D-RI5CY

In this section, we describe the RISC-V ISA and detail the DIFT design we have chosen to focus on. We choose to work on RISC-V core as they are open-source, and it means that we have the ability to access and modify the design according to our needs.

#### 3.1.1 RISC-V Instruction Set Architecture (ISA)

RISC-V is an open and free ISA, which was originally developed at University of California, Berkeley, in 2010, and now is managed and supported by the RISC-V Foundation, having more than 70 members



Figure 3.1: D-RI5CY processor architecture overview. DIFT-related modules are highlighted in red.

including companies such as Google, AMD, Intel, etc. The architecture was designed with a focus on simplicity and efficiency, embodying the Reduced Instruction Set Computer (RISC) principles. Unlike proprietary ISA, RISC-V is freely available for anyone to use without licensing fees, making it a popular choice for academic research, commercial products, and educational purposes.

Technically, RISC-V features a modular design, allowing developers to incorporate only the necessary components for their specific application, which can significantly reduce the processor's complexity and power consumption. It supports several base integer sets classified by width—mainly RV32I, RV64I, and RV128I for 32-bit, 64-bit, and 128-bit architectures respectively. Each base set can be extended with additional modules for applications requiring floating-point computations (e.g., RV32F, RV64F), atomic operations (e.g., RV32A, RV64A), and more. This modularity and the openness of RISC-V have spurred a wide range of innovations in processor design and applications in areas ranging from embedded systems to high-performance computing.

### 3.1.2 DIFT design

This thesis focus on the evaluation of a DIFT against fault injection attacks in order to protect it. We opted to not develop a Dynamic Information Flow Tracking (DIFT) system from scratch, as this would have required considerable time for implementation and testing, which was not within the scope of our objectives. Consequently, we decided to review the current state of the art and select an open-source DIFT system. As a result, we have selected the D-RI5CY [1, 83] design, which utilises the RI5CY core supported by PULPino and developed by ETH Zurich. This is a 4-stage, in-order, 32-bit RISC-V core optimised for low-power embedded systems and IoT applications. It fully supports the base integer instruction set (RV32I), compressed instructions (RV32C), and the multiplication instruction set extension (RV32M) of

the RISC-V ISA. Additionally, it includes a set of custom extensions (RV32XPulp) that support hardware loops, post-incrementing load and store instructions, and, ALU and MAC operations.

D-RI5CY has been developed by researchers of Columbia University, in the USA, in partnership with Politecnico di Torino, in Italy. D-RI5CY use the RI5CY processor, in which they implemented a hardware in-core DIFT.

Figure 3.1 presents an overview of the D-RI5CY processor's architecture. In red and dark red are represented the DIFT specific modules. These modules allow tags to be initialised, propagated and checked during the execution of a sensitive application. The Tag Update Logic module is used to initialize or update the tag in the register file according to the tagged data. Then, when a tag is propagated in the pipeline in parallel to its associated data, the Tag Propagation Logic module propagates it according to the security policy defined in the TPR. Once a tag has been propagated and its data has been sent out of the pipeline, the Tag Check Logic modules check that it conforms to the security policy defined in the TCR. If not, an exception is raised and the application is stopped to avoid accessing or executing corrupted data.

The authors of the D-RI5CY defined a library of routines to initialise the tags of the data coming from potentially malicious channels. At program startup, D-RI5CY initialises the tags of the registers, program counter and memory blocks to zero. The default 1-bit tag is " $\theta$ ", this means that the data is trusted, otherwise, the tag would be set to "1" which means that the data is untrusted. They extended the RI5CY ISA with memory and register tagging instructions. They have added four assembly instructions to initialise tags for user-supplied inputs:

- **p.set rd**: sets to untrusted the security tag of the destination register *rd* (you can check the register names in the ISA specification<sup>1</sup> at page 85),
- p.spsb x0, offset(rt): sets to untrusted the security tag of the memory byte at the address of the value stored in rt + offset,
- p.spsh x0, offset(rt): sets to untrusted the security tag of the memory half-word at the address of the value stored in rt + offset,
- **p.spsw x0**, **offset(rt)**: sets to untrusted the security tag of the memory word at the address of the value stored in rt + offset.

Moreover, they augmented the program counter with a tag of one bit and the register file with one tag per register's byte (marked as T in Figure 3.1). Finally, they added 4-bit tags to the data memory. Each data element is physically stored in memory with its associated tag.

It is worth noting that the D-RI5CY designers have chosen to rely on the *illegal instruction exception* already implemented in the original RI5CY processor to manage the DIFT exceptions. This choice minimizes the area overhead of the proposed solution.

In the Control and Status Registers (CSR), they added two additional 32-bits registers: Tag Propagation Register (TPR) and Tag Check Register (TCR). These registers are used to store the security policy for both tag propagation and tag check. These registers contain a default policy, and they can be modified during runtime with a simple csr write instruction, such as csrw csr, rs1. These policies

<sup>1.</sup> https://www2.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-54.pdf

Table 3.1: Instructions per category

| Class              | Instructions                                                  |
|--------------------|---------------------------------------------------------------|
| Load/Store         | LW, LH[U], LB[U], SW, SH, SB, LUI, AUIPC, XPulp Load/Store    |
| Logical            | AND, ANDI, OR, ORI, XOR, XORI                                 |
| Comparison         | SLTI, SLT                                                     |
| Shift              | SLL, SLLI, SRL, SRLI, SRA, SRAI                               |
| Jump               | $JAL,\ JALR$                                                  |
| Branch             | BEQ, BNE, BLT[U], BGE[U]                                      |
| Integer Arithmetic | $ADD,\ ADDI,\ SUB,\ MUL,\ MULH[U],\ MULHSU,\ DIV[U],\ REM[U]$ |

Table 3.2: Tag Propagation Register configuration

|                      | Load/Store<br>Enable | Load/Store<br>Mode | Logical Mode | Comparison Mode | Shift Mode | Jump Mode  | Branch Mode | Arith Mode |
|----------------------|----------------------|--------------------|--------------|-----------------|------------|------------|-------------|------------|
| Bit index            | 17 16 15             | 13 12              | 11 10        | 9 8             | 7 6        | 5 4        | 3 2         | 1 0        |
| Policy 1<br>Policy 2 | 0 0 1<br>1 1 1       | 1 0<br>1 0         | 1 0<br>1 0   | 0 0<br>1 0      | 1 0<br>1 0 | 1 0<br>1 0 | 0 0<br>1 0  | 1 0<br>1 0 |

consist of rules, which have fine-grain control over tag propagation and tag check for different classes of instructions. The rules specify how the tags of the instruction operands are combined and checked. Table 3.1 shows the different instructions for each category represented in both TPR and TCR.

Table 3.2 shows the TPR configurations for the security policies considered in our work. Each instruction type has a user-configurable 2-bit tag propagation policy field, except for Load/Store Enable, which has a 3-bit tag. The tag propagation policy determines how the instruction result tag is generated according to the instruction operand tags. For 2-bit fields, value '00' disables the tag propagation and the output tag keeps its previous value, value '01' stands for a logic AND on the 2 operand tags, value '10' stands for a logic OR on the 2 operand tags and value '11' sets the output tag to zero. The Load/Store Enable field provides a finer-granularity rule to enable/disable the input operands before applying the propagation rule specified in the Load/Store Mode field. This extra tag propagation policy is defined through 3 bits. These bits allow enabling the source, source-address, and destination-address tags, respectively.

Table 3.3 shows the TCR configurations considered in our work. Each instruction type has a user-configurable 3-bits tag control policy field, except for Execute Check, Branch Check and Load/Store Check which have 1, 2 and 4-bits tag control policy fields respectively. The tag control policy determines whether the integrity of the system is corrupted based on the tags of the instruction's operands. The default 3-bits field should be read as follows: the right bit corresponds to input operand 1, the middle bit corresponds to input operand 2 and the left bit corresponds to the output tag of the operation. For each bit set, the corresponding tag is checked to determine whether an exception must be raised. The Execute Check field is used to check the integrity of the PC. The Branch Check field is used to check both inputs during branch instructions. The right bit is used for input operand 1 and the left bit is used for input operand 2. Finally, the Load/Store Check field is used to enable/disable source or destination tags checking during a load or store instruction. These bits enable or disable the checking of the source tag, source address tag, destination tag and destination address tag.

To summarise, at first ①, D-RI5CY initialises the configuration registers (TPR and TCR) from the

|           | Execute<br>Check | Load/Store<br>Check | Logical Check | Comparison Check | Shift Check | Jump Check | Branch Check | Arith Check |
|-----------|------------------|---------------------|---------------|------------------|-------------|------------|--------------|-------------|
| Bit index | 21               | 20 19 18 17         | 16 15 14      | 13 12 11         | 10 9 8      | 7 6 5      | 4 3          | 2 1 0       |
| Policy 1  | 1                | 1010                | 0 0 0         | 0 0 0            | 0 0 0       | 0 0 0      | 0 0          | 0 0 0       |
| Policy 2  | 0                | 0.0.0               | 0.0.0         | 0.0.0            | 0.0.0       | 0.0.0      | 0.0          | 0.1.1       |

Table 3.3: Tag Check Register configuration

default security policy. Then at program startup ②, D-RI5CY initialises all the tags to *trusted* (i.e, set to 0). The tag propagation ③ and verification ④ happen in the D-RI5CY pipeline in parallel with the standard behaviour, without incurring any latency overhead.

### 3.1.3 Pedagogical case study

To present the use of the D-RISCY, we will introduce a use case to demonstrate how to use a new security policy and how the DIFT will detect the violation of different security policies. This use case has been developed for pedagogical purposes but does not involve a real software attack.

Listing 3.1 shows the C code used for this use case. Lines 2 to 4 initialize variables, lines 5 and 6 configure a security policy by writing in the TPR and TCR registers thanks to an assembly line. Line 7 tags the variable "a" as untrusted (tag is set to "1"). In line 8, variables "a" and "b" are compared to determine which arithmetic operation should be performed. Lines 9 to 21 detail the assembly code generated from the line 8 C statement. It executes the operations according to the values of "a" and "b" stored in the registers "a4" and "a5". The "(a>b)" condition and its associated branch is computed in line 9, the "(a-b)" subtraction in line 14 and the "a+b" addition in line 20.

The assembly line in C is constructed from keywords  $asm\ volatile$ . The template for this assembly line is: " $asm\ asm\-qualifiers\ (AssemblerTemplate: OutputOperands\ [:InputOperands\ [:Clobbers\ ]]$ )". So to explain briefly, line 7 in Listing 3.1 is composed of a custom assembly instruction "p.spsw", that takes the "x0" register as target and specifies an address mode using the placeholder "0(%0)". Finally, ":: "r" ( $\mathcal{E}a$ )" part specifies the input operand, with "r" indicating that a general-purpose register should be used to hold the address of the variable "a".

In terms of security policy, depending on which one we use in Table 3.2 and Table 3.3, we will have different results of exception. Security policy 1 propagates the tags with an OR logic for five modes (arithmetic, jump, shift, logical, and load/store mode) and enables the propagation of the tag from the source of a load/store. Security policy 1 checks the tags only for the *Execute Check* (i.e., PC instruction) and for the source address and destination address for a load/store instruction. In comparison, security policy 2 enables the propagation for all tags and checks tags only for both inputs of arithmetic instructions. To summarise from our application case, if we use security policy 1, the DIFT will detect the *load* instruction before executing the "a > b" comparison and raise an exception; whereas if we use security policy 2, the DIFT protection raises an exception when executing the instruction add a5,a4,a5 (i.e., the "a+b" C statement), since variable a is untrusted and b > a.

In the continuation of this work, this use case will be referred to as *Compare/Compute* and will be utilised as the third case, implementing security policy 2 from Table 3.2 and Table 3.3. The two other use cases will be presented in the following section 3.2.

Listing 3.1: Compare/Compute C Code

```
int main() {
    int a, b = 5, c;
    register int reg asm("x9");
    a = reg;
    asm volatile("csrw 0x700, tprValue");
    asm volatile("csrw 0x701, tcrValue");
    asm volatile("p.spsw x0, 0(\%0); ":: "r" (&a));
    c = (a > b); (a-b);

    //42c: ble a4, a5, 448

    //430: addi a5, s0, -16

    //438: addi a3, s0, -16

    //438: addi a3, s0, -16

    //440: sub a5, a4, a5

    //440: sub a5, a4, a5

    //444: lw a4, -12(a5)

    //448: addi a5, s0, -16

    //448: addi a3, s0, -16

    //448: addi a3, s0, -16

    //446: lw a4, -12(a5)

    //45c: sw a5, -4(a3)

    //450: sub a5, a4, a5

    //450: sw a5, -24(s0)
    return EXIT_SUCCESS;
}
```

#### 3.2 Use cases

This section details the considered use cases in our work. The first two use cases come from the original paper [1]. The third use case is a home-made case which is used to analyse the different DIFT part not studied in others use cases.

#### 3.2.1 First use case: Buffer Overflow

The first use case involves exploiting a buffer overflow, potentially leading to a Return-Oriented Programming (ROP) attack<sup>2</sup> and the execution of a shellcode. The attacker exploits the buffer overflow to access the return address (RA) register. When the function returns, the corrupted RA register is loaded into the PC via a jalr instruction. This hijacks the execution flow, causing the first shellcode instruction to be fetched from address (0x6fc). Due to the DIFT mechanism, the tag associated with the buffer data overwrites the RA register tag. As the buffer data is user-manipulated, it is tagged as untrusted (tag value = 1). Consequently, when the first shellcode instruction is fetched, the tag associated with the PC propagates through the pipeline until the DIFT mechanism detects a violation of the security policy and raises an exception. This attack demonstrates the behaviour of DIFT when monitoring the PC tag. This use case employs the first security policy from Table 3.2 and Table 3.3.

To illustrate the use of TCR and TPR registers, we assume that buffer data tags are set to 1 (i.e., untrusted) since the user manipulates the buffer. To detect this kind of attack, it is necessary to ensure the PC integrity by prohibiting the use of untrusted data for this register (i.e., Execute Check field of TCR set to 1). Regarding tag propagation configuration, load, and store input operand tags must be propagated to output. Thus, the TPR register Load/Store Mode field should be set to value 10 (i.e. destination tag = source tag) and the Load/Store Enable field must be set to 001 (i.e., Source tag enabled).

Listing 3.2 displays the C code for the buffer overflow scenario. The assembly code on line 22 of this listing represents the saving of the register x8, which is the saved register 0 or frame pointer register in the RISC-V ISA. Next, the source buffer is filled with A's characters and the shellcode address is appended to the end of this source buffer. Finally, lines 30-33 illustrate the tag initialisation on the source buffer.

<sup>2.</sup> https://github.com/sld-columbia/riscv-dift/blob/master/pulpino\_apps\_dift/wilander\_testbed/

Figure 3.2 represents the five steps from the source buffer initialisation to the first shellcode instruction being fetched. In Figure 3.2a, the source buffer, in yellow, is initialised with A's, and as it is manipulated by a user, it is tagged as untrusted (red). The destination buffer is empty, and both PC and RA register are trusted (green). In Figure 3.2b, the source buffer is copied into the destination buffer, the data and its tag are copied. In Figure 3.2c, the overflow occurs, and the ra register is compromised with the address of the shellcode function from the source buffer. Now, all the memory tags are untrusted. In Figure 3.2d, the PC loads the ra register along with its tag. The PC loses its integrity and became untrusted. In Figure 3.2e, the PC address is fetched, and the instruction is sent into the pipeline along with the tag. At this moment, the DIFT mechanism will detect the untrusted tag and as the security policy do not allow executing an untrusted PC, an exception will be raised and the application will be stopped.

Listing 3.2: Buffer overflow C code

```
#define BUSIZE 16
#define OVERFLOWSIZE 256

int base_pointer_offset;
long overflow_buffer[OVERRLOWSIZE];

int shellcode() {
    printf('Success !!\n');
    exit(0);
}

void vuln_stack_return_addr() {
    long *stack_buffer [BUFSIZE];
    char propolice_dummy|10|;
    int overflow;

/* Just a dummy pointer setup */
    stack_pointer = &stack_buffer[1];

/* Store in i the address of the stack frame section dedicated to function arguments */
    register int i asm('x8');

/* First set up overflow_buffer with 'A's and a new return address */
    overflow = (int)((long) + - (long)&stack_buffer);
    memset(overflow_buffer, 'A', overflow_a+);
    overflow_buffer[overflow/4-1] = (long)&shellcode;

/* TAG INITIALISATION */
    for(int j=0; j<overflow_buffer with overflow_buffer */
        mempy(stack_buffer, overflow_buffer, overflow_buffer, overflow);

return;

/* Then overflow stack_buffer with overflow_buffer */
    mempy(stack_buffer, overflow_buffer, overflow);

return;

/* Then overflow stack_buffer with overflow_buffer */
    mempy(stack_buffer, overflow_buffer, overflow);

return EXIT_SUCCESS;

}
```

### 3.2.2 Second use case: Format String (WU-FTPd)

The second use case is a format string attack<sup>3</sup> overwriting the return address of a function to jump to a shellcode and starts its execution. This use case uses the first security policy from Table 3.2 and Table 3.3. This attack exploits the printf() function from the C library. It uses the %u and %n formats (see Chapter 12, Section 12.14.3 in [84] for detailed information) to write the targeted address.

Listing 3.3 shows the C code of this use case. The echo function assign the x8 register to a variable 'i' which goes into another variable 'a'. The lines 13-14 are used to initialise the tag associated to the

<sup>3.</sup> https://github.com/sld-columbia/riscv-dift/tree/master/pulpino\_apps\_dift/wu-ftpd



Figure 3.2: Representation of how the ROP attack works

variable 'a'. This variable 'a' is user-defined, so it is tagged as untrusted for DIFT computation. The vulnerable statement is the printf statement in line 16. The format %u is used to print unsigned integer characters. The format %n is used to store in memory the number of characters printed by the printf() function, the argument it takes is a pointer to a signed int value.

The execution of the printf at line 16 leads to write in memory 224 (0xe0) at address (a-4), 224+35 so 259 (0x103) at address (a-3), and 512 (0x200) at addresses (a-2) and (a-1). The attacker's objective is to overwrite the return address with '0x3e0' which represent the address of the first function, called secretFunction in Listing 3.3. In this case, security policy prohibits the use of untrusted variables as store addresses. Since variable 'a' is untrusted, the DIFT protection raises an exception when storing a value at memory address (a-4). This use case has been chosen to activate the load/store modes of the DIFT policy.

Table 3.4 represents the different steps to overwrite the memory with the exact address of the malicious function. We can see that after each write and the right shift of the writing, the address appears. Finally, we have the address '000002000003E0' in memory from 'A+2' to 'A-4' but as an address is on 32-bits in

Listing 3.3: WU-FTPd C code

```
void secretFunction(){
    printf(*Congratulations!\n*);
    printf();

printf(*Congratulations!\n*);

printf(*Vougratulations!\n*);

exit(0);

void echo(){
    int a;
    register int i asm(*x8*);
    a = i;

asm volatile (*p.spsw x0, 0(%[a]);*
    ::[a] *r* (&a));

printf(*%224u%n%35u%n%253u%n%n*, 1, (int*) (a-4), 1, (int*) (a-3), 1, (int*) (a-2), (int*) (a-1));

return;

printf(*%224u%n%35u%n%253u%n%n*, 1, (int*) (a-4), 1, (int*) (a-3), 1, (int*) (a-2), (int*) (a-1));

return;

int main(int argc, char* argv[]){
    volatile int a = 1;
    if(a)
        echo();
    else
        secretFunction();

return 0;
```

Table 3.4: Memory overwrite

| Address | A-4  | A-3  | A-2  | A-1  | A    | A+1  | A+2  |
|---------|------|------|------|------|------|------|------|
| A-4     | 0xE0 | 0x00 | 0x00 | 0x00 |      |      |      |
| A-3     |      | 0x03 | 0x01 | 0x00 | 0x00 |      |      |
| A-2     |      |      | 0x00 | 0x02 | 0x00 | 0x00 |      |
| A-1     |      |      |      | 0x00 | 0x02 | 0x00 | 0x00 |
| Memory  | 0xE0 | 0x03 | 0x00 | 0x00 | 0x02 | 0x00 | 0x00 |

our architecture, the address fetched by the pipeline is only '000003E0'.

## 3.3 Vulnerability assessment

In order to analyse the behaviour of the processor at application runtime against Fault Injection Attacks, we have simulated some fault injections campaigns in which we inject fault inside the 55 registers associated to the DIFT, which correspond to 127 bits in total. For these campaigns, we use a tool, developed for this purpose. This tool is described in Chapter 4 and can generate the TCL code to automatise fault injections attacks campaigns at  $Cycle\ Accurate\ and\ Bit\ Accurate\ (CABA)\ level.$  Table 3.5 shows the repartition of these registers in every pipeline stage of the RI5CY core and the number of associated bits. This work has been published in ACM Sensors S&P [2].

We assess the design with fault injection campaigns. With their results associated, we can deduce which registers are vulnerable with the cycle associated and the fault model. This assessment is done for each use case for a more precise analysis and to understand how the tag is propagated and checked before the exception.

| HDL Module                   | Number of registers | Number of bits in registers |
|------------------------------|---------------------|-----------------------------|
| Instruction Fetch Stage      | 2                   | 2                           |
| Instruction Decode Stage     | 14                  | 19                          |
| Register File Tag            | 1                   | 32                          |
| Execution Stage              | 1                   | 1                           |
| Control and Status Registers | 2                   | 64                          |
| Load/Store Unit              | 4                   | 9                           |
| Total                        | 24                  | 127                         |

Table 3.6: Buffer overflow: success per register, fault type and simulation time

|                             | Cycle 3428   |              | (            | Cycle :      | ycle 3429    |              | Cycle :      | 3430 |              | Cycle 3431   |      | Cycle 3432   |              | 432  |              |
|-----------------------------|--------------|--------------|--------------|--------------|--------------|--------------|--------------|------|--------------|--------------|------|--------------|--------------|------|--------------|
|                             | set0         | set1         | bit-flip     | set0         | set1         | bit-flip     | set0         | set1 | bit-flip     | set0         | set1 | bit-flip     | set0         | set1 | bit-flip     |
| pc_if_o_tag                 |              |              |              |              |              |              |              |      |              | <b>√</b>     |      | ✓            |              |      |              |
| $rf\_reg[1]$                |              |              |              |              |              |              | $\checkmark$ |      | $\checkmark$ |              |      |              |              |      |              |
| $tcr\_q$                    | $\checkmark$ |              |              | $\checkmark$ |              |              | $\checkmark$ |      |              | $\checkmark$ |      |              | $\checkmark$ |      |              |
| $tcr\_q[21]$                |              |              | $\checkmark$ |              |              | $\checkmark$ |              |      | $\checkmark$ |              |      | $\checkmark$ |              |      | $\checkmark$ |
| $\mathrm{tpr}_{\mathbf{q}}$ | $\checkmark$ | $\checkmark$ |              | $\checkmark$ | $\checkmark$ |              |              |      |              |              |      |              |              |      |              |
| $tpr\_q[12]$                |              |              | $\checkmark$ |              |              | $\checkmark$ |              |      |              |              |      |              |              |      |              |
| $tpr\_q[15]$                |              |              | $\checkmark$ |              |              | $\checkmark$ |              |      |              |              |      |              |              |      |              |

#### 3.3.1 Fault model for vulnerability assessment

In this vulnerability assessment, we consider an attacker able to inject faults into DIFT-related registers leading to set to 0, set to 1, and single bit-flip in one register at a given clock cycle. To bypass the DIFT mechanism, the main attacker's goal is to prevent an exception being raised. To reach this objective, any DIFT-related register maintaining tag value, driving the tag propagation or the tag update process or maintaining the security policy configuration can be targeted.

#### 3.3.2 First use case: Buffer overflow

Table 3.6 shows that 22 fault injections in four different DIFT-related registers can lead to a successful attack despite the DIFT mechanism (i.e., DIFT protection is bypassed). For example, it shows that a fault injection targeting the  $pc\_if\_o\_tag$  register can defeat the DIFT protection if a fault is injected at cycle 3431 using a bit-flip or a set to 0 fault type. Furthermore, Table 3.6 shows that five different cycles can be targeted for the attack to succeed. In most cases, bit-flip leads to a successful injection with 11 successes over 22. Faults in  $tpr\_q$  and  $tcr\_q$  are successful, since these registers maintain the propagation rules and the security policy configuration (see Table 3.2 and Table 3.3 for more details about each bit position). Both  $pc\_if\_o\_tag$  and  $rf\_reg[1]$  are also critical registers for this use case. Indeed,  $pc\_if\_o\_tag$  allows the propagation of the PC tag while  $rf\_reg[1]$  stores the tag of the return address register ra.

Now that we have these results, we can analyse them and present an in-depth analysis of the simulation results leading to successful attacks. The aim is to understand why an attack succeeds. For that purpose, we study the propagation of the fault through both temporal and logical views. Most of the faults

targeting both TPR and TCR registers are not detailed in this section. Indeed, these faults mainly target the DIFT configuration and not the tag propagation and tag-checking computations. Faults targeting these registers can be performed in any cycle prior to their use.

Figure 3.3 presents the ra register tag propagation in the context of the first use case for a non-faulty execution. It focuses on three clock cycles from the decoding of a jalr instruction (i.e., returning from the called function) to the DIFT exception due to a security policy violation. In cycle 3430, this tag is extracted from the register file tag (i.e., from  $rf_reg[1]$ ). In cycle 3431, it is propagated to the  $pc_if_0$  o\_tag register. Then, in cycle 3432, it is propagated to the  $pc_id_0$  register and the first shellcode instruction is decoded. Since ra is tagged as untrusted and the security policy prohibits the use of tagged data in PC (Execute Check bit = 1 in Table 3.3), an exception is raised during the tag check process, which is performed in parallel of the first shellcode instruction decoding.

Figure 3.3 illustrates the reason behind the sensitivity of registers  $rf\_reg[1]$  and  $pc\_if\_o\_tag$  at cycles 3430, 3431 and 3432 highlighted in Table 3.6. We can note that  $pc\_id\_o\_tag$  register does not appear in Table 3.6 while Figure 3.3 shows its role during tag propagation. Actually, this register gets its value from  $pc\_if\_o\_tag$ , so a fault injection in this register only delays the exception.



Figure 3.3: Tag propagation in a buffer overflow attack

To further study the propagation of the fault, Figure 3.4 illustrates the logical relations between the DIFT-related registers (yellow boxes) and control signals or processor registers (grey boxes) driving the illegal instruction exception signal (red box). This figure does not describe the actual hardware architecture, but highlights the logic path leading to an exception raise. An attacker performing fault injections would like to drive the exception signal to '0' to defeat the D-RI5CY DIFT solution. Figure 3.4 shows that a single fault could lead to a successful injection, since all logic paths are built with AND

gates. For instance, if register  $rf\_reg[1]$  is set to 0, the tag will be propagated from  $gate\ 1$  to  $gate\ 4$ . Then,  $gate\ 5$  inputs are  $tcr\_q[21]$  (i.e., '1') and  $pc\_id\_o\_tag$  (i.e., '0',  $gate\ 4$  output). Thus,  $gate\ 5$  output is driven to '0', disabling the exception. From Figure 3.4, three fault propagation paths can be identified: from  $gate\ 1$  to  $gate\ 5$  if the fault is injected into  $rf\_reg[1]$ , from  $gate\ 4$  to  $gate\ 5$  if a fault is injected into  $pc\_if\_o\_tag$  and through  $gate\ 5$  if a fault is injected into either the  $tcr\_q$  or  $pc\_id\_o\_tag$ . Analysis of Figure 3.4 strengthens the results presented in Table 3.6 where  $set\ to\ 0$  and bit-flip fault types lead to successful attacks. The root cause is that the propagation paths consist entirely of AND gates.



Figure 3.4: Logic description of the exception driving in a buffer overflow attack

#### 3.3.3 Second use case: Format string (WU-FTPd)

Table 3.7 shows that 52 fault injections in 10 DIFT-related registers can lead to a successful attack. Furthermore, it shows that 8 different cycles can be targeted for the attack to succeed. 29 successes over

52 are obtained with the bit-flip fault type. alu\_operand\_a\_ex\_o\_tag, alu\_operand\_b\_ex\_o\_tag and alu\_operator\_o\_mode registers are critical during cycles 52477 and 52478 since they are used for tag propagation related to the C statement (a-4). alu\_operand\_a\_ex\_o\_tag and alu\_operand\_b\_ex\_o\_ tag sequentially store the tag associated to 'a' while alu\_operator\_o\_mode stores the propagation rule according to the TPR configuration (see Table 3.2). regfile alw waddr ex o tag stores the destination register index in which the tag resulting from tag propagation should be written. check\_s1\_o\_tag maintains the TCR value from the decode stage to the execution stage, it is compared to the value of the operand tag for tag checking. rf = reg/15 stores the tag associated with the 'a' variable. store = dest = addrex o tag maintains the tag of the destination address during a store instruction in the execute stage. use\_store\_ops\_ex\_o drives a multiplexer to propagate the value stored in store\_dest\_addr\_ex\_o\_tag register to the tag checking module. Finally, faults in tpr = q and tcr = q are successful, since these registers maintain the propagation rules and the security policy configuration. The last two registers,  $tpr\_q$  and  $tcr_q$  are critical when we fault the bit 12 of TPR because the load/store mode which is set to 10 but if we change it the propagation policy will change and then the tag will not be propagated as a mode set to 11 will clear the tag. A bit-flip at bit 15 will impact the behaviour as it stores the load/store enable source tag. Finally, bit 20 of TCR store the load/store check destination address tag, which is used when the program wants to store at the address (a-4).

Figure 3.5 details the tag propagation in the context of a format string attack case for a non-faulty execution and illustrates the reason behind the sensitivity of registers highlighted in Table 3.7. Figure 3.5 focuses on three clock cycles dedicated to the instruction sw a4,0(a5) decoding and execution, which should lead to the storage of the value 224 at address (a-4). In cycles 52482 and 52483, sw a4,0(a5) is decoded and the source operands tag are retrieved from the tag register file. Particularly, the store destination address is retrieved from rf\_reg[15] and stored in register store\_dest\_addr\_ex\_o\_tag. In cycle 52484, the destination address of the store operation is computed by the processor Arithmetic Logic Unit (ALU). In parallel, alu\_operator\_o\_mode, alu\_operand\_a\_ex\_o\_tag, alu\_operand\_b\_ex\_o\_tag, store\_dest\_addr\_ex\_o\_tag and check\_s1\_o\_tag registers drives the tag computation corresponding to the destination address. use store ops ex o drives a multiplexer to propagate the value stored in alu\_operand\_a\_ex\_o\_tag register to the tag checking module. alu\_operand\_a\_ex\_o\_tag and alu\_ operand\_b\_ex\_o\_tag sequentially store the tag associated to 'a' while alu\_operator\_o\_mode stores the propagation rule according to the TPR configuration (see Table 3.2). check s1 o tag maintains the TCR value from the decode stage to the execution stage, it is compared to the value of the operand tag for tag checking. Then, the store should be executed in the Execute stage. However, the tag associated with the store destination address is set to 1 due to tag propagation (since it is computed from variable 'a'). Since the security policy prohibits the use of data tagged as untrusted as a store instruction destination address (Load/Store Check field of TCR = 1010), an exception is raised. use store ops ex o, highlighted in Table 3.7 but not shown in Figure 3.5, drives a multiplexer leading to the propagation of register store  $dest\_addr\_ex\_o\_tag.$ 

Table 3.7: Format string attack: success per register, fault type and simulation time

|                                     | Cycle 52477       | Cycle 52478                                                                                                                                   | Cycle 52479        | Cycle 52480        | Cycle 52481        | Cycle 52482        | Cycle 52483        | Cycle 52484        |
|-------------------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|--------------------|--------------------|--------------------|--------------------|--------------------|--------------------|
|                                     | set0 set1 bit-fli | bit-flip set0 set1 bit-flip | set0 set1 bit-flip |
| alu_operand_a_ex_o_tag              | <i>&gt; &gt;</i>  |                                                                                                                                               |                    |                    |                    |                    |                    |                    |
| alu_operand_b_ex_o_tag              |                   | ` <u>`</u>                                                                                                                                    |                    |                    |                    |                    |                    |                    |
| alu_operator_o_mode                 | <i>&gt;</i>       | ` <u>`</u>                                                                                                                                    |                    |                    |                    |                    |                    |                    |
| alu_operator_o_mode[0]              | >                 | >                                                                                                                                             |                    |                    |                    |                    |                    |                    |
| $alu\_operator\_o\_mode[1]$         | >                 | >                                                                                                                                             |                    |                    |                    |                    |                    |                    |
| check_s1_o_tag                      |                   |                                                                                                                                               |                    |                    |                    |                    |                    | <i>&gt;</i>        |
| regfile_alu_waddr_ex_o_tag[1]       |                   |                                                                                                                                               |                    |                    | >                  |                    |                    |                    |
| rf_reg[15]                          |                   |                                                                                                                                               |                    |                    |                    | `>                 | `>                 |                    |
| store_dest_addr_ex_o_tag            |                   |                                                                                                                                               |                    |                    |                    |                    |                    | ` <u>`</u>         |
| $tcr_q$                             | >                 | >                                                                                                                                             | >                  | >                  | >                  | <b>&gt;</b>        | >                  |                    |
| $tcr_q[20]$                         | >                 | >                                                                                                                                             | >                  | >                  | >                  | >                  | >                  |                    |
| tpr_q                               | >                 | >                                                                                                                                             | >                  | >                  | >                  |                    |                    |                    |
| $^{\mathrm{tpr}}_{-\mathrm{q}[12]}$ | >                 | >                                                                                                                                             | >                  | >                  | >                  |                    |                    |                    |
| $\mathrm{tpr}_{-q[15]}$             | >                 | >                                                                                                                                             | >                  | >                  | >                  |                    |                    |                    |
| $use\_store\_ops\_ex\_o$            |                   |                                                                                                                                               |                    |                    |                    |                    |                    | `><br>`>           |



Figure 3.5: Tag propagation in a format string attack

To further study the propagation of the fault, Figure 3.6 illustrates the logical relations between the DIFT-related registers (yellow boxes) and control signals or processor registers (gray boxes) driving the illegal instruction exception signal (red box) for the second use case. Figure 3.6 shows that a single fault could lead to a successful injection, since all logic paths are built with AND gates. For instance, if register rf reg/15 is set to 0, this tag value will be propagated from gate 8 to gate 11 and to mux 12. Then, since mux 12 output drives one gate 3 input, gate 3 output is driven to '0', the exception is disabled. From Figure 3.6, seven fault propagation paths can be identified: from gate 1 to gate 3 if the fault is injected into  $tcr_{q}/20$ , through gate 3 if a fault is injected into  $check_{s1}o_{tag}$ , from gate 4 or gate 5 to gate 3 if a fault is injected into alu\_operand\_b\_ex\_o\_tag or alu\_operand\_a\_ex\_o\_tag, from mux 6 to gate 3 if a fault is injected into alu\_operator\_o\_mode, from mux 7 to gate 3 if a fault is injected into regfile\_alu\_waddr\_ex\_o\_tag, from gate 8 to gate 3 if a fault is injected in the tag register file (i.e., register rf\_reg[15]) and from mux 11 to gate 3 if a fault is injected in either store\_dest\_addr\_ex\_o\_tag or use store ops ex o. Analysis of Figure 3.6 reinforces the results presented in Table 3.7 where set to 0 and bit-flip fault types lead to successful attacks. As with the first use case, the main cause is that the propagation paths are fully made of AND gates. As shown in Table 3.7 alu\_operator\_o\_mode register is sensitive to set to 0 and set to 1 fault types. Indeed, this register determines the tag propagation according to TPR. The tag propagation is disabled when a TPR field is set to '00' and the output tag is set to 0 (i.e., trusted) when a TPR field is set to '11'.

|                          | Cycle 832    |              |              | (            | Cycle | 833          | (            | Cycle | 834          | (            | 335          |              |
|--------------------------|--------------|--------------|--------------|--------------|-------|--------------|--------------|-------|--------------|--------------|--------------|--------------|
|                          | set0         | set1         | bit-flip     | set0         | set1  | bit-flip     | set0         | set1  | bit-flip     | set0         | set1         | bit-flip     |
| alu_operand_a_ex_o_tag   |              |              |              |              |       |              |              |       |              | <b>√</b>     |              | ✓            |
| check_s1_o_tag           |              |              |              |              |       |              |              |       |              | $\checkmark$ |              | $\checkmark$ |
| $rf_{reg}[14]$           |              |              |              | $\checkmark$ |       | $\checkmark$ | $\checkmark$ |       | $\checkmark$ |              |              |              |
| $tcr\_q$                 | $\checkmark$ |              |              | $\checkmark$ |       |              | $\checkmark$ |       |              |              |              |              |
| $tcr\_q[0]$              |              |              | $\checkmark$ |              |       | $\checkmark$ |              |       | $\checkmark$ |              |              |              |
| tpr_q                    |              | $\checkmark$ |              |              |       |              |              |       |              |              |              |              |
| $tpr\_q[12]$             |              |              | $\checkmark$ |              |       |              |              |       |              |              |              |              |
| tpr_q[15]                |              |              | $\checkmark$ |              |       |              |              |       |              |              |              |              |
| $use\_store\_ops\_ex\_o$ |              |              |              |              |       |              |              |       |              |              | $\checkmark$ | $\checkmark$ |

Table 3.8: Compare/compute: number of faults per register, per fault type and per cycle

#### 3.3.4 Third use case: Compare/Compute

Table 3.8 shows that 19 fault injections in 6 DIFT-related registers can lead to a successful attack. Furthermore, it shows that 4 different cycles can be targeted for the attack to succeed. The highest success rate is obtained with the bit-flip fault type, with 10 successes over 19. Faults in  $rf\_reg[14]$  and  $alu\_operand\_a\_ex\_o\_tag$  are successful, since these registers store the tag associated to variable a during tag propagation.  $check\_s1\_o\_tag$  maintains one configuration bit from  $tcr\_q$  during tag checking.  $use\_store\_ops\_ex\_o$  drives a multiplexer to propagate the value stored in  $alu\_operand\_a\_ex\_o\_tag$  register to the tag checking module. For this case, the critical registers can be found in previous case,  $alu\_operand\_a\_ex\_o\_tag$  propagate the tag of the tagged variable in the code (variable a). Finally, observations for both  $tpr\_q$  and  $tcr\_q$  are similar than for previous case studies. Finally, faults in  $tpr\_q$  and  $tcr\_q$  are successful, since these registers maintain the propagation rules and the security policy configuration.

Figure 3.7 focuses on the three cycles, represented in red, corresponding to add a5,a4,a5 instruction (C statement (a+b)) decoding and execution in the context of the third use case. The instruction add a5,a4,a5 is in decode stage during cycles 833 and 834 and the tag associated to the untrusted variable a is retrieved from rf\_reg[14]. In cycle 835, this addition is executed. In parallel, variable a tag is propagated to the tag check logic unit, which behaviour is driven by check\_s1\_o\_tag through alu\_operand\_a\_ex\_o\_tag. Since the V2 security policy prohibits the use of untrusted data as a source operand of an arithmetic operation, an exception is raised.

Figure 3.7 illustrates the reason behind the sensitivity of registers  $rf\_reg[14]$ ,  $alu\_operand\_a\_ex\_o\_tag$  and  $check\_s1\_o\_tag$  highlighted in Table 3.8. Note that  $use\_store\_ops\_ex\_o$  does not appear in Figure 3.7. This register drives a multiplexer leading to tag propagation presented in Figure 3.7.

To further study the faults' propagation, Figure 3.8 illustrates the logical relations between the DIFT-related registers (yellow boxes) and control signals or processor registers (gray boxes) driving the illegal instruction exception signal (red box). Figure 3.8 shows that a single fault could lead to a successful injection, since all logic paths are built with AND gates. For instance, if register  $rf_reg[14]$  is set to 0, the tag will be propagated from gate 8 to gate 10 and to mux 12. Then, since mux 12 output drives one gate 3 output, the exception is disabled. From Figure 3.8, seven fault propagation paths can be identified. We won't go into detail here about the seven different paths, as they were mentioned in case 2, bearing in mind that colour differentiation must be taken into account (for example:  $alu_operand_a_ex_o_tag$ 

instead of  $store\_dest\_addr\_ex\_o\_tag$  from gate~1 to gate~3 if the fault is injected into  $tcr\_q[0]$ , through gate~3 if a fault is injected into  $check\_s1\_o\_tag$ , from gate~4 or gate~5 to gate~3 if a fault is injected into  $alu\_operand\_b\_ex\_o\_tag$  or  $alu\_operand\_a\_ex\_o\_tag$ , from mux~6 to gate~3 if a fault is injected into  $alu\_operator\_o\_mode$ , from mux~7 to gate~3 if a fault is injected into  $regfile\_alu\_waddr\_ex\_o\_tag$ , from gate~8 to gate~3 if a fault is injected into  $rf\_reg[14]$ , and from mux~11 to gate~3 if a fault is injected into either  $alu\_operand\_a\_ex\_o\_tag$  or  $use\_store\_ops\_ex\_o$ . Analysis of Figure 3.8 supports the results presented in Table 3.8 where set~to~0 and bit-flip fault types lead to successful attacks. As with first and second use cases, the main reason is that the propagation paths are built entirely from AND gates.

## 3.4 Summary

In this chapter, we described the processor we focus on, with its implementation of a hardware in-core DIFT. We described how it works and how to use the DIFT mechanism with the default configuration. Then, we described the different use cases we choose to work with, in order to analyse the DIFT behaviour and assess it against fault injection attacks. Finally, we presented the vulnerability assessment on these use cases using the D-RI5CY security mechanism. We have shown that this DIFT implementation is vulnerable to FIA within different registers depending on the fault model and depending on the application, as different paths are used and so different registers are going to be critical.



Figure 3.6: Logic description of the exception driving in a format string attack



Figure 3.7: Tag propagation in a computation case with the compare/compute use case



Figure 3.8: Logic representation of tag propagation in a computation case

# FISSA – FAULT INJECTION SIMULATION FOR SECURITY ASSESSMENT

#### Contents

| 4.1 Simulation tools for Fault Injection | 45        |
|------------------------------------------|-----------|
| 4.2 FISSA                                | 48        |
| 4.2.1 Main software architecture         | 48        |
| 4.2.2 Supported fault models             | 49        |
| 4.2.3 TCL Generator                      | 50        |
| 4.2.4 Fault Injection Simulator          | 52        |
| 4.2.5 Analyser                           | 53        |
| 4.2.6 Extending FISSA                    | 54        |
| 4.3 Use case example                     | <b>54</b> |
| 4.3.1 FISSA's configuration              | 55        |
| 4.3.2 Experimental results               | 55        |
| 4.4 Discussion and Perspectives          | 59        |
| 4.5 Summary                              | 59        |

This chapter introduces and presents a tool, called FISSA – Fault Injection Simulation for Security Assessment –, created to automate fault injection attacks campaigns in simulation. The first section presents the state of the art of existing tools for FIA campaigns in emulation, formal methods or even perform real world attacks. The second section presents the architecture and details how FISSA works and presents how to extend it depending on other needs. The third section presents an example to present how FISSA work in real conditions with a use case from Section 3.2. Finally, we will discuss and draw some perspectives for the tool's development and usability.

## 4.1 Simulation tools for Fault Injection

Addressing fault injection vulnerabilities is crucial. Historically, fault attacks have been conducted using physical equipment. Nonetheless, a modern approach has emerged that leverages simulators for fault testing. The main advantages of using simulators are they cost less money than physical setups, it is easier to make them work as they do not need specific skills, and they can be used during the conceptual stage.

|                | References       | Cost         | Control over fault scenarios | Scalability | Speed of execution | Realism   | Expertise |
|----------------|------------------|--------------|------------------------------|-------------|--------------------|-----------|-----------|
| Formal Methods | [85–88]          | Very low     | Very high                    | Very low    | Low                | Low       | Very high |
| Simulations    | [89-91]          | Very low     | Very high                    | Low         | Low/Moderate       | Moderate  | Low       |
| Emulations     | [92-95]          | High         | Moderate                     | High        | Very high          | High      | Moderate  |
| Actual FIA     | [11, 82, 96, 97] | 7] Very high | Very low                     | Very high   | Very high          | Very high | Very high |

Table 4.1: Fault Injection based methods for vulnerability assessment comparison

This section presents recent works related to methods and tools for vulnerability assessment when considering fault injection attacks. For such vulnerability assessment, main strategies include actual fault injections, emulations, formal methods and simulations.  $\boxed{\textbf{William}} \blacktriangleright Ajouter\ \acute{e}tat\ de\ l'art\ plus\ complet\ sur\ cette\ partie \blacktriangleleft$ 



Figure 4.1: Anatomy of a Fault Injection tool

The diagram presented in Figure 4.1 illustrates the process of a fault injection. The process begins with an *Application*, which represents the target system under test. This application is then passed to the *Mutate* state, where faults are introduced based on a predefined *Fault Model*. This fault model provides parameters such as the target to be attacked or the list of targets, the type of fault (set to 0/1, bit-flip, etc), and the clock cycle that guide the mutation process.

After the fault is injected, the faulted application is executed, the *Execute* state. The results of this execution are captured by the *Record* module, which logs the outcomes for further analysis.

Finally, the recorded data is saved in the *Save* module, completing the fault injection cycle. The dashed arrow from the *Record* module back to the *Mutate* module indicates a feedback loop, where the results of the execution can influence subsequent fault injections. This iterative process helps in thoroughly evaluating the resilience and fault tolerance of the application.

Actual FIAs involve physically injecting faults into the target hardware using techniques such as variations in supply voltage or clock signal [11, 96], laser pulses [11, 97], electromagnetic emanations [11] or X-Rays [82]. This approach offers valuable insights into the real impact of faults on hardware components. However, a significant drawback of actual fault injections is that they demand considerable expertise to prepare the target, involving intricate setup procedures. Additionally, this approach can only be executed once the physical circuit is available, potentially delaying the vulnerability assessment process until later stages of development.

Fault emulation can, for instance, rely on FPGA [92], or on an emulator such as QEMU [93, 94] to perform fault injection campaigns. This approach is four times faster than simulation-based techniques [95], and unlike simulation-based or formal method-based fault injections techniques, the size of the evaluated circuit has no major impact on the fault injection campaign timing performances. However, configuring

an emulation environment can be complex and time-consuming. Achieving an accurate representation of the target system may require detailed configuration and parameter tuning. The accuracy of emulation is contingent on the quality of the models used to replicate the target hardware. If the models are inaccurate or incomplete, the results of fault injections may not precisely reflect actual behaviour.

Formal methods provide an advantage with mathematical proofs, ensuring a rigorous verification of the system's behaviour during fault injection experiments. Formal methods approaches such as [85] allow the analysis of a circuit design in order to detect sensitive logic or sequential hardware elements. [86], [87] and [88] present formal verification methods to analyse the behaviour of HDL implementation. However, this type of tool usually suffers from restrictions limiting its actual usage on a complete processor. Conventional formal approaches encounter scalability challenges due to limitations in verification techniques. In particular, the circuit structure it can analyse is usually limited.

Fault Injections simulations can be performed at processor instructions level. Authors of [89] explore the impact of fault injection attacks on software security. They evaluate four open-source fault simulators, comparing their techniques and suggest enhancing them with AI methods inspired by advances in cryptographic fault simulation. [90] is an open-source deterministic fault attack simulator prototype utilising the Unicorn Framework and Capstone disassembler. [91] introduces VerFI, a gate-level granularity fault simulator for hardware implementations. For instance, it has been used to spot an implementation mistake in ParTI [98]. However, this tool has been developed to check if implemented countermeasures can really protect against fault injection on cryptographic implementations, but it cannot evaluate components such as registers or memories. In this paper, we focus on CABA simulations, which provides a controlled virtual environment for injecting faults. There are several solutions of simulations in an HDL simulator like Questasim, Vivado, etc. Behavioural simulation is used to detect functional issues and ensuring that the design behaves as expected. Post-synthesis simulation verifies that the synthesised netlist matches the expected functionality. Timed simulation is used to ensure that the design meets timing requirements and can operate at the specified clock frequency. And finally, post-implementation simulations are used to verify that the implemented design meets all requirements and constraints, including those related to the physical layout on the target. Simulation-based fault injection offers the advantage of enabling designers to test their system throughout the design cycle, providing valuable insights and uncovering potential vulnerabilities early in the development process. However, a limitation lies in the potential lack of absolute fidelity to actual conditions, as simulations might not perfectly replicate all hardware intricacies, introducing a slight risk of overlooking certain faults that could manifest in the actual hardware.

Table 4.1 shows a comparison between these four methods for vulnerability assessment when considering FIA regarding six metrics. These metrics are the financial cost of setting up the fault injection campaign, the control over fault scenarios (how configurable are the scenarios), scalability which refers to the method capacity to be applied to systems of different sizes or complexities, speed of execution of the campaign, realism of the fault injection campaign and the level of required expertise. Table 4.1 shows that no method is completely optimal. Each method has its own advantages and disadvantages and must be chosen by the designer according to the requirements and the available financial and human resources. Indeed, setting up an actual fault injection campaign requires much more expertise in this domain and also requires costly equipment, whereas setting up a simulation campaign can be easier for a circuit designer familiar with HDL simulation tools such as Questasim. Table 4.1 shows that CABA simulation

offers a good compromise to assess the security level of a circuit design. In particular, it provides an efficient solution for investigating security throughout the design cycle, enabling the concept of "Security by Design".

### 4.2 FISSA

This section presents our open-source tool, FISSA, available on GitHub [99] under the CeCILL-B licence.

#### 4.2.1 Main software architecture

FISSA is designed to help circuit designers to analyse, throughout the design cycle, the sensitivity to FIA of the developed circuit. Figure 4.2 presents the software architecture of FISSA. It consists of three different modules: *TCL generator*, *Fault Injection Simulator* and *Analyser*. The first and third modules correspond to a set of Python classes.

The TCL generator, detailed in Section 4.2.3, relies on a configuration file and a target file to create a set of parameterised TCL scripts. These scripts are tailored based on the provided configuration file and are used to drive the fault injection simulation campaign.

Fault Injection Simulator, detailed in Section 4.2.4, performs the fault injection simulation campaign based on inputs files from *TCL generator* for a circuit design described through HDL files and memory initialisation files. For that purpose it relies on an existing HDL simulator such as Questasim [100], Verilator [101], or Vivado [102] to simulate the design according to the TCL script and generates JSON files to log each simulation.

The Analyser, detailed in Section 4.2.5, evaluates the outcomes of the simulations and generates a set of files that allows the designers to examine fault injection effects on their designs through various information.



Figure 4.2: Software architecture of FISSA

Algorithm 1 shows a representation of a fault injection campaign. The algorithm requires a set of targets (i.e. hardware elements in which a fault should be injected), the fault model and the considered

injection window(s) which identifies the period(s), in number of clock cycles, in which fault injections are performed. Then, it runs a first simulation with no fault injected, which is used as a reference for comparison with the following simulations to determine end-of-simulation statuses. Then, for each target, each fault model and for each clock cycle within the injection window, the corresponding simulation is executed, and the corresponding logs are stored in a dedicated file.

Customising end-of-simulation statuses allows for adaptation to the specific requirements of each design assessment. To configure these statuses, adjustments need to be made either directly in FISSA's code or the HDL code. This process may involve evaluating factors such as:

- hardware element content (signals, registers, ...),
- simulation time (e.g. the simulation exceeds a reference number of clock cycles),
- simulation's end (e.g. an assert statement introduced in the HDL code is reached)

#### Algorithm 1 Simulated FIA campaign pseudo-code

```
Require: targets \leftarrow list(targets)
Require: faults \leftarrow list(fault\_model)
Require: windows \leftarrow list(injection\_windows)
 1: ref\_sims = simulate()
 2: for target \in targets do
 3:
       for fault \in faults do
           for cycle \in windows do
 4:
               logs = simulate(target, fault, cycle)
 5:
           end for
 6:
        end for
 7:
 8: end for
```

#### 4.2.2 Supported fault models

A set of fault models has already been integrated into FISSA for different needs. For a given fault injection campaign, the relevant fault model is defined in the input configuration file and is applied to targets during the simulation phase. Currently, supported fault models are:

- target set to 0/1: for each cycle of the injection window and for each target, we set them individually to 0 or 1, in turn exhaustively (nbSimulations = nbCycles \* nbTargets),
- single bit-flip in one target at a given clock cycle: for each cycle of the injection window, we do a bit-flip for each bit of every target exhaustively (nbSimulations = nbCycles \* nbBits),
- single bit-flip in two targets at a given clock cycle: we take one cycle and a couple of targets' bits (it can be the same target at two different bits) and we bit-flip these two bits ( $nbSimulations = nbCycles * C_2^k$ ; with k, the total number of bits in the attacked system),
- single bit-flip in two targets at two different clock cycles: we take two different cycles and a couple of targets' bits (it can be the same target at two different bits) and we bit-flip these two bits  $(nbSimulations = C_2^{nbCycles} * C_2^k;$  with k, the total number of bits in the attacked system),

- exhaustive multi-bits faults in one target at a given clock cycle: we take one cycle and one target, and we try exhaustively each combination of bits (for example for a 2 bits target, it would be: 00, 01, 10, 11) and we set the target at each value ( $nbSimulations = nbCycles * 2^{targetSize1}$ ). It is worth nothing that for this fault model, we only take targets between 1 and 16 bits to avoid very big numbers of simulations as  $2^{32}$  would be too long to simulate exhaustively,
- exhaustive multi-bits faults in two targets at a given clock cycle: we take one cycle and two targets, and we try exhaustively each combination of bits (for example for a 2 bits target, it would be: 00, 01, 10, 11) for each target and we set them to each value ( $nbSimulations = nbCycles*2^{targetSize1}*$  $2^{targetSize2}$ ). It is worth nothing that for this fault model, we only take targets between 1 and 10 bits to avoid very big numbers of simulations as  $2^{32}$  would be too long to simulate exhaustively.

#### 4.2.3 TCL Generator

Listing 4.1: Example of a FISSA configuration file

```
"name_simulator": "modelsim",
"path_tcl_generation": "PATH/",
"path_files_sim": "PATH/simu_files/",
"path_generated_sim": "PATH/simu_files/generated_simulations/",
"path_results_sim": "PATH/simu_files/results_simulations/",
"path_simulation": [ "PATH_SIMU/"],
"prot": "wop",
"version": 1,
"name_req_ff"
2 3 4 4 5 6 6 7 8 9 10 112 13 115 16 6 117 18 119 119 12 22 23 22 25 26 27 28 29 30 13 23 23 33 35 36 40 14 24 44 44 45 44 44 45 44 44 45 44 44 45 44 45 44 45 44 45 46 47
                            version ": 1,
name_reg_file_ext_wo_protect": "/faulted-reg.yaml",
application ": ["buffer_overflow", "secretFunction", "propagationTagV2"],
name_results": {
    "buffer_overflow": "Buffer Overflow",
    "secretFunction": "WU-FTPd",
    "propagationTagV2": "Compare/Compute".
                         },
"threat_model": [
    "single_bitflip_spatial"
                             ,
multi_fault_injection": 2,
                           ,
"secretFunction":
                                         ,
propagationTagV2": [
    [33300, 33460]
                           cycle_ref*: 100,
cpu_period*: 40,
batch_sim*: {
    "buffer_overflow*: 2000,
    "secretFunction*: 2000,
    "propagationTagV2*: 2000
                          },
"cycle_ref"
                             multi_res_files"
                                         buffer_overflow
secretFunction "
                                         propagationTagV2":
```

The TCL Generator is used to generate the set of TCL script files which drive the fault injection simulator. This module requires two input files. Figure 4.3 details the TCL Generator. Each blue box represents a python class used to generate the set of output TCL scripts. The initialisation class gets inputs from a configuration file. This JSON-formatted file includes various parameters such as the targeted HDL simulator, the considered fault model and the injection window(s). Furthermore, it encompasses parameters such as the clock period (in ns) of the HDL design and the maximum number of simulated

Listing 4.2: Example of a FISSA target file

clock cycles used to stop the simulation in case of divergence due to the injected fault. Moreover, one extra parameter defines the quantity of simulations per TCL file, allowing a simulation parallelism degree. Listing 4.1 shows an extract of a configuration file used for our fault injection campaigns. Listing 4.2 shows an extract from a target file according to the configuration file provided previously. This file list each stage of the RISC-V core and for each the HDL path of our targets are written. Here, in this example, only the list of targets for the *instruction fetch* stage is listed.

The Targets file contains, in YAML format, the list of the circuit elements (e.g. registers or logic gates) that need to be targeted during the fault injection campaign. For each target, its HDL path and bit-width are specified. TCL Script Generator class gets the configuration parameters from Initialisation class, reads the Targets' file and calls three others classes. The first one, Basic Code Generator, undertakes the fundamental generation of TCL code for initialising a simulation, running a simulation, and ending a simulation. The second one, Fault Generator, produces the TCL code related to fault injection. The TCL Script Generator provides specific parameters to the Fault Generator to produce code for a designated set of targets and a specified set of clock cycles for fault injection. The third one, Log Generator, produces the TCL code to produce logs after each simulation. Logs comprise the simulation's ID, fault model, faulted targets, injection clock cycle(s), end-of-simulation status, values for all targets, and the end-of-simulation clock cycle. This data constitutes the automated aspect of logging. Finally, the TCL Script Generator outputs a set of TCL files, each one correspond to a batch of simulations. This allows the user to perform a per batch results analysis. It is worth noting that each batch starts with a reference simulation, which means a simulation without any fault injected. It allows having results for comparison after when a fault occurred and determine what happened due to the injected fault. Additionally, it generates a target file utilised by TCL scripts to obtain a simplified target list (refer to Subsection 4.2.4), as the simulation log requires a list of targets without their sizes.

**William** ► Modification des Listings 4.1, 4.2, 4.3 en les remplaçant par un exemple simple genre additionneur (à la place de le mettre dans la section 4.3)?

Algorithm 2 depicts the pseudocode of a simulation of a fault injection, showcasing requirements, and each state with essential parameters. Additionally, the corresponding Python class from Figure 4.3 is added for each line. Line 5 in Algorithm 1 corresponds to Algorithm 2. This algorithm is executed



Figure 4.3: Software architecture of the TCL Generator module

multiple times with different inputs to build a TCL script.

```
Algorithm 2 FIA simulation pseudocode
```

```
Require: target
Require: cycle
Require: fault\_model

1: tcl\_script = init\_sim(fault\_model, cycle, target) // generated by Basic Code Generator

2: tcl\_script+ = inject\_fault(fault\_model) // generated by Fault Generator

3: tcl\_script+ = run\_sim() // generated by Basic Code Generator

4: tcl\_script+ = log\_sim(fault\_model) // generated by Log Generator

5: tcl\_script+ = end\_sim() // generated by Basic Code Generator
```

6: tcl file.write(tcl script) // append and write the simulation data inside the TCL file

#### 4.2.4 Fault Injection Simulator

The Fault Injection Simulator mainly relies on an existing HDL simulator to perform simulations by executing the TCL scripts produced by the TCL generator. The log files, in JSON format, are generated by the TCL script for each simulation. This file encompasses data such as the current simulation number, the executed clock cycle count, the values of the targets' file, the targets faulted, the fault model and the end-of-simulation status.

Listing 4.3 shows a simplified example of an output file from a simulation. Many lines are omitted to simplify the text and its comprehension. In this example, we have the result of the first simulation of the campaign. The fault model is a single bit-flip in one target at a given clock cycle, and the target, which is a register in this case, pc\_id\_o\_tag, has a size of one bit. We attack it at the period time of 137,140 ns. The omitted lines, at line 7, include all registers from the register file, all register file tags, and all registers from the target list. The last line, line 14, shows that this simulation ended with a status equal to 3 (i.e., exception delayed from the reference simulation).



Figure 4.4: Fault Injection Simulator architecture

It is worth noting that the set of calls to the generated TCL scripts has to be integrated into the designer's existing design flow, allowing the design compilation, initialisation, and management of input stimuli. The use of TCL scripts simplifies such an integration. Once all the fault injection simulations have been performed, the log files can be sent to the *Analyser* which, is described in the following subsection.

Listing 4.3: Extract of an example of a FISSA output log JSON file

#### 4.2.5 Analyser

The Analyser reads all log files and generates a set of LaTeX tables (.tex files) and/or sensitivity heatmaps (in PDF format) according to the fault models, allowing the user to identify the sensitive hardware elements in the circuit design. The generated tables can be customised through modification in the Analyser Python code. The current configuration captures and counts the diverse end-of-simulation status. Heatmaps are generated for multi-target fault models. For instance, when considering a 2 faults scenario disturbing two hardware elements, a 2-dimension heatmap allows the user to identify sensitive couples of hardware elements leading to a potential vulnerability. Their configuration can be adapted by modifying the Analyser Python code. Heatmaps generation is based on Seaborn [103] which relies on Matplotlib [104].

This library provides a high-level interface for drawing attractive and informative statistical graphics and save them in different formats like PDF, PNG, etc. In the current configuration, heatmaps highlight the targets leading to a specific end-of-simulation status (e.g. a status identified by the designer as a successful attack). Once the results have been generated, they can easily be inserted into a vulnerability assessment report.



Figure 4.5: Analyser architecture

#### 4.2.6 Extending FISSA

In order to extend FISSA for integrating an additional fault model, some modifications to the *TCL Script Generator*, the *Basic Code Generator*, the *Fault Generator* and *Log Generator* modules are necessary. It requires the extension of the *init\_sim*, *inject\_fault* and *log\_sim* functions presented in Algorithm 2 to implement the new fault model from initialisation to logging. For instance, these extensions should define the targets for each simulation, the impact of the injections (set to 0/1, bit-flip, random, etc) and the set of data to be logged for this fault model. The *Log Generator* automates the extraction of specific segments from the ongoing simulation. However, it is customisable, enabling the modification of logged elements, such as incorporating memory content or a list of signals.

Analyser can be extended to produce additional IATEX tables, heatmaps or any other way of results visualisation. This can be achieved by either modifying the existing methods or by developing new ones.

An integral aspect of expanding FISSA involves adjusting functions depending on the used HDL simulator. Despite the definition of the TCL language, specific commands vary between simulators.

## 4.3 Use case example

This section presents a case study to demonstrate the use of FISSA in real conditions. It focuses on the evaluation of the robustness of the DIFT mechanism integrated in the D-RI5CY processor with the Buffer overflow use case from Section 3.2.

**William** ► Est ce que je laisse cet exemple qui est le même que celui de DSD ou j'ajoute un exemple plus simple où j'attaque un additionneur avec 3 registres avec quelques modèles de fautes ?◄

#### 4.3.1 FISSA's configuration

This subsection presents FISSA's configuration for the addressed use case. We have defined four endof-simulation statuses, which will be utilised to automatically generate results tables. Examples of these
tables will be provided in Subsection 4.3.2. The initial status is labelled as a *crash* (status 1), indicating
that the fault injection has caused a deviation in program flow control, leading the processor to execute
instructions different from those expected. The second status, identified as a *silent* fault (status 2),
signifies that a fault has occurred but has not impacted the ongoing simulation behaviour. Status 3,
termed a *delay*, denotes that the fault has delayed the DIFT-related exception, meaning the exception
is not raised at the same clock cycle as in the reference simulation. The final status is referred to as a
success (status 4), indicating a bypass of the DIFT mechanism and thereby marking a successful attack.
This status corresponds to the detection of the end of the simulated program, with no exception being
raised.

In the input configuration file, a single injection window is set between cycles 3428 and 3434, the maximum number of simulated clock cycles is set to 100 from the start of the injection window, this allows us to detect if there were a control flow deviation, the design period is set to 40 ns, the number of simulations per TCL script is set to 2,200. The considered fault models are the seven fault models defined in Section 4.2.2: target set to 0, target set to 1, single bit-flip in one target at a given cycle, single bit-flip in two targets at two different cycles, exhaustive multi-bits faults in one target at a given cycle, exhaustive multi-bits faults in two targets at a given cycle.

Seven FIA simulation campaigns are performed to evaluate the design against the seven fault models. We choose to log the values of the *Targets'* file, the simulation's number, targets' value after the injection, the injection cycle and the end-of-simulation status. The *Targets'* file is filled with the 55 registers of the DIFT security mechanism, representing a total of 127 bits in total.

#### 4.3.2 Experimental results

This section presents results obtained using FISSA on the considered use case. All experiments are performed on a server with the following configuration: Xeon Gold 5220 (2,2 GHz, 18C/36T), 128 GB RAM, Ubuntu 20.04.6 LTS and Questasim 10.6e.

Table 4.2 summarises the outcomes of the seven previously described fault injection campaigns, with each row representing a distinct fault model. Table 4.2's columns delineate the potential end statuses for each simulation. This table is an essential tool for the designers, enabling them to analyse the vulnerabilities associated with each fault model within their design. Consequently, the designers can determine the necessity for additional protective measures or design alterations.

For instance, Table 4.2 illustrates that the 'set to 1' fault model results in only three successful outcomes, whereas the 'single bit-flip in two targets at two different clock cycles' fault model leads to 2,159 successes. These findings guide the designers in evaluating the significance of protecting against specific fault models.

To further assess vulnerabilities, the designers can utilise Table 4.3, which provides detailed information on the register and cycle locations of faults for models with fewer successful outcomes. For fault models with a high number of successes, where the table may become unwieldy, Figures 4.6, 4.7 or 4.8 serve



Figure 4.6: Heatmap generated according to the single bit-flip in two targets at a given clock cycle fault model

as a more accessible reference. These figures help in visualising and interpreting the spatial distribution of vulnerabilities effectively.

Table 4.3 is produced by FISSA and details the successes from three distinct fault injection campaigns: set to 0, set to 1 and single bit-flip in one target at a given cycle. Table 4.3 specifies successes for each fault model, correlated with the cycle and the affected target. For example, a set to 0 fault at cycle 3428 on tcr\_q would lead to a successfully attack. It highlights which targets are sensitive to fault attacks at a cycle-accurate and bit-accurate level, providing the designers precise information on critical elements requiring protection based on their specific needs. Table 4.3 only covers the most basic fault models. Indeed, producing a table for more complex scenarios, such as simultaneous faults in two targets within a same or multiple cycles, would be intricate and challenging to interpret. Consequently, we opted for an alternative method and developed a heatmap representation (e.g. Figures 4.6, 4.7 and 4.8).



Figure 4.7: Heatmap generated according to the single bit-flip in two targets at two different clock cycles fault model

Table 4.2: Results of fault injection simulation campaigns

| Fault model                                                           | Crash | Silent     | Delay | Success         | Total   |
|-----------------------------------------------------------------------|-------|------------|-------|-----------------|---------|
| Set to 0                                                              | 0     | 320        | 1     | 9 (2.73%)       | 330     |
| Set to 1                                                              | 0     | 320        | 7     | 3 (0.91%)       | 330     |
| Single bit-flip in one target at a given clock cycle                  | 0     | 738        | 12    | $12 \ (1.57\%)$ | 762     |
| Single bit-flip in two targets at a given clock cycle                 | 0     | 45,097     | 1,503 | 1,406 (2.93%)   | 48,006  |
| Single bit-flip in two targets at two different clock cycles          | 0     | 238,633    | 1,143 | 2,159 (0.89%)   | 241,935 |
| Exhaustive multi-bits faults in one target at a given clock cycle     | 0     | 927        | 6     | 3 (0.32%)       | 936     |
| Exhaustive multi-bits faults in two targets at a given clock cycle $$ | 0     | $67,\!072$ | 926   | 450~(0.66%)     | 68,448  |

To further explore the impact of FIA on a design, a designer can study heatmaps generated by FISSA. These heatmaps are tailored to a fault model with two faulty registers, where each matrix intersection shows the number of successes with that target pair.

Figure 4.6 shows the heatmap generated for the single bit-flip in two targets at a given clock cycle fault model. The colour scale represents the number of fault injections targeting a couple of hardware elements (i.e. registers for this use case) leading to a *success* as defined in Subsection 4.3.1. We can note that this colour scale, in our case, range from 1 to 272 with 0 excluded. This figure highlights the registers that are critical to a specific fault model, allowing the designer to assess his design and choose which protection and where a protection is required, from low need to very high need. To give an example, it can be noted that the horizontally displayed registers tcr\_q and tpr\_q are critical registers, because a success will occur regardless of the associated register. Similarly, the registers shown vertically, memory\_set\_o\_tag, pc\_if\_o\_tag, and rf\_reg[1], are also critical because they lead to many successes with almost all tested registers.

Figure 4.7 shows the heatmap generated for the single bit-flip in two targets at two different clock cycles fault model. In this figure, colour scale range from 1 success to 32. Figure 4.8 shows the heatmap generated for the exhaustive multi-bits faults in two targets at a given clock cycle fault model. In this figure, colour scale range from 1 success to 320.

To provide an analytical perspective from the buffer overflow use case presented in Section 3.2, the five previously mentioned registers are critical as they either store the DIFT security policy configuration (tpr\_q and tcr\_q) or store (rf\_reg[1] represents the tag associated with the value of the Program Counter (PC), which is stored in the register file at index 1 for RISC-V ISA) and propagate the tag (pc\_



Figure 4.8: Heatmap generated according to the exhaustive multi-bits faults in two targets at a given clock cycle fault model

if\_o\_tag) associated with the PC. This is particularly important in our example, which demonstrates an ROP attack via a buffer overflow. The colour scale indicates the impact of the fault injections on the combination of registers tested. For example, a pair associated with a high number such as 272, 124, and 135 for tcr\_q and tpr\_q are very high priority as they lead to 37.77% success on this fault model. In addition, we can see that several registers produce a low number of successes, such as alu\_operand\_a\_ex\_o\_tag and rf\_reg[2]; these registers are then not the highest priority for protection for the designer.

It allows the designer to identify the critical hardware elements to be protected for the use case under consideration. All of this information allows the designer to prioritize countermeasures according to allocated budget, protection requirements, etc.

While Table 4.2 provides the total number of *successes* for each fault model and Table 4.3 gives the successes for each fault model (*set to 0*, *set to 1*, and a *single bit flip in a target at a given cycle*) cor-

|                       | Cycle 3428              |              | $Cycle \ 3429$ |              | Cycle 3430   |              | Cycle 3431                                 |              | Cycle 3432   |              |              |              |
|-----------------------|-------------------------|--------------|----------------|--------------|--------------|--------------|--------------------------------------------|--------------|--------------|--------------|--------------|--------------|
|                       | $\overline{\text{set}}$ | 0 set        | l bit-flip     | $e^{-1}$     | et 1         | bit-fli      | $p \operatorname{set} 0 \operatorname{se}$ | et 1 bit-fli | p set 0 set  | 1 bit-flip   | set 0 set    | 1 bit-flip   |
| pc_if_o_tag           |                         |              |                |              |              |              |                                            |              | <b>√</b>     | ✓            |              |              |
| $memory\_set\_o\_tag$ |                         | $\checkmark$ | $\checkmark$   |              |              |              |                                            |              |              |              |              |              |
| $rf_reg[1]$           |                         |              |                |              |              |              | $\checkmark$                               | $\checkmark$ |              |              |              |              |
| $tcr\_q$              | $\checkmark$            |              |                | $\checkmark$ |              |              | $\checkmark$                               |              | $\checkmark$ |              | $\checkmark$ |              |
| $tcr_q[21]$           |                         |              | $\checkmark$   |              |              | $\checkmark$ |                                            | ✓            |              | $\checkmark$ |              | $\checkmark$ |
| tpr_q                 | $\checkmark$            | <b>√</b>     |                | $\checkmark$ | $\checkmark$ |              |                                            |              |              |              |              |              |
| $tpr_q[12]$           |                         |              | $\checkmark$   |              |              | $\checkmark$ |                                            |              |              |              |              |              |
| tpr_q[15]             |                         |              | ✓              |              |              | ✓            |                                            |              |              |              |              |              |

Table 4.3: Buffer overflow: success per register, fault type and simulation time

related with the cycle and affected target, Figure 4.6 shows that fault injections in 246 register pairs result in a *success*. This information allows the designer to focus on specific simulation traces to understand the effect(s) of the fault(s) and improve the robustness of his design by implementing adapted countermeasures.

### 4.4 Discussion and Perspectives

In this section, we will discuss this proposed tool and draw some perspectives for the long-term development. In terms of execution time, we did in total around 24,000,000 simulations for approximatively 3 seconds for each simulation in average spanning from initialisation to data recording. The execution time is contingent upon various parameters, including the design's size, the specific simulation case, and the number of targets involve. For example, as we have three different use cases, it goes from an average of 0.4 second to 5.8 seconds per simulation. In emulation campaigns, FPGA-based fault emulation is four times faster than simulation-based techniques, as noted in paper [95]. Actual FIAs are faster than simulations, taking about 0.35 seconds per injection in our tests, relying on the ChipWhisperer-lite platform for clock glitching injection. While simulations may be slower, they offer the benefit of not requiring an FPGA prototype or the final circuit. Furthermore, it allows integrating vulnerability assessment in the first stages of the development flow and provides a rich set of information for the designer in order to understand sources of vulnerabilities in his design.

As perspectives, we plan to extend FISSA to support new fault models and HDL simulators such as Vivado or Verilator. Additionally, we intend to enhance integration into the design workflow by adding more automatisation. This may include the management of HDL sources compilation, design's input stimuli or the development of a graphical user interface to improve the overall user experience.

### 4.5 Summary

In this chapter, we presented FISSA (Fault Injection Simulation for Security Assessment), our advanced and versatile open-source tool designed to automate fault injection campaigns. FISSA is engineered to seamlessly integrate with renowned HDL simulators, such as Questasim. It facilitates the execution of

simulations by generating TCL scripts and produces comprehensive JSON log files for subsequent security analysis.

FISSA empowers designers to evaluate their designs during the conceptual phase by allowing them to select specific assessment parameters, including the fault model and target components, tailored to their unique requirements. The insights gained from the results generated by this tool enable designers to enhance the security of their designs, thus adhering to the principles of *Security by Design*.

616161

61

# **COUNTERMEASURES IMPLEMENTATIONS**

| Conte | ents                                                    |  |  |  |  |  |
|-------|---------------------------------------------------------|--|--|--|--|--|
|       | 5.1 Fault models used in this chapter                   |  |  |  |  |  |
|       | 5.2 Countermeasure 1: Simple Parity                     |  |  |  |  |  |
|       | 5.3 Countermeasure 2: Hamming Code                      |  |  |  |  |  |
|       | 5.3.1 Implementation 1: Optimisation of redundancy bits |  |  |  |  |  |
|       | 5.4 Summary                                             |  |  |  |  |  |
| 5.1   | Fault models used in this chapter                       |  |  |  |  |  |
| 5.2   | Countermeasure 1: Simple Parity                         |  |  |  |  |  |
| 5.3   | Countermeasure 2: Hamming Code                          |  |  |  |  |  |
| 5.3.1 | Implementation 1: Optimisation of redundancy bits       |  |  |  |  |  |
| 5.4   | Summary                                                 |  |  |  |  |  |

# **EXPERIMENTAL SETUP AND RESULTS**

#### Contents

| COLLECTION |                                                                                          |    |
|------------|------------------------------------------------------------------------------------------|----|
| 6.1        | Fault models used in this chapter                                                        | 64 |
| 6.2        | Countermeasure 2: Hamming Code                                                           | 64 |
|            | 6.2.1 Implementation 2: Protection by pipeline stage                                     | 64 |
|            | 6.2.2 Implementation 3: Protection of all registers individually                         | 64 |
|            | 6.2.3 $$ Implementation 4: Protection of all registers individually with CSRs slicing $$ | 64 |
|            | 6.2.4 Implementation 5: Smart protection by pipeline stage                               | 64 |
| 6.3        | Countermeasure 3: Hamming Code - SECDED                                                  | 64 |
|            | 6.3.1 Implementation 1: Optimisation of redundancy bits                                  | 64 |
|            | 6.3.2 Implementation 2: Protection by pipeline stage                                     | 64 |
|            | 6.3.3 Implementation 3: Protection of all registers individually                         | 64 |
|            | 6.3.4  Implementation 4: Protection of all registers individually with CSRs slicing  .   | 64 |
|            | 6.3.5 Implementation 5: Smart protection by pipeline stage                               | 64 |
| 6.4        | Experimental setup                                                                       | 64 |
| 6.5        | Experimental results                                                                     | 64 |
| 6.6        | Summary                                                                                  | 64 |

- 6.1 Fault models used in this chapter
- 6.2 Countermeasure 2: Hamming Code
- 6.2.1 Implementation 2: Protection by pipeline stage
- 6.2.2 Implementation 3: Protection of all registers individually
- 6.2.3 Implementation 4: Protection of all registers individually with CSRs slicing
- 6.2.4 Implementation 5: Smart protection by pipeline stage
- 6.3 Countermeasure 3: Hamming Code SECDED
- 6.3.1 Implementation 1: Optimisation of redundancy bits
- 6.3.2 Implementation 2: Protection by pipeline stage
- 6.3.3 Implementation 3: Protection of all registers individually
- 6.3.4 Implementation 4: Protection of all registers individually with CSRs slicing
- 6.3.5 Implementation 5: Smart protection by pipeline stage
- 6.4 Experimental setup
- 6.5 Experimental results
- 6.6 Summary

## **CONCLUSION**

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

Gene Spafford

### Contents

| 7.1 | Synthesis    | 65 |
|-----|--------------|----|
| 7.2 | Perspectives | 65 |

### 7.1 Synthesis

## 7.2 Perspectives

## **BIBLIOGRAPHY**

- [1] Christian Palmiero et al., "Design and Implementation of a Dynamic Information Flow Tracking Architecture to Secure a RISC-V Core for IoT Applications", in: High Performance Extreme Computing, 2018, DOI: 10.1109/HPEC.2018.8547578.
- [2] William Pensec, Vianney Lapôtre, and Guy Gogniat, "Another Break in the Wall: Harnessing Fault Injection Attacks to Penetrate Software Fortresses", in: Proceedings of the First International Workshop on Security and Privacy of Sensing Systems, SensorsS&P, Istanbul, Turkiye: Association for Computing Machinery, 2023, pp. 8–14, DOI: 10.1145/3628356.3630116.
- [3] William Pensec et al., "Defending the Citadel: Fault Injection Attacks against Dynamic Information Flow Tracking and Related Countermeasures", in: 2024 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Knoxville, United States, July 2024, URL: https://hal.science/hal-04620057.
- [4] William Pensec, Vianney Lapôtre, and Guy Gogniat, "Scripting the Unpredictable: Automate Fault Injection in RTL Simulation for Vulnerability Assessment", in: 2024 27th Euromicro Conference on Digital System Design (DSD), 2024.
- [5] Transforma Insights; Exploding Topics, Number of Internet of Things (IoT) connections worldwide from 2022 to 2023, with forecasts from 2024 to 2033, Online. Accessed 13th August 2024, 2024, URL: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/.
- [6] Transforma Insights, Internet of Things (IoT) total annual revenue worldwide from 2020 to 2030, Online. Accessed 13th August 2024, 2023, URL: https://www.statista.com/statistics/ 1194709/iot-revenue-worldwide/.
- [7] Mardiana binti Mohamad Noor and Wan Haslina Hassan, "Current research on Internet of Things (IoT) security: A survey", in: Computer Networks 148 (2019), pp. 283-294, ISSN: 1389-1286, DOI: https://doi.org/10.1016/j.comnet.2018.11.025.
- [8] Eryk Schiller et al., "Landscape of IoT security", in: Computer Science Review 44 (2022), p. 100467, ISSN: 1574-0137, DOI: https://doi.org/10.1016/j.cosrev.2022.100467.
- [9] Mampi Devi and Abhishek Majumder, "Side-Channel Attack in Internet of Things: A Survey", in: Applications of Internet of Things, Singapore: Springer Singapore, 2021, pp. 213–222, ISBN: 978-981-15-6198-6, DOI: 10.1007/978-981-15-6198-6\_20.
- [10] Paul C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", in: Advances in Cryptology — CRYPTO '96, Springer Berlin Heidelberg, 1996, pp. 104– 113, ISBN: 978-3-540-68697-2, DOI: 10.1007/3-540-68697-5\_9.
- [11] H. Bar-El et al., "The Sorcerer's Apprentice Guide to Fault Attacks", in: Proceedings of the IEEE 94.2 (2006), pp. 370–382, DOI: 10.1109/JPROC.2005.862424.

- [12] Alessandro Barenghi et al., "Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures", in: Proceedings of the IEEE 100.11 (2012), pp. 3056–3076, DOI: 10.1109/JPROC.2012.2188769.
- [13] Bilgiday Yuce, Patrick Schaumont, and Marc Witteman, "Fault Attacks on Secure Embedded Software: Threats, Design, and Evaluation", in: Journal of Hardware and Systems Security 2 (2018), pp. 111–130, DOI: 10.1007/s41635-018-0038-1.
- [14] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults", in: Advances in Cryptology EUROCRYPT '97, Berlin, Heidelberg: Springer Berlin Heidelberg, 1997, pp. 37–51, ISBN: 978-3-540-69053-5, DOI: 10.1007/3-540-69053-0\_4.
- [15] Andy Greenberg, A \$500 Open Source Tool Lets Anyone Hack Computer Chips With Lasers, URL: https://www.wired.com/story/rayv-lite-laser-chip-hacking-tool/.
- [16] Riscure, Laser Station 2, URL: https://www.riscure.com/products/laser-station-2/.
- [17] NewAE, ChipWhisperer and ChipSHOUTER, URL: https://www.newae.com/chipwhisperer.
- [18] Martin S. Kelly and Keith Mayes, "High Precision Laser Fault Injection using Low-cost Components", in: 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2020, pp. 219–228, DOI: 10.1109/HOST45689.2020.9300265.
- [19] Johan Laurent et al., "Fault Injection on Hidden Registers in a RISC-V Rocket Processor and Software Countermeasures", in: Design, Automation & Test in Europe Conference (DATE), 2019, DOI: 10.23919/DATE.2019.8715158.
- [20] Thomas Trouchkine et al., "Electromagnetic Fault Injection Against a Complex CPU, toward new Micro-architectural Fault Models", in: Journal of Cryptographic Engineering (2021), DOI: 10.1007/s13389-021-00259-6.
- [21] Vanthanh Khuat, Jean-Max Dutertre, and Jean-Luc Danger, "Analysis of a Laser-induced Instructions Replay Fault Model in a 32-bit Microcontroller", in: Digital System Design (DSD), 2021, DOI: 10.1109/DSD53832.2021.00061.
- [22] Niek Timmers, Albert Spruyt, and Marc Witteman, "Controlling PC on ARM Using Fault Injection", in: Fault Diagnosis and Tolerance in Cryptography (FDTC), 2016, DOI: 10.1109/FDTC. 2016.18.
- [23] Xhani Marvin Saß, Richard Mitev, and Ahmad-Reza Sadeghi, "Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M", in: 32nd USENIX Security Symposium (USENIX Security 23), USENIX Association, Aug. 2023, pp. 6239–6256, ISBN: 978-1-939133-37-3, DOI: 10.48550/arXiv.2302.06932.
- [24] Shoei Nashimoto et al., "Bypassing Isolated Execution on RISC-V using Side-Channel-Assisted Fault-Injection and Its Countermeasure", in: IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES) (2021), DOI: 10.46586/tches.v2022.i1.28-68.
- [25] David E Bell, Leonard J La Padula, et al., "Secure computer system: Unified exposition and multics interpretation", in: (1976).

- [26] Dorothy E. Denning, "A lattice model of secure information flow", in: Commun. ACM 19.5 (May 1976), pp. 236–243, ISSN: 0001-0782, DOI: 10.1145/360051.360056.
- [27] Wei Hu, Armaiti Ardeshiricham, and Ryan Kastner, "Hardware Information Flow Tracking", in: ACM Computing Surveys (2021), DOI: 10.1145/3447867.
- [28] Kejun Chen et al., "Dynamic Information Flow Tracking: Taxonomy, Challenges, and Opportunities", in: Micromachines 12.8 (2021), ISSN: 2072-666X, DOI: 10.3390/mi12080898.
- [29] G. Edward Suh et al., "Secure Program Execution via Dynamic Information Flow Tracking", in: SIGPLAN Not. 39.11 (2004), pp. 85–96, ISSN: 0362-1340, DOI: 10.1145/1037187.1024404.
- [30] Christopher Brant et al., "Challenges and Opportunities for Practical and Effective Dynamic Information Flow Tracking", in: ACM Computing Surveys 55.1 (Nov. 2021), ISSN: 0360-0300, DOI: 10.1145/3483790.
- [31] Ebrary, Overview of Embedded Application Development for Intel Architecture, URL: https://ebrary.net/22038/computer\_science/overview\_embedded\_application\_development\_intel architecture#734.
- [32] Andrew C. Myers, "JFlow: practical mostly-static information flow control", in: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '99, San Antonio, Texas, USA: Association for Computing Machinery, 1999, pp. 228–241, ISBN: 1581130953, DOI: 10.1145/292540.292561.
- [33] Andrey Chudnov and David A. Naumann, "Inlined Information Flow Monitoring for JavaScript", in: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA: Association for Computing Machinery, 2015, pp. 629–643, ISBN: 9781450338325, DOI: 10.1145/2810103.2813684.
- [34] Thomas H. Austin and Cormac Flanagan, "Efficient purely-dynamic information flow analysis", in: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, PLAS '09, Dublin, Ireland: Association for Computing Machinery, 2009, pp. 113–124, ISBN: 9781605586458, DOI: 10.1145/1554339.1554353.
- [35] Vasileios P. Kemerlis et al., "libdft: practical dynamic data flow tracking for commodity systems", in: SIGPLAN Not. 47.7 (Mar. 2012), pp. 121–132, ISSN: 0362-1340, DOI: 10.1145/2365864. 2151042.
- [36] William Enck et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones", in: ACM Trans. Comput. Syst. 32.2 (June 2014), ISSN: 0734-2071, DOI: 10.1145/2619091.
- [37] Nickolai Zeldovich et al., "Making information flow explicit in HiStar", in: Commun. ACM 54.11 (Nov. 2011), pp. 93–101, ISSN: 0001-0782, DOI: 10.1145/2018396.2018419.
- [38] N. Vachharajani et al., "RIFLE: An Architectural Framework for User-Centric Information-Flow Security", in: 37th International Symposium on Microarchitecture (MICRO-37'04), 2004, pp. 243–254, DOI: 10.1109/MICRO.2004.31.

- [39] Daniel Townley et al., "LATCH: A Locality-Aware Taint CHecker", in: Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO '52, Columbus, OH, USA: Association for Computing Machinery, 2019, pp. 969–982, ISBN: 9781450369381, DOI: 10. 1145/3352460.3358327.
- [40] Joël Porquet and Simha Sethumadhavan, "WHISK: An uncore architecture for Dynamic Information Flow Tracking in heterogeneous embedded SoCs", in: 2013 International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS), 2013, pp. 1–9, DOI: 10.1109/CODES-ISSS.2013.6658991.
- [41] Michael Dalton, Hari Kannan, and Christos Kozyrakis, "Raksha: a flexible information flow architecture for software security", in: SIGARCH Comput. Archit. News 35.2 (June 2007), pp. 482–493, ISSN: 0163-5964, DOI: 10.1145/1273440.1250722.
- [42] Mohit Tiwari et al., "Complete information flow tracking from the gates up", in: Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Washington, DC, USA: Association for Computing Machinery, 2009, pp. 109–120, ISBN: 9781605584065, DOI: 10.1145/1508244.1508258.
- [43] Wei Hu et al., "Theoretical Fundamentals of Gate Level Information Flow Tracking", in: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 30.8 (2011), pp. 1128–1140, DOI: 10.1109/TCAD.2011.2120970.
- [44] Hari Kannan, Michael Dalton, and Christos Kozyrakis, "Decoupling Dynamic Information Flow Tracking with a dedicated coprocessor", in: 2009 IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, pp. 105–114, DOI: 10.1109/DSN.2009.5270347.
- [45] Muhammad Abdul Wahab et al., "A small and adaptive coprocessor for information flow tracking in ARM SoCs", in: 2018 International Conference on ReConFigurable Computing and FPGAs (ReConFig), 2018, pp. 1–8, DOI: 10.1109/RECONFIG.2018.8641695.
- [46] Muhammad A. Wahab et al., "ARMHEX: A hardware extension for DIFT on ARM-based SoCs", in: 2017 27th International Conference on Field Programmable Logic and Applications (FPL), 2017, pp. 1–7, DOI: 10.23919/FPL.2017.8056767.
- [47] Shimin Chen et al., "Flexible Hardware Acceleration for Instruction-Grain Program Monitoring", in: SIGARCH Comput. Archit. News 36.3 (June 2008), pp. 377–388, ISSN: 0163-5964, DOI: 10. 1145/1394608.1382153.
- [48] Vijay Nagarajan et al., "Dynamic Information Flow Tracking on Multicores", in: Workshop on Interaction between Compilers and Computer Architectures, 2008, URL: https://www.research.ed.ac.uk/en/publications/dynamic-information-flow-tracking-on-multicores.
- [49] Olatunji Ruwase et al., "Parallelizing dynamic information flow tracking", in: Proceedings of the 20th Annual Symposium on Parallelism in Algorithms and Architectures, SPAA '08, Munich, Germany: Association for Computing Machinery, 2008, pp. 35–45, ISBN: 9781595939739, DOI: 10.1145/1378533.1378538.

- [50] Carlton Shepherd et al., "Physical fault injection and side-channel attacks on mobile devices: A comprehensive analysis", in: Computers & Security 111 (2021), ISSN: 0167-4048, DOI: 10.1016/j.cose.2021.102471.
- [51] Jeffrey Friedman, "TEMPEST: A Signal Problem", in: 2 (1972), URL: https://www.nsa.gov/portals/75/documents/news-features/declassified-documents/cryptologic-spectrum/tempest.pdf.
- [52] Paul Kocher, Joshua Jaffe, Benjamin Jun, et al., "Introduction to differential power analysis and related attacks", in: (1998).
- [53] Paul Kocher et al., "Introduction to differential power analysis", in: Journal of Cryptographic Engineering 1 (2011), pp. 5–27, DOI: 10.1007/s13389-011-0006-y.
- [54] Louis Goubin and Jacques Patarin, "DES and Differential Power Analysis The "Duplication" Method", in: Cryptographic Hardware and Embedded Systems, Springer Berlin Heidelberg, 1999, pp. 158–172, ISBN: 978-3-540-48059-4, DOI: 10.1007/3-540-48059-5\_15.
- [55] Moritz Lipp et al., "PLATYPUS: Software-based Power Side-Channel Attacks on x86", in: 2021 IEEE Symposium on Security and Privacy (SP), 2021, pp. 355–371, DOI: 10.1109/SP40001.2021. 00063.
- [56] David Brumley and Dan Boneh, "Remote timing attacks are practical", in: Computer Networks 48.5 (2005), Web Security, pp. 701–716, ISSN: 1389-1286, DOI: https://doi.org/10.1016/j.comnet.2005.01.010.
- [57] Jean-Jacques Quisquater and David Samyde, "ElectroMagnetic Analysis (EMA): Measures and Counter-measures for Smart Cards", in: Smart Card Programming and Security, Springer Berlin Heidelberg, 2001, pp. 200–210, ISBN: 978-3-540-45418-2, DOI: 10.1007/3-540-45418-7\_17.
- [58] Asanka Sayakkara, Nhien-An Le-Khac, and Mark Scanlon, "A survey of electromagnetic side-channel attacks and discussion on their case-progressing potential for digital forensics", in: Digital Investigation 29 (2019), pp. 43–54, ISSN: 1742-2876, DOI: 10.1016/j.diin.2019.03.002.
- [59] Jiaji He et al., "EM Side Channels in Hardware Security: Attacks and Defenses", in: IEEE Design & Test 39.2 (2022), pp. 100–111, DOI: 10.1109/MDAT.2021.3135324.
- [60] Johann Heyszl et al., "Localized Electromagnetic Analysis of Cryptographic Implementations", in: Topics in Cryptology - CT-RSA 2012, Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 231-244, ISBN: 978-3-642-27954-6, DOI: 10.1007/978-3-642-27954-6\_15.
- [61] Amit Kumar et al., "Efficient simulation of EM side-channel attack resilience", in: 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2017, pp. 123–130, DOI: 10.1109/ ICCAD.2017.8203769.
- [62] Christian Wittke, Zoya Dyka, and Peter Langendoerfer, "Comparison of EM Probes Using SEMA of an ECC Design", in: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2016, pp. 1–5, DOI: 10.1109/NTMS.2016.7792439.

- [63] Abdullah Aljuffri et al., "Applying Thermal Side-Channel Attacks on Asymmetric Cryptography", in: IEEE Transactions on Very Large Scale Integration (VLSI) Systems 29.11 (2021), pp. 1930– 1942, DOI: 10.1109/TVLSI.2021.3111407.
- [64] Michael Hutter and Jörn-Marc Schmidt, "The Temperature Side Channel and Heating Fault Attacks", in: Smart Card Research and Advanced Applications, Cham: Springer International Publishing, 2014, pp. 219–235, ISBN: 978-3-319-08302-5, DOI: 10.1007/978-3-319-08302-5\_15.
- [65] Michael Backes et al., "Acoustic side-channel attacks on printers", in: Proceedings of the 19th USENIX Conference on Security, USENIX Security'10, Washington, DC: USENIX Association, 2010, p. 20, ISBN: 8887666655554, DOI: 10.5555/1929820.1929847.
- [66] Daniel Genkin, Adi Shamir, and Eran Tromer, "Acoustic Cryptanalysis", in: Journal of Cryptology 30 (2017), pp. 392–443, DOI: 10.1007/s00145-015-9224-2.
- [67] Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad, "A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards", in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023, pp. 270–280, DOI: 10.1109/EuroSPW59978.2023.00034.
- [68] D. Binder, E. C. Smith, and A. B. Holman, "Satellite Anomalies from Galactic Cosmic Rays", in: IEEE Transactions on Nuclear Science 22.6 (1975), pp. 2675–2680, DOI: 10.1109/TNS.1975. 4328188.
- [69] J. F. Ziegler, "Terrestrial cosmic rays", in: IBM Journal of Research and Development 40.1 (1996), pp. 19–39, DOI: 10.1147/rd.401.0019.
- [70] J. F. Ziegler and W. A. Lanford, "Effect of Cosmic Rays on Computer Memories", in: Science 206.4420 (1979), pp. 776-788, DOI: 10.1126/science.206.4420.776.
- [71] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton, "On the Importance of Eliminating Errors in Cryptographic Computations", in: Journal of Cryptology 14 (2001), pp. 101–119, DOI: 10.1007/s001450010016.
- [72] Haissam Ziade, Rafic Ayoubi, and Raoul Velazco, "A survey on Fault Injection Techniques", in: The international Arab journal of information technology 1.2 (Jan. 2004), pp. 171–186, URL: https://hal.science/hal-00105562.
- [73] Roberta Piscitelli, Shivam Bhasin, and Francesco Regazzoni, "Fault attacks, injection techniques and tools for simulation", in: 2015 10th International Conference on Design & Technology of Integrated Systems in Nanoscale Era (DTIS), 2015, pp. 1–6, DOI: 10.1109/DTIS.2015.7127352.
- [74] Jakub Breier and Xiaolu Hou, "How Practical Are Fault Injection Attacks, Really?", in: IEEE Access 10 (2022), pp. 113122–113130, DOI: 10.1109/ACCESS.2022.3217212.
- [75] Wikipedia contributors, *Decapping—Wikipedia*, [Online; accessed 26-August-2024], 2019, URL: https://en.wikipedia.org/wiki/Decapping.
- [76] Sergei P. Skorobogatov and Ross J. Anderson, "Optical Fault Induction Attacks", in: Cryptographic Hardware and Embedded Systems, Springer Berlin Heidelberg, 2002, pp. 2–12, ISBN: 978-3-540-36400-9, DOI: 10.1007/3-540-36400-5\_2.

- [77] Jörn-Marc Schmidt and Michael Hutter, "Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results", in: Austrochip 2007: 15th Austrian Workhop on Microelectronics, Verlag der Technischen Universität Graz, 2007, pp. 61-67, ISBN: 978-3-902465-87-0, URL: https://graz.elsevierpure.com/en/publications/optical-and-em-fault-attacks-on-crt-based-rsa-concrete-results.
- [78] Oscar M. Guillen, Michael Gruber, and Fabrizio De Santis, "Low-Cost Setup for Localized Semi-invasive Optical Fault Injection Attacks", in: Constructive Side-Channel Analysis and Secure Design, Springer International Publishing, 2017, pp. 207–222, ISBN: 978-3-319-64647-3, DOI: 10.1007/978-3-319-64647-3\_13.
- [79] Ray Beaulieu et al., "The SIMON and SPECK Families of Lightweight Block Ciphers", in: (2013), URL: https://eprint.iacr.org/2013/404.
- [80] Stéphanie Anceau et al., "Nanofocused X-Ray Beam to Reprogram Secure Circuits", in: Cryptographic Hardware and Embedded Systems CHES 2017, Springer International Publishing, 2017, pp. 175–188, ISBN: 978-3-319-66787-4, DOI: 10.1007/978-3-319-66787-4\_9.
- [81] Nasr-eddine Ouldei Tebina et al., "Ray-Spect: Local Parametric Degradation for Secure Designs: An application to X-Ray Fault Injection", in: 2023 IEEE 29th International Symposium on On-Line Testing and Robust System Design (IOLTS), 2023, pp. 1–7, DOI: 10.1109/IOLTS59296. 2023.10224894.
- [82] Paul Grandamme, Lilian Bossuet, and Jean-Max Dutertre, "X-Ray Fault Injection in Non-Volatile Memories on Power OFF Devices", in: 2023 IEEE Physical Assurance and Inspection of Electronics (PAINE), 2023, DOI: 10.1109/PAINE58317.2023.10318018.
- [83] Christian Palmiero et al., A Hardware Dynamic Information Flow Tracking Architecture for Lowlevel Security on a RISC-V Core, 2018, URL: https://github.com/sld-columbia/riscv-dift.
- [84] Sandra Loosemore et al., The GNU C Library Reference Manual, 2023, URL: https://www.gnu.org/s/libc/manual/pdf/libc.pdf.
- [85] Jan Richter-Brockmann et al., "FIVER Robust Verification of Countermeasures against Fault Injections", in: IACR Transactions on Cryptographic Hardware and Embedded Systems (2021), DOI: 10.46586/tches.v2021.i4.447-473.
- [86] Victor Arribas, Svetla Nikova, and Vincent Rijmen, "VerMI: Verification Tool for Masked Implementations", in: 25th IEEE International Conference on Electronics, Circuits and Systems (ICECS), 2018, DOI: 10.1109/ICECS.2018.8617841.
- [87] Gilles Barthe et al., "maskVerif: Automated Verification of Higher-Order Masking in Presence of Physical Defaults", in: Computer Security ESORICS 2019: 24th European Symposium on Research in Computer Security, Proceedings, Part I, 2019, DOI: 10.1007/978-3-030-29959-0\_15.
- [88] Simon Tollec et al., "Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults", in: (2024), URL: https://eprint.iacr.org/2024/247.

- [89] Asmita Adhikary and Ileana Buhan, "SoK: Assisted Fault Simulation", in: Applied Cryptography and Network Security Workshops, Springer Nature Switzerland, 2023, DOI: 10.1007/978-3-031-41181-6 10.
- [90] Riscure, FiSim: An open-source deterministic Fault Attack Simulator Prototype, URL: https://github.com/Riscure/FiSim.
- [91] Victor Arribas et al., "Cryptographic Fault Diagnosis using VerFI", in: IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2020, DOI: 10.1109/HOST45689.2020. 9300264.
- [92] Gaetan Canivet et al., "Glitch and laser fault attacks onto a secure AES implementation on a SRAM-based FPGA", in: Journal of Cryptology (2011), DOI: 10.1007/s00145-010-9083-9.
- [93] Florian Hauschild et al., "ARCHIE: A QEMU-Based Framework for Architecture-Independent Evaluation of Faults", in: Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 2021, DOI: 10.1109/FDTC53659.2021.00013.
- [94] Yohannes B. Bekele, Daniel B. Limbrick, and John C. Kelly, "A Survey of QEMU-Based Fault Injection Tools & Techniques for Emulating Physical Faults", in: IEEE Access (2023), DOI: 10.1109/ACCESS.2023.3287503.
- [95] Ralph Nyberg et al., "Closing the Gap between Speed and Configurability of Multi-bit Fault Emulation Environments for Security and Safety-Critical Designs", in: 17th Euromicro Conference on Digital System Design, 2014, DOI: 10.1109/DSD.2014.39.
- [96] Claudio Bozzato, Riccardo Focardi, and Francesco Palmarini, "Shaping the Glitch: Optimizing Voltage Fault Injection Attacks", in: IACR Transactions on Cryptographic Hardware and Embedded Systems (2019), DOI: 10.13154/tches.v2019.i2.199-224.
- [97] Brice Colombier et al., "Multi-Spot Laser Fault Injection Setup: New Possibilities for Fault Injection Attacks", in: Smart Card Research and Advanced Applications, 2022, DOI: 10.1007/978-3-030-97348-3\_9.
- [98] Tobias Schneider, Amir Moradi, and Tim Güneysu, "ParTI-towards combined hardware counter-measures against side-channel and fault-injection attacks", in: Advances in Cryptology-CRYPTO: 36th Annual International Cryptology Conference, Proceedings, Part II 36, 2016, DOI: 10.1007/978-3-662-53008-5\_11.
- [99] William Pensec, FISSA: Fault Injection Simulation for Security Assessment, URL: https://github.com/WilliamPsc/FISSA.
- [100] Siemens, QuestaSim, URL: https://eda.sw.siemens.com/en-US/ic/questa/simulation/advanced-simulator/.
- [101] Verilator, Verilator, URL: https://github.com/verilator/verilator.
- [102] Xilinx, Vivado Design Suite, URL: https://www.xilinx.com/products/design-tools/vivado.html.
- [103] Michael L. Waskom, "Seaborn: statistical data visualization", in: Journal of Open Source Software (2021), DOI: 10.21105/joss.03021.

[104] J. D. Hunter, "Matplotlib: A 2D graphics environment", in: Computing in Science & Engineering (2007), DOI: 10.5281/zenodo.7697899.





Titre: titre (en français).....

Mot clés : de 3 à 6 mots clefs

Résumé : Eius populus ab incunabulis primis ad usque pueritiae tempus extremum, quod annis circumcluditur fere trecentis, circummurana pertulit bella, deinde aetatem ingressus adultam post multiplices bellorum aerumnas Alpes transcendit et fretum, in iuvenem erectus et virum ex omni plaga quam orbis ambit inmensus, reportavit laureas et triumphos, iamque vergens in senium et nomine solo aliquotiens vincens ad tranquilliora vitae discessit. Hoc inmaturo interitu ipse quoque sui pertaesus excessit e vita aetatis nono anno atque vicensimo cum quadriennio imperasset. natus apud Tuscos in Massa Veternensi, patre Constantio Constantini fratre imperatoris, matreque Galla. Thalassius vero

ea tempestate praefectus praetorio praesens ipse quoque adrogantis ingenii, considerans incitationem eius ad multorum augeri discrimina, non maturitate vel consiliis mitigabat, ut aliquotiens celsae potestates iras principum molliverunt, sed adversando iurgandoque cum parum congrueret, eum ad rabiem potius evibrabat, Augustum actus eius exaggerando creberrime docens, idque, incertum qua mente, ne lateret adfectans, quibus mox Caesar acrius efferatus, velut contumaciae quoddam vexillum altius erigens, sine respectu salutis alienae vel suae ad vertenda opposita instar rapidi fluminis irrevocabili impetu ferebatur. Hae duae provinciae bello quondam piratico catervis mixtae praedonum.

Title: titre (en anglais).....

Keywords: de 3 à 6 mots clefs

**Abstract:** Eius populus ab incunabulis primis ad usque pueritiae tempus extremum, quod annis circumcluditur fere trecentis, circummurana pertulit bella, deinde aetatem ingressus adultam post multiplices bellorum aerumnas Alpes transcendit et fretum, in iuvenem erectus et virum ex omni plaga quam orbis ambit inmensus, reportavit laureas et triumphos, iamque vergens in senium et nomine solo aliquotiens vincens ad tranquilliora vitae discessit. Hoc inmaturo interitu ipse quoque sui pertaesus excessit e vita aetatis nono anno atque vicensimo cum quadriennio imperasset. natus apud Tuscos in Massa Veternensi, patre Constantio Constantini fratre imperatoris, matreque Galla. Thalassius vero

ea tempestate praefectus praetorio praesens ipse quoque adrogantis ingenii, considerans incitationem eius ad multorum augeri discrimina, non maturitate vel consiliis mitigabat, ut aliquotiens celsae potestates iras principum molliverunt, sed adversando iurgandoque cum parum congrueret, eum ad rabiem potius evibrabat, Augustum actus eius exaggerando creberrime docens, idque, incertum qua mente, ne lateret adfectans. quibus mox Caesar acrius efferatus, velut contumaciae quoddam vexillum altius erigens, sine respectu salutis alienae vel suae ad vertenda opposita instar rapidi fluminis irrevocabili impetu ferebatur. Hae duae provinciae bello quondam piratico catervis mixtae praedonum.