Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


GILES is designed to help software engineers quickly identify side channel and fault injection security risks during development stages.


Developing software for leaky processors is not straightforward and even experienced developers need to check if the measures that they put in place actually work. Rather than having to go through the onerous task of a fully blown lab evaluation, it would be great if a "push button" solution could be run over the code that identifies leaks and maybe even helps fix them. GILES includes instruction level power profiles (taken on our high lab equipment) and "plugs them into" a simulator, thereby providing an instruction accurate leakage emulator.


This tool simulates instruction-level side channel analysis leakage without the need for anything other that a target program. Additionally it allows for fault injection attacks to be performed concurrently.

It can support multiple different processors and multiple different methods of generating leakage from these. Currently the only supported simulator is the Thumb Timing Simulator. This will simulate an ARM Cortex M0 processor. The supported leakage models can be found here.

Please feel free to add more simulators and models! Here is a guide on how to do this.


  1. Download from the releases page Alternatively, build it yourself.

  2. Compile your target program for your chosen simulator. Currently only one simulator is supported, Thumb Timing Simulator, so compile for this simulator for now. Here is an example to help you get started.

It is heavily recommended (but not essential) that you make use of the elmo-funcs.h file to provide useful functions, such as trigger points and the ability to get random data inside the simulator. This can be found on the releases page.

The target program should be edited to replace the target data, such as the cryptographic key, with randomly generated values.

  1. Run GILES. Here is an example of the most common usage.
GILES my-program-binary-from-step-2 -o output-file.trs

This will use the Hamming weight model. See here for more on models. The ELMO power model requires the file coeffs.json to be in the same directory or specified like so:

GILES my-program-binary-from-step-2 --coefficients some-path/coeffs.json -o output-file.trs
  1. Done! Perform whatever side channel attacks/analysis you want on the output file.

All command line options

All command line options can be printed using the -h or --help flags shown here:

GILES --help

This should produce the result below.

General instruction leakage simulator
Usage: bin/GILES [--input] EXECUTABLE [--coefficients] COEFFICIENTS
  -h [ --help ]                         Print help
  -r [ --runs ] arg (=1)                Number of traces to generate
  -c [ --coefficients ] arg (=./coeffs.json)
                                        Coefficients file
  -i [ --input ] arg                    Executable to be ran in the simulator
  -o [ --output ] arg                   Generated traces output file
  -s [ --simulator ] arg (=Thumb Sim)   The name of the simulator that should 
                                        be used
  -m [ --model ] arg (=Hamming Weight)  The name of the mathematical model that
                                        should be used to generate traces
  -f [ --fault ] arg                    Where to inject a fault. e.g. "--fault 
                                        10 R0 2" is inject a fault before the 
                                        10th clock cycle, by flipping the 
                                        second least significant bit in the 
                                        register R0
  -t [ --timeout ] arg                  The number of clock cycles to force 
                                        stop execution after

See here for a more in depth description of the available flags.

Leakage generation models

There are currently two methods supported for generating leakage supported.

ELMO Power model

This is the recommend model for generating high quality leakage.

This can be used by specifying --model Power.

Details of how it works can be found here.

Hamming weight model

This is the default model and will generate leakage much faster but the leakage may not be as high quality.

This is the default model that will be used if none as specified.

This works by taking the Hamming weight of the operands of the instructions executed.


Please help add more if you can! There will be a document describing how to do this at some point.

Output format

GILES currently saves traces in the .trs format. This format is designed for use in Riscure's Inspector, but can be interpreted in other ways.

We hope to support alternative formats in the future.

API Documentation

Documentation is generated using Doxygen. In order to generate this follow these instructions:

  1. Install Doxygen

  2. Firstly follow the instructions in the Getting started for Development section.

  3. Documentation can be built with CMake using the "doc" target by running the command as shown.

cmake --build . --target doc
  1. Open this file

Additionally, enabling the cmake configuration option GILES_BUILD_DOCUMENTATION will generate the documentation every time you compile.


Refer to for developer specific information.

Built with

Thank you to the creators of all these. Without these, this would not have been possible.


This program is released under license AGPLv3+.

Get a summary of this license here at


This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 725042).

EU Logo