Design of Fault Injection Models Within Pre-silicon Security Methodologies

Fault-injection attacks exploit hardware perturbations to drive a processor into unexpected states or execution paths, which can leak secrets or enable privilege escalation. Fault-injection attacks are taken into account in the design of high-security products (e.g. debit / credit cards, recent smartphones, etc.). The open-source community is now developing new tools and attack approaches, thus widening the importance of this threat in the cybersecurity community. Recent work has emphasized the importance of accounting for the microarchitectural consequences of such injections. In this context, CEA List has developed pre-silicon tools that have proven effective at discovering microarchitectural vulnerabilities or, for a given fault injection model, formally proving the robustness of several RISC-V processors.

µArchiFI is one of these pre-silicon tools; it constructs a formal transition system from a Verilog processor description, a binary program, and an attacker model that encodes the fault model. However, the fault models used by µArchiFI do not incorporate layout information. Analyses are performed at the Register Transfer Level (RTL) and can evaluate a wide range of fault models (bit / word set, reset, flip, and symbolic behaviors) on signals selected individually. In a real fault attack scenario, for instance, using a laser source as the fault injection tool, it may hit different bits of the same signal or of different signals.

The internship objective is to enhance µArchiFI with new fault models so that signals that are affected by the laser beam are selected according to laser-spot location regarding the circuit layout. This requires: 1) integrating layout information and location constraints into the fault models, 2) modelling the laser beam’s Gaussian profile to select signals that fall within the beam surface as studied in the referenced work. These enhanced fault models will be used to rerun security verifications over processor designs already analyzed by µArchiFI. The obtained results will be compared with state-of-the-art experimental characterizations and against previous results produced by µArchiFI, in particular to benchmark the time it takes to perform verification. Additional fault models explore whether other types of information, such as circuit timing, can be leveraged to capture specific injection means such as clock glitching.

References

[1] CEA List, Pre-silicon tools for security assessment against fault-injection attacks.

[2] µArchiFI: a pre-silicon tool to assess the robustness of HW / SW systems against fault-injection attacks. Available :

[3] Simon Tollec et al.: μArchiFI : Formal Modeling and Verification Strategies for Microarchitectural Fault Injections. FMCAD.

[4] Standard CAD Tool-Based Method for Simulation of Laser-Induced Faults in Large-Scale Circuits. PhD Raphael Viera.