
Security Contract Semantics for Fault-Injection Attacks in Embedded Systems H / F

CEA

Paris

On-site

EUR 40 000 - 80 000

Full-time

30+ days ago


Job summary

An innovative organisation is looking for a motivated post-doctoral researcher to work on security contracts for fault-injection attacks. The research project aims to establish methodologies that link experimentally derived fault models to the hardware and software levels. As a member of a multidisciplinary team, you will have the opportunity to define semantics for security contracts, explore their integration into analysis tools, and contribute to PhD projects. If you are motivated and have expertise in microarchitectural security, this position is for you.

Qualifications

  • Motivated researcher with a PhD in computer science or embedded systems.
  • Expertise in fault-injection attacks and formal verification.

Responsibilities

  • Define a semantics for the use of contracts in the context of fault-injection attacks.
  • Explore how these contracts can improve analyses at the microarchitectural level.

Knowledge

Formal analysis
Microarchitectural security
Domain-specific languages
Analytical thinking
Programming skills

Education

PhD in computer science
PhD in embedded systems

Tools

Binary analysis tools (Binsec)
RISC-V processors

Job description

Security Contract Semantics for Fault-Injection Attacks in Embedded Systems H/F

Field

Contract: Post-doc

The national TwinSec research project aims to establish an end-to-end methodology to identify and eliminate, at the design stage, microarchitecture-specific vulnerabilities. The TwinSec project, which frames this post-doc research, brings together several French laboratories specialising in hardware and software security to model and analyse the effects of fault injection at the physical, hardware (HW), Instruction Set Architecture (ISA), and software (SW) levels. It focuses on physical attacks, mainly laser fault injection, and proposes a more realistic attacker model for multi-level fault analysis. Existing modelling tools are not yet capable of efficiently predicting an embedded system's resistance to such attacks, because they rely on generic fault models. To keep formal analyses scalable within this end-to-end methodology, appropriate ways to exchange information between the layers must be defined.

Research Context and Challenge

Fault-injection attacks exploit hardware perturbations to move a processor into unexpected states or execution paths, potentially exposing secrets or escalating privileges. Recent research has highlighted the need to consider the consequences of fault injection in the processor microarchitecture. In this area, we have developed pre-silicon methodologies and tools that have proven successful in finding microarchitectural vulnerabilities and/or formally proving the robustness, for a given fault model, of various RISC-V based processors. We have also developed binary-level program analysis methods (BINSEC/ASE) able to efficiently take into account some predefined ISA-level fault-injection models. Yet a major challenge common to all these approaches lies in the state space generated by modelling the processor's behaviour while it executes a sequence of instructions under a fault model.

Objective

This CDD or post-doc position focuses on defining and implementing security contracts for fault-injection attacker models. The proposed security contracts should support a multi-level approach, enabling the design and analysis of hybrid countermeasures, while also bridging fault models derived from experimental characterisations to the software level. They will also be used to revisit our k-fault-resistant partitioning methodology in order to analyse multi-fault models within complex systems, such as application processors, and to help our binary-level code analysers handle more generic classes of fault models.

Main Missions

  • Define a semantics for the use of contracts in the context of fault injection attacks. Potential implementations may involve a domain-specific language or annotations to describe, at the ISA-level, the effects of faults stemming from the microarchitectural level. The model must account for both spatial aspects (defining RTL/netlist-level signals to be targeted) and temporal aspects (identifying injection time intervals).
  • Explore how such security contracts can enhance microarchitectural-level analyses, in particular by integrating into fault models information from experimental characterizations of laser injections.
  • Investigate the use of security contracts to integrate microarchitectural descriptions into ISA-level analysis tools like Binsec. The expected outcome is the validation of a multi-level semantics for contracts adapted to the context of fault injection attacks, ultimately enabling the implementation of an end-to-end analysis tool.
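As an added illustration of what an ISA-level contract with spatial and temporal aspects can feed into (this is example code written for this page, not TwinSec, Binsec or CEA code), the block below models a fault contract as a data structure: the effect a microarchitectural perturbation has at the ISA level (an instruction skip, or a destination register written with zero) together with the cycle window in which an injection may land. A toy register machine standing in for a RISC-V core runs a small comparison routine, and a single-fault enumeration reports every injection cycle under which the security property "a wrong input is never authorised" is violated. The naive routine and a redundantly checked variant are both constructed for the example; the instruction set, register names and contract format are assumptions of this example only.

```python
"""Toy ISA-level fault-model evaluation (constructed example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Instruction forms of the toy ISA (an assumption of this example):
#   ("li", rd, imm)  ("xor", rd, rs1, rs2)  ("or", rd, rs1, rs2)
#   ("bnez", rs, target_index)  ("halt",)
Instr = tuple
Regs = Dict[str, int]


@dataclass(frozen=True)
class FaultContract:
    """ISA-level view of a microarchitectural fault.
    effect: "skip" (the issued instruction has no effect, e.g. corrupted decode)
            or "zero_dst" (the destination register is written with 0).
    window: inclusive (first_cycle, last_cycle) in which the injection may land,
            i.e. the temporal aspect of the contract.
    """
    effect: str
    window: Tuple[int, int]


def run(program: List[Instr], regs: Regs,
        fault: Optional[Tuple[int, str]] = None, max_cycles: int = 100) -> Regs:
    """Execute `program`; `fault = (cycle, effect)` hits the instruction issued
    at that cycle (cycles count from 1). Returns the final register file."""
    regs = dict(regs)
    pc, cycle = 0, 0
    while pc < len(program) and cycle < max_cycles:
        op = program[pc]
        cycle += 1
        effect = fault[1] if fault is not None and fault[0] == cycle else None
        if effect == "skip":          # issued but not executed
            pc += 1
            continue
        name, next_pc = op[0], pc + 1
        if name == "halt":
            return regs
        if name == "li":
            regs[op[1]] = op[2]
        elif name == "xor":
            regs[op[1]] = regs[op[2]] ^ regs[op[3]]
        elif name == "or":
            regs[op[1]] = regs[op[2]] | regs[op[3]]
        elif name == "bnez":
            if regs[op[1]] != 0:
                next_pc = op[2]
        else:
            raise ValueError(f"unknown instruction {name}")
        if effect == "zero_dst" and name in ("li", "xor", "or"):
            regs[op[1]] = 0           # result replaced by 0 in the write-back
        pc = next_pc
    if pc >= len(program):
        return regs                   # fell off the end (e.g. a skipped halt)
    raise RuntimeError("cycle budget exhausted")


# r1,r2 = stored value; r3,r4 = entered value; r7 = authorised flag (0 initially).
NAIVE: List[Instr] = [
    ("xor", "r5", "r1", "r3"), ("xor", "r6", "r2", "r4"), ("or", "r5", "r5", "r6"),
    ("bnez", "r5", 6),            # mismatch -> reject
    ("li", "r7", 1), ("halt",),
    ("li", "r7", 0), ("halt",),
]

# Same check computed twice with independent registers; both must pass.
HARDENED: List[Instr] = [
    ("xor", "r5", "r1", "r3"), ("xor", "r6", "r2", "r4"), ("or", "r5", "r5", "r6"),
    ("bnez", "r5", 10),
    ("xor", "r8", "r1", "r3"), ("xor", "r9", "r2", "r4"), ("or", "r8", "r8", "r9"),
    ("bnez", "r8", 10),
    ("li", "r7", 1), ("halt",),
    ("li", "r7", 0), ("halt",),
]

STORED = (3, 7)
WRONG = (5, 2)                    # constructed input differing in both bytes


def regs_for(stored: Tuple[int, int], entered: Tuple[int, int]) -> Regs:
    regs = {f"r{i}": 0 for i in range(10)}
    regs["r1"], regs["r2"] = stored
    regs["r3"], regs["r4"] = entered
    return regs


def single_fault_violations(program: List[Instr], contract: FaultContract) -> List[int]:
    """Cycles in the contract window at which one injection of the contract's
    effect lets the WRONG input end up authorised (r7 == 1)."""
    first, last = contract.window
    return [c for c in range(first, last + 1)
            if run(program, regs_for(STORED, WRONG), fault=(c, contract.effect))["r7"] == 1]


SKIP = FaultContract("skip", window=(1, 12))
ZERO_DST = FaultContract("zero_dst", window=(1, 12))

if __name__ == "__main__":
    for label, prog in (("naive", NAIVE), ("hardened", HARDENED)):
        for contract in (SKIP, ZERO_DST):
            print(label, contract.effect, "violating cycles:",
                  single_fault_violations(prog, contract))
```

Running the block shows that the naive routine is broken by a single skip of its branch (cycle 4) or a zeroed `or` result (cycle 3), while the redundant variant has no single-fault violation under either contract; extending the enumeration to pairs of cycles is the natural next step towards the k-fault analysis mentioned above.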

References

See attached pdf

Candidate Profile

We are seeking a motivated researcher with:

  • A PhD in computer science, embedded systems, or related fields.
  • Expertise in fault-injection attacks, formal verification, or microarchitecture security.
  • Strong programming skills and analytical thinking. Experience with RISC-V processors, ISA-level / binary analysis tools, or domain-specific languages is a plus.

In accordance with the commitments made by the CEA in favor of the integration of people with disabilities, this job is open to everyone.

The TwinSec project is also recruiting a PhD candidate to work on the topic of security contracts for fault-injection attacker models. The Post-doc researcher will participate in the co-supervision of this PhD project and contribute to the development of the methodologies and tools designed by the PhD student.

Location

Saclay

Application Deadline

05/05/2025

Reference

2025-35303

The French Alternative Energies and Atomic Energy Commission (CEA) is a leader in research, development, and innovation across key areas such as defense and security, energy, industry, and fundamental sciences. Within CEA, the List institute focuses on technological innovation in digital systems.
