



# THALES



#### MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks

Thomas Chamelot, Damien Couroussé, Karine Heydemann

Published to IEEE TCAD 2023

**TASER 2023** 



#### Fault injection attacks everywhere





MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks TASER 2023 10/09/2023






#### State of the Art: Security Properties



Data integrity – not considered in this work

Code authenticity / integrity

- Control-flow integrity
  - Direct branches / calls
  - Indirect branches / calls
  - Branchless instruction sequences (a.k.a. *basic blocks*)
    - Execution of all the instructions (e.g. no skip)
    - In correct order





A simple loop code:

```asm
loop:   addi t0, t0, -1       # decrement the counter
        bne  t0, zero, loop   # branch back while t0 != 0
```






- ... and many others

J. Laurent, V. Beroulle, C. Deleuze, F. Pebay-Peyroula, and A. Papadimitriou, "Cross-layer analysis of software fault models and countermeasures against hardware fault attacks in a RISC-V processor," Microprocessors and Microsystems, 2019.

S. Tollec, M. Asavoae, D. Couroussé, K. Heydemann, and M. Jan, "Exploration of Fault Effects on Formal RISC-V Microarchitecture Models," in FDTC, 2022.





#### Objective: full protection of the processor instruction path

Data integrity – not considered in this work



Code integrity

- Control-flow integrity
  - Direct branches / calls
  - Indirect branches / calls
  - Branchless instruction sequences (a.k.a. basic blocks)
- **Control-signals integrity**



# MAFIA: protection of the microarchitecture against fault injection attacks

- Full coverage of in-order processor instruction path
  - Control-Signal Integrity
  - Code Authenticity / Code Integrity
  - Control-Flow Integrity
- Full support of embedded software stacks:
  - Indirect function calls, interrupts
- Implementation based on RISC-V CV32E40P
- Software toolchain support




- **CACFI**: Code Authenticity and Control-Flow Integrity module
  - Signature-based
  - $\rightarrow$ Pipeline State
- **CSI**: Control-Signal Integrity module


#### Pipeline State

Selection of control signals emitted by the decode stage. Requirement: deterministic value at compilation time (program invariant).

- Static signals – depending only on the decoded instruction:
  - Operands, operation selection
  - Immediate values
- Dynamic signals – depending on other instructions in flight:
  - Forwarding





# Signature function (CACFI)

- Pipeline state $\Sigma_i$ (instruction $I_i$)
- Signature function f: $S_i = f(\Sigma_i, IV)$
- Based on generalized path signature analysis [Wilken and Shen, 1990]
- Security properties
  - Collision resistance
  - Error preservation
  - Non-associativity
- Hardware constraints
  - Computation in 1 CPU cycle
  - Low area
- Supports code authenticity or code integrity

K. Wilken and J. P. Shen, "Continuous signature monitoring: Low-cost concurrent detection of processor control errors," IEEE TCAD, 1990.






**BB0** (forwarding between consecutive dependent instructions):

```asm
addi t0, t0, 1      # writes t0
add  t1, a0, t0     # reads t0: forwarded from the previous instruction
lw   t1, 0(t1)      # reads t1: forwarded from the previous instruction
```







#### Pipeline state uniqueness

- Each instruction is associated with a *unique* signature value, computed from the current pipeline state value
- We want to protect some dynamic signals, e.g. forwarding control signals
- Dynamic signals may take different values according to the execution path

#### Solution

- The compiler:
  - verifies the pipeline state uniqueness;
  - inserts instructions for breaking dependencies when needed.

$$\begin{array}{c|l} I_0 & S_0 = f(\Sigma_0, IV) \\ I_1 & S_1 = f(\Sigma_1, S_0) \\ I_2 & S_2 = f(\Sigma_2, S_1) \\ \vdots & \vdots \\ I_N & S_N = f(\Sigma_N, S_{N-1}) \end{array}$$





Figure: MAFIA architecture. The pipeline stages (Fetch, Decode, Execute, Write back) feed the pipeline state to the CACFI module, which computes the signatures and compares them with the reference signatures stored in instruction memory (I-MEM); the CSI module receives the control signals from CACFI.

# Signature verification (CACFI)

- 1 signature associated to each instruction
- Error preservation
  - $\rightarrow$ Verifications can be used anywhere
- Verification triggered by dedicated (control-flow) instructions
  - Load reference signature
  - Verify signature
  - Proceed with control-flow
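As an added example (not the authors' code), the chained signature scheme and the verification step above in Python: pipeline states are signed with CRC32 chained as $S_i = f(\Sigma_i, S_{i-1})$; the field set of the pipeline state, the instruction words and the IV are constructed placeholders. It shows detection of a flipped control signal, a skipped instruction and a reordering, and error preservation: a fault in BB0 is still caught by a verification placed after BB1.

```python
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PipelineState:
    """Constructed model of Sigma_i: the instruction word plus the static
    decode-stage control signals it implies (hypothetical field set)."""
    insn: int      # 32-bit instruction word (code integrity)
    alu_op: int    # operation selection (static control signal)
    src_sel: int   # operand selection (static control signal)

    def encode(self) -> bytes:
        return self.insn.to_bytes(4, "little") + bytes([self.alu_op, self.src_sel])

def f(state: PipelineState, prev: int) -> int:
    """S_i = f(Sigma_i, S_{i-1}): CRC32 chained through the running value
    (CRC32 is one of the two signature functions the slides evaluate)."""
    return zlib.crc32(state.encode(), prev)

def sign_sequence(states, entry: int) -> int:
    """Running signature after a sequence of instructions, starting from IV
    or from the predecessor's last signature."""
    s = entry
    for st in states:
        s = f(st, s)
    return s

def verify(states, entry: int, reference: int) -> bool:
    """The check a dedicated verify instruction performs at the end of a block."""
    return sign_sequence(states, entry) == reference

def flip_control_signal(states, index: int, mask: int):
    """Fault model: the operation-selection signal of one instruction is flipped."""
    faulty = list(states)
    st = faulty[index]
    faulty[index] = PipelineState(st.insn, st.alu_op ^ mask, st.src_sel)
    return faulty

def skip_instruction(states, index: int):
    """Fault model: one instruction is skipped."""
    return states[:index] + states[index + 1:]

IV = 0x12345678  # constructed initial value
# Constructed blocks BB0 (three instructions) and BB1; the instruction words
# and signal values are placeholders, not real RV32 encodings.
BB0 = [PipelineState(0x00150513, 0, 1), PipelineState(0x00A30333, 0, 0),
       PipelineState(0x00032303, 0, 2)]
BB1 = [PipelineState(0xFFF50513, 0, 1)]
REF_BB0 = sign_sequence(BB0, IV)            # reference values computed "at
REF_BB0_BB1 = sign_sequence(BB0 + BB1, IV)  # compile time" from the same model
```

Because the signature is chained, the verification at the end of BB1 can start from REF_BB0 as the entry value, which is what lets a check be placed anywhere after a fault.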

# Control-Signal Integrity (CSI module)

- Input: duplication of pipeline state signals, from the CACFI module
- Signals are verified at each stage (until consumption)
- Supports any redundancy scheme. E.g.:
  - Simple copy
  - Complementary copy
  - XOR (signal, constant)




#### Hardware implementation

- Processor: RISC-V 32-bit CV32E40P
  - ISA: RV32I(MC)
  - 4-stage, in-order pipeline
- Two implementations with different signature functions f:
  - CRC32 code integrity, detects up to 8 bit-flips
  - CBC-MAC Prince code authenticity
- ASIC synthesis 22nm FDSOI @ 400MHz
- Formal verification of the pipeline state coverage






#### Software support

- **Dedicated instructions**
  - Loading of signature patches
  - Signature verifications
- Pipeline state uniqueness: preventing control-signal variability due to e.g. forwarding
- Removal of indirect branches
- Dispatchers for indirect calls
- Generation of patches and reference signatures

Figure: software toolchain. Sources (.c) are compiled by clang (LLVM) into objects (.o) and linked with libc (.a) by lld into a program (.elf); the signatures generator, driven by a microarchitecture model of the decode stage, and the dispatcher generator then produce the final instrumented program (.elf).



#### **Experimental evaluation**

#### Methodology

- ASIC synthesis: 22nm FDSOI @ 400MHz
- RTL simulation of Embench IoT
  - All the code is instrumented (signature continuity)
  - Verifications in each basic block of the benchmarked functions

#### Hardware evaluation

- Area, CV32E40P: 50kGE
- Area, CRC32: 55kGE (+6.5%, +5kGE)
- Area, Prince: 64kGE (+23.8%, +13kGE)

#### Software evaluation (CRC32)

- Code size overhead: +29.4%
- Execution time overhead: +18.4%






T. Chamelot, D. Couroussé, and K. Heydemann, "MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), accepted for publication, 2023. https://doi.org/10.1109/TCAD.2023.3276507


damien.courousse@cea.fr

Open positions! 🙂

