Verifying Redundant-Check Based Countermeasures: A Case Study

Thibault Martin; Nikolai Kosmatov; Virgile Prevosto

doi:10.1145/3477314.3507341

Verifying Redundant-Check Based Countermeasures: A Case Study

Thibault Martin
, Nikolai Kosmatov
, Virgile Prevosto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

To thwart fault injection based attacks on critical embedded systems, designers of sensitive software use redundancy based countermeasure schemes. In some of these schemes, critical checks (i.e. conditionals) in the code are duplicated to ensure that an attacker cannot bypass such a check by flipping its result in order to get to a protected point (corresponding e.g. to a successful authentication or code integrity verification). This short paper presents a source-code-level verification technique of the correct implementation of such countermeasures. It is based on code instrumentation and deductive verification. The proposed technique was implemented in a tool prototype and evaluated on a real-life case study: the bootloader module of a secure USB storage device called WooKey, supposed to be resistant to fault injection attacks. We were able to prove the correctness of almost all redundant-check countermeasures in the module except two, and found an error in one of the unproven ones.

Original language	English
Title of host publication	Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022
Publisher	Association for Computing Machinery
Pages	1849-1852
Number of pages	4
ISBN (Electronic)	9781450387132
DOIs	https://doi.org/10.1145/3477314.3507341
Publication status	Published - 25 Apr 2022
Externally published	Yes
Event	37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022 - Virtual, Online Duration: 25 Apr 2022 → 29 Apr 2022

Publication series

Name	Proceedings of the ACM Symposium on Applied Computing

Conference

Conference	37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022
City	Virtual, Online
Period	25/04/22 → 29/04/22

Keywords

deductive verification
fault injection attacks
frama-C verification platform
software countermeasures

Access to Document

10.1145/3477314.3507341

Cite this

@inproceedings{f626f30cf5c94caba414f046021a9c5b,

title = "Verifying Redundant-Check Based Countermeasures: A Case Study",

abstract = "To thwart fault injection based attacks on critical embedded systems, designers of sensitive software use redundancy based countermeasure schemes. In some of these schemes, critical checks (i.e. conditionals) in the code are duplicated to ensure that an attacker cannot bypass such a check by flipping its result in order to get to a protected point (corresponding e.g. to a successful authentication or code integrity verification). This short paper presents a source-code-level verification technique of the correct implementation of such countermeasures. It is based on code instrumentation and deductive verification. The proposed technique was implemented in a tool prototype and evaluated on a real-life case study: the bootloader module of a secure USB storage device called WooKey, supposed to be resistant to fault injection attacks. We were able to prove the correctness of almost all redundant-check countermeasures in the module except two, and found an error in one of the unproven ones.",

keywords = "deductive verification, fault injection attacks, frama-C verification platform, software countermeasures",

author = "Thibault Martin and Nikolai Kosmatov and Virgile Prevosto",

note = "Publisher Copyright: {\textcopyright} 2022 Owner/Author.; 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022 ; Conference date: 25-04-2022 Through 29-04-2022",

year = "2022",

month = apr,

day = "25",

doi = "10.1145/3477314.3507341",

language = "English",

series = "Proceedings of the ACM Symposium on Applied Computing",

publisher = "Association for Computing Machinery",

pages = "1849--1852",

booktitle = "Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022",

}

Martin, T, Kosmatov, N & Prevosto, V 2022, Verifying Redundant-Check Based Countermeasures: A Case Study. in Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022. Proceedings of the ACM Symposium on Applied Computing, Association for Computing Machinery, pp. 1849-1852, 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022, Virtual, Online, 25/04/22. https://doi.org/10.1145/3477314.3507341

Verifying Redundant-Check Based Countermeasures: A Case Study. / Martin, Thibault; Kosmatov, Nikolai; Prevosto, Virgile.
Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022. Association for Computing Machinery, 2022. p. 1849-1852 (Proceedings of the ACM Symposium on Applied Computing).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Verifying Redundant-Check Based Countermeasures

T2 - 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022

AU - Martin, Thibault

AU - Kosmatov, Nikolai

AU - Prevosto, Virgile

PY - 2022/4/25

Y1 - 2022/4/25

N2 - To thwart fault injection based attacks on critical embedded systems, designers of sensitive software use redundancy based countermeasure schemes. In some of these schemes, critical checks (i.e. conditionals) in the code are duplicated to ensure that an attacker cannot bypass such a check by flipping its result in order to get to a protected point (corresponding e.g. to a successful authentication or code integrity verification). This short paper presents a source-code-level verification technique of the correct implementation of such countermeasures. It is based on code instrumentation and deductive verification. The proposed technique was implemented in a tool prototype and evaluated on a real-life case study: the bootloader module of a secure USB storage device called WooKey, supposed to be resistant to fault injection attacks. We were able to prove the correctness of almost all redundant-check countermeasures in the module except two, and found an error in one of the unproven ones.

AB - To thwart fault injection based attacks on critical embedded systems, designers of sensitive software use redundancy based countermeasure schemes. In some of these schemes, critical checks (i.e. conditionals) in the code are duplicated to ensure that an attacker cannot bypass such a check by flipping its result in order to get to a protected point (corresponding e.g. to a successful authentication or code integrity verification). This short paper presents a source-code-level verification technique of the correct implementation of such countermeasures. It is based on code instrumentation and deductive verification. The proposed technique was implemented in a tool prototype and evaluated on a real-life case study: the bootloader module of a secure USB storage device called WooKey, supposed to be resistant to fault injection attacks. We were able to prove the correctness of almost all redundant-check countermeasures in the module except two, and found an error in one of the unproven ones.

KW - deductive verification

KW - fault injection attacks

KW - frama-C verification platform

KW - software countermeasures

UR - https://www.scopus.com/pages/publications/85130417162

U2 - 10.1145/3477314.3507341

DO - 10.1145/3477314.3507341

M3 - Conference contribution

AN - SCOPUS:85130417162

T3 - Proceedings of the ACM Symposium on Applied Computing

SP - 1849

EP - 1852

BT - Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022

PB - Association for Computing Machinery

Y2 - 25 April 2022 through 29 April 2022

ER -

Verifying Redundant-Check Based Countermeasures: A Case Study

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this