Cybersecurity formal analysis of fault-injection attacks in hardware/software embedded systems

The CEA's technology research division (DRT) develop a broad portfolio of technologies in the fields of information and communication, energy and health. CEA technology research division leverages a unique innovation-driven culture and unrivalled expertise to develop and disseminate new technologies for industry, effectively bridging the gap between the worlds of research and industry. CEA-List is a research institute specialized in smart digital systems, located in the heart of the Paris-Saclay science and technology cluster.

Within the CEA List, the Electronics Design Automation and Architectures Laboratory (LECA) has the mission of designing innovative and flexible computing architecture (System-on-chip) that meet the challenges of performance, cost, energy consumption, safety and security, targeting critical embedded systems and accelerators for embedded AI. In particular, the laboratory develops methods for modeling and analyzing safety and security properties in order to verify the behavior of multi-core computing architectures using formal methods.

Research Context and Challenge.

Fault-injection attacks exploit hardware perturbations to move a processor into unexpected states or execution paths, potentially exposing secrets or escalating privileges. Recent research has highlighted the need to consider the consequences of fault injection in the processor micro-architecture. In this area, we have developed pre-silicon methodologies and tools that have shown to be successful to find microarchitectural vulnerabilities and/or formally prove the robustness, for a given fault model, of various RISC-V based processors. We have also developed binary-level program analysis methods (BINSEC/ASE) able to efficiently take into account some predefined ISA-level fault injection models. Yet, a major and common challenge of all these approaches lies in the state space generated by the modeling of processor’s behavior executing a sequence of instructions and under a fault model.

Objective.

This position focuses on defining and implementing security contracts for fault-injection attacker models. The proposed security contracts should support a multi-level approach, enabling the design and analysis of hybrid countermeasures, while also bridging fault models derived from experimental characterizations to the software level. They will also be used to revisit our k-fault-resistant partitioning methodology to analysis multi-fault models within complex systems, such as applications processors, and to help our binary-level code analyzers to handle more generic classes of fault models.

 Within the TwinSec research project, your main missions will be to:

• Define a semantics for the use of contracts in the context of fault injection attacks. Potential implementations may involve a domain-specific language or annotations to describe, at the ISA-level, the effects of faults stemming from the microarchitectural level. The model must account for both spatial aspects (defining RTL/netlist-level signals to be targeted) and temporal aspects (identifying injection time intervals);
• Explore how such security contracts can enhance microarchitectural-level analyses, in particular by integrating into fault models information from experimental characterizations of laser injections. In particular, as TwinSec proposes a more realistic attacker model to identify microarchitecture-specific vulnerabilities, microarchitectural analyses could leverage for instance post-layout information;
• Investigate the use of security contracts to integrate microarchitectural descriptions into ISA-level analysis tools like Binsec. The expected outcome is the validation of a multi-level semantics for contracts adapted to the the context of fault injection attacks, ultimately enabling the implementation of an end-to-end analysis tool.

The major breakthrough introduced by security contracts will be the ability to provide formal
composable security properties, thus enabling the exploration of binary-level software analyses with
RTL or post-synthesis level analyses of secure hardware circuits.

Candidate Profile. We are seeking a motivated researcher with:

• A PhD in computer science, embedded systems, or related fields.
• Expertise in fault-injection attacks, formal verification, or microarchitecture security.
• Strong programming skills and analytical thinking. Experience with RISC-V processors, ISA-
• level / binary analysis tools, or domain-specific languages is a plus.

The TwinSec project is also recruiting a PhD candidate to work on the topic of security contracts for
fault-injection attacker models. The Post-doc researcher will participate in the co-supervision of this
PhD project and contribute to the development of the methodologies and tools designed by the PhD
student.

Desired personal qualities :

• Ability to work in a team, while showing a good autonomy in daily life;
• Scientific curiosity, taste for technical challenges;
• Ability to understand and solve complex problems;
• Ability to take a step back and have a transverse vision;
• Rigorous work methods and a spirit of synthesis.