Formal Fault Injection Vulnerability Detection in Binaries: a Software
Total Page:16
File Type:pdf, Size:1020Kb
Formal fault injection vulnerability detection in binaries : a software process and hardware validation Nisrine Jafri To cite this version: Nisrine Jafri. Formal fault injection vulnerability detection in binaries : a software process and hard- ware validation. Cryptography and Security [cs.CR]. Université Rennes 1, 2019. English. NNT : 2019REN1S014. tel-02385208 HAL Id: tel-02385208 https://tel.archives-ouvertes.fr/tel-02385208 Submitted on 28 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. T HÈSE DE DOCTORAT DE L’UNIVERSITE DE RENNES 1 COMUE UNIVERSITE BRETAGNE LOIRE Ecole Doctorale N°601 Mathèmatique et Sciences et Technologies de l’Information et de la Communication Spécialité : Informatique Par « Nisrine JAFRI » « Formal Fault Injection Vulnerability Detection in Binaries » «A Software Process and Hardware Validation» Thèse présentée et soutenue à RENNES , le 25 mars 2019 Unité de recherche : Inria, TAMIS team Thèse N°: Rapporteurs avant soutenance : Marie-Laure POTET, Professeur des Universités, ENSIMAG Jean-Yves MARION, Professeur des Universités, Université de Lorraine Composition du jury : Président : Pierre-Alain FOUQUE, Professeur des Universités, Université Rennes 1 Examinateurs : Leijla BATINA, Professeur des Université s, Université Radboud de Nimegue Shivam BHASIN, Chercheur, Université technologique de Singapour Sylvain GUILLEY, Professeur des Universités, Télécom ParisTech Annelie HEUSER, Chercheur, CNRS Dir. de thèse : Jean-Louis LANET, Chercheur, Inria Co-dir. de thèse : Axel LEGAY , Professeur des Universités, Université catholique de Louvain Invité(s) iii “The summit of happiness is reached when a person is ready to be what he is.” Desiderius Erasmus إلى�من�بالحب�غمروني�وبجميل�السجايا�أدبوني �إلى�أ�ّمي�و�أبي� v UNIVERSITY RENNES 1 Abstract Inria Doctoral School MATHSTIC Doctor of Philosophy Formal Fault Injection Vulnerability Detection in Binaries - A Software Process and Hardware Validation by Nisrine JAFRI Fault injection is a well known method to test the robustness and security vulner- abilities of systems. Detecting fault injection vulnerabilities has been approached with a variety of different but limited methods. Software-based and hardware-based approaches have both been used to detect fault injection vulnerabilities. Software- based approaches can provide broad and rapid coverage, but may not correlate with genuine hardware vulnerabilities. Hardware-based approaches are indisputable in their results, but rely upon expensive expert knowledge, manual testing, and can not confirm what fault model represent the created effect. First, this thesis focuses on the software-based approach and proposes a general pro- cess that uses model checking to detect fault injection vulnerabilities in binaries. The efficacy and scalability of this process is demonstrated by detecting vulnerabilities in different cryptographic real-world implementations. Then, this thesis bridges software-based and hardware-based fault injection vulnera- bility detection by contrasting results of the two approaches. This demonstrates that: not all software-based vulnerabilities can be reproduced in hardware; prior conjec- tures on the fault model for electromagnetic pulse attacks may not be accurate; and that there is a relationship between software-based and hardware-based approaches. Further, combining both software-based and hardware-based approaches can yield a vastly more accurate and efficient approach to detect genuine fault injection vul- nerabilities. Keywords: Fault Injection, Vulnerability Detection, Model Checking, Formal Meth- ods vii Acknowledgements I would start by expressing my gratitude to my thesis directors Jean-Louis Lanet and Axel Legay. Thank you for giving me the opportunity to experience the PhD journey. Thanks for your directions through the path, your advices and comments. My sincere thanks to Marie-Laure Potet and Jean-Yves Marion for accepting to re- view my work. Marie-Laure Potet, thank you for your advices and goodwill. Jean- Yves Marion, thank you for your availability and pertinent remarque. Thanks for the jury members, Leijla Batina, Shivam Bhasin, Pierre-Alain Fouque, Sylvain Guilley for accepting to be part of my jury. Special thanks to my supervisor Thomas Given-Wilson. My research would have been impossible without your aid, support, and encouragement. Thanks for all the shared techniques and tips that I will carry on with me, and share as well. I owe a very important debt to Annelie Heuser, thanks for helping me finalise this manuscript, but also for all your support and encouragement, it was a real pleasure working with you. Thanks to Clementine Maurice my monitor, your advices, suggestion and encour- agement were a great help to me. I would also like to thank Ronan Lashermes and Sebanjila Kevin Bukasa from the LHS lab for their help in conducting the hardware experiments. Heartfelt thanks go to all the tamis team members. A special thank to Olivier Zen- dra the team leader for his support and help in order to defend my thesis. A unique thanks to Cecile Bouton. Thank you for your goodwill and support, you have been a second mother to me. thanks to the members who become true friends to me. Alex and Kevin we will remain the Trio of Porto. Tania, thanks for everything but especially for the free hugs. Cassius, thanks for your positive energy, and all the shared information about the music bands. Delphine, it was a pleasure to have you as an officemate. Thanks to all the team members with whom I shared a great mo- ment: Stefano, Ioana, Lamine, Céline, Yoann, Christophe, Laurent, Leo, Ludo, Jean, Hélène, Florian, Fabrizio ... I am profoundly grateful to all my friends for their emotional support through the way, thanks Meriem, Fati, Mouad, Routa, Rahaf, Farah. A special thanks to Pierre- Yves who become more than a friend. Thanks for your support, through the last miles of this journey you had the right words to boost my motivation. Thanks to all my Spanish, Sewing, Swimming, and Salsa teachers, spending time in your courses helped me having a balanced life. Thanks to my second family in Rennes, Gabrielle and Claire. You’ve been a true family to me, you embraced me with your love and care, and made me feel at home. And lastly, all the thank goes to my beloved family for their unlimited love and support. Thanks to my parents and brothers Youssef and Youness. My grandparents and to all members of JAFRI and Chouka families, for providing me with unfailing support and continuous encouragement throughout my years of study and through the process of researching and writing this thesis. This accomplishment would not have been possible without them. Thank you. Nisrine JAFRI ix Contents Abstract v Acknowledgements vii Résumé en français 1 Introduction and Background 5 1 Introduction 5 1.1 Context and Motivation ........................... 5 1.2 Motivating Example: Verify PIN Example ................. 7 1.3 Contributions ................................. 8 1.4 Publications .................................. 10 1.5 Organisation of the Thesis .......................... 12 2 Background 15 2.1 Fault Injection ................................. 15 2.1.1 Software-Based Fault Injection Approaches . 18 2.1.2 Hardware-Based Fault Injection Approaches . 20 2.1.3 Fault Model .............................. 22 2.2 Formal Verification .............................. 22 2.2.1 Model Checking ........................... 23 2.2.2 Properties ............................... 25 2.3 Working on Binaries ............................. 25 2.3.1 Binary Model Checking ....................... 26 2.3.2 Binary Translation .......................... 28 I An Automated Formal Process For Detecting Fault injection Vulner- abilities in Binaries 31 3 Overview of Part I 33 3.1 Introduction .................................. 33 3.2 State of the Art ................................. 34 3.3 Case Studies: Cryptographic Algorithms . 36 4 Process, Implementation and Methodology 41 4.1 Fault Injection Vulnerability Detection FIVD Process . 41 4.2 FIVD Process Implementation ........................ 44 4.3 FIVD Process Methodology ......................... 46 5 Experimental Results 49 5.1 Motivating example .............................. 49 5.2 Cryptographic Algorithm .......................... 54 x 6 Details on the Experimental Results and Implementation for the PRESENT Algorithm 59 7 Discusion and Limitations 67 7.1 Discusion .................................... 67 7.2 Limitations ................................... 69 II Bridging Software-Based and Hardware-Based Fault injection At- tacks 71 8 Overview of Part II 73 8.1 Introduction .................................. 73 8.2 State of the Art ................................. 75 8.3 Case Studies: Control flow Hijacking and Backdoor Attack . 76 9 Process, Implementation and Methodology 81 9.1 Software and Hardware based Process ................... 81 9.2 Software and Hardware based Implementation . 83 9.3 Software and Hardware based Methodology . 85 10 Experimental Results 89 10.1 Control Flow Hijacking ...........................