Journal of Cryptographic Engineering

, Volume 4, Issue 3, pp 145–156 | Cite as

Formal verification of a software countermeasure against instruction skip attacks

  • N. Moro
  • K. Heydemann
  • E. Encrenaz
  • B. Robisson
Special Section on Proofs 2013


Fault attacks against embedded circuits enabled to define many new attack paths against secure circuits. Every attack path relies on a specific fault model which defines the type of faults that the attacker can perform. On embedded processors, a fault model consisting in an assembly instruction skip can be very useful for an attacker and has been obtained by using several fault injection means. To avoid this threat, some countermeasure schemes which rely on temporal redundancy have been proposed. Nevertheless, double fault injection in a long enough time interval is practical and can bypass those countermeasure schemes. Some fine-grained countermeasure schemes have also been proposed for specific instructions. However, to the best of our knowledge, no approach that enables to secure a generic assembly program in order to make it fault-tolerant to instruction skip attacks has been formally proven yet. In this paper, we provide a fault-tolerant replacement sequence for almost all the instructions of the Thumb-2 instruction set and provide a formal verification for this fault tolerance. This simple transformation enables to add a reasonably good security level to an embedded program and makes practical fault injection attacks much harder to achieve.


Microcontroller Fault attack Instruction skip  Countermeasure Formal verification 


  1. 1.
    ARM: ARM Architecture Reference Manual—Thumb-2 Supplement (2005)Google Scholar
  2. 2.
    Balasch, J., Gierlichs, B., Verbauwhede, I.: An in-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2011). doi: 10.1109/FDTC.2011.9
  3. 3.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice guide to fault attacks. In: Proceedings of the IEEE 94 (2006). doi: 10.1109/JPROC.2005.862424
  4. 4.
    Barenghi, A., Bertoni, G.M., Breveglieri, L., Pelliccioli, M., Pelosi, G.: Injection technologies for fault attacks on microprocessors. In: Joye, M., Tunstall, M. (eds.) Fault Analysis in Cryptography, Information Security and Cryptography, pp. 275–293. Springer, Berlin (2012). doi: 10.1007/978-3-642-29656-7
  5. 5.
    Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012). doi: 10.1109/JPROC.2012.2188769 CrossRefGoogle Scholar
  6. 6.
    Barenghi, A., Breveglieri, L., Koren, I., Pelosi, G., Regazzoni, F.: Countermeasures against fault attacks on software implemented AES. In: Proceedings of the 5th Workshop on Embedded Systems Security—WESS ’10. ACM Press, New York (2010). doi: 10.1145/1873548.1873555
  7. 7.
    Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Advances in Cryptology—EUROCRYPT ’97, Lecture Notes in Computer Science, vol. 1233, pp. 37–51. Springer, Berlin (1997). doi: 10.1007/3-540-69053-0_4
  8. 8.
    Chetali, B., Nguyen, Q.H.: Industrial use of formal methods for a high-level security evaluation. FM 2008: Formal Methods. Lecture Notes in Computer Science, vol. 5014, pp. 198–213. Springer, Berlin (2008) Google Scholar
  9. 9.
    Christofi, M., Chetali, B., Goubin, L., Vigilant, D.: Formal verification of a CRT-RSA implementation against fault attacks. J. Cryptogr. Eng. (2013). doi: 10.1007/s13389-013-0049-3
  10. 10.
    Dehbaoui, A., Dutertre, J.M., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: FDTC 2012. IEEE (2012). doi: 10.1109/FDTC.2012.15
  11. 11.
    Fox, A., Myreen, M.: A trustworthy monadic formalization of the armv7 instruction set architecture. Interactive Theorem Proving. Lecture Notes in Computer Science, vol. 6172, pp. 243–258. Springer, Berlin (2010)Google Scholar
  12. 12.
    Guthaus, M., Ringenberg, J., Ernst, D., Austin, T., Mudge, T., Brown, R.: MiBench: a free, commercially representative embedded benchmark suite. In: Proceedings of the Fourth Annual IEEE International Workshop on Workload Characterization. WWC-4. IEEE (2001). doi: 10.1109/WWC.2001.990739
  13. 13.
    Karaklajić, D., Schmidt, J.M., Verbauwhede, I.: Hardware Designer’s Guide to Fault Attacks. In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems (2013). doi: 10.1109/TVLSI.2012.2231707
  14. 14.
    Medwed, M., Schmidt, J.M.: A generic fault countermeasure providing data and program flow integrity. In: 2008 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2008). doi: 10.1109/FDTC.2008.11
  15. 15.
    Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., Encrenaz, E.: Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2013). doi: 10.1109/FDTC.2013.9
  16. 16.
    Nguyen, M.H., Robisson, B., Agoyan, M., Drach, N.: Low-cost recovery for the code integrity protection in secure embedded processors. In: 2011 IEEE International Symposium on Hardware-Oriented Security and Trust. IEEE (2011). doi: 10.1109/HST.2011.5955004
  17. 17.
    Rauzy, P., Guilley, S.: A formal proof of countermeasures against fault injection attacks on CRT-RSA. J. Cryptogr. Eng. (2013). doi: 10.1007/s13389-013-0065-3
  18. 18.
    Schmidt, J.M., Herbst, C.: A practical fault attack on square and multiply. In: 2008 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2008). doi: 10.1109/FDTC.2008.10
  19. 19.
    Skorobogatov, S.: Local heating attacks on Flash memory devices. In: 2009 IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 1–6. IEEE (2009). doi: 10.1109/HST.2009.5225028
  20. 20.
    Trichina, E., Korkikyan, R.: Multi fault laser attacks on protected CRT-RSA. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE (2010). doi: 10.1109/FDTC.2010.14
  21. 21.
    Yiu, J.: The Definitive Guide To The ARM Cortex-M3. Elsevier Science, London (2009)Google Scholar
  22. 22.
    Zussa, L., Dutertre, J.M., Clédière, J., Robisson, B., Tria, A.: Investigation of timing constraints violation as a fault injection means. In: DCIS. Avignon, France (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Sorbonne Universités, UPMC Univ Paris 06, UMR 7606, LIP6ParisFrance
  2. 2.CNRS, UMR 7606, LIP6ParisFrance
  3. 3.CEA, CEA-Tech PACA, LSASGardanneFrance

Personalised recommendations