Runtime Code Polymorphism as a Protection Against Side Channel Attacks

  • Damien Couroussé
  • Thierno Barry
  • Bruno Robisson
  • Philippe Jaillon
  • Olivier Potin
  • Jean-Louis Lanet
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9895)


We present a generic framework for runtime code polymorphism, applicable to a broad range of computing platforms including embedded systems with low computing resources (e.g. microcontrollers with few kilo-bytes of memory). Code polymorphism is defined as the ability to change the observable behaviour of a software component without changing its functional properties. In this paper we present the implementation of code polymorphism with runtime code generation, which offers many code transformation possibilities: we describe the use of random register allocation, random instruction selection, instruction shuffling and insertion of noise instructions. We evaluate the effectiveness of our framework against correlation power analysis: as compared to an unprotected implementation of AES where the secret key could be recovered in less than 50 traces in average, in our protected implementation, we increased the number of traces necessary to achieve the same attack by more than 20000\(\times \). With regards to the state of the art, our implementation shows a moderate impact in terms of performance overhead.


Execution Time Memory Footprint Register Allocation Instruction Schedule Side Channel Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was partially funded by the COGITO project, funded by the French National Research Agency (ANR) as part of the program Digital Engineering and Security (INS-2013), under grant agreement ANR-13-INSE-0006-01.


  1. 1.
    Agosta, G., Barenghi, A., Pelosi, G., Scandale, M.: The MEET approach: Securing cryptographic embedded software against side channel attacks. IEEE TCAD 34(8), 1320–1333 (2015)zbMATHGoogle Scholar
  2. 2.
    Agosta, G., Barenghi, A., Pelosi, G.: A code morphing methodology to automate power analysis countermeasures. In: DAC, pp. 77–82. ACM (2012)Google Scholar
  3. 3.
    Amarilli, A., Müller, S., Naccache, D., Page, D., Rauzy, P., Tunstall, M.: Can code polymorphism limit information leakage? In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 1–21. Springer, Heidelberg (2011)Google Scholar
  4. 4.
    Ambrose, J., Ragel, R., Parameswaran, S.: Rijid: random code injection to mask power analysis based side channel attacks. In: DAC, pp. 489–492 (2007)Google Scholar
  5. 5.
    Aracil, C., Couroussé, D.: Software acceleration of floating-point multiplication using runtime code generation. In: ICEAC, pp. 18–23 (2013)Google Scholar
  6. 6.
    Bayrak, A.G., Velickovic, N., Ienne, P., Burleson, W.: An architecture-independent instruction shuffler to protect against side-channel attacks. TACO 8(4), 1–19 (2012)CrossRefGoogle Scholar
  7. 7.
    Boulet, F., Barthe, M., Le, T.H.: Protection of applets against hidden-channel analysis, WO/2012/085482 (2013)Google Scholar
  8. 8.
    Charles, H.P., Couroussé, D., Lomller, V., Endo, F., Gauguey, R.: \(\mathtt{{deGoal}}\) a tool to embed dynamic code generators into applications. In: Cohen, A. (ed.) CC 2014. LNCS, vol. 8409, pp. 107–112. Springer, Heidelberg (2014)Google Scholar
  9. 9.
    Coron, J.-S., Kizhvatov, I.: Analysis and improvement of the random delay countermeasure of CHES 2009. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 95–109. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Crane, S., Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Thwarting cache side-channel attacks through dynamic software diversity. In: Network And Distributed System Security Symposium, NDSS. vol. 15 (2015)Google Scholar
  11. 11.
    Durvaux, F., Renauld, M., Standaert, F.-X., van Oldeneel tot Oldenzeel, L., Veyrat-Charvillon, N.: Efficient removal of random delays from embedded software implementations using hidden markov models. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771, pp. 123–140. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  12. 12.
    Kotzmann, T., Wimmer, C., Mössenböck, H., Rodriguez, T., Russell, K., Cox, D.: Design of the Java Hotspot client compiler for Java 6. TACO 5(1), 7: 1–7: 32 (2008)Google Scholar
  13. 13.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  14. 14.
    May, D., Muller, H.L., Smart, N.P.: Random register renaming to foil DPA. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, p. 28. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    May, D., Muller, H.L., Smart, N.P.: Non-deterministic processors. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, p. 115. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Patterson, D.A., Hennessy, J.L.: Computer Organization and Design: The Hardware/Software Interface, 4th edn. Morgan Kaufmann (2011)Google Scholar
  17. 17.
    Poletto, M., Sarkar, V.: Linear scan register allocation. ACM Trans. Program. Lang. Syst. 21(5), 895–913 (1999)CrossRefGoogle Scholar
  18. 18.
    Strobel, D., Paar, C.: An efficient method for eliminating random delays in power traces of embedded software. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 48–60. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Damien Couroussé
    • 1
    • 2
  • Thierno Barry
    • 1
    • 2
  • Bruno Robisson
    • 3
  • Philippe Jaillon
    • 4
  • Olivier Potin
    • 4
  • Jean-Louis Lanet
    • 5
  1. 1.Univ. Grenoble AlpesGrenobleFrance
  2. 2.CEA, IST, MINATEC CampusGrenobleFrance
  3. 3.CEA-Tech DPACAGardanneFrance
  4. 4.École Nationale Suprieure des Mines de Saint-EtienneSaint-ÉtienneFrance
  5. 5.Inria de RennesRennesFrance

Personalised recommendations