Publications
Below is a list of my publications. My main publications are available from DBLP database. For most of papers, a link is provided to the on-line version. Alternatively, I will happy to send you a copy available on request.
Book Chapters
La Sécurité Logique
Guillaume Barbu,
Guillaume Bouffard,
and Julien Iguchy-Cartigny
-
Les Cartes à puce
(2013)
|
|
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Cryptography and Security: From Theory to Applications -
Essays Dedicated to Jean-Jacques Quisquater on the Occasion of
His 65th Birthday
(2012)
|
|
Java Card is a kind of smart card that implements one of
the two editions, “Classic Edition” or “Connected Edition”, of
the standard Java Card 3.0 [7]. Such a smart card embeds a
virtual machine which interprets codes already romized with
the operating system or downloaded after issuance. Due to
security reasons, the ability to download code into the card
is controlled by a protocol defined by Global Platform. This
protocol ensures that the owner of the code has the necessary
authorization to perform the action. Java Card is an open
platform for smart cards, i.e. able of loading and executing
new applications after issuance. Thus, different applications
from different providers run in the same smart card. Thanks to
type verification, byte codes delivered by the Java compiler
and the converter (in charge of giving a compact
representation of class files) are safe, i.e. the loaded
application is not hostile to other applications in the Java
Card. Furthermore, the Java Card firewall checks permissions
between applications in the card, enforcing isolation between
them.
|
Journal Articles
Thomas Trouchkine,
Sébanjila Kevin Bukasa,
Mathieu Escouteloup,
Ronan Lashermes,
and Guillaume Bouffard
-
Journal of Cryptographic Engineering (JCEN)
(2021)
|
|
The last years have seen the emergence offault attacks
targeting modern Central Processing Units (CPUs). These
attacks are analyzed at a very high abstraction level and, due
to the modern CPUs complexity, the underlying fault effect is
usually unknown. Recently, a few articles have focused on
characterizing faults on modern CPUs. In this article, we
focus on the Electromagnetic Fault Injection (EMFI)
characterization on a bare-metal implementation. With this
approach, we discover and understand new effects on
micro-architectural subsystems. We target the BCM2837 where we
successfully demonstrate persistent faults on L1 instruction
cache, L1 data cache and L2 cache. We also show that faults
can corrupt the Memory Management Unit (MMU). To validate our
fault model, we realize a persistent fault analysis toretrieve
an AES key.
|
Noreddine El Janati El Idrissi,
Guillaume Bouffard,
Jean-Louis Lanet,
and Said El Hajji
-
Journal of Cryptographic Engineering (JCEN)
(2016)
|
|
Retrieving assets inside a secure element is a challenging
task. The most attractive assets are the cryptographic keys
stored into the non volatile memory (NVM) area. Most of the
researches try to obtain cryptographic keys through side
channel attacks or fault injection attacks. Such cryptographic
objects are stored into secure containers. We demonstrate in
this paper how one can use some characteristics of the Java
Card platform to gain access to these assets. Such a smart
card embeds a Firewall that provides isolation between applets
from different clients (using the notion of security
contexts). We exploit the client/server architecture of the
intra platform communication to lure a client application to
execute within its security context, a hostile code written
and called from another security context: the server security
context. This attack shows the possibility for a trusted
application to execute within its security context some
hostile code uploaded previously by the server.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Computers and Security
(2015)
|
|
Recently, researchers published several attacks on smart
cards. Among these, software attacks are the most affordable,
they do not require specific hardware (laser, EM probe, etc.).
Such attacks succeed to modify a sensitive system element
which offers access to the smart card assets. To prevent that,
smart card manufacturers embed dedicated countermeasures that
aim to protect the sensitive system elements. We present a
generic approach based on a Control Flow Transfer (CFT) attack
to modify the Java Card program counter. This attack is built
on a type confusion using the couple of instructions jsr/ret.
Evaluated on different Java Cards, this new attack is a
generic CFT exploitation that succeeds on each attacked cards.
We present several countermeasures proposed by the literature
or implemented by smart card designers and for all of them we
explain how to bypass them. Then, we propose to use Attack
Countermeasure Tree to develop an effective and affordable
countermeasure for this attack.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
International Journal of Trust Management in Computing and
Communications (IJTMCC)
(2014)
|
|
Security and attacks are two sides of the same coin in
smart card industry. Smart cards are subjected to different
types of attacks to gain the assets stored in it and can cause
security issues. It is necessary to identify and exploit these
attacks and implement appropriate countermeasures to mitigate
their effects. Fault attacks are one among them and can
introduce abnormal behaviour on the smart card environment.
Some redundancies are necessary to recognise this problem. In
this work we propose an automatic method to obtain control
flow redundancy using a security automaton to mitigate laser
based fault attacks and hence implement a smart card
countermeasure based on the combination of static analysis and
dynamic monitoring method. This is a very cost effective
approach which can identify and mitigate the effects of fault
attacks in a more efficient way.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Journal Computer Virology and Hacking Techniques
(2014)
|
|
Attacks on smart cards can only be based on a black box
approach where the code of cryptographic primitives and
operating system are not accessible. To perform hardware or
software attacks, a white box approach providing access to the
binary code is more effi- cient. In this paper, we propose a
methodology to discover the romized code whose access is
protected by the virtual machine. It uses a hooked code in an
indirection table. We gained access to real processor, thus
allowing us to run a shell code written in 8051 assembler
language. As a result, this code has been able to dump
completely the ROM of a Java Card operating system. One of the
issues is the possibility to reverse the cryptographic
algorithm and all the embedded countermeasures. Finally, our
attack is evaluated on different cards from distinct
manufacturers.
|
Guillaume Bouffard,
and Tiana Razafindralambo
-
Multi-System & Internet Security (MISC)
(2014)
|
|
L’année 2013 a été une année assez « riche » en termes de
découverte et d’exploitation de 0-day dans la nature en ce qui
concerne la famille Java. Java Card fait tout aussi bien
partie de cette famille. Néanmoins, son processus d’évaluation
suit un tout autre chemin et les attaques découvertes jusqu’à
maintenant n’en sont pas moins intéressantes.
|
Jean Dubreuil,
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
International Journal of Secure Software Engineering
(IJSSE)
(2013)
|
|
One of the challenges for smart card deployment is the
security interoperability. A smart card resistant to an attack
on a given platform should be able to guarantee the same
behavior on another platform. But the current implementations
do not comply with this requirement. In order to improve such
standardization we propose a framework based on annotations
with an external pre-processing to switch the Java Card
Virtual Machine (JCVM) into a secure mode by activating a set
of countermeasures. An example has been proposed in this paper
for implementing a countermeasure against type confusion with
a fault attack. Smart cards are often the target of software,
hardware or combined attacks. In recent days most of the
attacks are based on fault injection which can modify the
behavior of applications loaded onto the card, changing them
into mutant applications. This countermeasure requires a
transformation of the original program byte codes which remain
semantically equivalent. It needs a modification of the JCVM
which stays backward compatible and a dedicated framework to
deploy these applications. Thus, the proposed platform can
resist to a fault enabled mutant.
|
International Conferences with Review and Proceeding
Vincent Giraud,
and Guillaume Bouffard
-
workshop on the Security of Software/Hardware Interfaces
(SILM)
(2023)
|
|
Private and public actors increasingly encounter use cases
where they need to implement sensitive operations on
mass-market peripherals for which they have little or no
control. They are sometimes inclined to attempt this without
using hardware-assisted equipment, such as secure elements. In
this case, the white-box attack model is particularly relevant
and includes access to every asset, retro-engineering, and
binary instrumentation by attackers. At the same time, quantum
attacks are becoming more and more of a threat and challenge
traditional asymmetrical ciphers, which are treasured by
private and public actors. The McEliece cryptosystem is a
code-based public key algorithm introduced in 1978 that is not
subject to well-known quantum attacks and that could be
implemented in an uncontrolled environment. During the NIST
post-quantum cryptography standardization process [17], a
derived candidate commonly refer to as classic McEliece was
selected. This algorithm is however vulnerable to some fault
injection attacks [7] while a priori, this does not apply to
the original McEliece. In this article, we thus focus on the
original McEliece cryptosystem and we study its resilience
against fault injection attacks on an ARM reference
implementation [18]. We disclose the first fault injection
based attack and we discuss on how to modify the original
McEliece cryptosystem to make it resilient to fault injection
attacks.
|
PhiAttack - Rewriting the Java Card Class Hierarchy
Jean Dubreuil,
and Guillaume Bouffard
-
Smart Card Research and Advanced Applications - 20th
International Conference, CARDIS 2021, Lübeck,
Germany, November 11-12, 2021, Revised Selected Papers
(2021)
|
|
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédière
-
18th Workshop on Fault Detection and Tolerance in
Cryptography, FDTC 2021, September 17, 2021, Milan, Italy,
(2021)
|
|
Recently, several Fault Attacks (FAs) which target modern
Central Processing Units (CPUs) have emerged. These attacks
are studied from a practical point of view and, due to the
modern CPUs complexity, the underlying fault effect is usually
unknown. Few works try to characterize at the Instruction Set
Architecture (ISA) level. In this article, we apply a
state-of-the-art faults model characterization approach on
modern CPU. We evaluate the fault model on two different CPUs
from different architectures with the same injection mediums.
We target the CPU of Raspberry Pi 3 (ARM) and an Intel Core i3
(x86) and perturb them with ElectroMagnetic Fault Injection
(EMFI). From the ISA point of view, we disclose a similar
fault model on each component. Additionally, we evaluate a
widely used complex software, OpenSSL, against this fault
model.
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clediere
-
Information Security Theory and Practice - 13th IFIP WG
11.2 International Conference, WISTP 2019, Paris, France,
December 10-11, 2019
(2019)
- Best student paper award
|
|
Recently, several Fault Attacks (FAs) which target modern
Central Processing Units (CPUs) have been emerged. These
attacks are studied from a practical point of view and, due to
the modern CPUs complexity, the underlying fault effect is
usually unknown. In this article, we focus on the
characterization of a perturbation (the fault model) on modern
CPU. For that, we introduce the first approach to characterize
the fault model on modern CPU from the Instruction Set
Architecture (ISA) level to the micro-architectural level.
This fault model helps at determining which micro-architecture
elements are disrupted and how. Our fault model aims at
finding original attack paths and designed efficient
countermeasures. To confront our approach to real modern CPUs,
we apply our approach on ARM and x86 architectures CPUs,
mainly on the BCM2837 (the Raspberry Pi model B CPU) and an
Intel Core i3.
|
Julien Lancia,
and Guillaume Bouffard
-
Smart Card Research and Advanced Applications - 14th
International Conference, CARDIS 2015, Bochum, Germany,
November 4-6, 2015. Revised Selected Papers
(2015)
|
|
The Byte Code Verifier (BCV) is one of the most important
security element in the Java Card environment. Indeed,
embedded applets must be verified prior installation to
prevent ill-formed applet loading. In this article, we
disclose a flaw in the Oracle BCV which affects the applet
linking process and can be exploited on real world Java Card
smartcards. We describe our exploitation of this flaw on a
Java Card implementation that enables injecting and executing
arbitrary native malicious code in the communication buffer
from a verified applet. This native execution allows
snapshotting the smart card memory with OS rights.
|
Guillaume Bouffard,
Michael Lackner,
Jean-Louis Lanet,
and Johannes Loinig
-
Smart Card Research and Advanced Applications - 13th
International Conference, CARDIS 2014, Paris, France,
November 5-7, 2014. Revised Selected Papers
(2014)
|
|
Several logical attacks against Java based smart card have
been published recently. Most of them are based on the
hypothesis that the type verification was not performed, thus
allowing to obtain dynamically a type confusion. To mitigate
such attacks, typed stack have been introduced on recent smart
card. We propose here a new attack path for performing a type
confusion even in presence of a typed stack. Then we propose
using a Fault Tree Analysis a way to design efficiently
counter measure in a top down approach. These counter measures
are then evaluated on a Java Card virtual machine.
|
Jean-Louis Lanet,
Guillaume Bouffard,
Rokia Lamrani,
Ranim Chakra,
Afef Mestiri,
Mohammed Monsif,
and Abdellatif Fandi
-
Smart Card Research and Advanced Applications - 13th
International Conference, CARDIS 2014, Paris, France,
November 5-7, 2014. Revised Selected Papers
(2014)
|
|
Nowadays several papers have shown the ability to dump the
EEPROM area of several Java Cards leading to the disclosure of
already loaded applet and data structure of the card. Such a
reverse engineering process is costly and prone to errors.
Currently no tool are available to help this process. We
propose here an approach to find in the raw data obtained
after a dump, the area containing the code and the data. Then,
once the code area has been identified, we propose to rebuilt
the original binary Cap file in order to be able to obtain the
source code of the applet stored in the card.
|
Guillaume Bouffard,
Tom Khefif,
Jean-Louis Lanet,
Ismael Kane,
and Sergio Casanova Salvia
-
2013 International Conference on Risks and Security of
Internet and Systems (CRiSIS), La Rochelle, France, October
23-25, 2013
(2013)
|
|
Java Card specification allows to load applications after
the post-issuance. Each application to be installed into the
card is verified by a Byte Code Verifier which ensures that
the application is in compliance with the Java security rules.
The Java Card linking process is divided in to two steps. The
first one is done off-card by the Java Card toolchain. The
second one is realized during the appli- cation installation
to resolve each token by an internal reference. In this paper,
we focus on the off-card linker, espe- cially the conversion
part between a Java-Class item and a Java Card-Cap token. For
that, we provide mali- cious export files which will be used
by the converter. This malicious API provides the same
behavior as the original one for the user. With this attack,
we are able to confuse the Java Card linker.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Computer Safety, Reliability, and Security - 32nd
International Conference, SAFECOMP 2013, Toulouse, France,
September 24–27, 2013. Proceedings
(2013)
|
|
In smart card domain, attacks and countermeasures are
advancing at a fast rate. In order to have a generic view of
all the attacks, we propose to use a Fault Tree Analysis. This
method used in safety analysis helps to understand and
implement all the desirable and undesirable events existing in
this domain. We apply this method to Java Card vulnerability
analysis. We define the properties that must be ensured:
integrity and confidentiality of smart card data and code. By
modeling the conditions, we discovered new attack paths to get
access to the smart card contents. Then we introduce a new
security api which is proposed to mitigate the undesirable
events defined in the tree models.
|
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Security in Computing and Communications - International
Symposium, SSCC 2013, Mysore, India, August 22-24, 2013.
Proceedings
(2013)
|
|
Security and interoperability issues are
increasing in smart card domain and it is important to analyze
these issues carefully and implement appropriate
countermeasures to mitigate them. Security issues involve
attacks on smart cards which can lead to their abnormal
behavior. Fault attacks are the most important among them and
they can affect the program execution, smart card memory, etc.
Detecting these abnormalities requires some redundancies,
either by another code execution or by an equivalent
representation. In this paper, we propose an automatic method
to provide this redundancy using a security automaton as the
main detection mechanism. This can enforce some trace
properties on a smart card application, by using the
combination of a static analysis and a dynamic monitoring. The
security officer specifies the fragments of the code that must
be protected against fault attacks and a program transformer
produces an equivalent program that mesh a security automaton
into the code according to the security requirements.
|
Jean Dubreuil,
Guillaume Bouffard,
Jean-Louis Lanet,
and Julien Cartigny
-
Seventh International Conference on Availability,
Reliability and Security, Prague, ARES 2012, Czech Republic,
August 20-24, 2012
(2012)
|
|
Smart card are often the target of software or hardware
attacks. For instance the most recent attacks are based on
fault injection which can modify the behavior of applications
loaded in the card, changing them as mutant application. In
this paper, we propose a new protection mechanism which makes
application to be less prone to mutant generation. This
countermeasure requires a transformation of the original
program byte codes which remains semantically equivalent. It
requires a modification of the Java Virtual Machine which
remains backward compatible and a dedicated framework to
deploy the applications. Hence, our proposition improves the
ability of the platform to resist to Fault Enabled Mutant.
|
Tiana Razafindralambo,
Guillaume Bouffard,
and Jean-Louis Lanet
-
Data and Applications Security and Privacy XXVI - 26th
Annual IFIP WG 11.3 Conference, DBSec 2012, Paris, France,
July 11-13,2012. Proceedings
(2012)
|
|
Smart cards are the safer device to execute cryptographic
algorithms. Applications are verified before being loaded into
the card. Recently, the idea of combined attacks to bypass
byte code verification has emerged. Indeed, correct and
legitimate Java Card applications can be dynamically modified
on-card using a laser beam to become mutant applications or
fault enabled viruses . We propose a framework for
manipulating binary applications to design viruses for smart
cards. We present development, experimentation and an example
of this kind of virus.
|
Tiana Razafindralambo,
Guillaume Bouffard,
Bhagyalekshmy N. Thampi,
and Jean-Louis Lanet
-
Recent Trends in Computer Networks and Distributed Systems
Security - International Conference, SNDS 2012, Trivandrum,
India, October 11-12, 2012. Proceedings
(2012)
|
|
Off late security problems related to smart cards have seen
a significant rise and the risks of the attack are of deep
concern for the industries. In this context, smart card
industries try to overcome the anomaly by implementing various
countermeasures. In this paper we discuss and present a
powerful attack based on the vulnerability of the linker which
could change the correct byte code into malicious one. During
the attack, the linker interprets the instructions as tokens
and are able to resolve them. Later we propose a
countermeasure which scrambles the instructions of the method
byte code with the Java Card Program Counter (jpc). Without
the knowledge of jpc used to decrypt the byte code, an
attacker cannot execute any malicious byte code. By this way
we propose security interoperability for different Java Card
platforms.
|
Guillaume Bouffard,
Jean-Louis Lanet,
Jean-Baptiste Machemie,
Jean-Yves Poichotte,
and Jean-Philippe Wary
-
Smart Card Research and Advanced Applications - 10th IFIP
WG 8.8/11.2 International Conference, CARDIS 2011, Leuven,
Belgium, September 14–16, 2011, Revised Selected Papers
(2011)
|
|
The ability of Java Cards to withstand attacks is based on
software and hardware countermeasures, and on the ability of
the Java platform to check the correct behavior of Java code
(by using byte code verification). Recently, the idea of
combining logical attacks with a physical attack in order to
bypass byte code verification has emerged. For instance,
correct and legitimate Java Card applications can be
dynamically modified on-card using a laser beam. Such
applications become mutant applications, with a different
control flow from the original expected behaviour. This
internal change could lead to bypass controls and protections
and thus offer illegal access to secret data and operations
inside the chip. This paper presents an evaluation of the
application ability to become mutant and a new countermeasure
based on the runtime checks of the application control flow to
detect the deviant mutations.
|
Guillaume Bouffard,
Julien Iguchi-Cartigny,
and Jean-Louis Lanet
-
Smart Card Research and Advanced Applications - 10th IFIP
WG 8.8/11.2 International Conference, CARDIS 2011, Leuven,
Belgium, September 14-16, 2011, Revised Selected Papers
|
|
The Java Card uses two components to ensure the security of
its model. On the one hand, the byte code verifier (BCV)
checks, during an applet installation, if the Java Card
security model is ensured. This mechanism may not be present
in the card. On the other hand, the firewall dynamically
checks if there is no illegal access. This paper describes two
attacks to modify the Java Card control flow and to execute
our own malicious byte code. In the first attack, we use a
card without embedded security verifier and we show how it is
simple to change the return address of a current function. In
the second attack, we consider the hypothesis that the card
embeds a partial implementation of a BCV. With the help of a
laser beam, we are able to change the execution flow.
|
National Conferences with Review and Proceeding
Guillaume Bouffard,
and Léo Gaspard
-
Symposium sur la sécurité des technologies de
l’information et des communications (SSTIC), 13–15 june 2018,
Rennes, France
(2018)
|
|
In the world of Java Cards, the Firewall guarantees the
segregation of applet data and ensures the integrity and
confidentiality of each application. In order to be
independent from the microcontroller, most Java Card Virtual
Machine (JCVM) implementations are not designed to use
hardware-based mechanisms. In this article, we describe how
the Memory Protection Unit (MPU) can be used to segregate each
Java Card applet from the Operating System and device drivers.
Even if our contribution is designed to fit a specific
hardware-based mechanism, our JCVM architecture can be reused
for a microcontroller without MPU.
|
Julien Lancia,
and Guillaume Bouffard
-
Symposium sur la sécurité des technologies de
l’information et des communications (SSTIC), 1–3 june 2016,
Rennes, France
(2016)
|
|
The Byte Code Verifier (BCV) is one of the most important
security element in the Java Card environment. Indeed,
embedded applets must be verified prior installation to
prevent ill-formed applet loading. At the CARDIS 2015
conference, we disclosed a flaw in the Oracle BCV which
affects the applet linking process and can be exploited on
real world Java Card smart cards. In this article, we present
how this vulnerability had be found and our exploitation of
this flaw on a Java Card implementation that enables injecting
and executing arbitrary native malicious code in the
communication buffer from a verified applet. This attack was
evaluated on several Java Card implementations with black box
approach. As we cannot evaluate the effect of the control flow
transfer, we develop a generic function which can be executed
from any bytes which compound itself.
|
Guillaume Bouffard,
and Jean-Louis Lanet
-
Symposium sur la sécurité des technologies de
l’information et des communications (SSTIC), 4–6 june 2014,
Rennes, France
(2014)
|
|
La carte à puce est aujourd’hui
considérée comme étant un système
sécurisé. Toutefois, il est possible, via certains
types d’attaques, d’obtenir de l’information. Dans cet
article, nous présentons comment ces informations ont
permis de découvrir l’implémentation
utilisée par une carte à puce pour appeler du code
natif depuis le monde Java Card. Une fois ce mécanisme
appréhendé, nous l’avons exploité pour
exécuter notre propre code natif. Ce code,
exécuté avec les droits du système
d’exploitation, nous a permis de lire la mémoire ROM et
ainsi obtenir tous les secrets de la carte attaquée. Une
évaluation de cette attaque sur des cartes de
modèles différents est présentée en
conclusion.
|
Guillaume Bouffard,
Mathieu Lassale,
Sergio Ona Domene,
Hanan Tadmori,
and Jean-Louis Lanet
-
8ème Conférence sur la Sécurité des
Architectures Réseaux et des Systèmes
d’Information (SAR-SSI), 16–18 septembrer 2013, Mont de
Marsan, France
(2013)
|
|
|
Samiya Hamadouche,
Guillaume Bouffard,
Jean-Louis Lanet,
Bruno Dorsemaine,
Bastien Nouhant,
Alexandre Magloire,
and Arnaud Reygnaud
-
Seventh Conference on Network and Information Systems
Security (SAR-SSI), May 22–25, 2012, Caen, France
(2012)
|
|
|
Agnès Cristèle Noubissi,
Ahmadou Al Khary Sere,
Julien Iguchi-Cartigny,
Jean-Louis Lanet,
Guillaume Bouffard,
and Julien Boutet
-
Majecstic, 16–18 November 2009, Avignon, France
(2009)
|
|
We present in this article our research dealing with faults
attacks and logical attacks on smart cards, especially on Java
Card. We introduce by presenting Java Card and its security
mechanisms, then we present the types of attacks carried out
on smart cards and we present some countermeasures for these
attacks and in particular those faults attacks. And we finish
with the presentation of our work on the tool of manipulation
of a file format of Java Card and other proposals for
countermeasures on faults attacks.
|
Conferences without Proceeding
Vincent Giraud,
and Guillaume Bouffard
-
Journée thématique sur les attaques par injection de fautes
(JAIF), 2022, Valence, France
(2022)
|
|
To perform sensitive operations, it is common to to use
secure components: thanks to their various protections, they
can protection, they can act as a root of trust. However, one
may be forced to use alternative solutions as they are not
available in all information systems. in all information
systems. The industry deploy an approach based on software
obfuscation, which is less software, which is less secure than
those based on a hardware component. component. White-box
cryptography is one of them: each intermediate step is
precomputed and hidden, while the global semantics. Although
it is purely software, hardware attacks could be transposed to
it. be transposed to it. By instrumenting a program, one can
by creating unexpected states in the program. unexpected
states. As the needs of the industry are becoming more
industry, research is now focusing on features such as such as
resistance to quantum attacks and asymmetric and the
asymmetric possibilities of cryptographic schemes.
cryptographic schemes. These aspects are leading to the
resurgence of specifications such as McEliece’s. In our work,
we study the security of a cryptographic white box
implementing implementing the McEliece algorithm and its
resistance to attacks. In this talk, we will also also
question the applicability in the software world of existing
world of existing countermeasures used in hardware components.
hardware components.
|
Guillaume Bouffard,
Valentin Houchouas,
José Lopes-Esteves,
and Thomas Trouchkine
-
3rd URSI AT-AP-RASC, Gran Canaria, 29 May – 3 June 2022
(2022)
|
|
Most of our daily electronic objects store our personal
data. One method used by attackers to retrieve this data
consists in disrupting the operation of the component during
the execution of a sensitive program [2]. For example,
electromagnetic perturbation can disturb the electronic of a
component and infer errors during the execution of the program
and thus leak or modify sensitive information, which can
jeopardize the system security [5]. To generate effective
electromagnetic perturbations, the state-of-the-art fault
injection community uses small hand- made antennas placed
within a few millimeters to the target component [1]. These
antennas are connected to a pulse generator of several hundred
volts and tens of nanoseconds pulse. By moving the antenna
over the compo- nent, an attacker goal is to determine the
parameters (i.e. (x, y) positions and pulse amplitude) that
maximize the probability of obtaining exploitable faults. The
fact that these antennas are handmade [4, 3] complicates the
reproducibility of studies due to the geometry and the
constitutive material variability. Furthermore, the input
impedance of antennas is never indicated in fault injection
related publications. As antennas are placed in the near
vicinity of the component under test (CUT), and because
antenna far field prop- erties are different from near field
ones, it could be relevant to determine the input impedance of
the antenna/target couple which can be computed from the
reflection coefficient (S11) measured by a vector network
analyzer. In our work, we aim at comparing the probability to
obtain a fault at a given position (x, y) with the frequency
dependent absorbed power by the antenna/CUT couple. By doing
so, we expect to be able to get information related to the
sensitive frequencies of the CUT which might pave the way to
narrowband (or continuous wave) injections.
|
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédière
-
CEM France 2020, April 13–15, 2021, Lyon, France
(2020)
|
|
Recently, several Fault Attacks (FAs) targeting modern
Central Processing Units (CPUs) have emerged. These attacks
are studied from a practical point of view and, due to the
modern CPUs complexity, the underlying fault effect is usually
unknown. In this article, we focus on the characterization of
a perturbation (the fault model) on a modern CPU. For that, we
explain an approach to characterize the fault model on modern
CPU from the assembly instruction level to the
micro-architectural level. This fault model helps at
determining which micro-architecture elements are disrupted
and how. The fault model determination aims at finding
original attack paths and design efficient countermeasures. To
confront our approach to real mod- ern CPUs, we apply our
approach on a Raspberry Pi 3 CPU on which the determined fault
model is reused to corrupt an AES implementation.
|
Fault attacks on System On Chip
Thomas Trouchkine,
Guillaume Bouffard,
and Jessy Clédière
-
PHISIC 2018 workshop, May 23–24, 2018, Gardanne, France
(2018)
|
|
|
Anis Bkakria,
Guillaume Bouffard,
Julien Iguchy-Cartigny,
and Jean-Louis Lanet
-
e-Smart 2011, September 21–23, 2011, Sophia Antipolis,
France
(2011)
|
|
In the smart card world, Java Card plays an important role.
To communicate with this type of card, which complies to the
ISO7816 specification you should use a specific library.
Indeed, this kind of library must implement high level
functions, which follows the Global Platform (GP)
specification (authentication protocols, applet installation
process, etc.), and should be interfaced with another library
to handle CAP files like the Cap File Manipulator
Java-library. Therefore, we developed an open-source
Java-library: OPAL, for Open Platform Access Library, which
complies with the Global Platform specification. This library
provides the full-support of the Java Card applets life cycle
and smart card management. Moreover, to exchange data with a
Java Card, we must implement Secure Channel Protocols (SCP) to
pass the authentication step. GP defines three secure
channels: SCP01, SCP02 and SCP03. These protocols provide a
secure communication channel between a card and an entity
which manages it. SCP01 is deprecated but still used. It uses
a challenge-response authentication. When this challenge is a
success, three security levels are used to exchange data (no
security level, signed data or cypher and signed data). In
order to improve the SCP01 security, SCP02 uses a mutual
authentication, different computation methods and a new
security level. The host ensures integrity of the received
card data. Finally, the last improvement is SCP03 which reuses
the SCP01 and SCP02 security levels in addition to a new
security level which guarantees that the exchanged data are
confidential. With OPAL, we would like to provide a
Java-library which is fully compliant with GP. Futhermore, GP
has defined a new authentication protocol, named Remote
Application Management over HTTP. This draft uses an
application provider which manages the applet and smart card
life cycle using the HTTP protocol. Indeed, OPAL can receive a
HTTP POST request sent by the Remote Administration Server and
extract the included APDU command. Afterwards, OPAL sends the
APDU command via the SCP02 protocol to the card and receives
its response. Thus, the response is encapsulated in a HTTP
POST request in order to send it to the Remote Administration
Server.
|
Matthieu Barreaud,
Guillaume Bouffard,
Julien Iguchy-Cartigny,
and Jean-Louis Lanet
-
Crypto’puces 2011, May 8–12, 2011, Porquerolle, France
(2011)
|
|
The emergence of web servers embedded in smart cards cards
facilitates the development of applications. These
applications are close to servlets (applications with a web
server) and are based on the based on the HTTP model known by
many developers. The server can be used externally, via the
phone connection (GSM, 3G, etc.) connection (GSM, 3G, etc.),
for all phases of administration or administration or, via the
phone interface, to provide user provide user services. Here
we will focus on the the Java Card 2.2 WebServer Edtion model.
In order to communicate with this web server, a service
provider can send HTTP frames to the cell phone – or any
other interface other interfaces between the card and the
service provider. These frames are then encapsulated via the
BIP 2 protocol to be sent to the (U)SIM card. The study and
validity of this protocol has been one of our previous
research topics. In the continuity of this work, we have
chosen to verify the HTTP protocol. The implementation of this
type of server must be secured in order to guarantee the
execution of sensitive sensitive commands. However, the
specific constraints of the world of embedded systems forces
to have a complete system of the order of a few kilobytes. As
a result, the optimizations may contribute to the presence of
vulnerabilities. To verify the conformity and the robustness
of the implementation, we have chosen to use fuzzing which is
an error which is a technique of searching for errors in the
software implementation by injecting invalid data. This method
uses a data model representing the grammar and a model
symbolizing the model symbolizing the state machine of the
protocol to be fuzzed. Our analysis tool allows to
characterize the web server embedded in the card and thus to
reduce the tree of of the data model of the HTTP protocol.
This tool is a solution for anyone wishing to verify the
security of the security of the embedded HTTP protocol. The
first experimental results results will be presented during
the conference.
|
Tutorials
Guillaume Bouffard
-
Worskshop on the Security of Software/Hardware Interfaces, November 21st, 2019 Rennes, France
(2019)
|
|
Modern CPUs are daily use in our smartphone and several IoT
devices. These components compute more and more sensitive
data. However, they are only designed to prevent software
attacks. Recently, few publications focus on breaking modern
CPUs from hardware layout. In this presentation, we will see
how hardware security in modern CPU is also important than
software security and why should be take in account.
|
Attacks against the Java Card Platform
Guillaume Bouffard
-
CryptoBG International Summer School, July 20th, 2015, Oriahovitza, Bulgaria
(2015)
|
|
|
Posters
Caractérisation d’antennes pour l’injection de fautes sur
composants électroniques
Guillaume Bouffard,
Valentin Houchouas,
José Lopes-Esteves,
and Thomas Trouchkine
-
GDR Ondes, December, 2021, Lille, France
(2021)
|
|
|
Combined Attacks on Java Card Smart Cards
Guillaume Bouffard,
and Jean-Louis Lanet
-
PHISIC 2011 workshop, October, 2011, Gardanne, France
(2011)
|
|
|
Theses
Guillaume Bouffard
- PhD thesis
-
University of Limoges
(2014)
- Award Prix de thèse de l’action du CNRS Objets intelligents
sécurisés et Internet des objets
|
|
Smart cards are the keystone of various applications which we
daily use: pay money for travel, phone, etc. To improve the
security of this device with a friendly development
environment, the Java technology has been designed to be
embedded in a smart card. Introduce in the mid-nineties, this
technology becomes nowadays the leading application platform
in the world. As a smart card embeds critical information,
evil-minded people are interested to attack this device. In
smart card domain, attacks and countermeasures are advancing
at a fast rate. In order to have a generic view of all the
attacks, we propose to use the Fault Tree Analysis. This
method used in safety analysis helps to understand and
implement all the desirable and undesirable events existing in
this domain. We apply this method to Java Card vulnerability
analysis. We define the properties that must be ensured:
integrity and confidentiality of smart card data and code.
During this thesis, we focused on the integrity property,
especially on the code integrity. Indeed, a perturbation on
this element can break each other properties. By modelling the
conditions, we discovered new attack paths to get access to
the smart card contents. We introduce new countermeasures to
mitigate the undesirable events defined in the tree models.
|
Guillaume Bouffard
- Master thesis
-
Technicolor & University of Limoges
(2010)
|
|
This document describes the work done during the internship
for my master degree Information Technologies Security and
Cryptography at the University of Limoges, France, carried out
with Technicolor at the Technicolor Security and Content
Protection Laboratories at Rennes, France. This internship
aims to protect the sensitive piece of code of a binary exe-
cutable without application source code knowledge. A sensitive
piece of code of a binary application is a set of the most
uses instructions. In order to protect this binary part, I
extracted this sensitive piece of code of the binary
application and I replaced with that provides a way to
communicate to a dongle. On this dongle, the extracted
protected instructions are putted and executed. Thus, to
correctly execute a protected application, the user needs a
dongle which con- tains the missed part of the executed
application. After a short presentation of the context and the
company, I will present each step to my internship. In a first
time, I will describe how to find the sensitive binary part of
an executable program. When this part is found, I will try to
translate this piece of code in another language to protect
it. Next, I will modify the binary application, without the
source code, to change the protected piece of code by a set of
instructions designed to communicate to the dongle containing
the extracted piece of code. That will take us to a proof of
concept. To conclude, I will sum up the completed objectives,
the possible improvements and the difficulties I have
encountered.
|
Preprints
Java Card Virtual Machine Memory Organization: a Design
Proposal
Guillaume Bouffard,
Vincent Giraud,
and Léo Gaspard
-
arXiv
(2021)
|
|
|
Electromagnetic fault injection against a System-on-Chip,
toward new micro-architectural fault models
Thomas Trouchkine,
Sébanjila Kevin Bukasa,
Mathieu Escouteloup,
Ronan Lashermes,
and Guillaume Bouffard
-
arXiv
(2019)
|
|
|