Publications

Below is a list of my publications. My main publications are available from DBLP database. For most of papers, a link is provided to the on-line version. Alternatively, I will happy to send you a copy available on request.

Book Chapters

1. La Sécurité Logique Guillaume Barbu, Guillaume Bouffard, and Julien Iguchy-Cartigny - Les Cartes à puce (2013)

2. The Next Smart Card Nightmare – Logical Attacks, Combined Attacks, Mutant Applications and Other Funny Things Guillaume Bouffard, and Jean-Louis Lanet - Cryptography and Security: From Theory to Applications - Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday (2012)

   Java Card is a kind of smart card that implements one of the two editions, “Classic Edition” or “Connected Edition”, of the standard Java Card 3.0 [7]. Such a smart card embeds a virtual machine which interprets codes already romized with the operating system or downloaded after issuance. Due to security reasons, the ability to download code into the card is controlled by a protocol defined by Global Platform. This protocol ensures that the owner of the code has the necessary authorization to perform the action. Java Card is an open platform for smart cards, i.e. able of loading and executing new applications after issuance. Thus, different applications from different providers run in the same smart card. Thanks to type verification, byte codes delivered by the Java compiler and the converter (in charge of giving a compact representation of class files) are safe, i.e. the loaded application is not hostile to other applications in the Java Card. Furthermore, the Java Card firewall checks permissions between applications in the card, enforcing isolation between them.

Journal Articles

1. Electromagnetic fault injection against a complex CPU, toward new micro-architectural fault models Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - Journal of Cryptographic Engineering (JCEN) (2021)

   The last years have seen the emergence offault attacks targeting modern Central Processing Units (CPUs). These attacks are analyzed at a very high abstraction level and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Recently, a few articles have focused on characterizing faults on modern CPUs. In this article, we focus on the Electromagnetic Fault Injection (EMFI) characterization on a bare-metal implementation. With this approach, we discover and understand new effects on micro-architectural subsystems. We target the BCM2837 where we successfully demonstrate persistent faults on L1 instruction cache, L1 data cache and L2 cache. We also show that faults can corrupt the Memory Management Unit (MMU). To validate our fault model, we realize a persistent fault analysis toretrieve an AES key.

2. Trust can be misplaced Noreddine El Janati El Idrissi, Guillaume Bouffard, Jean-Louis Lanet, and Said El Hajji - Journal of Cryptographic Engineering (JCEN) (2017)

   Retrieving assets inside a secure element is a challenging task. The most attractive assets are the cryptographic keys stored into the non volatile memory (NVM) area. Most of the researches try to obtain cryptographic keys through side channel attacks or fault injection attacks. Such cryptographic objects are stored into secure containers. We demonstrate in this paper how one can use some characteristics of the Java Card platform to gain access to these assets. Such a smart card embeds a Firewall that provides isolation between applets from different clients (using the notion of security contexts). We exploit the client/server architecture of the intra platform communication to lure a client application to execute within its security context, a hostile code written and called from another security context: the server security context. This attack shows the possibility for a trusted application to execute within its security context some hostile code uploaded previously by the server.

3. The ultimate control flow transfer in a Java based smart card Guillaume Bouffard, and Jean-Louis Lanet - Computers and Security (2015)

   Recently, researchers published several attacks on smart cards. Among these, software attacks are the most affordable, they do not require specific hardware (laser, EM probe, etc.). Such attacks succeed to modify a sensitive system element which offers access to the smart card assets. To prevent that, smart card manufacturers embed dedicated countermeasures that aim to protect the sensitive system elements. We present a generic approach based on a Control Flow Transfer (CFT) attack to modify the Java Card program counter. This attack is built on a type confusion using the couple of instructions jsr/ret. Evaluated on different Java Cards, this new attack is a generic CFT exploitation that succeeds on each attacked cards. We present several countermeasures proposed by the literature or implemented by smart card designers and for all of them we explain how to bypass them. Then, we propose to use Attack Countermeasure Tree to develop an effective and affordable countermeasure for this attack.

4. Security automaton to mitigate laser-based fault attacks on smart cards Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - International Journal of Trust Management in Computing and Communications (IJTMCC) (2014)

   Security and attacks are two sides of the same coin in smart card industry. Smart cards are subjected to different types of attacks to gain the assets stored in it and can cause security issues. It is necessary to identify and exploit these attacks and implement appropriate countermeasures to mitigate their effects. Fault attacks are one among them and can introduce abnormal behaviour on the smart card environment. Some redundancies are necessary to recognise this problem. In this work we propose an automatic method to obtain control flow redundancy using a security automaton to mitigate laser based fault attacks and hence implement a smart card countermeasure based on the combination of static analysis and dynamic monitoring method. This is a very cost effective approach which can identify and mitigate the effects of fault attacks in a more efficient way.

5. Reversing the operating system of a Java based smart card Guillaume Bouffard, and Jean-Louis Lanet - Journal Computer Virology and Hacking Techniques (2014)

   Attacks on smart cards can only be based on a black box approach where the code of cryptographic primitives and operating system are not accessible. To perform hardware or software attacks, a white box approach providing access to the binary code is more effi- cient. In this paper, we propose a methodology to discover the romized code whose access is protected by the virtual machine. It uses a hooked code in an indirection table. We gained access to real processor, thus allowing us to run a shell code written in 8051 assembler language. As a result, this code has been able to dump completely the ROM of a Java Card operating system. One of the issues is the possibility to reverse the cryptographic algorithm and all the embedded countermeasures. Finally, our attack is evaluated on different cards from distinct manufacturers.

6. Java Card dans tous ses états ! Guillaume Bouffard, and Tiana Razafindralambo - Multi-System & Internet Security (MISC) (2014)
   L’année 2013 a été une année assez « riche » en termes de découverte et d’exploitation de 0-day dans la nature en ce qui concerne la famille Java. Java Card fait tout aussi bien partie de cette famille. Néanmoins, son processus d’évaluation suit un tout autre chemin et les attaques découvertes jusqu’à maintenant n’en sont pas moins intéressantes.

7. Mitigating Type Confusion on Java Card Jean Dubreuil, Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - International Journal of Secure Software Engineering (IJSSE) (2013)

   One of the challenges for smart card deployment is the security interoperability. A smart card resistant to an attack on a given platform should be able to guarantee the same behavior on another platform. But the current implementations do not comply with this requirement. In order to improve such standardization we propose a framework based on annotations with an external pre-processing to switch the Java Card Virtual Machine (JCVM) into a secure mode by activating a set of countermeasures. An example has been proposed in this paper for implementing a countermeasure against type confusion with a fault attack. Smart cards are often the target of software, hardware or combined attacks. In recent days most of the attacks are based on fault injection which can modify the behavior of applications loaded onto the card, changing them into mutant applications. This countermeasure requires a transformation of the original program byte codes which remain semantically equivalent. It needs a modification of the JCVM which stays backward compatible and a dedicated framework to deploy these applications. Thus, the proposed platform can resist to a fault enabled mutant.

International Conferences with Review and Proceeding

1. Faulting original McEliece’s implementations is possible How to mitigate this risk? Vincent Giraud, and Guillaume Bouffard - IEEE European Symposium on Security and Privacy, EuroS&P 2023 - Workshops, Delft, Netherlands, July 3-7, 2023 (2023)

   Private and public actors increasingly encounter use cases where they need to implement sensitive operations on mass-market peripherals for which they have little or no control. They are sometimes inclined to attempt this without using hardware-assisted equipment, such as secure elements. In this case, the white-box attack model is particularly relevant and includes access to every asset, retro-engineering, and binary instrumentation by attackers. At the same time, quantum attacks are becoming more and more of a threat and challenge traditional asymmetrical ciphers, which are treasured by private and public actors. The McEliece cryptosystem is a code-based public key algorithm introduced in 1978 that is not subject to well-known quantum attacks and that could be implemented in an uncontrolled environment. During the NIST post-quantum cryptography standardization process [17], a derived candidate commonly refer to as classic McEliece was selected. This algorithm is however vulnerable to some fault injection attacks [7] while a priori, this does not apply to the original McEliece. In this article, we thus focus on the original McEliece cryptosystem and we study its resilience against fault injection attacks on an ARM reference implementation [18]. We disclose the first fault injection based attack and we discuss on how to modify the original McEliece cryptosystem to make it resilient to fault injection attacks.

2. PhiAttack - Rewriting the Java Card Class Hierarchy Jean Dubreuil, and Guillaume Bouffard - Smart Card Research and Advanced Applications - 20th International Conference, CARDIS 2021, Lübeck, Germany, November 11-12, 2021, Revised Selected Papers (2021)

3. EM Fault Model Characterization on SoCs: From Different Architectures to the Same Fault Model Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - 18th Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2021, September 17, 2021, Milan, Italy (2021)

   Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. Few works try to characterize at the Instruction Set Architecture (ISA) level. In this article, we apply a state-of-the-art faults model characterization approach on modern CPU. We evaluate the fault model on two different CPUs from different architectures with the same injection mediums. We target the CPU of Raspberry Pi 3 (ARM) and an Intel Core i3 (x86) and perturb them with ElectroMagnetic Fault Injection (EMFI). From the ISA point of view, we disclose a similar fault model on each component. Additionally, we evaluate a widely used complex software, OpenSSL, against this fault model.

4. Fault Injection Characterization on modern CPUs – From the ISA to the Micro-Architecture Thomas Trouchkine, Guillaume Bouffard, and Jessy Clediere - Information Security Theory and Practice - 13th IFIP WG 11.2 International Conference, WISTP 2019, Paris, France, December 10-11, 2019 (2019) Best student paper award

   Recently, several Fault Attacks (FAs) which target modern Central Processing Units (CPUs) have been emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on modern CPU. For that, we introduce the first approach to characterize the fault model on modern CPU from the Instruction Set Architecture (ISA) level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. Our fault model aims at finding original attack paths and designed efficient countermeasures. To confront our approach to real modern CPUs, we apply our approach on ARM and x86 architectures CPUs, mainly on the BCM2837 (the Raspberry Pi model B CPU) and an Intel Core i3.

5. Java Card Virtual Machine Compromising from a Bytecode Verified Applet Julien Lancia, and Guillaume Bouffard - Smart Card Research and Advanced Applications - 14th International Conference, CARDIS 2015, Bochum, Germany, November 4-6, 2015. Revised Selected Papers (2015)

   The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. In this article, we disclose a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smartcards. We describe our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This native execution allows snapshotting the smart card memory with OS rights.

6. Heap ... Hop! Heap Is Also Vulnerable Guillaume Bouffard, Michael Lackner, Jean-Louis Lanet, and Johannes Loinig - Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers (2014)

   Several logical attacks against Java based smart card have been published recently. Most of them are based on the hypothesis that the type verification was not performed, thus allowing to obtain dynamically a type confusion. To mitigate such attacks, typed stack have been introduced on recent smart card. We propose here a new attack path for performing a type confusion even in presence of a typed stack. Then we propose using a Fault Tree Analysis a way to design efficiently counter measure in a top down approach. These counter measures are then evaluated on a Java Card virtual machine.

7. Memory Forensics of a Java Card Dump Jean-Louis Lanet, Guillaume Bouffard, Rokia Lamrani, Ranim Chakra, Afef Mestiri, Mohammed Monsif, and Abdellatif Fandi - Smart Card Research and Advanced Applications - 13th International Conference, CARDIS 2014, Paris, France, November 5-7, 2014. Revised Selected Papers (2014)

   Nowadays several papers have shown the ability to dump the EEPROM area of several Java Cards leading to the disclosure of already loaded applet and data structure of the card. Such a reverse engineering process is costly and prone to errors. Currently no tool are available to help this process. We propose here an approach to find in the raw data obtained after a dump, the area containing the code and the data. Then, once the code area has been identified, we propose to rebuilt the original binary Cap file in order to be able to obtain the source code of the applet stored in the card.

8. Accessing secure information using export file fraudulence Guillaume Bouffard, Tom Khefif, Jean-Louis Lanet, Ismael Kane, and Sergio Casanova Salvia - International Conference on Risks and Security of Internet and Systems (CRiSIS), La Rochelle, France, October 23-25, 2013 (2013)

   Java Card specification allows to load applications after the post-issuance. Each application to be installed into the card is verified by a Byte Code Verifier which ensures that the application is in compliance with the Java security rules. The Java Card linking process is divided in to two steps. The first one is done off-card by the Java Card toolchain. The second one is realized during the appli- cation installation to resolve each token by an internal reference. In this paper, we focus on the off-card linker, espe- cially the conversion part between a Java-Class item and a Java Card-Cap token. For that, we provide mali- cious export files which will be used by the converter. This malicious API provides the same behavior as the original one for the user. With this attack, we are able to confuse the Java Card linker.

9. Vulnerability Analysis on Smart Cards Using Fault Tree Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Computer Safety, Reliability, and Security - 32nd International Conference, SAFECOMP 2013, Toulouse, France, September 24–27, 2013. Proceedings (2013)

   In smart card domain, attacks and countermeasures are advancing at a fast rate. In order to have a generic view of all the attacks, we propose to use a Fault Tree Analysis. This method used in safety analysis helps to understand and implement all the desirable and undesirable events existing in this domain. We apply this method to Java Card vulnerability analysis. We define the properties that must be ensured: integrity and confidentiality of smart card data and code. By modeling the conditions, we discovered new attack paths to get access to the smart card contents. Then we introduce a new security api which is proposed to mitigate the undesirable events defined in the tree models.

10. Detecting Laser Fault Injection for Smart Cards Using Security Automata Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Security in Computing and Communications - International Symposium, SSCC 2013, Mysore, India, August 22-24, 2013. Proceedings (2013)

    Security and interoperability issues are increasing in smart card domain and it is important to analyze these issues carefully and implement appropriate countermeasures to mitigate them. Security issues involve attacks on smart cards which can lead to their abnormal behavior. Fault attacks are the most important among them and they can affect the program execution, smart card memory, etc. Detecting these abnormalities requires some redundancies, either by another code execution or by an equivalent representation. In this paper, we propose an automatic method to provide this redundancy using a security automaton as the main detection mechanism. This can enforce some trace properties on a smart card application, by using the combination of a static analysis and a dynamic monitoring. The security officer specifies the fragments of the code that must be protected against fault attacks and a program transformer produces an equivalent program that mesh a security automaton into the code according to the security requirements.

11. Type Classification against Fault Enabled Mutant in Java Based Smart Card Jean Dubreuil, Guillaume Bouffard, Jean-Louis Lanet, and Julien Cartigny - Seventh International Conference on Availability, Reliability and Security, Prague, ARES 2012, Czech Republic, August 20-24, 2012 (2012)

    Smart card are often the target of software or hardware attacks. For instance the most recent attacks are based on fault injection which can modify the behavior of applications loaded in the card, changing them as mutant application. In this paper, we propose a new protection mechanism which makes application to be less prone to mutant generation. This countermeasure requires a transformation of the original program byte codes which remains semantically equivalent. It requires a modification of the Java Virtual Machine which remains backward compatible and a dedicated framework to deploy the applications. Hence, our proposition improves the ability of the platform to resist to Fault Enabled Mutant.

12. A Friendly Framework for Hidding fault enabled virus for Java Based Smartcard Tiana Razafindralambo, Guillaume Bouffard, and Jean-Louis Lanet - Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Paris, France, July 11-13,2012. Proceedings (2012)

    Smart cards are the safer device to execute cryptographic algorithms. Applications are verified before being loaded into the card. Recently, the idea of combined attacks to bypass byte code verification has emerged. Indeed, correct and legitimate Java Card applications can be dynamically modified on-card using a laser beam to become mutant applications or fault enabled viruses . We propose a framework for manipulating binary applications to design viruses for smart cards. We present development, experimentation and an example of this kind of virus.

13. A Dynamic Syntax Interpretation for Java Based Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N. Thampi, and Jean-Louis Lanet - Recent Trends in Computer Networks and Distributed Systems Security - International Conference, SNDS 2012, Trivandrum, India, October 11-12, 2012. Proceedings (2012)

    Off late security problems related to smart cards have seen a significant rise and the risks of the attack are of deep concern for the industries. In this context, smart card industries try to overcome the anomaly by implementing various countermeasures. In this paper we discuss and present a powerful attack based on the vulnerability of the linker which could change the correct byte code into malicious one. During the attack, the linker interprets the instructions as tokens and are able to resolve them. Later we propose a countermeasure which scrambles the instructions of the method byte code with the Java Card Program Counter (jpc). Without the knowledge of jpc used to decrypt the byte code, an attacker cannot execute any malicious byte code. By this way we propose security interoperability for different Java Card platforms.

14. Evaluation of the Ability to Transform SIM Applications into Hostile Applications Guillaume Bouffard, Jean-Louis Lanet, Jean-Baptiste Machemie, Jean-Yves Poichotte, and Jean-Philippe Wary - Smart Card Research and Advanced Applications - 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14–16, 2011, Revised Selected Papers (2011)

    The ability of Java Cards to withstand attacks is based on software and hardware countermeasures, and on the ability of the Java platform to check the correct behavior of Java code (by using byte code verification). Recently, the idea of combining logical attacks with a physical attack in order to bypass byte code verification has emerged. For instance, correct and legitimate Java Card applications can be dynamically modified on-card using a laser beam. Such applications become mutant applications, with a different control flow from the original expected behaviour. This internal change could lead to bypass controls and protections and thus offer illegal access to secret data and operations inside the chip. This paper presents an evaluation of the application ability to become mutant and a new countermeasure based on the runtime checks of the application control flow to detect the deviant mutations.

15. Combined Software and Hardware Attacks on the Java Card Control Flow Guillaume Bouffard, Julien Iguchi-Cartigny, and Jean-Louis Lanet - Smart Card Research and Advanced Applications - 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14-16, 2011, Revised Selected Papers

    The Java Card uses two components to ensure the security of its model. On the one hand, the byte code verifier (BCV) checks, during an applet installation, if the Java Card security model is ensured. This mechanism may not be present in the card. On the other hand, the firewall dynamically checks if there is no illegal access. This paper describes two attacks to modify the Java Card control flow and to execute our own malicious byte code. In the first attack, we use a card without embedded security verifier and we show how it is simple to change the return address of a current function. In the second attack, we consider the hypothesis that the card embeds a partial implementation of a BCV. With the help of a laser beam, we are able to change the execution flow.

National Conferences with Review and Proceeding

1. Hardening a Java Card Virtual Machine Implementation with the MPU Guillaume Bouffard, and Léo Gaspard - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC), 13–15 june 2018, Rennes, France (2018)

   In the world of Java Cards, the Firewall guarantees the segregation of applet data and ensures the integrity and confidentiality of each application. In order to be independent from the microcontroller, most Java Card Virtual Machine (JCVM) implementations are not designed to use hardware-based mechanisms. In this article, we describe how the Memory Protection Unit (MPU) can be used to segregate each Java Card applet from the Operating System and device drivers. Even if our contribution is designed to fit a specific hardware-based mechanism, our JCVM architecture can be reused for a microcontroller without MPU.

2. Fuzzing and Overflows in Java Card Smart Cards Julien Lancia, and Guillaume Bouffard - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC), 1–3 june 2016, Rennes, France (2016)

   The Byte Code Verifier (BCV) is one of the most important security element in the Java Card environment. Indeed, embedded applets must be verified prior installation to prevent ill-formed applet loading. At the CARDIS 2015 conference, we disclosed a flaw in the Oracle BCV which affects the applet linking process and can be exploited on real world Java Card smart cards. In this article, we present how this vulnerability had be found and our exploitation of this flaw on a Java Card implementation that enables injecting and executing arbitrary native malicious code in the communication buffer from a verified applet. This attack was evaluated on several Java Card implementations with black box approach. As we cannot evaluate the effect of the control flow transfer, we develop a generic function which can be executed from any bytes which compound itself.

3. Escalade de privilège dans une carte à puce Java Card Guillaume Bouffard, and Jean-Louis Lanet - Symposium sur la sécurité des technologies de l’information et des communications (SSTIC), 4–6 june 2014, Rennes, France (2014)

   La carte à puce est aujourd’hui considérée comme étant un système sécurisé. Toutefois, il est possible, via certains types d’attaques, d’obtenir de l’information. Dans cet article, nous présentons comment ces informations ont permis de découvrir l’implémentation utilisée par une carte à puce pour appeler du code natif depuis le monde Java Card. Une fois ce mécanisme appréhendé, nous l’avons exploité pour exécuter notre propre code natif. Ce code, exécuté avec les droits du système d’exploitation, nous a permis de lire la mémoire ROM et ainsi obtenir tous les secrets de la carte attaquée. Une évaluation de cette attaque sur des cartes de modèles différents est présentée en conclusion.

4. Intégration d’une politique de flot de contrôle dans un automate de sécurité Guillaume Bouffard, Mathieu Lassale, Sergio Ona Domene, Hanan Tadmori, and Jean-Louis Lanet - 8ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d’Information (SAR-SSI), 16–18 septembrer 2013, Mont de Marsan, France (2013)

   La carte à puce est un objet contenant des informations sensibles. Les attaques par injection de faute sont les plus difficiles à se prémunir. La surveillance du flot d’exécution par la machine virtuelle est un des mécanisme permettant de s’en protéger. Nous intégrons dans l’interpréteur Java Card un automate de sécurité permettant de garantir une politique de sécurité. Nous montrons comment une optimisation permet d’obtenir une solution efficace tant dans son utilisation mémoire que dans la surcharge de calcul.

5. Subverting Byte Code Linker service to characterize Java Card API Samiya Hamadouche, Guillaume Bouffard, Jean-Louis Lanet, Bruno Dorsemaine, Bastien Nouhant, Alexandre Magloire, and Arnaud Reygnaud - Seventh Conference on Network and Information Systems Security (SAR-SSI), May 22–25, 2012, Caen, France (2012)

   Smart card is the safest device to execute cryptographic algorithms. Recent cards have the ability to download programs after issuance. These applications are verified before being loaded in the card. Recently, the idea of combining logical attacks with a physical attack in order to bypass byte code verification has emerged. For instance, correct and legitimate Java Card applications can be dynamically modified inside the card using a laser beam. Such applications become mutant applications. We propose here to go a step further in designing explicit viruses for smart cards. In order to generate efficient viruses we need to retrieve information concerning the linking process in the card. We have developed and experimented on most of the Java Card publicly available this generic attack. We present an example of virus using the result of this attack.

6. Carte à puce : Attaques et Contremesures Agnès Cristèle Noubissi, Ahmadou Al Khary Sere, Julien Iguchi-Cartigny, Jean-Louis Lanet, Guillaume Bouffard, and Julien Boutet - Majecstic, 16–18 November 2009, Avignon, France (2009)

   We present in this article our research dealing with faults attacks and logical attacks on smart cards, especially on Java Card. We introduce by presenting Java Card and its security mechanisms, then we present the types of attacks carried out on smart cards and we present some countermeasures for these attacks and in particular those faults attacks. And we finish with the presentation of our work on the tool of manipulation of a file format of Java Card and other proposals for countermeasures on faults attacks.

Conferences without Proceeding

1. Pew Pew, I’m root! - De la caractérisation à l’exploitation: un voyage plein d’embûches Alexandre Iooss, Thomas Trouchkine, and Guillaume Bouffard - Journée thématique sur les attaques par injection de fautes (JAIF), 2023, Gardanne, France (2023)

   Les attaques par faute constituent un vecteur d’attaque semi-invasif puissant et difficile à prévenir contre les applications logicielles si l’environnement d’exécution matérielle n’embarque pas de mécanismes de protection. Néanmoins ces attaques sont difficile à mettre en place et les réussir nécessite trois étapes: caractériser les effets de la faute sur un échantillon du composant exécutant l’application cible, utiliser ce modèle de faute sur l’application sensible (en simulation par exemple) afin de déterminer les chemins d’attaques possibles et exploiter l’effet de la faute injectée sur le composant cible. Dans la littérature, ce travail reste principalement porté sur la sécurité des implémentations cryptographiques implémenté sur des micro-contrôleurs. Cependant, avec la démocratisation des appareils portables et mobiles tels que les smartphones, la menace des attaques semi-invasives devient crédible pour des applications plus variées. Nous pensons que pour protéger efficacement ces systèmes il est nécessaire d’avoir une méthodologie d’analyse de la réponse de ce type d’applications, des effets d’une faute sur le matériel jusqu’à sa manifestation sur les logiciels haut niveau. Dans cette présentation, nous aborderons une analyse complète allant de la caractérisation des effets d’une faute électromagnétique à l’exploitation sur une application complexe sensible. Pour ce faire, nous examinerons la sécurité de l’implémentation de l’application sudo intégrée dans la distribution Linux Raspberry Pi OS Lite (https://www.raspberrypi.com/software/) pour Raspberry Pi4. Dans ce travail, nous montrons comment il est possible de transposer une caractérisation de la sensibilité à une application logicielle complexe, et comment, en l’absence de protections, il est possible de réaliser efficacement une attaque permettant d’accéder aux informations sensibles. En complément de l’approche présentée dans, notre méthode est suffisamment efficace pour forcer l’authentification via l’application sudo sans la modifier au préalable.

2. Characterizing and Modeling Clock-Glitch Fault Injection Amélie Marotta, Ronan Lashermes, Olivier Sentieys, Rachid Dafali, and Guillaume Bouffard - Journée thématique sur les attaques par injection de fautes (JAIF), 2023, Gardanne, France (2023)

   Fault injection techniques are numerous, including laser, electromagnetic fault injection (EMFI), power glitch, and clock glitch. The physical effects that are caused from fault injection result in fault models that can be interpreted at three different abstraction levels: physical (impact on logic gates and flip-flop), register-transfer (bit-set, bit-reset) and microarchitectural (impact on the execution of programs). To fully characterize the effects of fault injection, it is important to know all three abstractions levels and how they are linked to each other. In this work, we focus on a particular type of clock glitch fault injection. We use TRAITOR, a many-fault injection platform, which uses a specific pertubation on the clock signal to induce incorrect behaviors in the target. Some observations of these behaviours at a microarchitectural level have been made, but until now, lower level fault models haven’t been proposed. We observe that the sampling process of registers can be compromised by TRAITOR’s glitched clock. While some fault models already exist, they do not explain this behaviour. Simulation- based investigations were done to characterize precisely when a register would latch or not depending on the glitched clock cycle shape. They revealed that the issue arises due to an insufficient energy supply on the clock port of the register. Besides, experiments were done on registers in FPGAs, to highlight that the hardware environment of the target system influences the fault results. During our presentation, we will introduce our approach to characterize the impact of TRAITOR on registers. We will present a new physical fault model which explains its effects

3. Fault attacks on whitebox computations Vincent Giraud, and Guillaume Bouffard - Journée thématique sur les attaques par injection de fautes (JAIF), 2022, Valence, France (2022)

   To perform sensitive operations, it is common to to use secure components: thanks to their various protections, they can protection, they can act as a root of trust. However, one may be forced to use alternative solutions as they are not available in all information systems. in all information systems. The industry deploy an approach based on software obfuscation, which is less software, which is less secure than those based on a hardware component. component. White-box cryptography is one of them: each intermediate step is precomputed and hidden, while the global semantics. Although it is purely software, hardware attacks could be transposed to it. be transposed to it. By instrumenting a program, one can by creating unexpected states in the program. unexpected states. As the needs of the industry are becoming more industry, research is now focusing on features such as such as resistance to quantum attacks and asymmetric and the asymmetric possibilities of cryptographic schemes. cryptographic schemes. These aspects are leading to the resurgence of specifications such as McEliece’s. In our work, we study the security of a cryptographic white box implementing implementing the McEliece algorithm and its resistance to attacks. In this talk, we will also also question the applicability in the software world of existing world of existing countermeasures used in hardware components. hardware components.

4. Fault injection effectiveness compared to reflection coefficient of antenna/target couple Guillaume Bouffard, Valentin Houchouas, José Lopes-Esteves, and Thomas Trouchkine - 3rd URSI AT-AP-RASC, Gran Canaria, 29 May – 3 June 2022 (2022)

   Most of our daily electronic objects store our personal data. One method used by attackers to retrieve this data consists in disrupting the operation of the component during the execution of a sensitive program [2]. For example, electromagnetic perturbation can disturb the electronic of a component and infer errors during the execution of the program and thus leak or modify sensitive information, which can jeopardize the system security [5]. To generate effective electromagnetic perturbations, the state-of-the-art fault injection community uses small hand- made antennas placed within a few millimeters to the target component [1]. These antennas are connected to a pulse generator of several hundred volts and tens of nanoseconds pulse. By moving the antenna over the compo- nent, an attacker goal is to determine the parameters (i.e. (x, y) positions and pulse amplitude) that maximize the probability of obtaining exploitable faults. The fact that these antennas are handmade [4, 3] complicates the reproducibility of studies due to the geometry and the constitutive material variability. Furthermore, the input impedance of antennas is never indicated in fault injection related publications. As antennas are placed in the near vicinity of the component under test (CUT), and because antenna far field prop- erties are different from near field ones, it could be relevant to determine the input impedance of the antenna/target couple which can be computed from the reflection coefficient (S11) measured by a vector network analyzer. In our work, we aim at comparing the probability to obtain a fault at a given position (x, y) with the frequency dependent absorbed power by the antenna/CUT couple. By doing so, we expect to be able to get information related to the sensitive frequencies of the CUT which might pave the way to narrowband (or continuous wave) injections.

5. EM Injection Vs Modern CPU – Fault Characterization And AES Differential Fault Analysis Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - CEM France 2020, April 13–15, 2021, Lyon, France (2020)

   Recently, several Fault Attacks (FAs) targeting modern Central Processing Units (CPUs) have emerged. These attacks are studied from a practical point of view and, due to the modern CPUs complexity, the underlying fault effect is usually unknown. In this article, we focus on the characterization of a perturbation (the fault model) on a modern CPU. For that, we explain an approach to characterize the fault model on modern CPU from the assembly instruction level to the micro-architectural level. This fault model helps at determining which micro-architecture elements are disrupted and how. The fault model determination aims at finding original attack paths and design efficient countermeasures. To confront our approach to real mod- ern CPUs, we apply our approach on a Raspberry Pi 3 CPU on which the determined fault model is reused to corrupt an AES implementation.

6. Fault attacks on System On Chip Thomas Trouchkine, Guillaume Bouffard, and Jessy Clédière - PHISIC 2018 workshop, May 23–24, 2018, Gardanne, France (2018)

7. OPAL: an open-source global platform Java Library which includes the remote application management over HTTP Anis Bkakria, Guillaume Bouffard, Julien Iguchy-Cartigny, and Jean-Louis Lanet - e-Smart 2011, September 21–23, 2011, Sophia Antipolis, France (2011)

   In the smart card world, Java Card plays an important role. To communicate with this type of card, which complies to the ISO7816 specification you should use a specific library. Indeed, this kind of library must implement high level functions, which follows the Global Platform (GP) specification (authentication protocols, applet installation process, etc.), and should be interfaced with another library to handle CAP files like the Cap File Manipulator Java-library. Therefore, we developed an open-source Java-library: OPAL, for Open Platform Access Library, which complies with the Global Platform specification. This library provides the full-support of the Java Card applets life cycle and smart card management. Moreover, to exchange data with a Java Card, we must implement Secure Channel Protocols (SCP) to pass the authentication step. GP defines three secure channels: SCP01, SCP02 and SCP03. These protocols provide a secure communication channel between a card and an entity which manages it. SCP01 is deprecated but still used. It uses a challenge-response authentication. When this challenge is a success, three security levels are used to exchange data (no security level, signed data or cypher and signed data). In order to improve the SCP01 security, SCP02 uses a mutual authentication, different computation methods and a new security level. The host ensures integrity of the received card data. Finally, the last improvement is SCP03 which reuses the SCP01 and SCP02 security levels in addition to a new security level which guarantees that the exchanged data are confidential. With OPAL, we would like to provide a Java-library which is fully compliant with GP. Futhermore, GP has defined a new authentication protocol, named Remote Application Management over HTTP. This draft uses an application provider which manages the applet and smart card life cycle using the HTTP protocol. Indeed, OPAL can receive a HTTP POST request sent by the Remote Administration Server and extract the included APDU command. Afterwards, OPAL sends the APDU command via the SCP02 protocol to the card and receives its response. Thus, the response is encapsulated in a HTTP POST request in order to send it to the Remote Administration Server.

8. Fuzzing du protocole HTTP sur carte à puce Matthieu Barreaud, Guillaume Bouffard, Julien Iguchy-Cartigny, and Jean-Louis Lanet - Crypto’puces 2011, May 8–12, 2011, Porquerolle, France (2011)

   The emergence of web servers embedded in smart cards cards facilitates the development of applications. These applications are close to servlets (applications with a web server) and are based on the based on the HTTP model known by many developers. The server can be used externally, via the phone connection (GSM, 3G, etc.) connection (GSM, 3G, etc.), for all phases of administration or administration or, via the phone interface, to provide user provide user services. Here we will focus on the the Java Card 2.2 WebServer Edtion model. In order to communicate with this web server, a service provider can send HTTP frames to the cell phone – or any other interface other interfaces between the card and the service provider. These frames are then encapsulated via the BIP 2 protocol to be sent to the (U)SIM card. The study and validity of this protocol has been one of our previous research topics. In the continuity of this work, we have chosen to verify the HTTP protocol. The implementation of this type of server must be secured in order to guarantee the execution of sensitive sensitive commands. However, the specific constraints of the world of embedded systems forces to have a complete system of the order of a few kilobytes. As a result, the optimizations may contribute to the presence of vulnerabilities. To verify the conformity and the robustness of the implementation, we have chosen to use fuzzing which is an error which is a technique of searching for errors in the software implementation by injecting invalid data. This method uses a data model representing the grammar and a model symbolizing the model symbolizing the state machine of the protocol to be fuzzed. Our analysis tool allows to characterize the web server embedded in the card and thus to reduce the tree of of the data model of the HTTP protocol. This tool is a solution for anyone wishing to verify the security of the security of the embedded HTTP protocol. The first experimental results results will be presented during the conference.

Tutorials

1. Security in modern CPU Guillaume Bouffard - Worskshop on the Security of Software/Hardware Interfaces, November 21st, 2019 Rennes, France (2019)

   Modern CPUs are daily use in our smartphone and several IoT devices. These components compute more and more sensitive data. However, they are only designed to prevent software attacks. Recently, few publications focus on breaking modern CPUs from hardware layout. In this presentation, we will see how hardware security in modern CPU is also important than software security and why should be take in account.

2. Attacks against the Java Card Platform Guillaume Bouffard - CryptoBG International Summer School, July 20th, 2015, Oriahovitza, Bulgaria (2015)

Posters

1. Caractérisation d’antennes pour l’injection de fautes sur composants électroniques Guillaume Bouffard, Valentin Houchouas, José Lopes-Esteves, and Thomas Trouchkine - GDR Ondes, December, 2021, Lille, France (2021)

2. Combined Attacks on Java Card Smart Cards Guillaume Bouffard, and Jean-Louis Lanet - PHISIC 2011 workshop, October, 2011, Gardanne, France (2011)

Theses

1. A Generic Approach for Protecting Java Card Smart Card Against Software Attacks Guillaume Bouffard - PhD thesis - University of Limoges (2014) Award Prix de thèse de l’action du CNRS Objets intelligents sécurisés et Internet des objets

   Smart cards are the keystone of various applications which we daily use: pay money for travel, phone, etc. To improve the security of this device with a friendly development environment, the Java technology has been designed to be embedded in a smart card. Introduce in the mid-nineties, this technology becomes nowadays the leading application platform in the world. As a smart card embeds critical information, evil-minded people are interested to attack this device. In smart card domain, attacks and countermeasures are advancing at a fast rate. In order to have a generic view of all the attacks, we propose to use the Fault Tree Analysis. This method used in safety analysis helps to understand and implement all the desirable and undesirable events existing in this domain. We apply this method to Java Card vulnerability analysis. We define the properties that must be ensured: integrity and confidentiality of smart card data and code. During this thesis, we focused on the integrity property, especially on the code integrity. Indeed, a perturbation on this element can break each other properties. By modelling the conditions, we discovered new attack paths to get access to the smart card contents. We introduce new countermeasures to mitigate the undesirable events defined in the tree models.

2. Analysis and binary transformation Guillaume Bouffard - Master thesis - Technicolor & University of Limoges (2010)

   This document describes the work done during the internship for my master degree Information Technologies Security and Cryptography at the University of Limoges, France, carried out with Technicolor at the Technicolor Security and Content Protection Laboratories at Rennes, France. This internship aims to protect the sensitive piece of code of a binary exe- cutable without application source code knowledge. A sensitive piece of code of a binary application is a set of the most uses instructions. In order to protect this binary part, I extracted this sensitive piece of code of the binary application and I replaced with that provides a way to communicate to a dongle. On this dongle, the extracted protected instructions are putted and executed. Thus, to correctly execute a protected application, the user needs a dongle which con- tains the missed part of the executed application. After a short presentation of the context and the company, I will present each step to my internship. In a first time, I will describe how to find the sensitive binary part of an executable program. When this part is found, I will try to translate this piece of code in another language to protect it. Next, I will modify the binary application, without the source code, to change the protected piece of code by a set of instructions designed to communicate to the dongle containing the extracted piece of code. That will take us to a proof of concept. To conclude, I will sum up the completed objectives, the possible improvements and the difficulties I have encountered.

Preprints

1. Electromagnetic fault injection against a System-on-Chip, toward new micro-architectural fault models Thomas Trouchkine, Sébanjila Kevin Bukasa, Mathieu Escouteloup, Ronan Lashermes, and Guillaume Bouffard - arXiv (2019)