Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
  • G06F21/12—Protecting executable software
  • G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/77—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
  • G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack

Definitions

• applet any program executed by a virtual machine.
• a program written in Java-Card language and intended to be executed by the JVM of a smart card is called applet.
• .NET applet or Multos applet, for programs developed in a .NET environment for smart cards (respectively a Multos environment).
• the instructions included in an applet are often called op-codes, for "operation code", in the Java- Card context.
• a virtual machine is an entity that is able to execute an applet that is saved as a succession of statements, and that, when the applet is executed, translates each statement into an elementary operation or a sequence of elementary operations and executes this elementary operation (s).
• a virtual machine allows to dissociate the interface by means of which the program is registered or transmitted, of the platform which carries out the elementary operations. Examples of virtual machines include Java Virtual Machine (JVM), or various Common Language Infrastructure (CLI) implementations such as Common Language Runtime (CLR) for C # (.NET environment).
• Virtual machines are often purely software. They can then run the same applet on all kinds of platforms very different from each other provided that there is a virtual machine suitable for each of these platforms. But it is also possible to use hardware virtual machines (for example a dedicated electronic circuit) or virtual machines associating a software part and a hardware part.
• An inverse applet is called an activity that aims to understand how the applet was designed to copy, modify, or hijack the applet, most often without the consent of its authors and / or owners.
• Hidden channel analysis is an analysis based on information obtained from the physical implementation of an electronic device. This information is often variations of certain physical quantities that are caused by the execution of a program in the electronic device. These physical quantities (called “hidden channels”) can be, in particular, the electrical consumption of the device, or the electromagnetic field that is produced by the device, and can distinguish the tasks performed according to the power consumption they require or electromagnetic radiation they cause. We can also measure the vibrations emitted (some components may vibrate, in a different way depending on what they do), or the temperature variations, or the time spent performing a particular task (“timing attacks"). Etc.)
• a basic analysis may simply consist in identifying a given characteristic according to a given measurement on the targeted electronic device. This is the case, for example, of so-called SPA (Simple Power Analysis) attacks. More sophisticated analyzes can rely on statistical studies based on a large number of measurements (this is the case for example DPA attacks, for Differential Power Analysis, and more particularly HODPA attacks, for High Order DPA ).
• SPA Simple Power Analysis
• More sophisticated analyzes can rely on statistical studies based on a large number of measurements (this is the case for example DPA attacks, for Differential Power Analysis, and more particularly HODPA attacks, for High Order DPA ).
• an attacker can for example proceed in two stages.
• the attacker loads learning applets on the card (for some Java cards, this manipulation is indeed allowed, for others it may be necessary to perform a first attack to load the applets learning).
• the learning applets are encoded by the attacker in a way that allows him to characterize the instructions by corresponding models.
• a pattern is a signal related to a hidden channel of an instruction.
• the set of models then forms a base of models of the instructions that have been characterized.
• the attacker measures the signal coming from a hidden channel during the execution of the applet he wishes to discover. Then, it uses the model database built in the characterization step to find the sequence of instructions of the applet. The detection is based on the coherence between the signal acquired during the detection step and the models stored in the base.
• One of the simplest consistency measures is correlation.
• the situation C1 corresponds, for example, to a case in which no hardware or software countermeasure is implemented, or only elementary (ineffective) countermeasures are implemented.
• a typical example of this type of countermeasures is the addition of random noise on the channel (e.g. power consumption or electromagnetic radiation).
• this random noise can be isolated by running the characterization applets a large number of times and averaging the signals.
• the C2 situation can occur especially if some hardware or software countermeasures are implemented.
• the solution using a deterministic noise proposed in the patent FR2903508B1 makes it possible to make the extraction of the models more difficult. Countermeasures to desynchronize the signals (for example: jitter, clock division ...) can disturb the obtaining of the models but it is often possible to find them thanks to techniques of signal processing.
• the solution according to FR2903508B1 is relatively expensive in terms of performance.
• the deterministic noise is not correctly generated (that is, it does not lead to signatures strongly resembling the signatures naturally generated during the execution of the instruction considered), an attacker could extract it from the raw signals.
• the C3 situation could arise in case of very strong security, for example through low-level interventions, at a hardware level, directly in a component running the applet, or at a software level, in an interpreter (virtual machine running the applet).
• the purpose of these interventions is generally to make the models constant or not constant but identical, so that it is impossible to distinguish one instruction from another.
• it is very difficult to guarantee such a property, and the case C3 is relatively theoretical.
• the situation C4 can occur when the attacked device is designed to provide false models (that is, models that do not match the models of the attacked applet), during the learning phase.
• false models that is to say generate different types of noise in the two stages of characterization and detection, to disturb the detection.
• the models are typically the same. If the attacker manages to find a way to isolate the additive noise (for example isolate a signal coming from the crypto-processor that is used as noise), it is possible that he can reverse engineer the applet attacked by the analysis of hidden channels.
• Possibilities C1 and C2 in turn allow, in general, a detection of the instructions in the second step in which two situations can be envisaged:
• the situation in which the models can not be detected is usually the result of the C3 situation, and is therefore not studied.
• a noise can be superimposed on the power supply in order to make its operation more difficult, to smooth the power consumption (for example with capacitors), to limit electromagnetic emissions by adequate shielding, etc.
• a particular internal clock whose characteristic is to have a frequency of operation which varies randomly, which makes the measurements difficult to exploit (the instructions of the applet then being carried out at a rate which varies constantly , and which is a priori unknown to the attacker).
• Java-Card smart cards can condition the execution of an applet to the correct presentation of a PIN.
• WO 02/50641 (Nicolas Giraud et al.) Discloses a technique for protecting the execution of an operator (in particular the XOR operator) belonging to the set of arithmetic instructions of a microprocessor. This technique consists in replacing the execution of the same operator by the execution of one of several possible sequences of operations, the different sequences being functionally identical to the operator. However, this technique protects an operator without making any distinction as to the context in which this operator is used. On the other hand, it is not intended to specifically protect an electronic device equipped with a virtual machine (this type of electronic devices not even being disclosed).
• the invention aims to improve the situation.
• One aspect of the invention relates to an electronic device equipped with a virtual machine for executing an applet, the virtual machine being arranged to recognize the instructions of the applet and execute a code corresponding to each instruction.
• the electronic device is, for example, a card to puce (SIM card, bank card, health card, etc.), an electronic identity document (electronic passport, electronic identity card, electronic visa, etc.), a USB key, a token, etc.
• the virtual machine comprises an association module arranged to associate, in the same instruction, several separate but functionally identical codes.
• the virtual machine has several ways to execute the same instruction. It is possible to protect several instructions, each of them being associated with several different codes but functionally identical.
• the definition of the sets of codes to be associated with each instruction can be done upstream (for example during the design of the device), and the association module can then simply memorize the list of predefined codes associated with each instruction concerned.
• the virtual machine also comprises a selection module arranged to select the code to be executed for the instruction considered in a random manner. By random, we mean that it is not possible for an entity outside the device to easily deduce deterministic properties that would predict future selections based on past selections. The selection can take place for example by means of a so-called "pseudo-random" generator, such as a linear congruent generator, which can be software or hardware.
• the series of random numbers generated by such a generator is deterministic, but of long duration, and relies on a secret that is not shared with the outside world.
• the association module and the selection module are, for example, software modules executed by a processor of the device, or modules in hardwired logic (for example for a virtual machine made using a dedicated electronic component). .
• This embodiment is also advantageous in that it allows protection performed at a level higher than the processor level. It is thus possible to protect certain instructions when they are used by an applet executed by a virtual machine.
• This protection can be combined with a low level protection, for example the processor can, in addition, replace some operations of the processor with one of several functionally equivalent sequences.
• an electronic device comprising a virtual machine may be required to execute many types of codes, the applets of which only constitute a subset.
• some codes may correspond to portions of the operating system of the electronic device (or softmasks), and may be executed without the virtual machine being requested (or even informed of their execution).
• the various codes associated with the instruction are distinguished by their duration of execution by the device.
• the execution time of an applet fluctuates in an unpredictable way, not only globally (total duration of execution of the applet) but also at the level of each instruction associated with several codes.
• the various codes associated with said instruction are distinguished by the power consumption or the electromagnetic radiation they generate during their execution by the device.
• measurements of electromagnetic radiation or electrical consumption during the execution of an applet do not make it easy to deduce what the applet is doing, the electromagnetic signature (or consumption) being variable for each instruction associated with several codes.
• the virtual machine is arranged to operate the random selection of the code to be executed for each instruction associated with several codes based on a measurement of the physical characteristic of the device. For example, it is possible to measure, using a analog-to-digital converter, the noise of a resistor, which has stochastic physical properties.
• the physical measurement or measurements can be used directly, or used as seeds of a software pseudo-random generator, or be processed (for example using a crypto-processor) to improve their statistical properties. Relying on a physical feature increases the quality (the unpredictability) of the selection.
• two instructions each associated with several codes at least one of the codes associated with the first instruction has at least one characteristic common to one of the codes associated with the second instruction, the common characteristics including the duration of execution by the device, as well as the power consumption and the electromagnetic radiation generated during execution of the code by the device.
• the common characteristics are limited to one or more of these three characteristics.
• the virtual machine is arranged to identify the most frequent instructions and to use several codes only for said most frequent instructions.
• the virtual machine can identify the most frequent instructions (for which several codes are available), for example by using a pre-stored list of instructions (this list being defined for example during the design of the device). It can thus be statistically determined that this or that instruction is more frequent. It is also possible to analyze the code of the applet considered in order to identify the most frequent instructions for this particular applet.
• the five most frequent instructions are the instructions sload, sconst_0, baload, getfield_a_this, sstore, and one can only modify these five instructions, or even a subset of any of these five instructions.
• the most frequent instructions include one of the instructions of the addition, subtraction, multiplication, modulo, and exclusive orignal instructions, and it is advantageous to modify only instructions belonging to the this subset of instructions (addition, subtraction, multiplication, modulo, and or exclusive).
• Such elementary arithmetic instructions very common, have a high probability of appearing in any applet, and appearing quite often. By focusing on the protection of some very common instructions, one can minimize the complexity of implementing the protection (by avoiding to protect the entire instruction set), while ensuring that the protection will be effective enough (thanks to the frequency of appearance of the chosen instructions, which thus induces a possible attacker in error, the signature of these instructions constantly changing).
• the virtual machine is arranged to identify the most sensitive instructions and to use several codes for these most sensitive instructions. This protects the most critical operations (an attacker is often interested in only parts of the applet).
• the identification of the most sensitive instructions can be static, that is to say that the list of the most sensitive instructions can be preprogrammed in the virtual machine at the time of the design of the virtual machine and / or the device that integrates it.
• the most sensitive instructions include one of the instructions among the instructions implementing cryptographic algorithms as well as the access control instructions (including PIN code verification instructions, or passwords). ).
• Another aspect of the invention relates to a method of securing an electronic device against concealed channel attacks, the electronic device being equipped with a virtual machine recognizing the instructions of an applet and executing a code corresponding to each instruction. Since one (at least) instruction is associated with several distinct but functionally identical codes, the virtual machine selects the code to be executed for this instruction associated with several codes in a random manner.
• the various codes associated with said instruction are distinguished by their duration of execution by the device.
• the various codes associated with said instruction are distinguished by the power consumption or the electromagnetic radiation they generate during their execution by the device.
• the virtual machine selects the code to be executed for said instruction based on a measurement of the physical characteristic of the device.
• This physical characteristic electrical noise in a component sampled by an analog-to-digital converter, etc.
• a parameter calculated from the physical characteristic may for example have better statistical properties.
• two instructions each associated with several codes at least one of the codes associated with the first instruction has at least one characteristic common to one of the codes associated with the second instruction, the common characteristics including the execution time by the device, as well as the power consumption and the electromagnetic radiation generated during execution of the code by the device.
• the virtual machine identifies the most frequent instructions and uses several codes only for the most frequent instructions.
• Figure 1 illustrates different scenarios of an inverse applet engineering by hidden channel analysis
• Figure 2 is a diagram illustrating an implementation of applet protection performed according to an embodiment of the invention.
• the protection of a program interpreted by a virtual machine against reverse engineering using a hidden channel analysis is based on the use of alternative models making it possible to render the phases of characterization and detection more difficult.
• An instruction can thus correspond to several different codes, therefore to several different models.
• an addition operation is generally very close to the subtraction operation (SUB). It is possible to code the ADD and the SUB in such a way that their signatures are identical or very similar. For example, it is conceivable to implement the ADD addition, which takes as parameters two operands Op1 and Op2, as follows:
• this SUB operation performs exactly the same steps as the ADD operation, except that it uses as parameter, in line 4, the complement X instead of the parameter Op2.
• this is not typically observed on the electromagnetic or other emissions generated by the execution of the ADD and SUB operations, because only the address used is changed (the address of X not being the address of Op2 ). Or read data to a first address or to another address of the same memory component generates in principle the same traces.
• This results in an ADD operation that may be slightly slower than a conventional ADD operation since it computes a seemingly useless X complement (which is not used later), but on the other hand the fact that this complement is computed makes it possible to get the same signature as for the SUB operation.
• the complement is a step performed in hardware in parallel with the other steps, and does not slow down the ADD operation.
• the models of the same instruction are different not only at the form level (the consumption power, the electromagnetic radiation) but also at the duration level (the execution time), for example by adding unnecessary operations.
• the operations unnecessary can be NOP operations. It is advisable not to use exclusively NOPs for this type of task (artificial extension of the execution time) because it is then possible for an attacker to be able to identify the NOPs and to consider them as indicators of "time stuffing", whose execution time must be deducted to determine the true execution time.
• some models are only authorized for applets stored in a certain type of memory (for example in ROM).
• the ROM typically contains highly controlled applets because they have necessarily been "loaded” during a step of masking the ROM component which implies knowledge of the applet by the manufacturers responsible for manufacturing this component ROM, which therefore have opportunity to check are content.
• it is easy (and known from the state of the art) to obtain the source code of the applet even when one has only its binary code (which may be the case of the manufacturers above).
• the ROM models are not valid for applets loaded in memories other than the ROM, such as EEPROM or FLASH memories, or battery-buffered RAM.
• memories such as EEPROM or FLASH memories, or battery-buffered RAM.
• the models are different according to the memory areas.
• some electronic device operating systems partition rewritable memories (such as EEPROM and FLASH), defining at least:
• a second zone accessible to the manufacturer of the device, for loading patches, softmasks, etc. or applets (possibly applet updates), the second zone being generally controlled according to a second level of protection (often higher than the first level of protection).
• the second level of protection can be determined and can not be modified, while the first level of protection can be modified.
• This first level can be modified for example by a telecommunications operator (typically in the case of electronic devices in the form of SIM cards), by a financial institution (typically in the case of bank cards), or by any entity that has purchased the electronic device and having made it available to an end user.
• characterization applets possibly implemented by the attacker are not relevant for all the applets. , and in particular for the applets stored in certain types of memories or in certain memory zones considered more sensitive and not accessible to the attacker.
• This may include system applets, such as applets offering authentication functions or credential sharing functions.
• Authentication functions may include biometric authentication (fingerprint verification by match-on-card technique, Iris verification, etc.), password checks, code checks PIN, etc.
• the credential sharing functions may include, for example, PIN sharing functions by a system applet to prevent all user applets from each having to request the same PIN code from the user, which would be detrimental the usability of the use of the electronic device (users are typically annoyed at having to enter the same secret code several times), and would even be generally harmful to security.
• PIN sharing functions by a system applet to prevent all user applets from each having to request the same PIN code from the user, which would be detrimental the usability of the use of the electronic device (users are typically annoyed at having to enter the same secret code several times), and would even be generally harmful to security.
• each new entry of a PIN can be the object of an attack (social engineering, for example person observing the entry of the PIN code and memorizing it, or system of espionage type "key logger" namely interceptor keystrokes).
• each new transmission of a PIN code to the electronic device can potentially be attacked.
• the models of the same instruction are alternately activated according to certain rules defined for the application target. For example, all the models can be activated in a random manner, the rule for an applet that can be determined according to the mechanism defined in the patent application FR2903508 ("Protection of a program interpreted by a virtual machine", filed on 10 July 2006), that is to say it is possible to take into account a condensed applet (for example the result of a SHA-1 function applied to the binary code of the applet), so vary the models differently for the same instruction depending on whether it belongs to one applet or another.
• Alternate models can be applied to all instructions or to a set of the most critical and / or most called instructions.
• the effects generated by this countermeasure are as follows.
• An attacker could be aware of the existence of different models implemented by the target electronic device for the same instructions (depending on the context in which the instruction is executed by the device). Such an attacker may then seek to take this feature into account in attempting to determine which rule (s) is (are) used by the target electronic device to choose one model over another. In the case where an attacker can not characterize the models with raw signals and where he is obliged to record many occurrences of the signals then to average these signals to reduce the noise:
• only a few instructions are protected, which makes it possible to have a low performance impact (of the order of a few cents, that is to say that the speed of execution of the applet can be almost unchanged).
• the simple fact of changing only one very frequent instruction (for example the addition) in associating it with four possible codes instead of one may be enough to make an attack much more complex, while having a very negligible impact on the development time (at the interpreter device, applets, etc.) than on performance (the secure applet being almost as fast as an unprotected applet according to this embodiment).
• the most frequent instructions are: sload, sconst_0, baload, getfield_a_this, sstore, and it is a subset of these instructions (or all these instructions) that is protected.
• An embodiment limited to protecting frequent instructions is particularly advantageous, particularly for products with strong performance constraints, such as low memory capacity, slow processor, and so on.
• smart cards have much lower computing and storage resources than those of a conventional computer, and this embodiment is particularly suitable for them.
• Targeting only certain instructions also avoids a long development time and a large interpreter size.
• Fig. 2 relates to an implementation of applet protection according to one embodiment.
• OPi designates the instruction number i (having op-code OPi).
• Ri denotes a rule of this applet corresponding to the OPi instruction.
• the rule Ri can for example define the algorithm for selecting the code to be executed for the instruction OPi. It can be a conventional pseudo-random algorithm, but it can also be an algorithm that random in the sense that it is not easily predictable, selects the different codes with unequal probabilities.
• OP.SEQi designates the step of executing an OPi instruction in the sequence of instructions constituted by the applet.
• the code executed during OP.SEQi is not always the same, it depends on the one hand on the OPi instruction which determines the function that must be performed by the code, and on the Ri rule, which determines which code ( among all codes performing this function) must be executed.
• a virtual machine generates, from an applet represented by a series of instructions (OP1, OP2, OP3, %), from a series of rules. (R1, R2, R3, ...), and from a series of sets of codes (Codes of ⁇ 1, Codes of ⁇ 2, Codes of ⁇ 3, ...), each set of codes being associated with a set of codes instruction, an execution sequence (OP.SEQ1, OP.SEQ2, OP.SEQ3, %) performing the tasks provided in the applet, but using randomly chosen codes.
• the device embodying the invention may also be, for example, a mobile communication equipment, a contactless identification tag, a contactless identification tag reader, a smart card, a reader of such smart cards, an access control system, etc.
• kinds of smart cards for which the invention can be advantageously implemented can be in particular health smart cards, identity or passport chip cards, bank chip cards, control chip cards. access or smart cards electronic game media.
• Protectable applets are not limited to JavaCard applets, but can be for example .NET applets, or Multos applets.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Physics & Mathematics (AREA)
• Computer Hardware Design (AREA)
• Software Systems (AREA)
• Computer Security & Cryptography (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Mathematical Physics (AREA)
• Multimedia (AREA)
• Technology Law (AREA)
• Storage Device Security (AREA)
• Power Sources (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=44275914

Family Applications (1)

Country Status (6)

Families Citing this family (7)

Citations (1)

Family Cites Families (11)

• 2010
  • 2010-12-24 FR FR1061252A patent/FR2969787B1/fr not_active Expired - Fee Related
• 2011
  • 2011-12-22 WO PCT/FR2011/053160 patent/WO2012085482A1/fr active Application Filing
  • 2011-12-22 CN CN201180066192.0A patent/CN103597490A/zh active Pending
  • 2011-12-22 EP EP11815528.2A patent/EP2656268A1/de not_active Ceased
  • 2011-12-22 CN CN201810136156.0A patent/CN108171021A/zh active Pending
  • 2011-12-22 RU RU2013134481/08A patent/RU2603545C2/ru not_active IP Right Cessation
  • 2011-12-22 US US13/997,136 patent/US20130312110A1/en not_active Abandoned

Patent Citations (1)

Also Published As

Similar Documents

Legal Events