PhD : selection by topics

Technological challenges >> Cyber security : hardware and software
14 proposition(s).

Unsupervised deep learning methods for side-channel attacks

Département Systèmes (LETI)

Centre d'Evaluation de la Sécurité des Technologies de l'Information

01-09-2020

SL-DRT-20-0324

eleonora.cagli@cea.fr

Secure components that rely on embedded cryptographic mechanisms, for instance smart cards, may be vulnerable to side-channel attacks. Such attacks are based on the observation of physical quantities measured during device activity, such as power consumption, electromagnetic radiation or execution time: variations in these quantities may leak information. A deep analysis of the leakage may allow an attacker to retrieve sensitive information, for instance the secret keys of the embedded cryptographic algorithms, and thus break the security of the device. Deep-learning methods are nowadays a privileged tool for analyzing these leakages, which are typically collected as large datasets of high-dimensional signals. Since 2016, the interest of embedded security researchers in this topic has grown very fast, especially because of the efficiency of these methods in the context of profiled attacks. In this context, the attacker has access to a second dataset, over which he has complete knowledge. This second dataset allows him to perform a preliminary supervised training phase. This context is the most advantageous for the attacker. When attacks are set up in the field, for instance when evaluating complex secure systems, this scenario is not available. In the wide state of the art on non-supervised attacks, machine-learning techniques appeared about ten years ago. In particular, clustering methods attracted considerable interest. Today, deep-learning research is making clustering algorithms evolve, in particular through "embedding" techniques. These techniques aim at representing data in a space that enhances certain "useful" relations among the data. The principal application domain of these techniques today is the representation of words for natural language analysis: a useful representation should embed words into a space where words belonging to the same semantic field are close to each other.
The goal of this research is to study "deep embedding" techniques, evaluate their suitability for non-profiled attack scenarios, in particular in the context of public-key cryptographic algorithms, formalize an efficient deep-clustering-based attack strategy and analyze its properties in depth.

Design of neural networks adapted to FHE and MPC

Département Architectures Conception et Logiciels Embarqués (LIST-LETI)

Laboratoire composants logiciels pour la Sûreté et la Sécurité des Systèmes

01-10-2019

SL-DRT-20-0388

aymen.boudguiga@cea.fr

In this thesis, the student will investigate the variety of scenarios in which homomorphic encryption provides a meaningful countermeasure to confidentiality threats applying to neural network systems. To do this, she/he will leverage the many degrees of freedom in neural network design as well as in homomorphic encryption scheme design to propose specialized networks and FHE schemes that work efficiently together. The candidate will attempt to push this application/FHE co-design strategy to its limits in order notably to: evaluate deep neural networks over encrypted data (input/output privacy), and evaluate encrypted deep networks over clear or encrypted inputs (model/output privacy with optional input privacy). This will require defining an efficient FHE-neuron as well as bringing privacy-by-design to all stages of its lifecycle: from the unitary encrypted-domain execution of the neuron itself, to input-private and/or model-private evaluation of networks of that neuron, and then up to the training of networks of such neurons (over clear data). In addition, she/he will investigate the use of MPC for the same evaluations. Ideally, she/he will identify situations where either FHE or MPC is more suitable for ensuring data confidentiality. In addition, synergies between FHE and MPC usage will be studied. Furthermore, implementing proofs of concept will provide clear experimental evidence either of the practicality of marrying a neural network technique with a specific homomorphic encryption or MPC scheme, or of the remaining gap (measured or estimated) to achieve the evaluation of networks of practically relevant size and complexity.

Proved simplification engine for software deductive verification

Département Ingénierie Logiciels et Systèmes (LIST)

Laboratoire pour la Sûreté du Logiciel

01-09-2020

SL-DRT-20-0396

loic.correnson@cea.fr

The Frama-C platform developed at CEA is dedicated to formally establishing the absence of bugs in critical software. It is used at an industrial scale in various domains, such as avionics and energy production plants. To assess such guarantees on critical software, it is necessary to automate the verification process with proof assistants (Coq, PVS, HOL) and SMT solvers (Z3, CVC4, Alt-Ergo). However, for these techniques to be applicable to industrial code, it is necessary to first simplify our proof objectives. Inside Frama-C, we have developed the Qed engine, which is precisely in charge of building and simplifying logical formulas. This engine was typically responsible for dramatic gains in performance for proving critical code at Airbus, leading to the adoption of the approach in their production process. Since Qed's early developments in 2015, the engine has been extended with many improvements of increasing complexity. It is now becoming difficult to certify that the engine remains sound and only produces valid simplifications. To this end, the subject of the thesis is to completely redesign the Qed engine with the Why3 proof environment by specifying its simplification algorithms and formally verifying their correctness. Eventually, the code extracted from this Why3 development will replace the existing engine inside Frama-C.

Hardware countermeasure techniques of cryptographic algorithms exploiting in-memory computing

Département Architectures Conception et Logiciels Embarqués (LIST-LETI)

Laboratoire Intégration Silicium des Architectures Numériques

01-10-2020

SL-DRT-20-0401

simone.bacles-min@cea.fr

The LISAN Laboratory (Digital Design & Architecture Laboratory) develops and designs innovative chip systems based on multicore architectures and low-power architectures dedicated to the Internet of Things (IoT). The IoT field imposes many prerequisites, especially regarding the security of energy-autonomous connected objects. New architectures are expected to be as energy efficient as possible. The implementation of IoT security must also be guided by the available energy without causing any security breach. An intelligent memory, called C-SRAM, able to perform in-memory computing has been designed within the laboratory. The aim of the thesis is to study the possibilities of this memory from the point of view of security. The intrinsic properties of this intelligent memory make it possible to envisage the implementation of several algorithms and in particular new countermeasures against combined physical attacks (side-channels and faults).

Side-Channel Analysis against the confidentiality of embedded neural networks: attack, protection, evaluation

Département Systèmes (LETI)

Laboratoire Sécurité des Objets et des Systèmes Physiques

01-09-2020

SL-DRT-20-0584

pierre-alain.moellic@cea.fr

One of the major trends of Artificial Intelligence is the large-scale deployment of Machine Learning systems to a large variety of embedded platforms. Many semiconductor practitioners propose "A.I. suitable" products, mostly with neural networks for inference purposes. The security of the embedded models is a major issue for the deployment of these systems. Several works have raised threats such as adversarial examples or membership inference attacks, with disastrous impact. These works consider the ML algorithms from a purely algorithmic point of view, without taking into consideration the specificities of their physical implementation. Moreover, advanced work is required on physical attacks (i.e., side-channel and fault injection analysis). By considering an overall attack surface that gathers the theoretical (i.e., algorithmic) and physical facets, this subject proposes to analyze side-channel analysis (SCA) threats targeting the confidentiality of the data as well as of the model (reverse engineering) of embedded machine learning systems, and to develop appropriate protections. Several works have studied physical attacks on embedded neural networks, but usually with naive model architectures on 'simple' 8-bit microcontrollers or FPGAs, or at a pure simulation level. These works do not try to link the fault models or the leakages with well-known algorithmic threats. Building on experience with other critical systems (e.g., cryptographic primitives), the main idea of this PhD subject will be to jointly analyze the algorithmic and physical worlds in order to better understand the complexity of the threats and develop efficient defense schemes. The work will answer the following scientific challenges:
(1) Characterization and exploitation of side-channel leakages: how to exploit side-channel leakages (power or EM) to guess sensitive information focused on the training data or information on the model architecture.
(2) Evaluation of the relevance of classical countermeasures such as hiding or masking techniques for this kind of systems and threats.
(3) Development of new protections suitable for embedded neural networks.

Safety/Security Modeling for Security Characterization of Industrial Control Systems

Département Systèmes (LETI)

Laboratoire Sécurité des Objets et des Systèmes Physiques

01-10-2020

SL-DRT-20-0594

Industrial systems are often used to monitor and control a physical process such as energy production and distribution, water cleaning or transport systems. They are often simply called Supervisory Control And Data Acquisition (SCADA) systems. Due to their interaction with the real world, the safety of these systems is critical and any incident can potentially harm humans and the environment. Since the Stuxnet worm in 2010, such systems increasingly face cyberattacks caused by various intruders, including terrorists or enemy governments [1]. As the frequency of such attacks is increasing, the security of SCADA systems is becoming a priority for governmental agencies [2]. One of the main research axes in the cybersecurity of industrial systems deals with the combination of safety and security properties. Safety relates to applicative properties of the system (e.g. chemical properties for a chemical factory), while security properties take into account how an intruder can harm the system. As shown in [3], combining safety and security is a challenging topic as these properties can be either dependent, strengthening, antagonist or independent. As shown in [4], combining both safety and security in a common model is challenging as both come with sources of combinatorial explosion. Moreover, there are tools used for either security or safety analyses, but currently no tool is able to handle both aspects at the same time. In this context, we propose a Ph.D. thesis revolving around the modeling of industrial systems, taking into account both safety properties of the physical process and security properties. Besides the definition of an accurate, yet automatically analyzable modeling framework/language, many aspects can be part of the subject. For instance, programmable logic controller (PLC) configuration files could be generated from this model in order to only deploy programs validated beforehand. PLC vulnerabilities could be studied (firmware reverse engineering, protocol fuzzing) in order to test the technical feasibility of the attacks found. Finally, in a certification context, security analyses on the model could include requirements from standards such as IEC 62443 [5] to help the evaluation process.

References
[1] J. Weiss, Protecting industrial control systems from electronic, Momentum Press, 2010.
[2] ANSSI, Managing cybersecurity for ICS, ANSSI, 2012.
[3] L. Piètre-Cambacédès, Des relations entre sûreté et sécurité, Paris: Télécom ParisTech, 2010.
[4] M. P. a. A. K. M. Puys, Generation of applicative attacks scenarios against industrial systems, Nancy: FPS'17, 2017.
[5] IEC-62443, Industrial communication networks - Network and, International Electrotechnical Commission, 2010.

Protecting elliptic curve cryptography against Template attacks and Horizontal attacks

Département Systèmes (LETI)

Laboratoire Sécurité des Objets et des Systèmes Physiques

01-09-2020

SL-DRT-20-0600

antoine.loiseau@cea.fr

This study is focused on the security of embedded systems and in particular asymmetric cryptography against horizontal attacks and Template attacks. Recent studies, applied to symmetric cryptography, have made it possible to build new techniques for side channel attacks. By improving the effectiveness of Template attacks, these new attacks make it easier to bypass masking countermeasures. It seems appropriate to study these new tools in depth in the context of Template and horizontal attacks against asymmetric cryptography, especially for elliptic curves. The use of machine learning in the context of side channel attacks. The main purpose of the thesis is to evaluate the security properties of ECCs against the most advanced Template and Horizontal attacks that use machine learning. Depending on the results obtained, new countermeasures will have to be constructed in order to address any new weaknesses.

RTN entropy source extraction from RRAM for TRNG application

Département Systèmes (LETI)

Laboratoire Sécurité des Objets et des Systèmes Physiques

01-06-2020

SL-DRT-20-0693

florian.pebay@cea.fr

As a consequence of the rapid development of the Internet of Things (IoT), where devices are massively interconnected, security breaches are discovered daily. The growing threat of physical attacks, to which connected objects are widely exposed, forces chipmakers to increase the security of their products. True Random Number Generators (TRNGs) are the cornerstone of device security; they are required for running cryptographic algorithms and are fully integrated into encryption engines. The security level of the system directly depends on the randomness of the bits generated. Furthermore, IoT chips face harsh constraints in terms of price and power consumption. In order to be integrated into these chips, TRNGs must offer an efficient tradeoff between cost and security. In this perspective, TRNGs based on already integrated components, such as RRAM memories, are a promising lead.

Moving code analysis from safety to security: taking the attacker model into account

Département Ingénierie Logiciels et Systèmes (LIST)

Laboratoire pour la Sûreté du Logiciel

SL-DRT-20-0741

sebastien.bardin@cea.fr

So-called formal techniques for automated program analysis have proven highly successful over the past decade in the field of safety-critical systems. A current Grand Challenge of formal verification is to scale to the security analysis of non-regulated programs. In code analyzers, code-level attackers are implicitly restricted to sending crafted messages. Yet, realistic attackers can do much worse, typically deducing or modifying information during executions, using for example pure hardware attacks (side-channel attacks, fault injection) or mixed hardware/software attacks (e.g., Rowhammer, cache attacks, speculative attacks such as Spectre). The goal of this doctoral thesis is precisely to understand how relevant attacker models can be *efficiently* added to the standard program analysis framework. This requires identifying relevant attacker models (capacities, goals) and formalizing them in a way amenable to efficient code analysis.

Vulnerability study of electronic system against electromagnetic perturbation

Département Systèmes (LETI)

Centre d'Evaluation de la Sécurité des Technologies de l'Information

01-09-2020

SL-DRT-20-0830

In the field of electronic system evaluation, the Leti ITSEF evaluates component resistance against perturbation attacks using classical methods (voltage/clock glitch, glitch, photoelectric perturbation). The usual methods allow the evaluator to inject faults on the target with a high level of precision but require physical access to the product in order to be very close to the area of the perturbation, which is sometimes unrealistic. Indeed, the state-of-the-art equipment used by the Leti ITSEF for electromagnetic perturbations usually requires placing a wire loop less than 1 mm from the component. The Leti ITSEF wants to develop a novel distant perturbation method based on electromagnetic perturbation. On the other hand, the CEA-DAM of Gramat has serious experience in the electromagnetic susceptibility of electronic systems to electromagnetic aggressions. They want to use their technology in order to evaluate the vulnerability of a communicating system to an electromagnetic aggression.

Objectives: The research will be based on previous studies performed by the CEA-DAM of Gramat on the vulnerability of electronic systems to electromagnetic radiation, which is very effective for permanent or temporary denial of service. First, it will be necessary to make the link between the Gramat technology, which is very effective in terms of denial of service, and the Leti technology, which allows a more precise effect. Then, a laboratory demonstrator will be developed to perform perturbation attacks on a representative target.

Execution of the Thesis: The first part of the thesis will be dedicated to a bibliography review on the effects of electromagnetic perturbations on electronic systems and to the study of different ways to produce such electromagnetic perturbations. In the second part, the technical choice from the previous part will be tested against different representative targets of IoT devices. It will be necessary to measure the perturbation impact on different targets and to compare the results against a theoretical model. The last part will be dedicated to the prototype development.

Optimization of countermeasure insertion for the safety of Integrated Circuits.

Département Architectures Conception et Logiciels Embarqués (LIST-LETI)

Laboratoire Calcul Embarqué

01-10-2019

SL-DRT-20-0836

lilia.zaourar@cea.fr

Hardware Trojans (HTs) are malicious blocks inserted into Systems on Chip (SoC) by untrusted parties in the IC design/manufacturing flow. They have been identified as a realistic threat, among others to car safety and the military. HTs aim to change the behavior of SoCs, with effects ranging from denial of service and decreased reliability to confidential information leakage. Such attacks lead to multi-billion-dollar losses per year for the semiconductor industry. Countermeasures against HTs exist, divided into two categories: detection and prevention. Ten years of research have shown that detection is a very challenging task, given the stealthy nature of the threat and the multiple possible forms of HTs. Prevention consists in modifying the design flow to take security issues into account. Despite its potential cost, it represents a more effective way to overcome HT insertion. So-called Design-for-Hardware-Trust (DfHT) methods exist, with various goals and impacts on performance. The MOOSIC project proposes a framework dedicated to security that can be integrated into the conventional IC design flow. The goal is to take into account, as early as possible in the design phase, both countermeasures against HTs and performance, to ensure that the SoC behavior is guaranteed despite untrusted IP vendors or foundries. Towards this objective, the project envisions establishing and evaluating security properties and then integrating them during synthesis with multi-objective optimization techniques, which will be built on a mathematical model of the problem that takes into account both the performance and the HTs' effects. It is indeed necessary to find a good compromise between the level of security sought and performance. The candidate will have to propose a complete mathematical model of the problem that supports all the constraints and objectives (security, area, frequency, consumption). He will then have to develop optimization algorithms to effectively solve the problem of inserting countermeasures under conventional criteria (time, area, consumption). Finally, a validation of the methodology on simple first examples is envisaged, as well as some tests on industrial use cases, with some improvement if necessary. The thesis will take place at the CEA LIST LCE and will be led by the LIP6 / Sorbonne University in Paris.

Systematic construction and interpretation of electromagnetic leakages models for embedded processors

Département Systèmes (LETI)

Laboratoire Sécurité des Objets et des Systèmes Physiques

01-10-2020

SL-DRT-20-0838

maxime.lecomte@cea.fr

Side-channel attacks consist in measuring the physical activity emitted by a circuit (processor, microcontroller or cryptographic accelerator) to extract secrets. The power consumption of the circuit and its electromagnetic emanation are the most commonly exploited signals. Due to the development of the Internet of Things (IoT), more and more systems are exposed to these attacks. Unfortunately, integrating countermeasures (software or hardware) against such attacks is extremely expensive. Therefore, it is essential to have an accurate idea of side-channel leakages as early as possible in the design phases: on the one hand to target countermeasures on critical areas, and on the other hand to have a realistic view of leakages in order to automate the application of countermeasures. The thesis topic is the exploration of electromagnetic leakage models and different ways of interpreting them. The general objective of this work is to model the leakages of a processor based on its state at different abstraction levels: Register Transfer Level (RTL), micro-architecture or even instruction set simulator (ISS). The LSOSP laboratory of CEA-LETI, where the thesis will take place, has strong experience in physical measurements and has already performed preliminary research on the subject. Therefore, the candidate will start from these results and will perform physical measurements and manipulate different logic models to create a precise leakage model of the targeted processor.

Random number generators: Tests and exploitation of vulnerabilities

Département Systèmes (LETI)

Centre d'Evaluation de la Sécurité des Technologies de l'Information

01-10-2020

SL-DRT-20-0857

cecile.dumas@cea.fr

Embedded cryptography in smart cards makes ample use of random numbers in order to guarantee uniformity properties or to hide information. In practice these numbers are generated by the chip from a hardware unit named TRNG (True Random Number Generator). The evaluation of this generator requires on the one hand characterizing the statistical properties of the generated numbers and on the other hand verifying its resistance to side-channel attacks. This thesis proposal is to study methods of evaluating the generator quality, to characterize the defects observed at the output and to analyze the ways of exploiting these vulnerabilities when using numbers that are not quite random.

Impact of micro-architecture on side-channel attack countermeasures

Département Architectures Conception et Logiciels Embarqués (LIST-LETI)

Laboratoire Infrastructure et Ateliers Logiciels pour Puces

01-09-2020

SL-DRT-20-0921

nicolas.belleville@cea.fr

This thesis is set in the context of cyber-security for embedded systems and IoT. The thesis addresses the application of countermeasures by compilation against side-channel attacks exploiting power consumption or electromagnetic emissions, which represent a major threat against these systems. A leakage model can be used when applying countermeasures: it models how side-channel leakages are related to the program and the data being manipulated by the processor. An unfaithful model does not allow the countermeasure to be applied effectively. The models currently employed are insufficient since they do not take into account the micro-architecture of the components. Indeed, micro-architecture, and in particular elements that are invisible at the assembly level (hidden registers or buffers), can cause leakages. The objective of this thesis is to study the impact of micro-architecture on the automated application of countermeasures against side-channel attacks during compilation. A first axis is to study how to modify the way countermeasures are applied within the compiler to take into account precise leakage models that are micro-architecture aware, for example how to adapt the instruction selection or register allocation in the compiler depending on the leakage model. A second axis is to adapt the countermeasures themselves in order to better take into account the nature of the leakages, with the objective of improving the reduction of information leakage and thus improving the security/performance trade-off.
