Detecting Fault Injection Attacks with Runtime Verification
Fault injections are increasingly used to attack secure applications. Software countermeasures against fault injections can be categorized into (i) algorithm-level countermeasures, which are easy to deploy and introduce low overhead but not so difficult to bypass, and (ii) instruction-level countermeasures, which are more robust but introduce high overhead and require changes in the instruction set. In this paper, we define formal models of runtime monitors that can detect fault injections that result in test inversion and arbitrary jumps in the control flow of a program. Runtime monitors offer several advantages. The code implementing a runtime monitor is small compared to the entire application code, have the advantages of algorithm-level countermeasures. They benefit from a formal semantics; it can be proved that they effectively detect attacks. Each monitor is a module dedicated to an attack and can be deployed as needed to secure the application. It can run separately from the application (e.g., in a trusted memory zone) or "weaved" inside the application. These features make monitors suitable for low-resource devices such as IoT devices. Our monitors have been validated by detecting simulated attacks on a program that verifies a user PIN under the control of a number of trials.
READ FULL TEXT