This Ph.D. position takes place in the context of the Labex CominLabs SCRATCHS (Side-Channel Resistant ApplicationsThrough Co-designed Hardware/Software) project. SCRATCHS is a collaboration between researchers in the fields of for-mal methods (Celtique, Inria Rennes), security (Cidre, CentraleSupélec Rennes) and hardware design (Lab-STICC). Themain goal of SCRATCHS is to co-design a RISC-V processor and a compiler toolchain to ensure by construction that asecurity sensitive code is immune to timing side-channel attacks while running at maximal speed. Our claim is that aco-design is essential to get end-to-end security: cooperation between the compiler and hardware is necessary to avoidtime leaks due to the micro-architecture with minimal overhead.
Modern hardware is typically optimised for maximising the instruction throughput. This is done by implementingcomplex logic and sophisticated heuristics guided by the dynamic behaviour of programs. For example, on some proces-sors, some instructions (e.g., multiplication on x86) take a variable amount of time to execute, depending on the valuesof their operands. As another example, a processor with cache memory will perform memory accesses directly from thecache when the requested memory address is already available in the cache (cache hit, fast), and will have to access thereal memory otherwise (cache miss, slow).
Because micro-architectural details are often left unspecified, it is very hard to predict the precise running time ofprograms. The security issue is that an attacker can exploit the difference in execution time to infer secret informationand, in particular, reconstruct cryptographic keys. One of the most easily exploitable timing side-channels are cache-based timing attacks where the time difference between a cache hit and miss is used to infer the memory access patterns.More generally, any micro-architectural shared resource may induce a potential timing channel that can be exploited byan attacker.
There are two extreme competing approaches to ensure the absence of timing leaks. The pure software approach im-plements costly software countermeasures but makes few assumptions about the hardware. The pure hardware approachimplements costly hardware countermeasures but makes few assumptions about the running software. Our claim is thatboth software and hardware need to cooperate in order to eliminate timing leaks without sacrificing efficiency. The gainis twofold: the software may delegate security to the hardware; and the hardware may exploit properties of the software.A challenge is to have a hardware that has a precise timing specification and security countermeasures against time side-channels while being as efficient as possible. Another challenge is to make sure that the compiler leverages the hardwaresupport while minimising the software countermeasures to ensure the absence of timing leaks.
Our goal is to protect such devices from side-channel attacks. We will use cache-based attacks as examples, but ourmethodology aim to apply to other types of side-channels. Physical attacks (electromagnetic analysis or laser attacks) areout of the scope of this project.
In order to provide a high level of security without sacrificing processor timing performances (i.e. disabling existing op-timisations), we believe that both processor architecture and compiler have to be specified together. In this project, wefocus our work on constant-time execution. To achieve this goal, we propose to ensure, at the micro-architectural level,constant-time properties that the compiler can rely on while optimising and generating an application binary.
The whole project will start with the specification of secure ISA, which requires a close collaboration between thepartners. The PhD student will participate to an ISA specification that takes into account the timing side-channel andtherefore specifies timing guarantees for all instructions. As cache attacks are a major timing channel, our secure ISA willprovide specific mechanisms to secure memory accesses. In particular, our ISA will expose fine-grained mechanisms toconfigure the behaviour of the memory hierarchy. The challenge is to expose abstractions that can be optimised by themicro-architecture but also amenable to compiler analyses.
Then, the PhD student will specify and implement a processor, based on the proposed ISA specification, ensuringconstant-time properties facilitating the generation and formal verification of constant-time code. For that purpose, wewill rely on an existing RISC-V core. Finally, she/he will propose and implement a cache architecture to counter cache-based side-channel attacks. The proposed architecture will be evaluated regarding security and metrics such as perfor-mances, area, cost and energy consumption.
Applicants must have a Master Degree in Computer Science, Computer Engineering or a related field and they are ex-pected to have:
- A strong background in processor architecture,
- Skills in hardware design (VHDL or Verilog),
- Knowledge in software/hardware security,
- Programming skills in C language,
- Some programming skills in assembly language are also welcome.
- Pr. Guy Gogniat - email@example.com
- Dr. Pascal Cotret - firstname.lastname@example.org
- Dr. Vianney Lapôtre - email@example.com
Date and location
This position is available starting from 2021, September 1st. The thesis will take place at Lab-STICC laboratory in Lorient,France.
 Gilles Barthe, Sandrine Blazy, Benjamin Grégoire, Rémi Hutin, Vincent Laporte, David Pichardie, and Alix Trieu. For-mal verification of a constant-time preserving c compiler.Proc. ACM Program. Lang., 4(POPL), December 2019.
 Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad S. Wahby, John Renner, Benjamin Grégoire,Gilles Barthe, Ranjit Jhala, and Deian Stefan. Fact: A dsl for timing-sensitive computation. InProceedings of the 40thACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, page 174–189, NewYork, NY, USA, 2019. Association for Computing Machinery.
 Qian Ge, Yuval Yarom, and Gernot Heiser. No security without time protection: We need a new hardware-softwarecontract. InProceedings of the 9th Asia-Pacific Workshop on Systems, APSys ’18, New York, NY, USA, 2018. Associationfor Computing Machinery.
 Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard. Flush+flush: A fast and stealthy cache at-tack. In Juan Caballero, Urko Zurutuza, and Ricardo J. Rodríguez, editors,Detection of Intrusions and Malware, andVulnerability Assessment, pages 279–299, Cham, 2016. Springer International Publishing.
 J. Kong, O. Aciicmez, J. Seifert, and H. Zhou. Architecting against software cache-based side-channel attacks.IEEETransactions on Computers, 62(7):1276–1288, 2013.
 Yangdi Lyu and Prabhat Mishra. A survey of side-channel attacks on caches and countermeasures.Journal of Hard-ware and Systems Security, 2, 03 2018.
 Sparsh Mittal. A survey of techniques for cache locking.ACM Trans. Des. Autom. Electron. Syst., 21(3), May 2016.
 Maria Mushtaq, Muhammad Asim Mukhtar, Vianney Lapotre, Muhammad Khurram Bhatti, and Guy Gogniat. Winteris here! a decade of cache-based side-channel attacks, detection & mitigation for rsa.Information Systems, 92:101524,2020.
 Zhenghong Wang and Ruby B. Lee. New cache designs for thwarting software cache-based side channel attacks.SIGARCH Comput. Archit. News, 35(2):494–505, June 2007.
 Mario Werner, Thomas Unterluggauer, Lukas Giner, Michael Schwarz, Daniel Gruss, and Stefan Mangard. Scatter-cache: Thwarting cache attacks via cache set randomization. In28th USENIX Security Symposium (USENIX Security19), pages 675–692, 2019.
 Meng Wu, Shengjian Guo, Patrick Schaumont, and Chao Wang. Eliminating timing side-channel leaks using programrepair. InProceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA2018, page 15–26, New York, NY, USA, 2018. Association for Computing Machinery.
 Yuval Yarom, Daniel Genkin, and Nadia Heninger. Cachebleed: A timing attack on openssl constant time rsa. InJournal of Cryptographic Engineering, volume 9813, pages 346–367, 08 2016.