ENS Information Security Group

Thibaut Heckmann

Currently, I am a PhD candidate at the Ecole normale supérieure de Paris (ENS), under the supervision of Prof. David Naccache. I am also a member of the ENS Information Security Group, part of the Computer Science department. I started my PhD in November 2015. I am also a full-time data extraction specialist at the French Ministry of the Interior (IRCGN Forensic Science Laboratory of the French Gendarmerie, IT Forensics Department).

Statistical methods applied to side channel attacks: theoretical part.

The security of the information contained in and manipulated by embedded systems is a major focus of well-known manufacturers worldwide, such as Apple, Samsung and Blackberry, to ensure the security of their customers' information.

An electronic circuit is comprised of logic gates whose state changes are functions of the transactions it performs. The flow of information between the various components that make up the circuit generates variations in its electromagnetic radiation and power consumption. It is known that the consumption and electromagnetic radiation caused by an operation can be modeled using the Hamming weight or the Hamming transition model.
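The two leakage models named above can be compared on data, as in this added example (not code from the original page or the author's work): a constructed 8-bit register is loaded with random values and its "consumption" is simulated under one model plus Gaussian noise; correlating both hypotheses with the samples shows which model explains the measurements. The register width, noise level and seed are assumptions.

```python
import random
from statistics import mean, pstdev

def hamming_weight(x: int) -> int:
    """Hamming weight model: leakage proportional to the number of set bits."""
    return bin(x).count("1")

def hamming_distance(prev: int, cur: int) -> int:
    """Hamming transition model: leakage proportional to the bits that flip."""
    return hamming_weight(prev ^ cur)

def pearson(xs, ys) -> float:
    """Pearson correlation between a leakage hypothesis and measured samples."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def simulate_register(n: int, model: str = "HD", noise: float = 1.0, seed: int = 1):
    """Constructed sample, not a real measurement: an 8-bit register is loaded
    with n random values; each load leaks under `model` plus Gaussian noise."""
    rng = random.Random(seed)
    prev, transitions, samples = 0, [], []
    for _ in range(n):
        cur = rng.randrange(256)
        leak = hamming_weight(cur) if model == "HW" else hamming_distance(prev, cur)
        transitions.append((prev, cur))
        samples.append(leak + rng.gauss(0.0, noise))
        prev = cur
    return transitions, samples

def fit_leakage_models(transitions, samples) -> dict:
    """Correlate both hypotheses with the samples; the hypothesis with the
    higher |correlation| is the model that better explains the component."""
    hw = [hamming_weight(cur) for _, cur in transitions]
    hd = [hamming_distance(prev, cur) for prev, cur in transitions]
    return {"HW": pearson(hw, samples), "HD": pearson(hd, samples)}

if __name__ == "__main__":
    for truth in ("HW", "HD"):
        fit = fit_leakage_models(*simulate_register(2000, model=truth))
        print("simulated under", truth, "->", {k: round(v, 3) for k, v in fit.items()})
```

With independent random loads the two hypotheses are uncorrelated with each other, so the wrong model scores near zero while the right one scores about 0.8 at this noise level.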

Detailed analysis of these hidden channels can enable reverse engineering of the code and of the data it manipulates. Such reverse engineering is the goal of this thesis. From a forensic point of view, in many sensitive cases handled by the IRCGN (murders, drug trafficking, terrorism, etc.), the security of embedded systems must be bypassed to extract data that constitute evidence for the criminal court. We therefore propose to implement various attacks that use statistical methods on the signals emitted by a component to infer its contents.

I propose to analyze the statistical methods that may be used during physical attacks on electronic components. As a theoretical physicist, I work at the interface of physics and computer security and bring a statistical-physics approach to securing embedded systems against physical attacks.

Statistical methods applied to side channel attacks: practical part.

To assess the robustness of a memory component, I will reverse engineer memory components using an FPGA. The FPGA will also be used to synchronize all of our signals when recovering data in our attacks. We configure the FPGA for real-time control signals (at high frequencies) to analyze and model the exchanges between the CPU, its memory and other memory components. The search for the phase in which security information (such as passwords) is transferred will be characterized.

We will then endeavor to implement algorithms coupling on-the-fly capture and interpretation of the data with simultaneous comparison against reference data from the target. We will analyze the real-time queries to characterize and model the information flow of the analyzed systems.

Current memory components are made up of millions of transistors and interconnects to the other elements of the circuit. These circuits and connections therefore generate electromagnetic emissions, a property that has been used to carry out attacks on security components. The electromagnetic channel attack can be used when an attacker cannot gain access to a measurement of current consumption.

Electromagnetic emissions are often considered to give very precise information on the data being processed. Recording them requires characterizing the component and positioning the electromagnetic sensors strategically; practical ways of doing so will be characterized in this thesis.

Once the signal is acquired, a deconvolution function will be applied to it to isolate the observed phenomenon. Such processing will require tuning adaptive algorithms (Tikhonov or Lucy-Richardson). The objective is to characterize and model the degree of disorganization (lack of information) of a system from a global signal, regardless of the memory. In real time, I want to observe the data exchanged over the invisible channels. The goal will be to map these global exchanges and to experimentally isolate each data item in post-processing, using entropy estimation at different points. I will apply the techniques developed to two practical platforms: a mobile phone (Blackberry) and a protected FPGA (the aim there being to extract the bitstream).
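To illustrate the deconvolution step, here is an added example (not from the original page or the author's work) of one-dimensional Lucy-Richardson deconvolution on a constructed signal: two narrow events blurred by a known 5-tap smoothing kernel are sharpened back by the iteration. The kernel, the signal and the iteration count are assumptions chosen for the illustration.

```python
def convolve_same(signal, kernel):
    """Same-length convolution with zero padding outside the signal.
    `kernel` has odd length and is centred on its middle sample."""
    half = len(kernel) // 2
    out = []
    for i in range(len(signal)):
        acc = 0.0
        for j, k in enumerate(kernel):
            idx = i - j + half          # true convolution (kernel flipped)
            if 0 <= idx < len(signal):
                acc += signal[idx] * k
        out.append(acc)
    return out

def richardson_lucy(observed, psf, iterations=200, floor=1e-12):
    """Lucy-Richardson iteration:
       estimate <- estimate * (psf_flipped (*) (observed / (psf (*) estimate)))
    Starts from the blurred data itself; `floor` avoids division by zero."""
    psf_flipped = psf[::-1]
    estimate = [max(v, floor) for v in observed]
    for _ in range(iterations):
        reblurred = convolve_same(estimate, psf)
        ratio = [o / max(b, floor) for o, b in zip(observed, reblurred)]
        correction = convolve_same(ratio, psf_flipped)
        estimate = [e * c for e, c in zip(estimate, correction)]
    return estimate

def constructed_example():
    """Constructed sample: a spike of height 5 at sample 10 and one of height 3
    at sample 25, blurred by a normalised smoothing kernel (assumed PSF)."""
    psf = [0.05, 0.25, 0.40, 0.25, 0.05]   # sums to 1, so total energy is conserved
    truth = [0.0] * 40
    truth[10], truth[25] = 5.0, 3.0
    observed = convolve_same(truth, psf)
    return truth, observed, richardson_lucy(observed, psf)

if __name__ == "__main__":
    truth, observed, estimate = constructed_example()
    for i in (9, 10, 11, 24, 25, 26):
        print(i, round(observed[i], 3), "->", round(estimate[i], 3))
```

The peaks grow back toward their true heights while the total energy of the signal stays constant; on real, noisy traces the iteration count must be limited (or Tikhonov-style regularization used), since late iterations amplify noise.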

Countermeasures against reverse engineering.

I will develop new defenses to counter reverse engineering attempts. In particular, we will study the applicability of the OISC (One Instruction Set Computer) architecture as a protection against reverse engineering. The OISC architecture, typically represented by the subleq4 language, for example, is a microprocessor with only one instruction. Code compiled and optimized for such a microprocessor is difficult to understand and has a very regular power consumption signature, due to the simple structure of the microprocessor. I will study the various OISC options, implement them on an FPGA and test the attacks on them.
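As an added illustration (not code from the original page or the author's project) of the one-instruction machine referred to above, here is a minimal subleq interpreter and a constructed three-instruction program that adds two numbers; every executed step performs the same subtract-and-branch, which is what gives such code its regular structure. The memory layout, the halt convention and the program are assumptions.

```python
HALT = -1   # assumption: a negative branch target halts the machine

def subleq_step(mem, pc):
    """Execute the single instruction at pc: mem[b] -= mem[a]; branch to c if the
    result is <= 0, else fall through. Returns the next pc. Every instruction
    performs exactly the same sequence of memory operations."""
    a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
    mem[b] -= mem[a]
    return c if mem[b] <= 0 else pc + 3

def run(mem, pc=0, max_steps=1000):
    """Run until the pc goes negative (halt) or max_steps is reached.
    Returns the final memory and the list of executed instruction addresses."""
    executed = []
    while pc >= 0 and len(executed) < max_steps:
        executed.append(pc)
        pc = subleq_step(mem, pc)
    return mem, executed

def add_program(x, y):
    """Constructed program computing B += A with a scratch cell Z that is 0.
    Layout: code at addresses 0..8, A at 9, B at 10, Z at 11."""
    A, B, Z = 9, 10, 11
    return [A, Z, 3,       # Z -= A : Z = -A; whether it branches or falls through, next pc is 3
            Z, B, 6,       # B -= Z : B = B + A; either path leads to 6
            Z, Z, HALT,    # Z -= Z : Z = 0 <= 0, so branch to HALT
            x, y, 0]       # A, B, Z

def add(x, y):
    """Run the program and return the value left in B."""
    mem, _ = run(add_program(x, y))
    return mem[10]

if __name__ == "__main__":
    mem, executed = run(add_program(3, 4))
    print("B =", mem[10], "executed pcs:", executed)
```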


© 2025 ENS Information Security Group