Share

Cogito, for more secure embedded software

Cogito is a compilation chain that automatically deploys countermeasures against side channel and fault injection attacks to enhance the security of software and data embedded in electronic systems.

Use

Deploying software countermeasures in embedded systems

Electronic systems like smart cards, IoT devices, and smartphones have embedded software that collects, stores, and processes sensitive data. The kind of software found in embedded systems is particularly vulnerable to side channel and fault injection attacks—two kinds of hardware attack.

Side channel attacks look at the physical behavior of a system, observing things like power consumption at runtime. Fault injection attacks, as the name suggests, introduce glitches into a system in order to change the behavior of the clock or power supply, for instance. The end goal of both of these attacks is to disrupt normal execution of the embedded software to extract secret keys or bypass security mechanisms.

Cogito automatically integrates countermeasures into potentially vulnerable software during the compilation phase, shielding embedded systems against these hardware attacks. Securing software at compile time offers several advantages, including:

  • Shorter countermeasure-related development cycles.
  • A more cost-effective and reliable process to support standard and widespread deployment.

Cogito offers a broad and varied range of countermeasures. These include CEA-List software bricks built on techniques patented by the institute. One example is code polymorphism, which intentionally causes software behavior to vary without changing the software’s functional properties, dramatically reducing the effectiveness of attacks.

Cogito uses the LLVM compiler infrastructure.

Cogito is the fruit of research carried out under several collaborative projects funded by the French government and the EU. These include the ANR (French national research agency) Cogito project, which ran from 2013 to 2017.

Strengths

Low-resource and portable

Cogito’s main advantages:

  • A low-cost, low-resource solution with limited impact on performance, making it ideal for constrained embedded environments.
  • Can be ported on a range of IoT, mobile, and server components.
  • A great addition to the usual security techniques.
  • Backed by CEA-List, a leader in cybersecurity, and its ecosystem.

Electromagnetic radiation measurement bench observed with a probe and an oscilloscope. Cogito can help protect this potential channel of attack.

Applications

  • IoT
  • Objets connectés basse consommation
  • Automobile
  • Industrie
  • Mobiles

Publications

Runtime Code Polymorphism as a Protection against Side Channel Attacks, D. Couroussé, T. Barry, B. Robisson, P. Jaillon, O. Potin, and J.-L. Lanet, in 10th IFIP International Conference on Information Security Theory and Practice (WISTP), 2016.

Compilation of a Countermeasure against Instruction-Skip Fault Attacks, T. Barry, D. Couroussé, and B. Robisson, in Proceedings of the Third Workshop on Cryptography and Security in Computing Systems (CS2), 2016.

Automated Software Protection for the Masses against Side-Channel Attacks, N. Belleville, D. Couroussé, K. Heydemann, and H.-P. Charles, ACM Transactions on Architecture and Code Optimization (TACO), vol. 15, no. 4, 2019.

Maskara: Compilation of a Masking Countermeasure with Optimised Polynomial Interpolation, N. Belleville, D. Couroussé, K. Heydemann, Q. Meunier, and I. Ben El Ouahma. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 2020.

PROSECCO: Formally-Proven Secure Compiled Code, N. Belleville, D. Couroussé, E. Encrenaz, K. Heydeman and Q. Meunier, in C&ESAR, 2021.

Code Polymorphism Meets Code Encryption: Confidentiality and Side-Channel Protection of Software Components, L. Morel, D. Couroussé, and T. Hiscock ACM Digital Threats: Research and Practice (DTRAP), 2021.

SCI-FI – Control Signal, Code, and Control Flow Integrity against Fault Injection Attacks, T. Chamelot, D. Couroussé, and K. Heydeman. Design, Automation & Test in Europe Conference (DATE), 2022.

See also

Focus areas

Cybersecurity: toward safety and privacy by design

Cybersecurity is at the heart of digital sovereignty, and an essential constituent of modern societies. As a crucial element for peace and security in cyberspace, it is an invisible but key enabler fo...
Read more