# On-line Instruction Flow Obfuscation: Formal Proof and Proposal for Implementation on CVA6

Common meeting CT SED and GT AFSEC

30/01/2025

Théo Serru theo.serru@univ-nantes.fr Jean-Luc Béchennec Loïg Jezequel

Mikaël Briday Sébastien Faucou







SEC-V

Side-channel attacks



| Countermeasures                                                                                                            |                                                                                                                                      |  |  |  |  |  |
|----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|--|
| Software                                                                                                                   | Hardware                                                                                                                             |  |  |  |  |  |
| <ul> <li>Detection and response</li> <li>Obfuscation</li> <li>Randomization</li> <li>Masking</li> <li>Splitting</li> </ul> | <ul> <li>Use of custom gates</li> <li>Minimization of metal artifacts</li> <li>Redundancy</li> <li>Detection and response</li> </ul> |  |  |  |  |  |



Side-channel attacks



| Countermeasures                                                                                                      |                                                                                                                                                  |  |  |  |  |  |  |
|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|--|--|
| Software                                                                                                             | Hardware                                                                                                                                         |  |  |  |  |  |  |
| <ul> <li>Provably secure</li> <li>Flexible by nature</li> <li>Widespread</li> <li>Incur a higher overhead</li> </ul> | <ul> <li>Less studied in the literature</li> <li>Lack of formal proof</li> <li>Lesser overhead</li> </ul> Needed for secure-by-design processors |  |  |  |  |  |  |



Implement on-line instruction reordering by modifying the pipeline of a CVA6<sup>1</sup> core running with RISC-V instruction set architecture



Main subsystems of the CVA6 core

<sup>1</sup> https://github.com/openhwgroup/cva6



Implement on-line instruction reordering by modifying the pipeline of a CVA6<sup>1</sup> core running with RISC-V instruction set architecture

| Inst  | Name                    | FMT | Opcode  | funct3 | funct7             | Description (C)       | Not  |
|-------|-------------------------|-----|---------|--------|--------------------|-----------------------|------|
| add   | ADD                     | R   | 0110011 | 0×0    | e                  | d = rs1 + rs2         |      |
| sub   | SUB                     | R   | 0110011 | 0×0    | add rd, rs1, rs2   | a – 131 132           |      |
| xor   | XOR                     | R   | 0110011 | 0×4    | e sub rd, rs1, rs2 | d = rs1 ^ rs2         |      |
| or    | OR                      | R   | 0110011 | 0×6    | xor rd, rs1, rs2   | d = rs1   rs2         |      |
| and   | AND                     | R   | 0110011 | 0x7    | Onco               |                       |      |
| sll   | Shift Left Logical      | R   | 0110011 | 0×1    | 0×00               | rd = rs1 << rs2       |      |
| srl   | Shift Right Logical     | R   | 0110011 | 0×5    | 0×00               | rd = rs1 >> rs2       |      |
| sra   | Shift Right Arith*      | R   | 0110011 | 0×5    | 0x20               | rd = rs1 >> rs2       | mst  |
| slt   | Set Less Than           | R   | 0110011 | 0x2    | 0×00               | rd = (rs1 < rs2)?1:0  |      |
| sltu  | Set Less Than (U)       | R   | 0110011 | 0x3    | 0x00               | rd = (rs1 < rs2)?1:0  | zero |
| addi  | ADD Immediate           | I   | 0010011 | 0×0    |                    | rd = rs1 + imm        |      |
| xori  | XOR Immediate           | I   | 0010011 | 0×4    |                    | rd = rs1 ^ imm        |      |
| ori   | OR Immediate            | I   | 0010011 | 0×6    |                    | rd = rs1   imm        |      |
| andi  | AND Immediate           | I   | 0010011 | 0×7    |                    | rd = rs1 & imm        |      |
| slli  | Shift Left Logical Imm  | I   | 0010011 | 0x1    | imm[5:11]=0x00     | rd = rs1 << imm[0:4]  |      |
| srli  | Shift Right Logical Imm | I   | 0010011 | 0×5    | imm[5:11]=0x00     | rd = rs1 >> imm[0:4]  |      |
| srai  | Shift Right Arith Imm   | I   | 0010011 | 0×5    | imm[5:11]=0x20     | rd = rs1 >> imm[0:4]  | mst  |
| slti  | Set Less Than Imm       | I   | 0010011 | 0x2    |                    | rd = (rs1 < imm)?1:0  |      |
| sltiu | Set Less Than Imm (U)   | I   | 0010011 | 0x3    |                    | rd = (rs1 < imm)?1:0  | zero |
| lb    | Load Byte               | I   | 0000011 | 0×0    |                    | rd = M[rs1+imm][0:7]  |      |
| lh    | Load Half               | I   | 0000011 | 0×1    |                    | rd = M[rs1+imm][0:15] |      |
| lw    | Load Word               | I   | 0000011 | 0x2    |                    | rd = M[rs1+imm][0:31] |      |
| lbu   | Load Byte (U)           | I   | 0000011 | 0×4    |                    | rd = M[rs1+imm][0:7]  | zero |
| 1hu   | Load Half (II)          | Т   | 0000011 | 0×5    |                    | rd = M[rs1+imm][0.15] | zero |

Extract of the RISC-V ISA

| Register | ABI Name | Description           | Saver  |
|----------|----------|-----------------------|--------|
| x0       | zero     | Zero constant         | —      |
| x1       | ra       | Return address        | Caller |
| x2       | sp       | Stack pointer         | —      |
| х3       | gp       | Global pointer        | —      |
| x4       | tp       | Thread pointer        | Callee |
| x5       | t0-t2    | Temporaries           | Caller |
| x8       | s0 / fp  | Saved / frame pointer | Callee |
| x9       | s1       | Saved register        | Callee |
| x10-x11  | a0-a1    | Fn args/return values | Caller |
| x12-x17  | a2-a7    | Fn args               | Caller |
| x18-x27  | s2-s11   | Saved registers       | Callee |
| x28-x31  | t3-t6    | Temporaries           | Caller |
| f0-7     | ft0-7    | FP temporaries        | Caller |
| f8-9     | fs0-1    | FP saved registers    | Callee |
| f10-11   | fa0-1    | FP args/return values | Caller |
| f12-17   | fa2-7    | FP args               | Caller |
| f18-27   | fs2-11   | FP saved registers    | Callee |
| f28-31   | ft8-11   | FP temporaries        | Caller |

**RISC-V** registers

+ Program counter (pc) that points to the instruction to be executed next



<sup>1</sup> https://github.com/openhwgroup/cva6

Théo Serru et al. – Online obfuscation of instruction flow: formal proof and implementation on CVA6 – 30/01/2025

6

Focus  $\rightarrow$  new hardware, formally proven countermeasure against SC attacks, based on code obfuscation (i.e. instruction reordering)

#### Contributions

- 1. Rules for reordering independent instructions
- 2. Formal proof of correctness and implementation guidelines
- 3. Achitecture modifications that enables reordering

4. Evaluation of diversity



## 1.

## **Reordering independent instructions**

Proof of correctness 000000

Architecture model 00000000

Architecture proposal 000

Evaluation of diversity

#### **Reordering instructions**

Based on previous works [1, 2], we choose to reorder independent instructions



We can swap two consecutive instructions *i* and *i*' if :

- *i* and *i*' are **data** and **control independent**
- *i*' is **not a load or store** (for peripheral management)
- *i* is **not a return**

[1]: Couroussé, Damien, et al. "Runtime Code Polymorphism as a Protection Against Side Channel Attacks." In Information Security Theory and Practice, 2016. [2]: Belleville, Nicolas. "Compilation Pour l'application de Contre-Mesures Contre Les Attaques Par Canal Auxiliaire." These de doctorat, 2019.



| Reordering instructions             | Proof of correctness | Architecture model | Architecture proposal | Evaluation of diversity |
|-------------------------------------|----------------------|--------------------|-----------------------|-------------------------|
| $\bullet \bullet \circ \circ \circ$ | 000000               | 00000000           | 000                   | 0                       |

### **Incoming proof**

Reordering independent instructions does not change the program behavior, i.e. executing a program P and P<sub>reordered</sub> leads to the same program state.



| Reordering instructions | Proof of correctness | Architecture model | Architecture proposal | Evaluation of diversity |
|-------------------------|----------------------|--------------------|-----------------------|-------------------------|
|                         | 000000               | 00000000           | 000                   | 0                       |
|                         |                      |                    |                       |                         |

#### **Definitions**

The state s of a program P is a cuple  $(p, \sigma)$  where  $p \in \{1, \dots, |P|\}$  and  $\sigma$  is a valuation of all registers.

In P a step allows to pass from a state s to a state s' by executing an instruction (e.g. i), it is written  $s \stackrel{i}{\rightarrow}_{p} s'$ A sequence of steps is called an **execution**:  $s_0 \xrightarrow{i_0}_P s_1 \xrightarrow{i_1}_P s_2 \xrightarrow{i_2}_P \cdots$ 

#### **Instructions** *i*=(*o*, *in*, *out*) are classified into three distinct sets:

- Affectation( $\mathcal{A}$ ):  $pc \notin in$  and  $pc \notin out$   $\rightarrow$  Arithmetic operations
- Branch( $\mathcal{B}$ ):  $pc \notin in$  and  $out \in \{pc\}$   $\rightarrow$  Branching instructions
- Call (C):  $pc \in in$  and  $pc \in out$

- → Jump instructions

Executing an instruction changes the value of *out* as such:

• if  $v \in out$  then  $\sigma'(v) = f(\{\sigma(v^*) | v^* \in in\})$ , with  $v \in Reg \cup pc$ 



Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $_{\bigcirc}$ 

### **Definitions**

We define the set of all executions of a program as a Control-Flow Tree, i.e. an unfolding of the control-flow graph.



Example of a Function from AES Code, and its Associated Control-Flow Tree

 $T = (n_0, N, A, \ell)$ 

 $(n_0, N, A)$  is a directed tree and

 $\ell:n_o\to Inst$  is a labelling of the nodes

An execution is the labeling of a path:  $\pi = (n_0, n_1)(n_1, n_2) \dots (n_{k-1}, n_k)$ 

that is, the sequence:

 $\ell(\pi) = \ell(n_0)\ell(n_1)\ldots\ell(n_k)$ 

lw a1,4(a0) addi sp,sp,-16 sw s0,8(sp) sw ra,12(sp) addi a5,gp,168 mv s0,a0 beq a1,a5,12108 jal 12ff0

e.g.





Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $_{\bigcirc}$ 

#### **Reordering Instructions**



A one to one correspondence can be expressed between executions in T and T', i.e.

if  $\pi = \rho_{pre}(n, n')(n', p_1)\rho_{post}$  and  $\pi' = \rho_{pre}(n', n_{p_1})(n_{p_1}, p_1)\rho_{post}$ , then  $\ell(\pi)$  and  $\ell(\pi')$  are matching executions.



## **Proof of Correctness**

2.

Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $\bigcirc$ 

### Reordering $(\mathcal{A})$ and $(\mathcal{C})$ independent instructions

**Data independence** Two instructions  $i_A = (o_A, in_A, out_A)$  and  $i_B =$ add x1, x2, x2  $(o_B, in_B, out_B)$  are data-independent if: sub x3, x4, x4  $[in_A \cap out_B] \cup [out_A \cap in_B] \cup [out_A \cap out_B] = \emptyset$  $\pi'$  $\pi$ If  $\rho_{\text{pre}}$  $\rho_{\text{pre}}$ • T is a control-flow tree • T' is the matching tree with respect to (n,n')n' n •  $\ell(n), \ell(n') \in \mathcal{A} \cup \mathcal{C}$  are data-independent n' n **Theorem 1.**  $\ell'(\pi')$  the matching execution of  $\ell(\pi)$  is possible from  $s_0$ , and reaches  $s' = (p', \sigma')$  from  $s_0$ , with  $\sigma' = \sigma$ .  $\rho_{\text{post}}$  $\rho_{\text{post}}$ 



Proof of correctness ••0000

Architecture model 00000000

Architecture proposal 000

Evaluation of diversity

### **Reordering** $(\mathcal{A})$ and $(\mathcal{C})$ independent instructions

Reg

x0

x1

x2

х3

x4

x5

x6

х7

x8

x9

 $\ell(n) = \text{add x1, x2, x2}$  $\ell(n') = sub x3, x4, x4$ 



- 1. Execute  $\ell(n)$  from  $s_{pre}$
- 2. Execute  $\ell(n')$  from  $s_n$

- 1. Execute  $\ell(n')$  from  $s_{pre}$
- 2. Execute  $\ell(n)$  from  $s_{n'}$

| Val   |                                    | Reg | Val   |
|-------|------------------------------------|-----|-------|
| x0    |                                    | x0  | x0    |
| x2+x2 |                                    | x1  | x2+x2 |
| x2    |                                    | x2  | x2    |
| x4-x4 | $\sigma_{nn'} \equiv \sigma_{n'n}$ | х3  | x4-x4 |
| x4    |                                    | x4  | x4    |
| x5    |                                    | x5  | x5    |
| x6    |                                    | x6  | x6    |
| х7    |                                    | x7  | x7    |
| x8    |                                    | x8  | x8    |
| x9    |                                    | x9  | x9    |
|       |                                    |     |       |



Proof of correctness  $\bullet \bullet \bullet \circ \circ \circ$ 

Architecture model 00000000

Architecture proposal 000

Evaluation of diversity

### **Reordering** $(\mathcal{A})$ and $(\mathcal{C})$ dependent instructions

Reg

x0

x1

x2

х3

x4

x5

x6

х7

x8

x9

 $\ell(n) = \text{add x3, x2, x2}$  $\ell(n') = sub x3, x4, x4$ 



- 1. Execute  $\ell(n)$  from  $s_{pre}$
- 2. Execute  $\ell(n')$  from  $s_n$

- 1. Execute  $\ell(n')$  from  $s_{pre}$
- 2. Execute  $\ell(n)$  from  $s_{n'}$

Val

x0

x1

x2

x4

x5

x6

х7

x8

x9

x2+x2

| Val   |                                  | Reg |
|-------|----------------------------------|-----|
| x0    |                                  | x0  |
| x1    |                                  | x1  |
| x2    |                                  | x2  |
| x4-x4 | $\sigma_{nn'} \neq \sigma_{n'n}$ | х3  |
| x4    |                                  | x4  |
| x5    |                                  | x5  |
| x6    |                                  | x6  |
| х7    |                                  | x7  |
| x8    |                                  | x8  |
| x9    |                                  | x9  |
|       |                                  |     |



Architecture proposal

Evaluation of diversity

### Reordering $(\mathcal{A})$ and $(\mathcal{C})$ independent instructions

**Proof** Let  $\pi$  be a maximal path of T and let  $s_0$  be a state such that  $\ell(\pi)$  is possible from  $s_0$ . Let  $\pi'$  be the matching path of  $\pi$  in T' with respect to (n,n').

- 1. (n, n') is not part of  $\pi$ . In this case  $\pi' = \pi$ , and  $\ell'(\pi') = \ell(\pi)$ .
- 2. (n, n') is part of  $\pi$ . In this case,  $\ell(\pi) = \rho_{pre}\ell(n)\ell(n')\rho_{post}$  exists and  $\ell'(\pi') = \rho_{pre}\ell(n')\ell(n)\rho_{post}$ . Then, given  $s_{pre} \stackrel{\ell(n)}{\to}_P s_n \stackrel{\ell(n')}{\to}_P s_{nn'}$  and  $s_{pre} \stackrel{\ell(n')}{\to}_P s'_n \stackrel{\ell(n)}{\to}_P s_{n'n}$ , we must prove that  $\sigma_{nn'} = \sigma_{n'n}$ .
  - (a)  $\ell(n')\ell(n)$  is possible from  $s_{pre}$
  - (b)  $\sigma_{nn'} = \sigma_{n'n}$  (previous slides)

From points (1) and (2) we get that Theorem 1 is correct.

By induction, Corollary 1 is a consequence of Theorem 1. → Theorem 1 is valid when reordering k independent instructions



Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity

### Reordering $(\mathcal{B})$ Independent Instructions

**Control independence** Two instructions  $i_A$  and  $i_B$  are control-independent if  $s \xrightarrow{i_A} p s'$  (with  $s' = (p', \sigma')$ ) and for every initial states  $s_0$ :

 $P(p') = i_B \oplus P(p') \neq i_B$ 

If

- T is a control-flow tree
- T' is the matching tree with respect to (n,n')
- $\ell(n) \in \mathcal{A} \cup \mathcal{C}, \ \ell(n') \in \mathcal{B}$  are data and control-independent

**Theorem 2.**  $\ell'(\pi')$  the matching execution of  $\ell(\pi)$  is possible from  $s_0$ , and reaches  $s' = (p', \sigma')$  from  $s_0$ , with  $\sigma' = \sigma$ .





19

 Reordering instructions
 Proof of correctness
 Architecture model
 Architecture proposal
 Evaluation of diversity

 ••••••
 ••••••
 ••••••
 •••••
 •••••
 •••••
 •••••

### Reordering $(\mathcal{B})$ Independent Instructions

The only difference in the proof is we must show that branching evaluation will be the same, i.e. that instruction n doesn't change  $in_{n'}$ 

 $\ell(n) = \text{ add x1, x2, x2}$  $\ell(n') = \text{beq x3, x4, 80050}$ 

As  $\ell(n)$  and  $\ell(n')$  are data-independent,  $in_{n'}$  is disjoint from  $out_n$ , meaning that  $\forall v \in in_{n'}, \sigma_{pre}(v) = \sigma_n(v)$ .

Then, Theorem 2 is valid and Corollary 2 allows to reorder multiple independent  $\mathcal{A}$  and  $\mathcal{C}$  instructions over a branching.



### <u>3.</u>

### Architecture model for on-line obfuscation

 $\rightarrow$  Simple case

Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $\odot$ 

### Architecture model for on-line obfuscation

Inspired by the work of Couroussé et al. [1], we employ a random insertion FIFO to reorder instructions.



Use our rules to identify insertion slots
 Insert randomly among possible slots





Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $\bigcirc$ 

### Architecture model for on-line obfuscation

If we reorder only(A) instructions, the behavior of the processor follows Theorem 1.

**Theorem 3** Given a control flow tree T of a program P, we denote  $\pi$  a path of T such that  $\ell(\pi)$  exists from  $s_0$ . Executing P from  $s_0$  with our processor, and reordering only  $\mathcal{A}$  instructions leads to a sequence  $\ell'(\pi')$  that exists in T' and matches  $\ell(\pi)$ .

The processor follows Theorem 1

**Proof** If an instruction from  $\mathcal{A}$  is fetched and reordered in the FIFO the processor may reorder an instruction in  $\pi$  with m independent and consecutive instructions.

- If m = 1, we reorder two instructions  $\ell(n)$  and  $\ell(n')$ . According to Theorem 1, the matching execution  $\ell'(\pi')$  reaches the same state.
- If m > 1, Corollary 1 states that the execution  $\ell_k(\pi_k)$  resulting from several reordering matches  $\ell(\pi)$ .

In both cases, the semantic is preserved.



### <u>3.</u>

### Architecture model for on-line obfuscation

- $\rightarrow$  Simple case
- $\rightarrow$  Less simple case

 Reordering instructions
 Proof of correctness
 Architecture model
 Architecture proposal
 Evaluation of diversity

 ••••••
 ••••••
 ••••••
 ••••••
 ••••••
 ••••••

#### Architecture model for on-line obfuscation

#### Modern processors use branch prediction



Théo Serru et al. – Online obfuscation of instruction flow: formal proof and implementation on CVA6 – 30/01/2025

25

SEC-V

Laboratoire des Sciences

du Numérique de Nantes

Reordering instructionsProof of correctnessArchitecture modelArchitecture proposal••••••••••••••••••••••••••••

Evaluation of diversity

#### Architecture model for on-line obfuscation

Branch prediction is a threat to reordering correctness.



We need to save reordered instructions in case of flush

26

Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity  $\bigcirc$ 

#### Architecture model for on-line obfuscation

New rule: save and label instructions that are reordered after a branch/jump

| Pipeline |  |    |                | ρ₀             |                                                     |
|----------|--|----|----------------|----------------|-----------------------------------------------------|
| Label    |  |    |                | none           |                                                     |
| Pipeline |  |    | ρ₀             | b <sub>1</sub> | <br>                                                |
| Label    |  |    | 1              | 1              | Insert/reorder b1 and actualize imbrication counter |
|          |  |    |                |                |                                                     |
| Pipeline |  | ρ₀ | ρ <sub>2</sub> | b1             | Insert/reorder $\rho_2$                             |
| Label    |  | 1  | none           | 1              |                                                     |
|          |  |    |                |                |                                                     |
| Pipeline |  |    | ρο             | ρ <sub>2</sub> | Commit b <sub>1</sub>                               |
| Label    |  |    | 0              | none           | Decrement counters                                  |
| Divelies |  |    |                |                |                                                     |
| Pipeline |  |    |                | ρ              | Bad prediction = flush if label $\neq 0$            |
| Label    |  |    |                | 0              |                                                     |



Théo Serru et al. – Online obfuscation of instruction flow: formal proof and implementation on CVA6 – 30/01/2025

27

| Reordering instructions<br>●●●●● |                | Proof       | Proof of correctness<br>●●●●●● |                | Architecture model<br>●●●●●●○○ |            | Architecture       | proposal      | Evaluation of diversity |
|----------------------------------|----------------|-------------|--------------------------------|----------------|--------------------------------|------------|--------------------|---------------|-------------------------|
| rchite                           | ectur          | e mo        | odel                           | for o          | on-line                        | e ob       | fuscat             | ion           |                         |
| ew rule: sav                     | ve and lat     | oel instrue | ctions tha                     | at are reor    | rdered after                   | r a branch | n/jump             |               |                         |
| Pipeline                         |                |             |                                |                | ρ₀                             |            |                    |               |                         |
| Label                            |                |             |                                |                | none                           |            |                    |               |                         |
| Pipeline                         |                |             |                                | ρ₀             | b <sub>1</sub>                 | Insert     | ∕reorder b₁a       | nd actualiz   | e imbrication counter   |
| Label                            |                |             |                                | 1              | 1                              |            | ,                  |               |                         |
| Pipeline                         |                |             | ρ₀                             | ρ <sub>2</sub> | b <sub>1</sub>                 | Incort     | (rearder e         |               |                         |
| Label                            |                |             | 1                              | none           | 1                              |            | /reorder $\rho_2$  |               |                         |
| Pipeline                         | ρ <sub>4</sub> | ρ₀          | ρ2                             | b₃             | b <sub>1</sub>                 | Insert     | /reorder b₃ ar     | nd actualize  | e imbrication counter   |
| Label                            | none           | 1           | 2                              | 2              | 1                              | Insert     | •                  |               |                         |
| Pipeline                         |                | ρ4          | ρ                              | ρ2             | b <sub>3</sub>                 | Comr       | nit b <sub>1</sub> |               |                         |
| Label                            |                | none        | 0                              | 1              | 1                              |            | ment counter       | S             |                         |
| Pipeline                         |                |             |                                |                | ρ₀                             | Bada       | radiation - fl     | uch if labol  | <i>→</i> 0              |
|                                  |                |             |                                |                | <b>P</b> 0                     | Бай р      | rediction = flu    | usii ii iabel | <i>+</i> 0              |

28

Théo Serru et al. – Online obfuscation of instruction flow: formal proof and implementation on CVA6 – 30/01/2025

0

Label

SEC·V

Laboratoire des Sciences

du Numérique de Nantes



#### Architecture model for on-line obfuscation

**Theorem 4** Executing P with our processor and reordering  $\ell(n)$  and  $\ell(n')$  leads to a sequence  $\ell'(\pi')$  that exists in T' and matches  $\ell(\pi)$ .

**FIFO** Insert n' and save n Explore the good branch H  $\pi'_{predicted}$  $\ell'(\pi'_{nredicted}) = \rho_{pre}\ell(n')\ell(n)\ell(i_2)\ell(i_3).$ 

**Control-flow tree** Reorder tree Original tree Explore the good branch n  $\pi$ **i**5  $\ell(\pi') = \rho_{pre}\ell(n')\ell(n)\ell(i_2)\ell(i_3).$ 

According to Theorem 2,  $\ell(\pi') \equiv \ell'(\pi'_{predicted}) \equiv \ell(\pi)$ 



Théo Serru et al. – Online obfuscation of instruction flow: formal proof and implementation on CVA6 – 30/01/2025



1. Case for good prediction



#### Architecture model for on-line obfuscation

**Theorem 4** Executing P with our processor and reordering  $\ell(n)$  and  $\ell(n')$  leads to a sequence  $\ell'(\pi')$  that exists in T' and matches  $\ell(\pi)$ .



According to Theorem 2,  $\ell(\pi') \equiv \ell(\pi_{flush\_and\_restore}) \equiv \ell(\pi)$ 



2. Case for misprediction

### 3.

### Architecture model for on-line obfuscation

The FIFO allows to reorder independent instructions and to follow Theorem 1 and 2

Note on exceptions and interruptions:

- 1) They save the context
- 2) Execute trap handling procedure
- 3) Restore the context
- $\rightarrow$  Control flow is not modified, the proof holds

### 4.

### A real architecture for on-line obfuscation

(On-going work)

Reordering instructionsProof of correctnessArchitecture modelArchitecture proposalEvaluation of diversity••••••••••••••••••••••••••••••••••••••

#### **Implementation proposal**

One idea is to add a stage in the CVA6 pipeline







One idea is to add a stage in the CVA6 pipeline



Hardware implementation of the FIFO with dependency management





#### **Implementation proposal**

Branch prediction with global counter is yet to come.



### 5.

### **Evaluation of diversity**

Proof of correctness

Architecture model

Architecture proposal

Evaluation of diversity

### **Evaluation of diversity**

Before the real implementation, we can write a script to have insight on the diversity obtained.





### Conclusion

### Conclusion

We proposed on-line code obfuscation to protect against side-channel attacks with:

- Formal proof of correctness
- Architecture model compliant with the proof
- Clues about a real implementation (on-going)
- Diversity measurements (on-going)

#### In the future:

- Implement architecture on a simulator
- Tests against side-channels (overhead vs security)
- Implement other obfuscation methods (noise injection, register reallocation, etc.)
- Tests against other attacks



### **Thanks for listening**



Common meeting CT SED and GT AFSEC

30/01/2025

**Théo Serru** theo.serru@univ-nantes.fr Jean-Luc Béchennec Loïg Jezequel

Mikaël Briday Sébastien Faucou





