Pierre Guillemin

TEC-Tree: A Low-Cost, Parallelizable Tree for Efficient Defense Against Memory Replay Attacks

Replay attacks are often the most costly attacks to thwart when dealing with off-chip memory integrity. With a trusted System-on-Chip, the existing countermeasures against replay require a large amount of on-chip memory to provide tamper-proof storage for metadata such as hash values or nonces. Tree-based strategies can be deployed to reduce this unacceptable overhead; for example, the well-known Merkle tree technique decreases this overhead to a single hash value. However, it comes at the cost of performance-killing characteristics for embedded systems --- e.g. non-parallelizable hash computations on tree updates. In this paper, we propose an alternative solution: the Tamper-Evident Counter Tree (TEC-Tree). It allows for tamper-evident off-chip storage of the nonces involved in a replay countermeasure; TEC-Tree parallelizes the computations involved in both the authentication and tree update processes. Moreover, because our tree relies on block encryption, it provides data confidentiality at no extra cost. TEC-Tree is a deployable solution for memory integrity, with low performance hit and hardware cost.

A parallelized way to provide data encryption and integrity checking on a processor-memory bus

This paper describes a novel engine, called PE-ICE (parallelized encryption and integrity checking engine), enabling to guarantee confidentiality and integrity of data exchanged between a SoC (system on chip) and its external memory. The PE-ICE approach is based on an existing block-encryption algorithm to which the integrity checking capability is added. Simulation results show that the performance overhead of PE-ICE remains low (below 4%) compared to block-encryption-only systems (which provide data confidentiality only)

Hardware Engines for Bus Encryption: A Survey of Existing Techniques

The widening spectrum of applications and services provided by portable and embedded devices brings a new dimension of concerns in security. Most of those embedded systems (pay-TV, PDAs, mobile phones, etc.) make use of external memory. As a result, the main problem is that data and instructions are constantly exchanged between memory (RAM) and CPU in clear form on the bus. This memory may contain confidential data like commercial software or private contents, which either the end-user or the content provider is willing to protect. The paper describes the problem of processor-memory bus communications in this regard and the existing techniques applied to secure the communication channel through encryption. Performance overheads implied by those solutions are discussed extensively.

Universal motor control with fuzzy logic

Abstract Introduced in 1965, fuzzy logic now takes more and more importance in industrial, home appliance, and consumer applications such as camcorders, washing machines, vacuum cleaners, microwave ovens. In a wide range of applications, from complex (chemical process regulation, automotive features like anti blocking system) to very simple applications (temperature or voltage control), fuzzy logic concepts associated with fuzzy logic development tools bring beneficial advantages to system design. This paper describes the design of fuzzy logic motor control with a standard low-end microcontroller and a fuzzy logic development tool. The ‘ fuzzy TECH ST6 Explorer Edition‘ covers all the steps of a fuzzy logic design, from the initial concept definition, up to the generation of executable code for the SGS-THOMSON ST6 microcontroller. The necessary required characteristics of the motor, the way they are used with the development tool and the tool utilisation are described in this paper. The fuzzy membership functions sets and rules of the application are defined in a practical way.

SecBus: operating system controlled hierarchical page-based memory bus protection

This paper presents a new two-levels page-based memory bus protection scheme. A trusted Operating System drives a hardware cryptographic unit and manages security contexts for each protected memory page. The hardware unit is located between the internal system bus and the memory controller. It protects the integrity and confidentiality of selected memory pages. For better acceptability the processor (CPU) architecture and the software application level are unmodified. The impact of the security on cost and performance is optimized by several algorithmic and hardware techniques and by a differentiated handling of memory pages, depending on their characteristics.

Block-level added redundancy explicit authentication for parallelized encryption and integrity checking of processor-memory transactions

The bus between the System on Chip (SoC) and the external memory is one of the weakest points of computer systems: an adversary can easily probe this bus in order to read private data (data confidentiality concern) or to inject data (data integrity concern). The conventional way to protect data against such attacks and to ensure data confidentiality and integrity is to implement two dedicated engines: one performing data encryption and another data authentication. This approach, while secure, prevents parallelizability of the underlying computations. In this paper, we introduce the concept of Block-Level Added Redundancy Explicit Authentication (BL-AREA) and we describe a Parallelized Encryption and Integrity Checking Engine (PE-ICE) based on this concept. BL-AREA and PE-ICE have been designed to provide an effective solution to ensure both security services while allowing for full parallelization on processor read and write operations and optimizing the hardware resources. Compared to standard encryption which ensures only confidentiality, we show that PE-ICE additionally guarantees code and data integrity for less than 4% of run-time performance overhead.

PE-ICE: Parallelized Encryption and Integrity Checking Engine

This paper describes a novel engine, called PE-ICE (parallelized encryption and integrity checking engine), enabling to guarantee the confidentiality and the integrity of data exchanged between a SoC (system on chip) and its external memory by adding the integrity checking capability to a block encryption algorithm