Improving the security of processors against cyberattacks

Changed on 01/03/2024
The University of Rennes Inria Centre is taking part in the Arsene research project, which is part of the cybersecurity PEPR (Priority Research Programme and Equipment) initiative financed by the French government. The aim of the project is to build sovereign solutions that can be transferred to industry to improve the security of processor cores in embedded systems. The work will culminate in the creation of two demonstrators, one in a specially built ASIC (Application-Specific Integrated Circuit) and the other in an FPGA (Field-Programmable Gate Array). Concerning the latter, part of the work by the Rennes team aims to reduce the risks associated with Spectre, a vulnerability that exploits the speculative execution carried out by processors to optimise their performance, as Ronan Lashermes, a research engineer at the High-Security Laboratory, explains.
image processeur - cybersécurité - malware
© Damian / Pixabay


€65 million, 200 researchers, 26 academic establishments... The Cybersecurity PEPR was created as part of the France 2030. Led by the CEA, the CNRS and Inria, it includes 10 basics projects for industry and government organisations.

For this project, the scientists are using RISC-V. The scientist, Ronan Lashermes, at the High-Security Laboratory LHS[1] in Rennes, explains:


RISC-V is an instruction set for microprocessors, like x86 for PCs or ARM for telephones”, explains Ronan Lashermes. “However, unlike the other two, RISC-V is open and isn’t owned by a private company. Instead, it is supported by a foundation. This offers a real advantage in terms of strategic and geopolitical sovereignty for France. We all remember the tensions between the USA and China when President Trump blocked the exportation of technology based on the ARM instruction set. Chinese manufacturers were immediately stuck. As RISC-V cannot be subject to this type of embargo, it is a good alternative! 


Ronan Lashermes


Research engineer

Furthermore, RISC-V is supported not only by a large community of researchers, including Inria, but also leading companies such as Google and Intel in the USA and Thales, in France.

Fault injection attacks

The Arsene project[2] focuses on improving the security of two types of RISC-V processors. The first is a 32-bit processor. "This is the equivalent of a microcontroller, the kind of simple little processor you find in household appliances and smart objects. They are difficult to protect against physical attacks because the attacker can steal the object and then subject it to fault injection attacks. This means that the processor must be fault-tolerant, but we also need to prove that this protection works, which requires applying formal methods to the hardware." This part involves researchers from  Taran[3], a team from Rennes working on the optimisation and resilience of specialised microarchitectures. The work is coordinated by Simon Rokicki.

The scientists of the Taran team have also developed expertise in DBT (Dynamic Binary Translation), a technique that takes an external instruction set and converts it into one that is optimised for hardware accelerators. In the context of the project, the aim is to achieve a translation to an instruction set with specific security properties, which will allow certain critical operations to be executed several times to prevent error.

Spectre: a conceptual vulnerability

The second processor is a 64-bit application processor, like those used in desktops and mobile phones. It will be a demonstrator in an FPGA reprogrammable circuit.

Here, the researchers are specifically interested in Spectre, a conceptual vulnerability in modern processors. “These processors are in constant pursuit of speed. To improve their performance, they use a technique called speculative execution. When the processor has to make a choice that depends on a condition, it can take a long time to retrieve the information about this condition, such as knowing whether it is true or false, especially if it is waiting for the results of a particularly long division or data that is stored deep in the system’s memory. Instead of waiting for a very long time, the processor speculates by guessing the result of this branch and continuing its execution during a certain lapse of time, which can be fairly long, in the order of several hundred instructions. At the end, if its prediction was correct, it will have saved a lot of time. However, if it was wrong, it must go back and continue as though it had never executed all the instructions during the speculative execution.”

There is one problem, however: “when it goes back, the processor cannot erase all the traces left by the execution. This is where the Spectre vulnerability comes in: an attacker can attempt to use the information contained in these traces.” One way of mitigating this risk is to stop the speculative execution if it is likely to reveal traces of sensitive information.


La visualisation de l’état microarchitectural d’un processeur lors d’une attaque de type Spectre. L’exécution spéculative (grisée) laisse des traces permettant de faire fuir un secret.
© Inria / TARAN
Visualisation of the microarchitectural state of a processor during a Spectre-type attack. Speculative execution (in grey) leaves traces that can reveal confidential information.

Bringing developers into the loop

The scientists also want to include a key player in the security loop: the developer. “Currently, developers are faced with the problem of the ergonomics of their tools. For example, when they write code in C, the language has no way of telling them: ‘caution, this or that variable is secret and must be used in such-and-such a way’. We want to give developers the means to exercise greater control over what they do so that compilation can be managed in a better way. We would also like the compiler to be able to automatically infer that a piece of data is secret and generate instructions accordingly."  This part of the project will be carried out by Pacap [4] the second Rennes team involved in the work, composed of specialists in processor architecture and compilation.


Miniature podcast Ronan Lasherme
Titre du lecteur

Find out more about the ARSENE project with Ronan Lasherme (in French)

Fichier audio
Audio file

[1] The LHS is a joint laboratory between the Brittany region, the DGA, Inria, CentraleSupelec and the CNRS and is part of the Cyber Excellence Cluster (PEC).

[2] Led by the CEA (LCYL, LFIM, LSCO), the Arsene consortium involves some 80 scientists from around 20 institutions, including the CNRS (Lab-STICC, LIRMM, LHC)), Inria (LHS, Taran, Pacap), IMT Mines Saint-Étienne (SAS, SSH), Université Grenoble Alpes (LCIS, TIMA, Verimag), Jean Monnet University in Saint-Etienne, the University of Rennes, UBO, UBS,  Ensta Bretagne, TelecomParisTech, INP Grenoble and TelecomParisTech.  Arsene stands for Architecture SEcurisées pour le Numérique Embarqué (Secure Architecture for Embedded Digital Systems).

[3] Taran is a joint team between Inria, the University of Rennes and ENS Rennes, in collaboration with Irisa.

[4] Pacap is a joint team between Inria and the University of Rennes, in collaboration with Irisa.