Anti-fault programmming tips

[r3dlight]

When programming to protect against fault-injections (E.g: glitching, voltage spikes, lasers), it is common to introduce multiple checks, which unfortunately can be removed by the compiler for obvious optimization reasons.

When the compiler sees two consecutive tests that are exactly identical and have no observable side effects, it applies an optimization known as common subexpression elimination (CSE): the second reading of the same value is removed and the second if statement becomes a simple conditional jump that will never be executed separately.

In a fault injection context, we want each test to be actually executed; otherwise, the attacker could corrupt the first read and the program would still pass the check.

To prevent this kind behavior, an observable side effect must be introduced between the two readings, or the compiler must be explicitly told that the read value can change “externally.” Here are the most common techniques in Rust that should addressed :

• Read the data using volatile access ( https://doc.rust-lang.org/std/ptr/fn.read_volatile.html) (unsafe of course)
• Use Atomics with strict ordering SeqCst (https://doc.rust-lang.org/std/sync/atomic/enum.Ordering.html)
• ASM inline (can be architecture dependent)

EDIT: Blackboxes removed as discussed below.

[polazarus]

Very interesting point!

My expertise is more on memory wipe than fault injection detection but from my understanding it's very similar.

First, LLVM has been shown to optimize away some volatile access (at least for Dead Store Elimination).

For the black_box, do you have any reference, except for the warning in the doc?

From my experience, ASM inline is not necessarily architecture dependent (except for the actual support of ASM inline on the platform). From my understanding, in most case, it can be limited to a more specialized memory barrier, and a classic write (for memory secure erase) or read (for the fault injection detection).

[r3dlight]

@polazarus : Thanks for your reply. What do you mean by "ASM inline is not necessarily architecture dependent (except for the actual support of ASM inline on the platform)" ?

[bjorn3]

black_box is internally implemented as an empty asm block (but this is not guaranteed. the only way that is guaranteed to not get optimized away in all future rustc versions is implementing your entire program inside a single asm!() block). asm!("") is not portable across architectures as rustc only allows asm!() on stable for a handful of architectures. black_box works on all architectures as it gets lowered to an empty asm block during codegen, long after the asm!() stability check.

[polazarus]

@polazarus : Thanks for your reply. What do you mean by "ASM inline is not necessarily architecture dependent (except for the actual support of ASM inline on the platform)" ?

Like @bjorn3 says for black_box, the memory barrier is an empty asm!, there is no need for architecture specific assembly.

[PThierry]

there is something i don't understand. memory barriers are not only something that need to be considered by the compiler when reordering asm, but also by the host ALU when considering out of order execution or hardware manipulation (e.g. when initializing a clock line or interacting with an hardware IP). this is a requirement so that any border effect associated to the way the potential (hardware) reordering due to the pipeline and the caches are interacting do not endenger the proper hardware behavior (software is nothing more than a way to ask the hardware to do something,...). barriers are not a compile time only problem, optimisation is also something done at hardware level against which software may requires limitations.
Moreover, there are multiple memory barriers (data, instruction, sync barriers) which respond to various needs

[PThierry]

About fault injection response from toolchains, what can be considered is the security enhancements that have been added to the GCC core (used by Gnat) by AdaCore, in gcc-14+ (https://blog.adacore.com/adacore-enhances-gcc-security-with-innovative-features).
These features does work for both C & Ada/Spark, meaning that they should also be usable with the Adacore's GnatPro for Rust (https://www.adacore.com/gnatpro-rust). This should be verified, yet, for the arches that are officially supported by this toolchain, the anti-fault is maybe a supported feature.
Nonetheless, some of the hardening flags added by Adacore are highly impacting in term of SWAP.

[r3dlight]

Hum, I'm not sure these enhancements are included in gnatpro-rust. It should be verified.
I'm also thinking about LLVM sanitizers like -Zsanitizer=cfi but it seems to be unstable only.
https://dev-doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html