A major trend in Artificial Intelligence is the deployment of Machine Learning models even for highly constrained platforms such as low power 32-bit microcontrollers. However, the security of embedded Machine Learning systems is one of the most important issues to this massive deployment, more particularly for deep neural network-based systems. The difficulty comes from a complex twofold attack surface. First of all, an impressive amount of works demonstrate algorithmic flaws targeting the model’s integrity (e.g., adversarial examples) or the confidentiality and privacy of data and models (e.g., membership inference, model inversion). However, few works take into consideration the specificities of embedded models (e.g. quantization, pruning). Second, physical attacks (side-channel and fault injection analysis) represent upcoming and highly critical threats. Today, these two types of threats are considered separately. For the first time, the PICTURE project proposes to jointly analyze the algorithmic and physical threats in order to develop protection schemes bridging these two worlds and to promote a set of good practices enabling the design, development and deployment of more robust models. PICTURE gathers CEA Tech (LETI) and Ecole des Mines de Saint-Etienne (MSE, Centre de Microélectronique de Provence) as academic partners and IDEMIA and STMicroelectronics as industrial partners that will bring real, complete and critical use cases more particularly focused on Facial Recognition. To achieve its objectives, the consortium of PICTURE will precisely describe the different threat models targeting the integrity and the confidentiality of software implementation of neural network models on hardware targets from 32-bit microcontrollers (Cortex-M), dual architecture with Cortex-M and Cortex-A platforms to GPU platforms dedicated to embedded systems. Then, PICTURE aims at demonstrating and analyzing – for the first time – complex attacks combining algorithmic and physical attacks. On one hand, for integrity-based threats (i.e. fooling the prediction of a model) by combining principle of adversarial examples attacks and fault injection approaches. On the other hand, by studying the impact of the exploitation of side-channel leakages (side-channel analysis), even fault injection analysis associated to theoretical approaches to reverse engineer a model (model inversion) or to extract training data (membership inference attack). The development of new protection schemes will be achieved by the analysis of the relevance of state-of-the-art countermeasures against physical attacks (such an analysis has never been achieved at this scale). PICTURE will propose protections that will take place at different position within the traditional Machine Learning pipeline and more particularly training-based approaches that enable more robust models. Finally, PICTURE will present new evaluation methods to promote PICTURE results to academic and industrial actors. PICTURE aims at facilitating a shift in the way to consider ML models by putting security at the core of the development and deployment strategy and anticipate as well as influence future certification strategies.

Although much works has been done on conservation treatments of archaeological collections, there are few studies available in two critical situations involving the pre- and post-treatment phases: Archaeological organic artefacts are generally found in a waterlogged state which must be maintained until treatment as they cannot support air drying. One of the topics of this project deals with developing strategies that permit storage of organic archaeological finds for long durations (several months) in the waterlogged state i.e. under pre-treatment conditions without compromising the scientific evidence they contain. Several methods of controlling storage conditions will be tested on real archaeological wooden and leather samples. Specific monitoring protocols for these wet artefacts will be adapted. The experimentations will be carried out by samples analysis of the organic materials before and after their storage period. Experiments are foreseen in a true archaeological excavation context (Biskupin site in Poland). The second topic aims at setting up efficient and practical methods to assess the short/long-term degradation of archaeological organic artefacts, i.e. to assess their post-treatment conditions. Knowledge of the impact of environmental conditions and of conservation treatments will allow earlier identification of potential degradation, which in turn offers better protection of the objects and more cost-effective mitigation measures. The main objective is to establish an assessment protocol on treated and untreated archaeological materials, artificially or natural aged. These practical assessment well suited for musems and storage centers, will be validated by advanced analytical techniques to observe the reality of the degradation. This project further intends to reinforce interdisciplinary approaches among archaeologists, conservators and conservation scientists in order to improve the sustainability of protection practices (sustainable protection and enhancement of values). The expected results will involve field practices both for the stabilization of waterlogged artefacts for excavation/archaeometry situations and for degradation assessments in museums or storage centers.

The growing complexity of embedded system comes with a strong corollary: security level has to similarly increase since new and powerful attacks take advantage of any flaws, ignoring no longer pertinent frontiers such as software and hardware. Physical attacks are particularly effective threats to strike confidentiality, integrity or authenticity of systems. Traditional research works on side-channel and fault injection analysis have dealt with breaking cryptographic primitives (like guessing AES key) but the set of potential applications is wider since physical attacks - more particularly fault injection - aims at targeting the integrity of code execution. For example, an attack may entirely disrupt the authentication and encryption processes of a secure boot providing unrestricted privilege to the attacker. To thwart such worrying threat, several protections have been proposed such as software-based Control Flow Integrity (CFI) or hardware-based monitoring of the control-flow or code integrity (at the price of high overheads) but most of the proposed protection schemes do not cover all the levels of a system (hardware, ISA, software). The project COFFI aims at demonstrating how co-design approaches leveraging the interaction between software and hardware may significantly improve the Control Flow and Execution Integrity (CFEI) against powerful physical attacks. Taking advantage of the complementarity expertise of its consortium, composed by three academic partners (ARMINES, CEA, Sorbonne University) and an industrial actor in the field of secure microprocessor (ISSM/INVIA), COFFI will cover the integrity against both instruction-based and data-based obstruction paradigms with an objective of reaching the best trade-off between security properties and performance overheads. To fulfill its scientific objectives, COFFI will demonstrate its results with a set of representative and relevant use cases and by using the RISC-V platform - the open source instruction set architecture - to implement the secure components (more particularly with an FPGA prototype) as well as porting practical solutions in the proprietary microprocessor from ISSM called S8. The efficiency of the innovative solutions developed in COFFI will be evaluated using state-of-the-art fault injection (such as laser beam) and side-channel analysis equipment. COFFI meets the ninth challenge of the ANR 2018 work program, more particularly with the development of innovative schemes for the "protection of information system" (challenge 9, axe 1.4) and will be part of the National Research Strategy (SNR) with the 41th orientation on the "resilience of the security system".

Wooden pile dwelling is an inexhaustible and precious source of information on landscape and cultural activities. Even there has been significant research dedicated on Pile Dwellings immerged in Alpine area, there are important knowledge gaps for the Mediterranean volcanic and karstic lakes. The conservation of these archaeological materials are peculiarly endangered by the impact of climatic change and the anthropogenic pressure. This project gets the ambitious to treat all the aspects of these pile dwelling conservation issue: assessing the climatic risk (collection of high-resolution climatic data about the second half of the Holocene and Bronze age in the northern Mediterranean), monitoring campaign on the field on case studies to assess the environmental conditions (soil, water,wildlife), the wood degradation, capitalizations of results (network of big and meta data about lake sites by collecting archaeobiologic knowledge) and awareness of the local actors and population on the historical, cultural and environmental value of the pile dwelling to establish a decision-making process (pro-active involvement and participation of stakeholder). No doubt this project enters fully into the scope of the topic Management of Cultural Heritage at Risk. Three case-studies are selected: Banyoles lake in Spain and Bolsena and Mezzano lakes in Italy. The foreseen investigations will use a very large spectrum of skills and disciplines such as: palynology, dendrochronology,la micromorphologie, micromorphology, wood anatomy and innovative tools as isotopic analysis. Characterization of wooden materials will involve gravimetric measurements, solid NMR, microbiological analysis, XRD, FTIR-imaging, GC-MS-py and thermogravimetry. Different wooden sampling sources will be considered: immersed, reburied finds and yet restored wood. Finally, exploitation and conservation of this specific cultural heritage represents both a challenge and an unique opportunity to develop harmoniously these sensitive rural area by combining: conservation of cultural heritage, preservation of the environment, touristic activities and water supplying for cities and agriculture.

In CES 39, MISTRAL takes part of the "Sécurité globale et cybersécurité" topic (8.8) of the ANR AAP2019 work program. More specifically, this project aims to experimentally develop secured schemes to protect objects and embedded systems as listed as key points in "Cybersécurité: liberté et sécurité dans le cyberespace, sécurisation des systèmes d'information, lutte contre la cybercriminalité".This item detailed in the paragraph E.8, "Domaines transverses". Moreover, MISTRAL adresses the topic (5.6), "Modèles numériques, simulation, applications" by leveraging technological solutions of secured embedded systems with MRAM NVM memory and the energy consumption of countermeasures in LWC algorithms. So far connected objects have been designed and deployed with strong cost and power consumption constraints, postponing security to secondary requirements. Recent successful attacks have proved that the security of IoT will become a major and crucial issue. Technical solutions, like Light Weight Cryptographic (LWC) and countermeasures against physical attacks, have to be designed to bridge the gap between security needs and cost constraints. The implementation of such solutions is a key point for both academic and industrial actors. MISTRAL is addressing the security of the cryptography embedded in connected objects at its highest standards while keeping concern by the energy footprint. Consequently, the project aims at proposing innovative research about the MRAM and CMOS hybridization to secure LWC algorithms with a particular focus on the resistance against physical attacks at lowest energetic impact. The proposed methodology and estimated results rely on: - LWC algorithm benchmarking as reference point to compare future results: including the report overhead in terms of silicon and power consumption. - Specifications of countermeasures against fault attacks taking benefits from MRAM/CMOS hybridization properties: Attacks scenarii that can be faced with the help of permanent states stored in the logic will be fully documented. - LWC algorithm designs: CMOS-based circuit as reference, hybridized and embedding MRAM-based coutermeasures: Design these non-volatile strengthening up to `place and route' on 28 nm FDSOI process. This hybridization approach can be built using NV process design kit. This is fully relevant as regard to ecosystems in STT-MRAM that is announced these days. As a result, the proposed circuits will be simulated (electrical, logic) to determine effective robustness of our solution against fault attacks as well as energy footprint compared to a CMOS built-in reference. - Security characterization of the MRAM bitcells: It is mandatory to insure that innovation will not bring new vulnerabilities, or to mitigate these one. The side-channel robustness will be evaluated on identified use cases. The power consumption traces will be estimated by simulation, challenged power analysis-based attacks and compared to the CMOS built-in reference. Vulnerabilities versus fault attacks will be characterized on dedicated samples (STT-MRAM bitcells) manufactured for the purpose of the project. They will be electrically characterized prior and after to any physical attack as Laser or Electromagnetic pulses. Modelization of the effects will be done and included in the simulation flow. Then a hardened STT-MRAM will be fabricated and validated following the same characterization sequence. To further improve this MRAM study, the SOT-MRAM (Spin Orbit Torque) will also be considered for simulations, nanofabrication and characterization.