Paper 2023/677

Secure Context Switching of Masked Software Implementations

Barbara Gigerl, Graz University of Technology
Robert Primas, Graz University of Technology
Stefan Mangard, Graz University of Technology

Cryptographic software running on embedded devices requires protection against physical side-channel attacks such as power analysis. Masking is a widely deployed countermeasure against these attacksand is directly implemented on algorithmic level. Many works study the security of masked cryptographic software on CPUs, pointing out potential problems on algorithmic/microarchitecture-level, as well as corresponding solutions, and even show masked software can be implemented efficiently and with strong (formal) security guarantees. However, these works also make the implicit assumption that software is executed directly on the CPU without any abstraction layers in-between, i.e., they focus exclusively on the bare-metal case. Many practical applications, including IoT and automotive/industrial environments, require multitasking embedded OSs on which masked software runs as one out of many concurrent tasks. For such applications, the potential impact of events like context switches on the secure execution of masked software has not been studied so far at all. In this paper, we provide the first security analysis of masked cryptographic software spanning all three layers (SW, OS, CPU). First, we apply a formal verification approach to identify leaks within the execution of masked software that are caused by the embedded OS itself, rather than on algorithmic or microarchitecture level. After showing that these leaks are primarily caused by context switching, we propose several different strategies to harden a context switching routine against such leakage, ultimately allowing masked software from previous works to remain secure when being executed on embedded OSs. Finally, we present a case study focusing on FreeRTOS, a popular embedded OS for embedded devices, running on a RISC-V core, allowing us to evaluate the practicality and ease of integration of each strategy.

Available format(s)
Publication info
Published elsewhere. AsiaCCS 2023
verificationmaskingside-channelsRTOSembedded OSRISC-Vpower analysis
Contact author(s)
barbara gigerl @ iaik tugraz at
robert primas @ iaik tugraz at
stefan mangard @ iaik tugraz at
2023-05-15: approved
2023-05-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Barbara Gigerl and Robert Primas and Stefan Mangard},
      title = {Secure Context Switching of Masked Software Implementations},
      howpublished = {Cryptology ePrint Archive, Paper 2023/677},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.