Method of Attack, Physical Access

Slides created by: Professor Ian G. Harris

Method of Attack, Physical Access Attacker has physical possession of the device

Many devices are small and portable Assume that attacker has only external access

Short access time Lacks knowledge about internals

Attack through external interface Normal user interface USB, SD card interface


Physical Access Attacks Attacker can do what user can do

Read numbers from a phone Examine digital pictures, etc.

USB/SD card allows large, fast data theft USB may be “bootable”

Device may automatically run code on USB key

Attacker can rewrite Flash memory Install arbitrary malware


Defenses Against Physical Attacks

Do not lose physical control of your device Enable password protection on the device

Can be inconvenient


Intrusive Physical Attacks

Attacker gains extended physical access to the device

Attacker knows about the design of the device Attacker opens the device and accesses internal

signals Requires unusual sophistication Normal users do not need to worry


Reading Internal Signals

Attacker can view data transferred between ICs Intellectual property (songs, videos, etc.) Secret keys, etc.

CPU RAM

Logic Analyzer


Reading Internal Signals, Defenses

Encrypt all data in transit between ICs Expensive and time consuming

Make device tamper-proof Very expensive

Use internal board layers for routing Layers can be sanded down

Epoxy over ICs to hide part numbers Epoxy is removable


Reprogramming FLASH Memory

Attacker can reprogram the entire device though its JTAG interface

CPUFlash JTAG


Reprogramming FLASH Defenses

Make flash unprogrammable Blow an internal fuse Updates become impossible

Require secret key to access JTAG Costly


“Super” Intrusive Attacks

Attacker gains access to the design of the ICs inside the device

Requires time, knowledge, and access Only large organizations could launch this type

of attack


Hardware Trojans

Attacker modifies IC design before fabrication Spy at the design and/or fabrication site IC includes altered functionality

CPU ASICTrojan Trojan


Side-Channel Attacks Examine “information leakage” via power and delay

analysis

If key[i] == 1 then power will be higher and delay will be longer

Requires precise knowledge of IC algorithm and implementation

if (key[I]) then {. . . }


IP Watermarking

Attacker steals IP design and sells it as his own Need to prove that a stolen design is actually

stolen Insert “markers” into the design which can be

recognized later Add extra logic that has no real function

Markers must not be apparent to the attacker


ATmega Assemblya = b + c;

lw $r1, ($s1)lw $r2, ($s2)add $r3, $r2, $r1sw $r3, ($s3)

Load b from memoryLoad c from memoryAdd b and cStore result a in memory

10010001000000110000001000000001add $r3 $r2 $r1

Compiler

Assembler


Assembly Instructions

Assembly instructions are a readable mnemonic for machine instructions

One-to-one mapping from assembly instructions to machine instructions• Except macros

ADD R0, R1 0000110000000001


ATmega Instruction Formats

16-bit machine instructions6-bit opcode2 5-bit register arguments (32 registers)Direct Register Addressing mode used

ADD instructionRd <- Rd + Rr

OOOO11RDDDDDRRRR


Instruction Format, 1 register

4-bit opcode1 4-bit register argument (only 16 registers)8-bit constant

ANDI instructionRd <- Rd && K

0111KKKKDDDDKKKK


Instruction Format, 1 register

11-bit opcode1 5-bit register argument

ASR (arithmetic shift right) instructionRd <- Rd >> 1

1001010DDDDD0101


Instruction Format, Branch

Assumes that comparison (sub) already performed9-bit opcode11 constant, PC offset addressingBranch distance is limited

BREQ (branch if equal) instructionZ == 1 then PC <- PC + K + 1

111100KKKKKKK001


Assembly Code Structure

An input line may take one of the four following forms:1. [label:] directive [operands] [Comment]2. [label:] instruction [operands] [Comment]3. Comment4. Empty line

Label is an alias for a line of code• Used for jumps/branches


Example Assembly Program

label: .EQU var1=100 ; Set var1 to 100 (Directive) .EQU var2=200 ; Set var2 to 200test: rjmp test ; Infinite loop (Instruction) ; Pure comment line

.EQU assigns a string to a constantSemicolon (;) sets off comments


Some Arithmetic Operations

Some instructions take immediate (constant) argumentsSome instructions use carry from previous operations


Some Logical Operations

Logical operations are bitwiseSome instructions take only one argument


Accessing Registers/Memory

All registers are memory mappedSpecial instructions are used to access non-register

memory


General Purpose Registers

General-purpose registers are written using: • LDI - Load Immediate LDI R16, 0xFF R16 <- 0xFF• MOV - Copy Register MOV R0, R1 R0 <- R1• SBR - Set Bits in Register SBR R0, 0xFF R0 <- R0 | 0xFF• CBR - Clear Bits in Register CBR R0, 0xAA R0 <- R0 & (0xFF -

0xAA)


LDI Instruction

LDI Rd, K8-bits for the immediate, K4-bits for the register, RdCan only access 16 registers (R16 - R31)SBR and CBR have the same limitation


MOV Instruction

MOV Rd, Rr5-bits for each register, can access all registersCan move from high regs to low regs


I/O Registers

I/O registers are written/read using: • IN - In Port IN R0, PORTB R0 <- PINB• OUT - Out Port OUT R0, PORTB PORTB <- R0• SBI - Set Bit in I/O Register SBI PORTB, 3 PORTB <- PORTB | 1<<3• CBI - Clear Bits in I/O Register CBI PORTB, 3 PORTB <- PORTB & !

(1<<3)


SBI Instruction

SBI A, b5 bits specify register, 3 bits specify bit to set


Addressing SRAM (Ext. I/O)

• Instructions are 16-bits long• SRAM addresses are 16-bits long• Address cannot fit in the instruction• Memory addresses are stored in special-purpose

registers• X, Y, and Z registers are each 2 bytes• LD, ST instructions are used to access SRAM


Data Indirect Addressing

LDI XH HIGH(0x01A8)LDI XL HIGH(0x01A8)LD R0, XST X, R0

• Registers X, Y, and Z can be used to address SRAM• XH (YH, ZH) and XL (YL, ZL) are low and high bytes


Branching

PC typically advances by 2 after each instruction• Instructions are 2 bytes long

Branching changes the PC counter to a new locationUnconditional Branches always occurConditional Branches occur only if a condition is

trueNeeded to implement conditional control flow (if,

then) and loops (while, for, etc.)Labels are used to name branch destination


Unconditional Branching

JMP k32-bit instructionNeed 22-bits to address 4M memory spaceAssembler substitutes label with address


Relative Jump (RJMP)

RJMP kOnly 16-bit instruction, address is 12 bits long (4K range)PC relative addressing used• Destination is PC + k + 1

Restricted to close jumps (+/- 2K)Not usually a problem (especially on small processors)


Conditional BranchesBranch occurs is appropriate condition is satisfiedConditions depend on results of previous

arithmetic operationsADD R0, R1BRVS dest..

dest: ADD R2, R3

BRVS is Branch is Overflow is SetBranch occurs if previous addition resulted in overflow


Status Register (SREG)

Bit 5 – H: Half Carry FlagBit 4 – S: Sign Bit, S = N ⊕ VBit 3 – V: Two’s Complement Overflow FlagBit 2 – N: Negative FlagBit 1 – Z: Zero FlagBit 0 – C: Carry Flag

SREG contains information about the results of arithmetic/logic operations


Conditional Branch Instructions

Test indicates the relationship between operands

Boolean shows values in SREG


Branch Conditions

SREG must be set before conditional branch instructionC code example: if x < y then x++; else y++;Assume x is in R0 and y is in R1

CP R0, R1BRLT then

else: INC R1RJMP done

then: INC R0done: …

Compare operation, CP, used to set SREG• Does not affect other regs


Skip Instructions

“Skip” instructions skip the next instruction if a condition is satisfied

Can be used as a mini conditional branchSBRC - Skip if bit in register is cleared (0)

SBRS R0, 0INC R0

Rounds R0 up to nearest even number


Subroutines

RCALL k calls a subroutine starting at label k• PC + 1 is pushed onto the stack

RET returns from a subroutine• PC is popped off of the stack

No other calling procedures are followed• Registers are not pushed/popped• Arguments are not pushed/popped• No local vars allocated on stack


Using the StackPUSH Rd places contents of Rd on the stack

Decrements stack pointer (SP)POP Rd places contents of stack in Rd• Increments (SP)

SP must be initialized to top of SRAM, RAMEND

LDI R0, LOW(RAMEND)OUT SPL, R0LDI R0, HIGH(RAMEND)OUT SPH, R0


Assembler Directives

Assembler directives give commands to the assemblerDo not generate machine code instructions

.DSEGvar1: .byte 1var2: .byte 2

.CSEGldi XL, LOW(var1)ldi XH, HIGH(var1)ld R0, X

.DSEG declares data segment• Placed in SRAM

.CSEG declares code segment• Placed in FLASH

.BYTE allocates space• Only in data segment


EEPROM Segment.ESEG

eeconsts:.db 0xff, 0x11.CSEG

fconsts: .dw 0xffff

.ESEG declares initialized data in EEPROM.DB declares a data byte in program memory (CSEG)

or EEPROM (ESEG).DW declares a word (16-bits) in CSEG or ESEG


Other Assembler Directives.DEF <symbol>=R<n>

Define a symbol to refer to a register Ex. .DEF i=R9 Placement in file should precede first use .UNDEF undefines the symbol

.EQU <constant>=<expression> Define a constant to refer to a constant value Ex. .EQU ZERO = 0 Constant cannot be redefined or undefined

.SET <variable>=<expression> Same as .EQU except variables can be changed later

Documents

Method of Attack, Physical Access