44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick

Most dismiss power side channel attacks as difficult, expensive and unlikely, and therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs. By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts.

44CON 2014
Joe FitzPatrick
Simple Hardware Sidechannel Attacks for 10GBP or Less
What are Side Channel Attacks?
f(x)=y
x: input, y: output
HOW?
How long does it take?
How much power does it consume?
How does it react to temperature?
How much EMI does it give off?
How does it affect g(), h(), and i()?
How is it affected by x&y?
What does HARDWARE buy us?
Does network latency hide sidechannels?
If not, does it obscure them?
How about software latency?
Often, hardware permits observation with fixed, deterministic latencies
State of the Art Approach
Expensive Scopes ($10k+)
Expensive Probes ($2k+)
Expensive software ($2k+)
Smart People ($?)
Custom software to glue it all together
So what’s wrong with that?
Encryption is complicated
Math is hard
Money is expensive
Hardware SCAs seem too difficult to most people
My Objective?
Side Channel Attacks for every Man, Woman, and Child
My Objective?
Side Channel Attacks that anyone can understand and reproduce at home
My Objective?
Side Channel Attacks as part of Common Core State Standards?
My Target
My Budget
Simplifying Timing Attacks
teh codez
Finally, Some Hardware
Preparing for observation
Time is on your side...
what matches   test-to-test time (us)   time increment (us)
null           19.13                    -
0 char         31.56                    12.43
1 char         32.88                    1.32
2 char         34.18                    1.3
3 char         35.51                    1.33
4 char         36.63                    1.12
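The roughly constant increment per matching character in the table above is what a comparison loop that stops at the first mismatch looks like from the outside: every correctly guessed character buys one more loop iteration before the return. The C program below is an added example, not code from the talk, that simulates that loop with a counter standing in for elapsed time, and puts a constant-time comparison beside it that does the same amount of work whatever the guess. The secret value, the counter and the function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret for the simulation; the real firmware's value is not on the page. */
static const char SECRET[] = "1234";

/* Simulated cycle counter: one tick per character compared, standing in for the
   ~1.3 us per matching character measured in the slides. */
static unsigned long g_cycles;

/* The leaking pattern: compare byte by byte and return on the first mismatch.
   Work done (and therefore time taken) grows with the length of the matching prefix. */
int check_early_exit(const char *guess)
{
    for (size_t i = 0; i < sizeof SECRET; i++) {
        g_cycles++;
        if (guess[i] != SECRET[i])
            return 0;              /* mismatch (or guess shorter than secret) */
        if (SECRET[i] == '\0')
            return 1;              /* both strings ended together: full match */
    }
    return 1;
}

/* Constant-time variant: always walks the whole secret, accumulating differences
   with OR/XOR instead of branching on them. Guess length is folded into the
   result the same way, so a short or long guess costs the same as a full one. */
int check_constant_time(const char *guess)
{
    const size_t n = sizeof SECRET - 1;   /* secret length without the NUL */
    const size_t glen = strlen(guess);    /* depends only on attacker-known data */
    uint8_t diff = (uint8_t)(glen != n);

    for (size_t i = 0; i < n; i++) {
        g_cycles++;
        uint8_t g = (i < glen) ? (uint8_t)guess[i] : 0;
        diff |= (uint8_t)(g ^ (uint8_t)SECRET[i]);
    }
    return diff == 0;
}

/* Reset the counter, run one check, and report how many ticks it consumed. */
unsigned long measure(int (*check)(const char *), const char *guess)
{
    g_cycles = 0;
    check(guess);
    return g_cycles;
}

int main(void)
{
    /* Constructed guesses with 0, 1, 2, 3 and 4 leading characters correct. */
    const char *guesses[] = { "0000", "1000", "1200", "1230", "1234" };

    printf("%-6s %-10s %-14s\n", "guess", "early-exit", "constant-time");
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%-6s %-10lu %-14lu\n", guesses[i],
               measure(check_early_exit, guesses[i]),
               measure(check_constant_time, guesses[i]));
    return 0;
}
```

The early-exit column climbs by one tick per correct character, mirroring the measured increments; the constant-time column stays flat, which is the property a defender wants from any secret comparison on a target whose timing can be observed directly.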
But what about the real world?
The 00’s called, they want their DIPs back
The LED Reach-Around Attack
Or just trigger the solenoid...
Easy Fix!
Or is it?
SIMPLE power analysis
State of the Art Approach
Expensive Scopes ($10k+)
Expensive Probes ($2k+)
Expensive software ($2k+)
Smart People ($?)
Custom software to glue it all together
“Cheapskate” approach
Colin O’Flynn - http://www.newae.com/
My Approach
Building a Board
U1     AD9200ARZ 20msps 10-bit A/D converter
U2     AD8130ARMZ differential amplifier
U3     VAT1-S5-D12-SMT 5v to +-12v converter
C1-C8  0603 SMT Capacitor .1uF
C11-16 0805 SMT Capacitor 10uF
R3     0603 SMT resistor 150 ohm
R4     0603 SMT resistor 10 ohm
Rv     0603 SMT resistor 1 ohm
Rg     0603 SMT resistor 100 ohm
Rf1    0603 SMT resistor 1k ohm
$18.50 + shipping!
Alternate Build Options
Differential Amplifier: AD8129 vs. AD8130
Gain setting circuit: Rf=1k Ohm resistor or Rf1=10k Ohm Potentiometer
Voltage Regulator Load: R1=R2= 2.4k Ohm resistors for a dummy load
Alternate Build 2
⅞” Split Key Ring
Key (load tested to 3 keys)
Alternate Build 3*
Fiberglass dust from filing boards
Rolled up sticker from swag bag
* not tested or recommended
Shunting High and Shunting Low
Target modification
Bypass VRM & Enable clock out via fuse
Characterizing Instructions
Sources of ‘Noise’
Pretty Software Frontend
This slide intentionally left blank
Back to Lockpicking….
Keypad Entry   Idle begins   Idle ends   diff
1-2-3-4        2021972.5     2039705.5   17733
1-2-3-3        4574962.5     4592694.5   17732
1-2-2-2        5565872.5     5583603.5   17731
1-1-1-1        3234456       3252186     17730
5-5-5-5        7314302       7332031     17729
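The "Idle begins" and "Idle ends" columns above come from locating, in the captured power trace, the stretch where the target sits idle after a keypad entry; the diff column is then just the length of that stretch. The C code below is an added example, not the talk's own frontend, of the simplest detector that does this: it builds a constructed 10-bit trace with busy and idle regions plus one single-sample noise spike, then finds the first run of samples below a threshold that is long enough to count as idle rather than noise. The threshold, sample values, run length and function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_LEN 64

/* Build a constructed trace: "busy" samples sit around 600 counts and "idle"
   samples around 200, with a deterministic +-25 ripple so that a single-sample
   threshold is not trustworthy. One deliberate dropout at `glitch_at` models
   the kind of spurious low sample that noise on the shunt produces. */
void build_trace(uint16_t *out, size_t n, size_t idle_start, size_t idle_len,
                 size_t glitch_at)
{
    for (size_t i = 0; i < n; i++) {
        int ripple = (i % 2) ? 25 : -25;
        int base = (i >= idle_start && i < idle_start + idle_len) ? 200 : 600;
        if (i == glitch_at)
            base = 150;                     /* noise spike inside the busy region */
        out[i] = (uint16_t)(base + ripple);
    }
}

/* Locate the first idle interval: a run of at least `min_run` consecutive samples
   below `thresh`. Writes the run's bounds to *begin (inclusive) and *end
   (exclusive) and returns its length, or returns 0 if no such run exists. */
size_t find_idle(const uint16_t *s, size_t n, uint16_t thresh, size_t min_run,
                 size_t *begin, size_t *end)
{
    size_t run_start = 0, run_len = 0;

    for (size_t i = 0; i < n; i++) {
        if (s[i] < thresh) {
            if (run_len == 0)
                run_start = i;
            run_len++;
        } else {
            if (run_len >= min_run)
                break;                      /* a qualifying run just ended */
            run_len = 0;                    /* too short: treat as noise */
        }
    }
    if (run_len < min_run)
        return 0;
    *begin = run_start;
    *end = run_start + run_len;
    return run_len;
}

/* Convenience wrappers over the constructed trace (idle at samples 20..37,
   spike at sample 5) so the effect of `min_run` can be checked directly. */
size_t demo_idle_length(size_t min_run)
{
    uint16_t t[TRACE_LEN];
    size_t b = 0, e = 0;
    build_trace(t, TRACE_LEN, 20, 18, 5);
    return find_idle(t, TRACE_LEN, 400, min_run, &b, &e);
}

size_t demo_idle_begin(size_t min_run)
{
    uint16_t t[TRACE_LEN];
    size_t b = 0, e = 0;
    build_trace(t, TRACE_LEN, 20, 18, 5);
    find_idle(t, TRACE_LEN, 400, min_run, &b, &e);
    return b;
}

int main(void)
{
    uint16_t t[TRACE_LEN];
    size_t b = 0, e = 0;

    build_trace(t, TRACE_LEN, 20, 18, 5);
    size_t diff = find_idle(t, TRACE_LEN, 400, 3, &b, &e);
    printf("idle begins %zu, idle ends %zu, diff %zu\n", b, e, diff);
    return 0;
}
```

With `min_run` set to 1 the detector latches onto the noise spike at sample 5 and reports a one-sample "idle"; requiring three consecutive low samples skips it and lands on the real idle region, which is the same trade-off the slides' "Sources of 'Noise'" slide is about.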
Rev 1.1
I’ll show you my O(scope)-Face
Future Improvements
Pretty Software
Tunable clock offset
Tuneable amplifier offset for higher gains
fix AD8129
Integrate EZ-USB FX2 and synch clock
But Wait!
There’s More!
© 2014 Hardware Security Resources, LLC.
Sidechannel Attacks
Non-Invasive = no hardware modification; Invasive = hardware modification
Passive = observation only
- Simple timing analysis with an o-scope/LA
- Power analysis - may require removing decoupling capacitors
- Decapping and imaging the die
Active = simulating input
- Clock shrinking/skewing
- Reset pulses
- Synthetic power droop
- Modifying power/clock circuits
- Decapping and stimulating/altering logic and power circuits
For another 10GBP, can we do some glitching?
Normal Operation
The Real Boundary...
Failing region
Optimal Condition
Voltage Glitching
Frequency Glitching
But when? But how?
Die Datenkrake?
Zu Teuer!
EZ-USB FX2?
Too Slow!
● Glitching device outputs a clock
● Tie an interrupt pin to a trigger on the target
● Program a configurable software delay
● Toggle a pin tied to a pulse generator
● AND the pulse generator with your clock
Sidechannel Attacks in the Wild
Sidechannel Attacks in the Wild
Details for the fat hack
========================
On fats, the bootloader we glitch is CB, so we can run the CD we want.
cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is
slowed down a lot, there's a test point on the motherboard that's a
fraction of CPU speed, it's 200Mhz when the dash runs, 66.6Mhz when the
console boots, and 520Khz when that signal is asserted.
https://github.com/gligli/tools/blob/master/reset_glitch_hack/reset_glitch_hack.txt
Sidechannel Attacks in the Wild
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and
image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of
entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of
getting POST error AD, the boot process continues and CB runs our custom
CD.
https://github.com/gligli/tools/blob/master/reset_glitch_hack/reset_glitch_hack.txt
Matrix Glitcher code...
Back to our test system…
Further implementation is still WIP
- ATMEGA328p needs to be undervolted to work
- Needs to provide the trigger itself for now
Joe FitzPatrick
@securelyfitz
http://www.securinghardware.com
Questions?