44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick

44CON 2014Joe FitzPatrick

Simple Hardware Sidechannel Attacks for 10GBP or Less

What are Side Channel Attacks?

f(x)=y


f(x)=y

input


f(x)=youtput


f(x)=y

HOW?


f(x)=yHow long does it take?

How much power does it consume?How does it react to temperature?How much EMI does it give off?

How does it affect g(), h(), and i()?How is it affected by x&y?

What does HARDWARE buy us?

Does network latency hide sidechannels?



If not, does it obscure them?




How about software latency?




How about software latency?

Often, hardware permits observation with fixed, deterministic latencies

State of the Art Approach

Expensive Scopes ($10k+)Expensive Probes ($2k+)

Expensive software ($2k+)Smart People ($?)

Custom software to glue it all together

So what’s wrong with that?

Encryption is complicated



Math is hard



Math is hard

Money is expensive



Math is hard

Money is expensive

Hardware SCAs seem too difficult to most people

My Objective?

Side Channel Attacks for every

Man, Woman, and Child

My Objective?

Side Channel Attacks that anyone can understand

and reproduce at home

My Objective?

Side Channel Attacks as part of

Common Core State Standards?

My Target

My Budget

Simplifying Timing Attacks

teh codez

teh codez

Finally,Some Hardware

Preparing for observation

Time is on your side...

what matchestest to test time time increment, us

null 19.13

0 char 31.56 12.43

1 char 32.88 1.32

2 char 34.18 1.3

3 char 35.51 1.33

4 char 36.63 1.12

But what about the real world?

But what about the real world?

The 00’s called, they want their DIPs back

The 00’s called, they want their DIPs back

The LED Reach-Around Attack

Or just trigger the solenoid...

Easy Fix!

Or is it?

SIMPLE power analysis

State of the Art Approach

Expensive Scopes ($10k+)Expensive Probes ($2k+)

Expensive software ($2k+)Smart People ($?)

Custom software to glue it all together

“Cheapskate” approach

Colin O’Flynn - http://www.newae.com/

My Approach

Building a BoardU1 AD9200ARZ 20msps 10-bit A/D converter

U2 AD8130ARMZ differential amplifier

U3 VAT1-S5-D12-SMT 5v to +-12v converter

C1-C8 0603 SMT Capacitor .1uF

C11-16 0805 SMT Capacitor 10uF

R3 0603 SMT resistor 150 ohm

R4 0603 SMT resistor 10 ohm

Rv 0603 SMT resistor 1 ohm

Rg 0603 SMT resistor 100 ohm

Rf1 0603 SMT resistor 1k ohm

$18.50 + shipping!

Alternate Build Options

Differential Amplifier: AD8129 vs. AD8130

Gain setting circuit: Rf=1k Ohm resistor or Rf1=10k Ohm Potentiometer

Voltage Regulator Load: R1=R2= 2.4k Ohm resistors for a dummy load

Alternate Build 2⅞” Split Key Ring

Key (load tested to 3 keys)

Alternate Build 3*

Fiberglass dust from filing boards

Rolled up sticker from swag bag

* not tested or recommended

Shunting High and Shunting Low

Shunting High and Shunting Low

Target modification

Bypass VRM & Enable clock out via fuse

Characterizing Instructions

Characterizing Instructions

Sources of ‘Noise’

Pretty Software Frontend

This slide intentionally left blank

Back to Lockpicking….

Back to Lockpicking….Keypad Entry Idle begins idle ends diff

1-2-3-4 2021972.5 2039705.5 17733

1-2-3-3 4574962.5 4592694.5 17732

1-2-2-2 5565872.5 5583603.5 17731

1-1-1-1 3234456 3252186 17730

5-5-5-5 7314302 7332031 17729

Rev 1.1

Rev 1.1

I’ll show you my O(scope)-Face

Future Improvements

Pretty SoftwareTunable clock offset

Tuneable amplifier offset for higher gainsfix AD8129

Integrate EZ-USBFX2 and synch clock

But Wait!

There’s More!

© 2014 Hardware Security Resources, LLC.

Sidechannel Attacks

Non-Invasive = no hardware modification Invasive = hardware modificaiton

Passive = observation only Simple timing analysis with an o-scope/LA

Power analysis - may require removing decoupling capacitors

Decapping and imaging the die

Active = simulating input

Clock shrinking/skewing

Reset pulses

Synthetic power droop

Modifying power/clock circuits

Decapping and stimulating/altering logic and power circuits

For another 10GBP, can we do some glitching?

Normal Operation

The Real Boundary...

Failing region

Optimal Condition

Voltage Glitching

Frequency Glitching

But when?But how?

Die Datenkrake?

Die Datenkrake?

Zu Teuer!

EZ-USB FX2?

EZ-USB FX2?

Too Slow!

● Glitching device outputs a clock● Tie an interrupt pin to a trigger on the target● Program a configurable software delay● Toggle a pin tied to a pulse generator● AND the pulse generator with your clock


Sidechannel Attacks in the Wild


Sidechannel Attacks in the WildDetails for the fat hack

========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is

slowed down a lot, there's a test point on the motherboard that's a

fraction of CPU speed, it's 200Mhz when the dash runs, 66.6Mhz when the

console boots, and 520Khz when that signal is asserted.

https://github.com/gligli/tools/blob/master/reset_glitch_hack/reset_glitch_hack.txt


Sidechannel Attacks in the Wild - We assert CPU_PLL_BYPASS around POST code 36 (hex).

- We wait for POST 39 start (POST 39 is the memcmp between stored hash and

image hash), and start a counter.

- When that counter has reached a precise value (it's often around 62% of

entire POST 39 length), we send a 100ns pulse on CPU_RESET.

- We wait some time and then we deassert CPU_PLL_BYPASS.

- The cpu speed goes back to normal, and with a bit of luck, instead of

getting POST error AD, the boot process continues and CB runs our custom

CD.

https://github.com/gligli/tools/blob/master/reset_glitch_hack/reset_glitch_hack.txt

Matrix Glitcher code...

Back to our test system…

Further implementation is still WIP

- ATMEGA328p needs to be undervolted to work- Needs to provide the trigger itself for now

Joe FitzPatrick@securelyfitz

http://www.securinghardware.com

Questions?

Technology

44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick