We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

TrustZone-M: Hardware attacks on ARMv8-M security features

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
110
 Cite
 Share
 Related Material
 Download Purchase
Logo of Chaos Computer Club e.V.Chaos Computer Club e.V.
 Roth, Thomas

Formal Metadata

Title
TrustZone-M: Hardware attacks on ARMv8-M security features
Alternative Title
TrustZone-M(eh): Breaking ARMv8-M's security. Hardware attacks on the latest generation of ARM Cortex-M processors.
Title of Series
Number of Parts
254
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Most modern embedded devices have something to protect: Whether it's cryptographic keys for your bitcoins, the password to your WiFi, or the integrity of the engine-control unit code for your car. To protect these devices, vendors often utilise the latest processors with the newest security features: From read-out protections, crypto storage, secure-boot up to TrustZone-M on the latest ARM processors. In this talk, we break these features: We show how it is possible to bypass the security features of modern IoT/embedded processors using fault-injection attacks, including breaking TrustZone-M on the new ARMv8-M processors. We are also releasing and open-sourcing our entire soft- and hardware toolchain for doing so, making it possible to integrate fault-injection testing into the secure development lifecycle. Modern devices, especially secure ones, often rely on the security of the underlying silicon: Read-out protection, secure-boot, JTAG locking, integrated crypto accelerators or advanced features such as TrustZone are just some of the features utilized by modern embedded devices. Processor vendors are keeping up with this demand by releasing new, secure processors every year. Often, device vendors place a significant trust into the security claims of the processors. In this talk, we look at using fault-injection attacks to bypass security features of modern processors, allowing us to defeat the latest chip security measures such as TrustZone-M on the new ARMv8 processors. After a quick introduction into the theory of glitching, we introduce our fully open-source FPGA platform for glitching: An FPGA-based glitcher with a fully open-source toolchain & hardware, making glitching accessible to a wider audience and significantly reducing the costs of getting started with it - going as far as being able to integrate glitch-testing into the Secure Development Lifecycle of a product. Then, we look at how to conduct glitching attacks on real-world targets, beyond academic environments, including how to prepare a device for glitching and how to find potential glitch targets. Afterwards, we demonstrate fault-injection vulnerabilities we found in modern, widely-used IoT/embedded processors and devices, allowing us to bypass security features integrated into the chip, such as: - Re-enabling locked JTAG - Bypassing a secure bootloader - Recovering symmetric crypto keys by glitching the AES implementation - Bypassing secure-boot - Fully bypassing TrustZone-M security features on some new ARMv8M processors We will also demonstrating how to bypass security features and how to break the reference secure bootloader of the Microchip SAM L11, one of the newest, TrustZone-M enabled ARM Cortex-M processors, using roughly $5 of equipment. After the talk, PCBs of our hardware platform will be given out to attendees.
Keywords
00:00
TwitterInformation technology consultingUltraviolet photoelectron spectroscopyRoundness (object)Information securityTouch typingArmWave packetComputer hardwareTime zoneComputer animationLecture/Conference
01:02
Information securityFeedbackInformation technology consultingInformation securityMultiplication signMereologyPower (physics)Domain nameComputer animationLecture/ConferenceMeeting/Interview
01:55
Domain nameMathematical analysisPower (physics)Computer hardwareTime zoneInformation securityBefehlsprozessorRead-only memoryRevision controlMathematical analysisDifferent (Kate Ryan album)Power (physics)Time zoneInformation securityCoprocessorRevision controlElectronic mailing listInjektivitätDifferential (mechanical device)Real numberComputer hardwareDomain nameBefehlsprozessorAndroid (robot)Data storage deviceKey (cryptography)Sampling (statistics)Mobile appProcess (computing)Computer animation
03:10
Physical systemTime zoneInformation securityFirmwareOperations researchInformation technology consultingComputer hardwareMobile appOperating systemDifferent (Kate Ryan album)2 (number)Flow separationKey (cryptography)Type theoryTime zoneSurfaceData storage deviceMessage passingWorkstation <Musikinstrument>Lecture/ConferenceMeeting/Interview
04:15
Information securitySoftwareComputer hardwareInformationTerm (mathematics)Computer hardwareKey (cryptography)Endliche ModelltheorieSoftwareTime zoneDescriptive statisticsCASE <Informatik>InjektivitätInformation securityBitLatent heatSide channel attackProtein foldingExpert systemSoftware testingLecture/ConferenceXML
05:36
Information securityRead-only memoryTime zoneState of matterFunction (mathematics)System callException handlingKernel (computing)Gateway (telecommunications)Hyperbolic functionCodeMessage sequence chartAddress spaceImplementationVariable (mathematics)Maß <Mathematik>MathematicsLimit (category theory)Control flowSemiconductor memoryAddress spaceCodeExecution unitFlash memoryInformation securityAttribute grammarDefault (computer science)Branch (computer science)Level (video gaming)Memory managementTime zoneTable (information)System callVirtual memoryDiagramFunctional (mathematics)ArmPhysical systemKernel (computing)Gateway (telecommunications)ImplementationKey (cryptography)TheoryState of matterStructural loadReal numberLimit (category theory)InjektivitätCurvatureComputing platformBitAreaPeripheralWordElectronic visual displayException handlingMereologyCryptographyNumberRange (statistics)DialectGame controllerType theoryDifferent (Kate Ryan album)HypothesisWeb crawlerDistanceInsertion lossMultiplication signProcess (computing)Rule of inferenceArchaeological field surveyComputerLecture/Conference
12:19
Address spaceLimit (category theory)Information securityState of matterRead-only memoryMaß <Mathematik>Time zoneImplementationVector potentialStandard deviationArmFrequencyMathematicsPoint (geometry)Multiplication signAddress spaceState of matterInformation securitySpeicherschutzSystem callInjektivitätArmAttribute grammarExecution unitPower (physics)Time zoneFrequencyMereologyLecture/ConferenceMeeting/InterviewComputer animationXML
13:29
Moment (mathematics)Information securityPower (physics)Flash memoryRead-only memoryStability theoryPower (physics)Semiconductor memoryMoment (mathematics)Multiplication signFlash memoryDrop (liquid)Process (computing)Functional (mathematics)Right angle2 (number)FirmwareCodeTouch typingPanel paintingComputer animationDiagram
14:43
BootingFlash memoryRead-only memoryInformation securityPulse (signal processing)Drop (liquid)CodeFirmwareFunctional (mathematics)BootingInheritance (object-oriented programming)Multiplication signFlash memoryControl flowPower (physics)Time zonePulse (signal processing)Theory of relativity2 (number)Position operatorMereologyLecture/ConferenceMeeting/InterviewComputer animation
15:38
Field programmable gate arrayInformation securityFunction (mathematics)Pulse (signal processing)Line (geometry)outputCore dumpBefehlsprozessorDomain namePower (physics)Multiplication signField programmable gate arrayLattice (group)CodeMereologyHookingWebsiteVoltmeterFunction (mathematics)Pulse (signal processing)Line (geometry)BefehlsprozessorCore dumpoutputDifferent (Kate Ryan album)Power (physics)BootingMicrocontrollerPeripheralRegulator genePoint (geometry)2 (number)ArmGoodness of fitSet (mathematics)Lecture/ConferenceMeeting/InterviewComputer animation
17:00
Regulator geneBefehlsprozessorCore dumpInformation securityPower (physics)Domain nameDirected setCore dumpProxy serverPoint (geometry)BefehlsprozessoroutputRegulator geneCoprocessorFunction (mathematics)Channel capacityTrailMathematics
17:55
Information securityBefehlsprozessorRegulator geneCore dumpPower (physics)Channel capacityPoint (geometry)Power (physics)Multiplication signLattice (group)VoltmeterHookingMereologyHydraulic jumpComputer hardwareControl flowComputing platformComputer configuration
18:41
Information securityoutputAnalogyMultiplication signComputer hardwareField programmable gate arrayComputing platformControl flowTask (computing)Hand fanCompilation album40 (number)AngleMereologyCodePoint (geometry)Digital electronicsOpen sourceWhiteboardSoftware developerDependent and independent variablesMessage passingGroup actionBitSpacetimeProduct (business)VoltmeterAnalogyDebuggeroutputChainLattice (group)INTEGRALLecture/ConferenceMeeting/Interview
19:49
outputAnalogyDigital electronicsFront and back endsInformation securityFlash memoryInheritance (object-oriented programming)Flash memoryComputer hardwareInformation securityMessage passingDigital electronicsProduct (business)WebsiteWordSign (mathematics)
21:01
Social classWordLevel (video gaming)Power (physics)FamilyProduct (business)Time zoneInformation systemsAdvanced Encryption StandardBootingSoftwarePhase transitionPartition (number theory)Computer hardwareFlash memoryCodeInformation securityThresholding (image processing)Non-volatile memoryParameter (computer programming)Turing testAsynchronous Transfer ModeSample (statistics)Computer programFrequencyInterrupt <Informatik>Information securityLevel (video gaming)Computer hardwareAttribute grammarWordCore dumpExecution unitTime zoneTerm (mathematics)Product (business)Descriptive statisticsInternet der DingePhysical systemPhysicalismImplementationSystem callComputer animation
22:13
Turing testBootingInformation securityTime zoneFlash memoryCodeStructural loadConfiguration spaceBootingCodeInformation securityExecution unitBootingMereologyFlash memoryStructural loadDialectCartesian coordinate systemAttribute grammarImplementationHydraulic jumpKey (cryptography)BitJSONXMLUML
23:51
Information securityInheritance (object-oriented programming)Set (mathematics)CompilerFirmwareStability theoryInheritance (object-oriented programming)Group actionLecture/ConferenceXMLComputer animation
24:35
BootingInformation securityRead-only memoryForceMathematical analysisPower (physics)BootingFlash memoryComputer hardwarePoint (geometry)Web pageRange (statistics)CASE <Informatik>Tracing (software)Programmer (hardware)Different (Kate Ryan album)Power (physics)Mathematical analysisCartesian coordinate systemMultiplication signPeripheralInformation securityUniform resource locatorComputer programmingRight angleForcing (mathematics)Control flowDrum memory2 (number)Lecture/ConferenceXMLUML
26:56
Mathematical analysisInformation securityPower (physics)FirmwareEvent horizonPulse (signal processing)Control flowString (computer science)Letterpress printingLoop (music)Tracing (software)Information securityScripting languageAsynchronous Transfer ModeStatisticsPoint (geometry)Different (Kate Ryan album)2 (number)Multiplication signRight angleRange (statistics)Price indexVideoconferencingCASE <Informatik>Key (cryptography)Pulse (signal processing)Loop (music)HookingPairwise comparisonConfiguration spaceFraction (mathematics)Revision controlMereologyLengthLine (geometry)Stability theoryWhiteboardTime zoneFirmwareControl flowBitVideo gameLocal ringSubsetDiffuser (automotive)CuboidReal numberLecture/ConferenceComputer animation
30:41
Information securityCodeIntegrated development environmentCondition numberSoftware development kitMereologyCodeReverse engineeringTerm (mathematics)Channel capacityInformation securityBitControl flowCore dumpKey (cryptography)JSONXMLUMLLecture/Conference
31:28
Information securityFunction (mathematics)Letterpress printingString (computer science)Control flowPulse (signal processing)ChainAddress spaceProgrammer (hardware)Field programmable gate arraySpeicherschutzFunctional (mathematics)Web 2.0ChainVulnerability (computing)Core dumpMereologyIntegrated development environmentRoot2 (number)NumberOpen setScaling (geometry)Computer programmingXML
33:35
Order (biology)Information securityMathematicsAddress spaceLogical constantSoftwareState of matterFeedbackTime zoneFlash memoryKey (cryptography)Closed setInheritance (object-oriented programming)Physical systemVector spaceFeedbackMereologyOrder (biology)Time zoneBackdoor (computing)Type theory1 (number)Internet der DingeRevision controlCoprocessorAsynchronous Transfer ModeInjektivitätDialectState of matterRight angleSoftwareUltraviolet photoelectron spectroscopyInformation securityGame controllerChainComputer hardwareCodeEntire functionAddress spaceGreatest elementSystem callAttribute grammarMultiplication signExecution unitLevel (video gaming)Moving averageSemiconductor memoryPort scannerProcess (computing)Network topologyMusical ensembleDifferent (Kate Ryan album)Division (mathematics)Lecture/Conference
37:21
CodeFlash memoryBootingInformation securityLinker (computing)Address spaceMathematicsPointer (computer programming)Table (information)NP-hardCodeBootingWeb pageBlogBitGroup actionAddress spaceState of matterPointer (computer programming)Table (information)Branch (computer science)InformationReading (process)Exception handlingInformation securityLecture/ConferenceMeeting/InterviewComputer animation
38:55
Normal (geometry)CodeInformation securityNP-hardRead-only memoryRing (mathematics)Address spaceComputer filePeripheralFlash memoryMathematicsControl flowLimit (category theory)User interfaceDDR SDRAMData typeSemiconductor memoryMoving averageInformation securityCodeAreaImplementationConfiguration spaceVulnerability (computing)Attribute grammarWordFlash memoryAddress spaceNormal (geometry)Asynchronous Transfer ModeSystem callPoint (geometry)Game controllerPhysical systemArmBranch (computer science)2 (number)BitHydraulic jumpPeripheralState of matterExecution unitMultiplication signStability theorySpeicherschutzInterpreter (computing)Computer animation
42:01
Information securitySimilarity (geometry)Duality (mathematics)Dependent and independent variablesSystem callCodeFreewareArmUltraviolet photoelectron spectroscopyWeb pageInterpreter (computing)Core dumpInformation securityDependent and independent variablesExpert systemOvalDuality (mathematics)Game controllerOnline helpCodeValue-added networkLecture/ConferenceMeeting/InterviewComputer animation
43:14
Information securityControl flowAsynchronous Transfer ModeRead-only memoryFlagPhysical systemMassIdentical particlesDependent and independent variablesGame controllerBitInformation securitySpeicherschutzAddition1 (number)Semiconductor memoryState of matterAttribute grammarCodeExecution unitDependent and independent variablesArmLatent heatXMLComputer animation
44:31
Information securityData modelLatent heatTwitterLatent heatEndliche ModelltheorieMereologyTwitterInjektivitätBuildingComputer hardwareKey (cryptography)NumberLecture/ConferenceMeeting/Interview
45:36
Time zoneNumberFirewall (computing)Cartesian closed categoryPlanningInternetworkingCore dumpShared memoryLecture/ConferenceMeeting/Interview
46:21
Time zoneMaterialization (paranormal)BefehlsprozessorFrequencyMulti-core processorCoefficient of determinationService (economics)Personal digital assistantAreaLecture/Conference
47:04
Information securityTwitterLibrary (computing)Functional (mathematics)AreaNumberChainArmPairwise comparisonElectric generatorInformation securityComputer animationLecture/ConferenceMeeting/Interview
47:47
Computer hardwareInformation securitySoftwarePairwise comparisonPower (physics)Point (geometry)NumberCASE <Informatik>EinsteckmodulKey (cryptography)Attribute grammarCodeSpacetimeMultiplication signEndliche ModelltheorieChainExploit (computer security)Order (biology)Goodness of fitObject (grammar)ArmTouch typingExecution unitChannel capacityLecture/ConferenceMeeting/Interview
50:41
Element (mathematics)Category of beingQuicksortComputer hardwareInformation securityStability theoryNumberTerm (mathematics)MereologyDegree (graph theory)Multiplication signPoint (geometry)RandomizationArmComputer iconElectronic signatureEuler anglesWorkstation <Musikinstrument>OctahedronTable (information)SpacetimeTheoryLecture/ConferenceMeeting/Interview
53:11
InternetworkingElectronic signatureTheoryMixed realityLevel (video gaming)NumberCASE <Informatik>Type theoryInformation securityGodSeries (mathematics)Lecture/Conference
54:01
Revision controlOpen sourceNumberSpeichermodellVideo gameCodeLattice (group)Computer hardwareSource codeWhiteboardMoment (mathematics)Normal (geometry)Connected spaceSeries (mathematics)Domain nameArmControl flowNP-hardSimilarity (geometry)Order (biology)Mobile WebShift operatorTouchscreenLecture/Conference
56:32
Roundness (object)Lecture/ConferenceMeeting/InterviewComputer animation
Transcript: English(auto-generated)
00:20
Speaker's way is paved with broken trust zones. He's no stranger to breaking arms equipment or Crypto wallets or basically anything he touches it just dissolves in his fingers he's one of Forbes 30 under 30s in tech and Please give a warm round of applause to Thomas Roth
00:50
That's okay. Wonderful Yeah, welcome to my talk trust on M hardware attacks on arm v8m security features My name is Thomas Roth. You can find me on Twitter. I'm at stack smashing and
01:04
I'm a security researcher consultant and trainer affiliated with a couple of companies and Yeah before we can start I need to to thank some people So first off Josh that go and Dimitri in the just pass off Who've been super helpful and anytime I was stuck somewhere or just wanted some feedback
01:20
They immediately helped me and also Colin O'Flynn who? gave me constant feedback and helped me with some troubles gave me tips and so on and So without these people and many more who paved the way towards this research I wouldn't be here. Also. Thanks to NXP and microchip who I had to work with as part of this talk and it was
01:44
Awesome I had a lot of very bad vendor experience, but these two were really nice to work with Also some prior work, so Colin O'Flynn and Alex Devar Released the paper I guess last year or this year on device power analysis across hardware security domains
02:01
and they basically looked at trust zone from a differential power analysis viewpoint and otherwise trust zone M is pretty new but lots of work has been done on the big and or real trust zone and Also lots and lots of works on fault injection and would be far too much to list here So just Google fault injection and you will see what I mean
02:24
Before we start what is trust zone M? So trust zone M is the small trust zone It's basically a simplified version of the big trust zone that you find on cortex a processors So basically if you have an Android phone Chances are very high that your phone actually runs trust zone and that for example your key store of Android is backed by trust zone and
02:44
Trust zone basically splits the CPU into a secure and a non-secure world And so for example, you can say that a certain peripheral should only be available to the secure world So for example, if you have a crypto accelerator, you might only want to use it in the secure world
03:01
It also if you're wondering what's the difference to an MPU? It also comes with two MPUs. Sorry not MMUs and pews and so last year We gave a talk on Bitcoin wallets And so let's take those as an example on a Bitcoin wallet You often have different apps So for example for a Bitcoin, Dogecoin or Monero and then underneath you have an operating system
03:23
The problem is kind of this operating system is very complex because it has to handle graphics rendering and so on and so forth and Chances are high that it gets compromised and if it gets compromised All your funds are gone and so with trust zone you could basically have a second operating system separated from your
03:42
normal one that handles all the important stuff like firmware update key store attestation and so on and reduces your attack surface and The reason I actually looked at trust zone M is we got a lot of requests for consulting on trust zone M So basically after our talk last year a lot of companies reached out to us and said, okay
04:02
We want to do this but more securely and a lot of them try to use trust zone M for this And so far there's been as far as I know little public research into trust zone M and whether it's Protected against certain types of attacks and we also have companies that start using them as secure chips
04:21
So for example in the automotive industry, I know somebody who was thinking about putting them into car keys I know about some people in the payment industry evaluating this and a set hardware wallets and one of the term the terms that come up again and again is This is a secret chip, but I mean, what is the secret chip without a threat model?
04:42
There's no such thing as a secret chip Because there are so many attacks and you need to have a threat model to understand What are you actually protecting against? So for example a chip might have software features or hardware features that make the software more secure such as annex bit and Swan and so forth and on the other hand you have hardware attacks, for example debug ports side channel attacks and fault injection and
05:08
Often the description of a chip doesn't really tell you What it's protecting you against and often I would even say it's misleading in some cases And so you will see oh, this is a secret chip and you ask marketing and they say yeah
05:22
It has the most modern security features But it doesn't really specify whether they are for example protecting against fault injection attacks or whether they consider this out of scope in this talk We will exclusively look at hardware attacks and more specifically. We will look at fault injection attacks on trust zone M
05:41
And so all of the attacks we're gonna see are Local to the device only you need to have it in your hands and there's no chance normally of remotely exploiting them And yeah, so this will be our agenda we will start with a short introduction of trust on them Which will have a lot of theory on like memory layouts and so on
06:02
We will talk a bit about the fault injection setup and then we will start attacking real chips These three as you will see So on a cortex M processor, you have a flat memory map You don't have a memory management unit and all your peripherals your flash your RAM it's all mapped to a certain address and in memory and trust zone M allows you to partition your flash or your RAM into
06:26
secure and non-secure parts And so for example, you could have a tiny secure area because your secure code is very small and a big non-secure area The same is true for RAM and also for the peripherals So for example, if you have a display and crypto engine and so on
06:42
you can decide whether these peripherals should be secure or non-secure and So let's talk about these two security states secure and non-secure Well, if you have code running in secure flash or you have secure code running it can call anywhere into the non-secure world It's basically the highest privilege level you can have and so there's no
07:05
protection there However, the opposite if we try to go from the non-secure world into the secure world would be insecure because for example you could jump to the parts of the code that are behind certain protections and so on and So that's why if you try to jump from non-secure code into secure code, it will cause an exception
07:25
And to handle that there's a third memory state which is called non-secure callable and as the name applies Basically, your non-secure code can call into the non-secure callable code More specifically it can only call to non-secure callable code
07:42
Addresses where there's an SG instruction which stands for secure gateway And the idea behind the secret gateway is that if you have a non-secure kernel running You probably also have a secure kernel running and somehow this secure kernel will expose certain system calls For example, and so we want to somehow call from the non-secure kernel into these the system calls
08:07
But as I've just mentioned we can't do that because This will unfortunately cause an exception and so the way this is handled on TrustZone M is that you create so-called secure gateway veneer functions These are very short functions in the non-secure callable area
08:23
And so if we want for example to call the load key system call we would call the load key veneer function Which in turn would call the real load key function and these veneer functions are super short So if you look at this assembly of them, it's like two instructions
08:40
It's a secret gateway instruction and then a branch instruction towards your real function And so if we combine this we end up with this With this diagram secure can call into non-secure non-secure can call into NSC and NSC can call into the secure word But how do we manage these memory states, how do we know
09:03
What security status and address have and so for this in TrustZone M we use something called attribution units and There by default there are two attribution units available The first one is the SAU the security attribution unit, which is standard across chips
09:20
It's basically defined by ARM how you use this and then there's the IDAU the Implementation defined attribution unit, which is basically custom to the silicon vendor, but can also be the same across several chips and To get the security state of an address the security attribution of both the SAU and the IDAU are combined and
09:46
Whichever one has the higher privilege level will basically win And so let's say our SAU says this address is secure and our IDAU says this address is non-secure the SAU wins because it's the highest privilege level and
10:02
Basically, our address will be considered secure This is a short table if both the SAU and the IDAU agree We will be non-secure if both say hey, this is secure. It will be secure However, if they disagree and the SAU says hey this address is secure the IDAU says it's non-secure
10:22
It will still be secure because secure is the higher privilege level the opposite is true and with even with non-secure callable secure is more privileged than NSC and so a secure will win, but if we mix NS and NSC we get non-secure callable Okay, my initial hypothesis when I read all of this was if we break or disable the attribution units
10:46
we probably break the security So to break these we have to understand them and so let's look at the SAU the security attribution unit It's standardized by ARM It's not available on all chips and it basically allows you to create memory regions with different security states
11:05
So for example, if the SAU is turned off Everything will be considered secure and if we turn it on but no regions are configured Still everything will be secure. We can then go and add for example Address ranges and make them NSC or non-secure and so on and this is done very very easily
11:25
you basically have these five registers you have the SAU control register Where you basically can turn it on and off you have the SAU type which gives you the number of supported regions on your platform because this can be different across different chips and
11:41
Then we have the region number register Which you use to select the region you want to configure and then you set the base address and the limit address and that's basically it So for example, if we want to set region 0 we simply set the RNR register to 0 Then we set the base address to 0x1000 We set the limit address to 0x1FE0
12:04
which is identical to 1FFF because there are some other bits behind there that we don't care about right now and then we turn on the security attribution unit and now Our memory range is marked as secure if you want to create a second region. We simply change RNR to for example 1
12:23
Again insert some nice addresses turn on the SAU and we have a second region this time from 4000 to 5FFF So to summarize we have three memory security states We have S secure and we have NSC non-secure callable and we have NS non-secure
12:42
We also have the two attribution units the SAU Standard by arm and the IDAU which is potentially custom We will use SAU and IDAU a lot. So this was very important Cool, let's talk about fault injection. So as I've mentioned
13:02
we want to use fault injection to compromise trust zone and The idea behind fault injection or as it's also called glitching is to introduce faults into your chip So for example, you cut the power for a very short amount of time Or you change the period of the clock signal or even you could go and inject the electromagnetic shocks in your chip
13:22
you can also shoot at it with a laser and so on and so forth lots of ways to do this and The goal of this is to cause undefined behavior. And in this talk we will specifically look at something called voltage glitching and so the behind the idea behind voltage glitching is That we cut the power to the chip for a very very short amount of time at a very precisely timed moment
13:46
And this will cause some interesting behavior. So basically if you Would look at this on an on an oscilloscope We would basically have a stable voltage stable voltage stable voltage and then suddenly it drops and immediately returns and
14:04
This drop will only be a couple of nanoseconds long And so for example, you can have glitches that are 10 nanoseconds long or 15 nanoseconds long and so on Depends on your chip and yeah, and this allows you to do different things
14:20
So for example a glitch can allow you to skip instructions It can corrupt flash reads or flash writes. It can corrupt memory register or register reads and writes and skipping instructions for me is always the most interesting one because It allows you to directly go from disassembly to understanding what you can potentially jump over
14:43
So for example, if we have some code This would be a basic firmware boot up code. We have an initialized device function Then we have a function that basically verifies the firmware that's in flash And then we have this boolean check whether our firmware is valid and now if we glitch at just the right time
15:03
We might be able to glitch over this check and boot our potentially compromised firmware Which is Super nice. So how does this relate trust zone to trust zone? Well if we Manage to glitch over enable trust zone. We might be able
15:21
to break trust zone So, um, how do you actually do this? Well, we need something to wait for a certain delay and generate a pulse at just the right time With very high precision. We're talking about nanoseconds here And we also need something to drop the power to the target And so if you need precise timing and so on what's what works very well is an fpga
15:45
And so for example the code that i'll release as part of this all runs on the lattice i stick Which is roughly 30 bucks and you need a cheap mosfet and so together this is like 31 dollars of equipment And on a setup site this looks something like this you would have your fpga which has a trigger input
16:05
And so for example, if you want to glitch something during the boot up of a chip You could connect this to the reset line of the chip And then we have an output for the glitch pulse and then if we hook this all up we basically have our power supply To the chip run over a mosfet and then if the glitch pulse goes high
16:24
We drop the power to ground and the chip doesn't get power for a couple of nanoseconds Let's talk about this power supply because a chip Has a lot of different things inside of it. So for example a microcontroller
16:41
Has a cpu core we have a wi-fi peripheral we have gpio. We might have bluetooth and so on and Often these peripherals run at different voltages and so while our microcontroller might just have a 3.3 volt input Internally, there are a lot of different voltages at play And the way these voltages are generated often is using in-chip regulators
17:05
And basically these regulators connect to the 3.3 voltage in And then generate the different voltages for the cpu core and so on But what's nice is that on a lot of chips there are behind the core regulator so-called bypass capacitors and these external capacitors
17:23
Are basically there to stabilize the voltage because regulators tend to have a very noisy output and you use the capacitor To make it more smooth But if you look at this this also gives us direct access to the cpu core power supply And so if we just take a heat gun and remove the capacitor
17:41
We actually kind of changed the pin out of the processor because now we have a 3.3 voltage in We have a point to input the core voltage And we have ground so we basically gained direct access to the internal cpu core voltage rails The only problem is these capacitors are there for a reason and so if we remove them then your chip might stop working
18:05
But very easy solution you just hook up a power supply to it set it to 1.2 volts or whatever And then suddenly it works and this also allows you to glitch very easily you just Glitch on your power rail towards the chip
18:20
and so This is our current setup. So we have the lattice i stick We also use a multiplexer as an analog switch to cut the power to the entire device if we want to reboot everything We have a mosfet and we have a power supply now hooking this all up on a breadboard is fun the first time It's okay the second time
18:42
But the third time it begins to really really suck and as soon as something breaks with like a hundred jumper wires on your desk The only way to debug is is to start over and so that's why I decided to Design a small hardware platform that combines all of these things. So it has an fpga on it. It has
19:00
Analog input and it has a lot of glitch circuitry and it's called the mark 11 if you've read william gibson You might know where this is from And it contains a lattice ice 40 which is which has a fully open source tool chain Thanks to cliff evolve and so on and this allows us to very very quickly
19:20
Develop new triggers develop new glitch code and so on and it makes compilation and everything really really fast It also comes with three integrated power supplies So we have a 1.2 volt power supply 3.3 5 volts and so on and you can use it for a dpa And this is based around some existing devices. So for example, the fpga part is based on the one bit squared ice breaker
19:45
The analog front end thanks to colin o'flinn is based on the chip whisperer nano And then the glitch circuit is basically what we've been using on breadboards for quite a while Just combined on a single device And so unfortunately as always with hardware production takes longer than you might assume
20:03
But if you drop me a message on twitter, i'm happy to send you a pcb as soon as they work Well, and the bomb is around 50 bucks Cool. So now that we are ready to To actually attack chips. Let's look at an example So the very first chip that I encountered that used trust on m was the microchip seml 11
20:25
And so this chip was released in june 2018 And it's kind of a small slow chip. It runs at 32 megahertz It has up to 64 kilobytes of flash and 16 kilobytes of s ram, but it's super cheap. It's like one dollar eighty
20:43
At quantity one and so it's really nice really affordable and we had people come up to us and suggest hey I want to build a tpm on top of this or I want to build A hardware wallet on top of this and so on and so forth. And if we look at the website of this chip
21:00
It has a lot of security in it So it's the best contribution to iot security winner of 2018 and if you just type secure into The word search you get like 57 hits. So this chip is 57 secure and
21:20
And even on the website itself you have like chip level security and then if you look at the further descriptions you have robust chip level security include chip level temper resistance active shield protects against physical attacks and resists micro probing attacks And even in the data sheet where I got really worried was because I said I do a lot with the core voltage
21:43
The brown it has a brownout detector that has been calibrated in production and must not be changed and so on Yeah, to be fair when I talk to my microchip They mentioned that they absolutely want to communicate that this chip is not hardened against hardware attacks
22:01
But I can see how somebody who looks at this would get the wrong impression given All the terms and so on Anyway, so let's talk about the trust zone in this chip. So the seml11 does not have a secure security attribution unit Instead it only has the implementation defined attribution unit and the configuration for this implementation defined attribution unit
22:24
Is stored in the user row, which is basically the configuration flash It's also called fuses in the data sheet sometimes, but it's really I think it's flash based I haven't checked but I i'm pretty sure it is because you can read it write it change it and so on And then the idau once you've configured it
22:41
Will be configured by the boot rom During the start of the chip and The idea behind the idau is that all your flash is partitioned into two parts. You have the bootloader part and the application part And both of these can be split into secure Non-secure callable and non-secure so you can have a bootloader a secure and a non-secure one
23:05
And you can have an application a secure and non-secure one And the size of these regions is controlled by these five registers and for example if we want to change Our non-secure application to be bigger and make our cq application a bit smaller We just fill it with these registers and the sizes will adjust and the same with the bootloader
23:26
So this is pretty simple How do we attack it My goal initially was I want to somehow read data from the secure world While running code in the non-secure world So jump the security gap my code in non-secure should be able to for example extract keys from the secure world and
23:46
My attack path for that was well, I glitched the bootrom code that loads the idau configuration But before we can actually do this we need to understand is this chip actually glitchable and can we Is it susceptible to glitches or do we immediately get?
24:03
Get thrown out and so I used a very simple setup where I just had a firmware and tried to glitch out of a loop and enable an led And I had success in less than five minutes and super stable glitches almost immediately Like when I saw this I was 100 sure that I messed up my setup or that the compiler optimized out my loop
24:24
Or that I did something wrong because I never glitched the chip in five minutes And so this was pretty awesome, but I also spent another two hours verifying my setup so Okay, cool. We know the chip is glitchable. So let's glitch it
24:43
What do we glitch? Well if we think about it Somewhere during the bootrom these registers are read from flash and then Some hardware is somehow configured We don't know how because we can't dump the bootrom We don't know what's going on in the chip and the data sheet has a lot of pages and i'm a millennial so
25:04
I read what I have to read and that's it But my basically my basic idea is if we somehow manage to glitch the point where it tries to read the value of the as register We might be able to set it to zero because most chip peripherals will initialize to zero
25:20
And if we glitch over the instruction that reads as Maybe we can make our non-secure application bigger so that we that actually we can read the secure application data Because now it's considered non-secure but problem one the bootrom is not dumpable so we cannot just disassemble it and figure out when does it roughly do this and
25:48
The problem too is that we don't know when exactly this reader cures and our glitch needs to be instruction precise We need to hit just right instruction to make this work and the solution is brute force, but I mean like
26:03
Nobody has time for that, right? So if the chip boots for two milliseconds, that's a long range where you have to search for glitches And so very easy solution power analysis and it turns out that for example risk here has done this before where basically they They try to figure out where in time a jtech lock is set by comparing the power
26:25
consumption and so the idea is We basically write different values to the as register then we collect a lot of power traces And then we look for the differences And this is relatively simple to do if you have a chip whisperer. So
26:42
This was my rough setup. So we we just have the chip whisperer light We have a breakout with the chip. We want to attack and a programmer And then we basically collect a couple of traces and in my case even just 20 traces are enough Which takes I don't know like half a second to run and if you have 20 traces in unsecured
27:03
In unsecured mode 20 traces in secure mode and you compare them You can see that there are clear differences in the power consumption starting at a certain point And so I wrote a script that does some more statistics on it and so on And that basically told me the best glitch candidate starts at 2.18
27:21
Milliseconds and this needs to be so precise because as I said, we're in the milli and the nanosecond range And so we want to make sure that That we had the right point in time now How do you actually? configure how do you build this setup where basically you you You get a success indication once you broke this for this I needed to write a firmware that basically
27:46
attempts to read secure data And then if it's successful enables the GPIO and if it fails it does nothing and I just reset and try again And so I know I knew my rough delay and I was triggering of the reset of the chip
28:00
Then I just tried any delay after it and tried different glitch pulse length and so on And eventually I had a success and these glitches You will see with the glitcher. We released a while back Is are super easy to write because all you have is like 20 lines of python you basically
28:20
Set up a loop delay from delay to You set up the pulse length You trade over a range of pulses and then in this case you just check whether your GPIO is high or low That's all it takes and then once you have this running in a stable fashion. It's amazing how fast it works So this is now a recorded video of a live glitch of a real glitch basically
28:43
And you can see we have like 20 attempts per second And after a couple of seconds, we actually get a success indication We just broke a chip sweet But one thing I moved to a part of germany to the very south. It's called the Schwabenland
29:05
And I mean 60 bucks we are known to be very cheap and 60 bucks translates to like six beers at octoberfest Just to convert this to the local currency. That's like 60 club mater
29:22
Unacceptable we need to go cheaper much cheaper And so What if we take a chip That's 57 secure And we try to break it with the smallest chip
29:41
And so this is an 80 tiny which costs like I don't know a euro or two euro We combine it with a mosfet to keep the comparison that's roughly three club mater And we hook it all up on a jumper board and turns up this works like you can have a relatively stable glitch Glitcher with like 120 lines of assembly running on the 80 tiny
30:03
And this will glitch your chip successfully and can break trust zone on the semele 11 The problem is chips are very complex and it's always very hard to do an attack on a chip that you configured yourself Because as you will see chances are very high that you messed up the configuration And for example missed the security bit forgot to set something and so on and so forth
30:25
But luckily in the case of the seml 11 There's a version of this chip which is already configured and only ships in non-secure mode And so this is called the seml 11 kph And so it comes pre-provisioned with a key
30:41
And it comes pre-provisioned with a trusted execution environment already loaded into the secure part of the chips And it ships completely secured and the customer can write and debug non-secure code only and also you can download the sdk for it And write your own trustlets and so on but I couldn't because it requires you to agree to their terms and conditions. So
31:04
Which exclude reverse engineering so no chance, unfortunately But anyway, this is the perfect example to test our attack you can buy these chips on digikey And then try to break into the secure world because these chips are hopefully decently secured and have everything set up and so on
31:22
And yeah, so this was the setup We designed our own breakout board for the semele 11 which makes it a bit more accessible Has jtech and has no capacitors in the way so you get access to all the core Voltages and so on and you have the fpga on the top left the super cheap 20 bucks our power supply
31:42
And a programmer and then we just implemented a simple function That uses openocd to try to read an address that we normally can't read. So we basically We glitch then we start openocd which uses the jtech adapter to try to read secure memory
32:01
and so Hooked it all up wrote a nice script and let it rip and so After a while or well a couple of seconds immediately again got successful Got a successful attack on the chip and more and more and you can see just how Stable you can get these glitches and how well you can attack this
32:24
Yeah, so sweet hacked we can compromise the root of trust and the trust execution environment And this is perfect for supply chain attacks, right because if you can Compromise a part of the chip that the customer will not be able to access. He will never find you
32:42
But the problem with supply chain attacks is they're pretty hard to scale and they're only for sophisticated actors Normally and far too expensive is what most people will tell you except if you hack the distributor And so as I guess last year or or this year, I don't know I actually found the vulnerability in digi key
33:04
Which allowed me to access any invoice on digi key including the credentials you need to actually change the invoice and so basically the The buck is that they did not check when you when you basically requested an invoice They did not check whether you actually had permission to access it
33:22
And you have the web access id on top and the Invoice number and that's all you need to call digi key and change the delivery basically and so This also is all data that you need to reroute the shipment I disclosed this it's fixed. It's been fixed again afterwards and now hopefully this should be fine. So I feel good to talk about it
33:45
And so let's walk through a scenario. So we have eve and we have digi key And eve builds this new super sophisticated iot toilet and she needs a secret chip So she goes to digi key and orders some seml 11 kphs
34:02
And her meloree meloree scans all new invoices on digi key and as soon as somebody orders a seml 11 They talk to digi key via the api or via phone call to change the delivery address and because you know Who the chips are going to you can actually target this very very well
34:22
So now the chips get delivered to meloree meloree back to us the chips and then Sense the backward chips to eve who's none the wiser because it's the same career. It's the same It looks the same you have to be very very mindful of these types of attack to actually recognize them and even if they open the chips and they
34:42
Sorry, they open the package and they try the chip they scan everything they can scan The backdoor will be in the in a part of the chip that they cannot access and so we just supply chain attacked Whoever using a ups envelope basically so
35:00
Yeah Interesting attack fine vector. So I talked to microchip and it's been great. They've been super nice It was really a pleasure. I also talked to trust tonic who Who were very open to this and wanted to understand it and so it was great and they Explicitly state that this chip only protects against software attacks while it has some hardware features
35:24
Like temporary system ram it is not built to withstand fault injection attacks And even if you if you compare now different revisions of the data sheet You can see that as some data sheets the early ones like mentioned some fault injection resistance And it's now gone from the data sheet
35:41
and they are also asking for feedback on making it more clear what this chip protects against which I think is a It's a noble goal because we all know marketing Versus technicians is always an interesting fight. Let's say Cool, um first chip broken time for the next one, right?
36:00
So the next trip I looked at was the most the nouveau ton new micro m2351 rolls of the tongue It's a cortex m23 processor It has trust zone m and I was super excited because this finally has an sau a security attribution unit And an idau and also I talked to the marketing it explicitly protects against fault injection
36:25
So that's awesome I was excited. Let's see how that turns out Let's briefly talk about the trust zone in the nouveau township So as i've mentioned before The sau if it's turned off
36:41
Or turned on without regions Will be to fully secure and no matter what the idau is the most privileged level always wins And so if our entire security attribution unit is secure Our final security state will also be secure And so if we now add some small regions the final state will also have the small non-secure regions
37:03
and I mean I saw this Looked at how this this code works and you can see that at the very bottom sau control is set to one Simple right we glitch over the sau enabling and all our code will be secure and we'll just run our code in secure mode
37:21
No problem Is what I thought And and so basically the secure bootloader starts execution of non-secure code We disable the sau by glitching over the instruction and now everything is secure. So our code runs in a secure world. It's easy except
37:40
Read the fucking manual So it turns out these thousands of pages of documentation actually contain useful information and You need a special instruction to transition from secure to non-secure state which is called blxns which stands for branch optionally linked and exchanged to non-secure
38:04
This is exactly made to prevent this it prevents Accidentally jumping into non-secure code. It will cause a secure fault if you try to do it and What's interesting is that? Even if you if you use this instruction, it will not always transition
38:20
The state it depends on the last bit in the destination address whether the state is transitioned And the way the bootloader will actually get its addresses it jumps to is from what's called the reset table Which is basically where your reset handlers are where your stack pointer Your initial stack pointer is and so on and you will notice that the last bit is always set
38:43
And if the last bit is set it will jump to secure code. So somehow they manage to branch to this address And run it into non-secure. And so how do they do this? They use an explicit bit clear instruction What do we know about instructions? We can glitch over them
39:02
And so basically we can with two glitches we can glitch over the sau Control enable now our entire memory is secure And then we glitch over the bit clear instruction And then branch linked x non-secure Again rolls of the tongue
39:22
Will run secure code and now our normal word code is running in secure mode The problem is works, but it's very hard to get stable So, I mean this was I somehow got it working, but it was not very stable and it was a big pain to to actually Make use of so I wanted a different vulnerability
39:42
And I read up on the implementation defined attribution unit of the M2351 And it turns out that each flash ram peripheral and so on is mapped twice into memory and so basically Once as secure as the address 0x2000 and once as non-secure at the address 0x3000
40:05
And so you have the you have the flash twice and you have the The RAM twice this is super important This is the same memory And so I came up with an attack that I call crow arbor because uh vulnerability basically doesn't exist if it doesn't have a fancy name
40:26
and The basic point of this is that the security of the system relies on the region configuration of the sau What if we glitch this initialization combined with this idea you? layout again
40:40
The idea you mirrors the memory has it once as secure and once as non-secure Now let's say we have at the very bottom of our flash. We have a secret which is in the secure area It will also be in the mirror of this memory, but again because our sau Configuration is fine It will not be accessible
41:02
By the non-secure region. However, the start of this non-secure area is configured by the arbor register And so maybe if we glitch this Arbar being set we can increase the size of the non-secure area And if you check the arm documentation on the arbor register the reset value state of this register is unknown
41:23
So unfortunately, it doesn't just say zero But I tried this on all chips I had access to and it's zero on all chips I tested and so now what we can do is we glitch over this arbor and now our final security state Will be bigger and our secure code is still running in the bottom half
41:41
But then the jump into non-secure will also give us access to the secret And it works We get a fully stable glitch takes roughly 30 seconds to bypass it I should mention that this is what I think happens All I know is that I inject the glitch and I can read the secret. I cannot tell you exactly what happens
42:02
Well, this is the best interpretation I have so far. So woohoo, we have an attack with a cool name And so I looked at another chip called the NXP LPC55S69 And this one has two Cortex M33 cores one of which has TrustZone M
42:22
The IDAU and the oval TrustZone layout seem to be very similar to the new micro And I got the dual glitch attack working and also the crow arbor attack working and The vendor response was amazing like holy crap, they called me and wanted to fully understand it
42:41
They reproduced it. They got me on the phone with an expert And the expert was super nice. But what what he said came down to was RTFM But again, this is a long document but it turns out that the example code did not enable a certain security feature and this security feature is
43:01
Helpfully named miscellaneous control register, basically Which stands for secure control register obviously and This register has A bit if you set it it enables secure checking
43:23
And if I read just a couple of sentences further when I read about the TrustZone on the chip, I would have actually seen this but Millennial, sorry Yeah, and so what this enables is called the memory protection checkers And this is an additional memory security check that gives you finer control over the memory layout
43:43
and so it basically checks if the attribution unit security state is identical with the Memory protection checker security state and so for example if our attack code tries to access memory The MPC will check whether this was really a valid Request so to say and stop you if you are unlucky as I was
44:06
But turns out it's it's glitchable, but it's much much harder to glitch and you need multiple glitches and The vendor response was awesome. They're also as I heard working on improving the documentation for for this so Yeah
44:21
super cool, but still like it's not a full protection against glitching but it gives you certain security and I think that's pretty awesome before we finish Is everything broken? No, these chips are not insecure. They are not protected against a very specific attack scenario
44:41
And align the chips that you want to use with your threat model if fault injection is part of your threat model So for example, you're building a car key Maybe you should protect against glitching if you're building a hardware wallet. Definitely you should protect against glitching Thank you Also, by the way, if you want to play with some awesome fault injection equipment
45:01
I have an emfi glitcher with me and so on so just hit me up on twitter and i'm happy to Show it to you. So thanks a lot Thank you very much. Thomas
45:21
We do have an awesome 15 minutes for q and a so if you line up we have three microphones microphone number three Actually has an induction loop. So if you're hearing impaired and have a suitable device you can go to microphone three and actually Hear the answer And we're starting off with our signal angel with questions from the internet
45:42
Hello internet Hello Are you away? Are you aware of the st's cortex m4 firewall and can you research be somehow related to it? Or maybe do you have plans to explore it in the future? I so yes, i'm very aware of the stm32 f4
46:00
If you watched our talk last year at ccc called wallet fail We actually exploited the sister chip the stm32 f2 The f4 has this this strange firewall thing which feels very similar to trust zone m However, I cannot yet share any research related to that chip Unfortunately, sorry. Thank you microphone number one, please
46:24
I'm just thought hello I'm, just wondering have you tried to replicate this attack on multi-core CPUs with higher frequency? Such like 2g cars and or if not, how would you go about that? So, um, I have not because there there are no trust zone m chips with this frequency
46:44
However, people have done it on mobile phones and other equipment. So for example Yeah, there's there are a lot of materials on glitching higher frequency stuff But yeah, it will get expensive really quickly because a scope the way you can even see a two gigahertz clock
47:01
That's a nice car on oscilloscope Microphone number two, please. Thank you for your talk Is the veneer functionality to go from a non-secure to secure area are there? same says Defined functionalities or are the preparatory libraries from nxp or other so the the veneer stuff is standard
47:23
And you will find arm documents basically recommending you to do this But all the tool chains for example the the one for the semeleven will generate the veneers for you And so I have to be honest. I have not looked at how exactly they're generated However, I did some rust stuff to play around with it. And yeah, it's relatively simple for the toolchain and it's standard. So
47:47
The signal angel is signaling Yeah, that's not a question from the internet But for me and I wanted to know how important is the hardware security in comparison to the software security? Because you cannot hack these devices without having physical access to them except of this supply chain attack
48:07
Exactly, and um that depends on your threat model. So the that's basically If you build a door if you build a hardware wallet You want to have hardware protection because somebody can steal it potentially very easily and the more and if you for example
48:21
Look at your phone. You probably Maybe don't want to have anyone at customs be able to immediately break into your phone And that's another point where hardware security is very important and there's With a car key. It's the same if you rent a car you hopefully the car rental company doesn't want you to copy the the uh the key and interestingly the probably one of the most protected things in your home is your printer cartridge because
48:46
I can tell you that the vendor invests a lot of money into you not being able to clone The printer cartridge and so there are a lot of cases where it's maybe not the user who wants to protect against hardware attacks But it's the vendor who wants to protect against it
49:01
Microphone number one, please So, uh, thank you again for the amazing talk. Thank you Um, you mentioned higher order attacks, uh, I think twice and for the second chip You actually said you you broke it with two, uh glitches two exploitable glitches Yes, so, um, what did you do to reduce the search space or did you just search over the entire space?
49:20
So the nice thing about these chips is that you can actually you can If you have a security attribution unit, you can decide when you turn it on because you can just So I had a gpo go go up Then I enabled the sau And then I had my search space very small because I knew it would be just after I pushed pulled up the gpo
49:42
And so I was able to very precisely time where I glitch And I was able because I wrote the code basically that does it I could Almost count on the oscilloscope which instruction i'm hitting All right. Thank you Next question from microphone number two, please. Yeah. Thank you for the talk I was just wondering if the vendor was to include the capacitor directly on the die how
50:04
Fixed would you consider it to be? Um, so against voltage glitching it might help it depends but for example on a recent ship We just used a negative voltage to suck out the power from the capacitor And also you will have emfi glitching as a possibility and emfi glitching is awesome because you don't even have to solder you just
50:26
Basically put a small coil on top of your chip and inject the voltage directly into it behind any of the capacitors and and so on So it it helps but it's not a often it's not done for security reasons. Let's say
50:41
Next question again from our signal angel Did you get to use your your own custom hardware to help you Uh, I partially the part that worked Is the summary Microphone number one, please. Hi. Uh, thanks for the interesting talk
51:02
all these vendors pretty much said This sort of attack is sort of not really in scope for what they're doing Yes, are you aware of anyone like in this sort of category of chip actually doing anything against Glitching attacks not in this category, but there are secure elements that explicitly protect against it
51:21
A big problem with researching those is that it's also to a large degree security by nda At least for me because I have no idea what's going on. I can't buy one to play around with it And so I can't tell you how good these are But I know from some friends that there are some chips that are very good at protecting against glitches and
51:41
Apparently the term you need to look for is called glitch monitor And if you see that in the data sheet that tells you that they at least thought about it microphone number two, please So, uh, what about the brown or detection added microchip? Say why it didn't catch your glitching attempts
52:01
It's not made to glitch add to to catch glitching attacks. Basically a brown detector is mainly there to keep your chip stable And so for example, if your supply voltage drops you want to make sure that you notice and don't accidentally glitch yourself So for example if it if it's running on a battery and your battery goes empty you want your chip to run stable stable stable
52:23
Off and that's the idea behind a brown out detector is my understanding but uh, yeah They are not made to be fast enough to catch glitching attacks Do we have any more questions from the hall?
52:40
Yes, where you um, thank you for your amazing talk. Um You have shown that it gets very complicated if you have two consecutive glitches So wouldn't it be an easy protection to just do the stuff twice or three times? And maybe randomize it would would you consider this then impossible to be glitched so
53:03
Adding randomization to the point in time where you enable it helps but then you can trigger off the power consumption and so on And I should add I only try to to trigger once and then use just a simple delay But in theory if you do it twice, you could also glitch on the power consumption signature and so on So it might help but somebody very motivated will still be able to do it probably
53:26
Okay, we have another question from the internet Is there a mitigation for such a tag that I can do on PCB level or it can be addressed only on chip level only on chip level because if you have a heat gun you just pull the chip off and do it in
53:42
In a socket or if you do emfi glitching, you don't even have to touch the chip You just go over it with the coil and inject directly into the chip So the chip needs to be secured against this type of stuff or you can add A temper protection case around your your chip. So yeah
54:00
Another question from microphone number one So I was wondering if you've heard anything or nothing about the stm32l5 series I've heard a lot. I've seen nothing so Yes, i've heard about it, but it doesn't ship yet as far as I know we are all eagerly awaiting it Thank you
54:20
Microphone number two, please. Hey, very good talk. Thank you Um, do you will you release all the hardware design of the board on the script? Yes Is there anything already available even if I understood it's not all finished. Yes. So on chip.fail They are dot fail domains. It's awesome. Chip.fail has the source code to
54:42
Our glitcher i've also ported it to the lattice and I need to push that hopefully in the next few days But then all the hardware will be open sourced Also because it's based on open source hardware and yeah not not planning to make any money or anything Using it. It's just to make life easier
55:01
microphone number two, please So you said already you don't really know what happens at the exact moment of the glitch and You were lucky that you uh that you skipped an instruction maybe Do you have Yes a feeling what is happening in inside the chip at the moment of the glitch so
55:26
I asked this precise question what exactly happens to Multiple people I got multiple answers But basically my my understanding is that you basically pull the voltage that it needs to set for example a register
55:42
but I'm It's absolutely out of my domain to give an educated comment on this. I'm a breaker unfortunately not a maker when it comes to chips microphone number two, please Okay. Thank you Uh, you said a lot of the uh chip attack. Can you tell something about jtech attacks?
56:04
So I just have a connection to jtech Yeah, so, um, for example the attack on the kph version of the chip was basically a jtech attack I used jtech to read out the chip, but I did have jtech in normal world However, it's possible on most on on a lot of chips to re-enable jtech even if it's locked and
56:26
For example again referencing last year's talk we were able to re-enable jtech on the stm32 f2 And I would assume something similar as possible on this chip as well But I haven't tried Are there any more questions we still have
56:44
a few minutes I guess not well a big warm round of applause for thomas