Glitching and Side-Channel Analysis for All

Video in TIB AV-Portal: Glitching and Side-Channel Analysis for All

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

The super-cool area of side-channel power analysis and glitching attacks are devious methods of breaking embedded devices. Recent presentations (such as at RECON 2014) have shown that these attacks are possible even with lower-cost hardware, but it still requires a fair amount of hardware setup and experimentation. But we can do better. This presentation sums up the most recent advances in the open-source ChipWhisperer project, which aims to bring side-channel power analysis and fault injection into a wider realm than ever before. It provides an open-source base for experimentation in this field. The ChipWhisperer project won 2nd place in the Hackaday Prize in 2014, and in 2015 an even lower-cost version of the hardware was released, costing approximately $200. Attacks on real physical devices are demonstrated, including AES peripherals in microcontrollers, Raspberry Pi devices, and more. All of the attacks can be replicated with standard lab equipment – the demos here will use the open-source ChipWhisperer hardware, but it's not required for your experimentation.
So it'll take a second when I switch for undoing the damage merit but picture sticking around for the your it for a second year. So you find this interesting, learn a little bit about the more hardware-hacking-level stuff. In particular I'll be talking about side-channel power analysis and glitching. So very quickly I'm
going to review what side-channel power analysis is. In previous presentations we have gone over this in a lot more detail, so this is going to be the super-abridged version of that sort of talk. I'm not going to go over every little detail of how the theory works; there are the previous talks if you're interested in that. Then the two examples where you can use side-channel power analysis on real targets, and after that I'll pretty briefly cover what glitching is and show an example of doing glitching against a Raspberry Pi and embedded Linux. All right, so right now I'm doing a PhD at Dalhousie, which is in Halifax, Canada. As part of that I designed this open-source project called ChipWhisperer, and it's gone through a few different iterations, and the most recent iteration is the one I'm talking about, the ChipWhisperer-Lite. I spun out a company to help commercialize that, but it's a completely open-source project where everything's open. But it's a little like the talk before the previous one, the one-man writing crappy code thing, very much the same, to the point that I learned Python during this project, so the early code is a lot sketchier and in the later code you can see the progression. at below at the and so on a chat with this little bit of various black that's the we call last year there's of an earlier version in albeit DEF CON in black and in this year's review their in 100. All right, so what is side-channel power analysis? Very briefly, what you need to do this is some sort of device. So we have the crypto device, and that device in the center is, you know, whatever algorithm we're interested in, so it could be AES, some sort of symmetric algorithm, or something else. But we also have to have either the input or the output, it doesn't matter which; we'll need both and we'll have to control that; we have to be able to see what one of those pieces of data is, or be able to determine it. So this is AES, for example AES-128, and we would have to know, you know, the plaintext is what I'll be using, but it also has to be operating
with the secret key loaded, so that's sort of one of the other critical things. So you can't use side-channel power analysis if you have a hard drive sitting on a table that's not encrypting or decrypting; this won't work against that sort of target. If you have, you know, a self-encrypting drive, if you can do these measurements while the drive is encrypting and decrypting, it's a viable attack vector. So that's the only caveat: you have to understand what it is. It's not just a magical attack against encryption; it's very specifically an attack against implementations when they're doing specific work. The super-fast description of how it works is that if you look inside a digital device you have something like 80 bus lines. These are, you know, the data bus lines, and the data bus lines are just long wires. These long wires you can sort of, um, simulate, you know, view them as just capacitors: the long wire has a capacitance, and to change the voltage on the capacitor takes physical power. So the change from a 0 to a 1 takes a tiny amount of charge. And if we look in the chip, so here I have two data lines, and the lines always switch on the clock. If the data lines switch from 0 to 1, it takes, you know, power to do it; once they're switching up you see this spike in power you can see on the screen. And then later on, for example, the lines switch low. I'm only looking at power consumed from one of the power rails, and these switch low, so it doesn't take any power from the positive rail, so you don't see that spike. So the idea is that there's some linear relationship between power consumption and the number of bits set to 1 on the data bus, and this is real, it's not simply go it
kind of works locally. This is a measurement I did on a small 8-bit microcontroller, and along the bottom is what they call Hamming weight, so this is the number of bits set to 1, so from no bits set to 1 to all bits set to 1. And on this axis is the current consumed by the device; it's a measurement related to the current, so it's not directly in milliamps or something, but you can see there's a very beautiful linear relationship. Why this is useful
to us is if we look at a lot of algorithms, so again going back to AES, it's a 128-bit key, so we can guess the key any way we want, but what we could look at is, we say, well, it operates on one byte at a time. And if we just concentrate on one little section of the algorithm, so I just sort of drew this rectangle around that section there, what the power analysis will tell us is that we're going to look just at, say, this point in the algorithm, where you look at the data at that output here. So we're only looking at one byte of the key, in one spot. If we could figure out, you know, based on the power analysis, that there are 4 bits set when I put in a plaintext of AB, 0xAB, then the only way we get 4 bits set is if the key is some other byte, and in reality we'll of course get a number of possible candidate bytes for that key. So we could send another piece of plaintext, and with this other byte of plaintext there are 2 bits set at an intermediate value. We know all about how the algorithm works, so we can narrow down what that byte of the key is. So the point is that we're doing this guess-and-check on a single byte of the key, and we do it 16 times in a row, so it's just 2 to the 8 guesses, 16 times, so it's very tractable. And to do the
measurement of the power, all you really need is something like an oscilloscope, um, or something that is capable of measuring the power. I have my own custom hardware to do this, but this is just an off-the-shelf USB scope, and I have a device that is running whatever encryption example I'm interested in, so that's a board that has a chip running, you know, some program using encryption, and that's really all that's involved in the attacks, all you require. So to help simplify this, what
I had shown last year, I did this ChipWhisperer project. It's designed to be a combination of the hardware, which is to replace the oscilloscope, so doing the power measurement side, as well as a board for programming, so, you know, if you want to analyze, say, an AES library, you program it into the board and do the measurements. You can of course target physical devices also, some examples of that. Last year it was in 2nd place in the Hackaday Prize in 2014, and
that version of the hardware was then sold as a security analysis tool, so again all open-source hardware and software. And to make it even more accessible, so the problem with this is that it was still a bit fiddly and a little bit more expensive, like fifteen hundred dollars, and we really need to push it to the point that all people know about this that might have to design these products or look at the security of products. And so it was on a Kickstarter for, at the Kickstarter, 200
US dollars, for the ChipWhisperer-Lite board, and it's doing almost the same thing. So it has a section of the board that is, um, the target device, so this is the it's an analog to make the program with whatever library you want, and then there's a portion of the board that does stuff like the analog-to-digital converter, and it has high-speed USB, it has an FPGA and all that stuff. And so it's effectively designed to give you a tool to learn about the theory behind these attacks. The critical thing with side-channel analysis is it's never going to be a, you know, script-kiddie point-and-click attack. You have to understand how everything works about them to, you know, hope to apply it. So this tool's designed to give you that sort of training, and of course there's nothing special about it;
you can just go and build your own. If you have an oscilloscope, that works; the software works with
anything, and it will work with regular oscilloscopes is that right use to use virtually
give you an example of what this looks like in real life. This was the super-fast talk, the super-fast demo that I had done last night, and I'll do the same thing just so you see what the waveforms look like. So I'm running the capture tool; what it's going to do is send data to the device and record the power, and we'll see what the encryption is looking pull over which what is the and so this is the, the tools
all written in Python, and it very thinly on this monitor here, and it's just, it can attach to various targets, so I'm going to be attacking AES on
this like make aboard. So what it's doing is it's going to send encryption messages to the device and then record the power, so you can see the sort of traces bouncing around; that is, it's recording different messages. And you can view the AES-128 inputs and outputs. In this example I'm just testing a library, so it just sends a message and it encrypts it. And what I can do, for example, to give you a more intuitive feel, is if I, uh, set this to fixed, so if it's encrypting the same data repeatedly, you sort of see the waveform doesn't jump around quite as much. There's noise, but the peaks, if you look at the bottom down here, don't change nearly as much. If I switch this back to, yeah, encrypting random data, you can see those peaks jumping around a lot more. So it gives you a feeling there is a data dependency based just on what's being encrypted. So what we're going to do is we're just going to capture, like, 50 traces, so it just sends 50 messages to the device and monitors the power while it's doing that encryption. I'll save this as test recon 2015, and there's no undo and this curious so I don't need a new, and in fact you can't close a project and reopen a project the closing the whole thing, so it has lots of features like that, right. And then the analysis side is a separate program, so the analyzer. Previously people have been doing this research for 15 to 20 years, and that
the power analysis side alone and in
you can use, you know, straight Python, you can use, uh, MATLAB scripts, you don't have to use this; it's a very simple file format. But the idea of the GUI is just to sort of get you started and give you a feel for what the traces look like. So if I open the project, what we see is
the waveform here, so this is the waveform that was captured. In the attack, we have to know a little bit about the device to attack it; in this case I know it's AES-128, and because it's on a microcontroller there are certain power models we use, and I talked about them in previous presentations, so I'll skip that. And, um, all it's going to
do is it's doing the analysis, and the key in red is the correct encryption key, uh, and it knows what the correct key is because I've told it what the correct key is. So you can see in this example, 150 traces, that it almost entirely recovered the key; there's one byte that maybe needed a few more traces, um, but it's very, very fast, like, you know, a few minutes start to finish for the whole demo. But one of the other questions people always ask is, well, how do we know where the encryption is happening? The analysis itself gives you some of those answers,
and so what this is, this is a graph of the correlation; it looks for a linear relationship, and this peak is at various points in time as it's executing instructions. So all I do is I say, I send you data, and at some point between sending you data and getting data back you're running the encryption algorithm and doing that operation. So I can compare, for example, this is recovering byte 4; if I look at recovering byte 5, what you'll notice is that peak is marching on in time, and this is because this is an AES, uh, software implementation, and so it's doing, you know, byte 5, 6, 7, and you can see the specific instant in time where that, um, that operation of interest is occurring. So it also gives you some information about the underlying process. All right, so there's
that, that's what the side-channel analysis briefly looks like. So what can we do with it again? So
years to sort of demos and or work and then more recently. So this 802.15.4 standard was held to be a big protocol for the Internet of Things. It never really turned out as much, but there's a few things using it: the Nest thermometer uses it as one of the interfaces, I believe; there are some wireless light bulbs that use it; and it's used a bit for
smart energy, sometimes for connecting to networks in the home. You might
know it better by other names, so 15.4 is the lower-layer protocol used by all of these. So all the ZigBee ones people have probably heard about, but all of these protocols are built on top of 802.15.4. And if you want more details, by the way, the attack is in this paper here that I sort of just put online, so this is the first time I've really talked about it. And what I'm
doing is I have an 802.15.4 node. For this 802.15.4 node I'm using a development board here that's sold by a third party, and it has an 802.15.4 system-on-a-chip, so it has a microcontroller and the radio all on board. And at the same time I'm measuring the power by using the shunt here on the board. So for this attack you physically need to have the device. You don't necessarily need to use the shunt; you can do stuff like a magnetic field probe, which doesn't require the soldering; you still need to be close to the device. But what's really interesting about this is, for example, that a lot of targets, you know, a lot of central routers at some point, will have a web-based interface as well as the 802.15.4. so the nest thermometer right off the commander does but bitterness protect I think one of the gateways has 15.4 on one side and your internal network on the other. So while you can't get access to the gateway, you may be able to get access to a device that the gateway's talking to, and so maybe you can use the device the gateway's talking to to then falls into the and the gateway to find vulnerabilities. So there's a lot of reasons why we should be concerned if we can break these devices fairly easily and spoof messages on the 802.15.4 network.
The 802.15.4 frame format looks something like this, and very briefly, when we're doing a secure message the only stuff you really care about is: the destination address we can set to broadcast, so we can just sort of force a node to receive it, and any node that receives, you know, a valid-looking message is going to try decoding it. And if we set this security stuff, what that's going to mean is the device will try to decrypt the message. It'll obviously throw it away as soon as it realizes it's invalid, but we can cause those operations we require to happen. So way back
here I said for side-channel analysis what we need is the ability to cause the device to do the encryption or decryption with data we know or control or something like that. So in this case I'm sending the device the ciphertext, and it's going to decrypt it just because that's what it'll do. It's going to verify the MAC, which will fail, and throw it away; we don't care, we don't care about the verification. And it's
using AES in counter mode, which gives us one sort of problem in that only a few of these bytes we actually control, or that even vary, is the real problem. So there's just this frame counter that comes from the over-the-air message, and the frame counter is four of the bytes of the input. So if we look at the input,
what this means is that, you know, these four bytes are variable and the rest are all fixed. And so we need to use that power analysis attack I mentioned, how it does guess-and-check, and there's no way to guess when you don't have any variation in the input message, and you'll only be able to recover the key bytes where there is some change in what the input data is. The bytes where the input is fixed won't give you any information for this type of
standard attack. There's previous work on AES counter mode showing how to push this into the later rounds, so I've extended that a little to the specific mode used in 15.4. And what you end up with is that basically you're trying to push the attack into the later rounds of AES. So with AES itself, when we perform the attack we'll recover four bytes of the key, and as part of the AES algorithm it's going to do this ShiftRows operation
here, so it effectively shifts around the bytes and then mixes them together. But what this will mean is that if we look at the second round of AES, we no longer have the case where only four of those aren't constant; a whole bunch of those bytes are going to vary, because that's the design of AES, and we can now recover a lot more of the key material. And we have to push this to the fourth round, and eventually we can recover the entire key from the AES algorithm even though only four of those bytes vary at the input. So it's also not always the case that you can just look at it and say, oh, it's safe because, you know, a few bytes change only; there's a lot of tricks like this you can do. The second part of the attack is looking at the 802.15.4 system-on-a-chip: it has a hardware AES peripheral, so the question is, can we attack that with side-channel analysis, does it leak? In this case the answer is yes, it does, basically. And so this is showing what's known as the guessing entropy: if the entropy goes to 0 we know the key with absolute certainty, and you can see the entropy is going down toward 0. Uh, basically if you can send the device, you know, 10 to 20 thousand messages, you can recover the key, and for the 15.4 node that doesn't take very long. As you send messages, the device decrypts them, the verification fails, it throws them away, it never tells the higher layer, and eventually we can get the key and then send a message as if it was properly from, send a message from the device, encrypted with the key for whatever that link is. So that's that example.
One example is to use an AES-256 bootloader, and I sort of pulled this because if you look at app notes from a lot of silicon vendors, what they have is, like, here's an AES bootloader. We wanted to analyze one, and I can't even read, Freescale and whatever this one is has one, as well as a few other ones, and they're all more or less the same. There's a more detailed version in a tutorial I wrote on this, and a recent paper that was just published on this attack. Very briefly, all
these protocols vaguely use this idea where you get the updated microcontroller firmware and it's split into, you know, whatever size blocks they're using. They prepend some fixed number of bytes at the front; these fixed bytes form the signature, the idea being it's just going to decrypt every block and check those fixed, those four bytes are correct, to ensure that it's supposed to be an update file. So this is kind of what they use; there are some variations of it, but it makes a good generic statement. So what's interesting to us, and it's using AES in CBC mode, is that if we just send the device a block like this, you know, of encrypted data, we put the CRC on it, with the header on it, it's going to decrypt it and check the signature. The signature will fail and it'll throw it away, but again we don't care about that; we care that we were able to get the device to decrypt it. And so this is great because we can do a side-channel attack now, because what we have is a situation where we have the input ciphertext here, the AES-256 decryption, and in the center, after the decryption, it's applying the IV. So we don't even care what the IV is, in fact; at least initially, we have everything we need to do the entire side-channel analysis. The only caveat: because it's AES-256 it's a tiny bit more difficult in that you have to do the attack twice. So you'll do it first on the first round of the decryption, or the last round of the encryption, whichever way you want to look at it, and you'll recover the information here to figure out what the, you know, final round key, or first-round decryption key, is. Once you have that key you
can then attack the next round and recover the full 32-byte key, 256 bits. And, you know, there's always tricks like this; it's never just a push-button attack with side-channel analysis. So in this case one of the problems might be that the AES implementation actually has a timing attack as well, and so things become unsynchronized. So we have the first round going here, and at some point there's a time-dependent operation. So what you can see is that if I overlay, I think, about 100 traces, power traces, up until that point they all look, you know, the amplitude differs, but there's a very nice sort of outline; beyond that point things look crazy, it's not synchronized at all, and that's because there is some data-dependent operation where the time depends on the data, giving us the timing attack, which we ignore. And so all we do is, you know, we can resynchronize: basically you try shifting each trace a little bit, a few points over, to get the synchronization again, and then you're going to do the side-channel power analysis attack on the next round. And what
this looks like, so this is the success rate here; a success rate of 1 means 100 per cent of the time I recover the key with a certain number of encryption attempts. So for the first 16 bytes of the key you can see that in about 60 traces it almost with 100 per cent certainty is able to recover the encryption key very wavy line over should be about straight. And it takes a few more to recover the last 16 bytes of the key, but we're still talking about, you know, a hundred to maybe 200 encryption attempts, and each attempt is really just sending that garbage packet to the device, so this does not take very long at all to do.
In case that interests you, how do you get started? Really all you need to get started is a few things. You need a simple target; do not try side-channel analysis for the first time on a Raspberry Pi, ARM or anything like that. You want a, you know, 8-bit microcontroller ideally, so an AVR board like I showed, the one earlier, and there's Arduino, again not the ARM stuff, or a PIC controller. And you just need some way to measure the power on it, so a scope with a USB API. So I like the PicoScope models, and a lot of scopes have it. The only thing to be wary of is if you get really cheap off-brand scopes, a lot of the time the USB interface is for, so, it comes with software and that's all it works with, and you'll spend a lot of time reverse engineering it. And
or of course one of the projects I have, so the ChipWhisperer-Lite, which is somewhat commercial, was back here, or you can build one yourself; all the designs are open, all PCBs are available. All right, so that's the side channels, so on to glitching. So what is glitching is the
first question. Glitching is really when we make the device do something that it is not supposed to be doing. So in this case what we might have is, I'm doing an example of glitching where I just have a simple loop, and I just go through the loop and it is doing some different things, so it's just doing these additions, and I
can insert glitches by using just a short on the power rail. The short is an electronic switch that's shorting it. And you can do this against an AVR microcontroller, against an Android device, so this is a smartphone, or even something like a Raspberry Pi running Linux. And what you end up with, so all I'm doing is I'm shorting the VCC power rail here, and what I end up with is nice waveforms like this. So I engage the short, it drops the power for a very controlled amount of time and then generates a large ringing spike, and this will cause incorrect instructions to be executed. So, I mean, all I'm looking for is, you know, that the wrong number is calculated. You can use this to calculate incorrect encryption information, you can use it to bypass stuff like a password check or anything else. And again you can get started really easily: just use a small target, you load simple code like I showed you, like the for loop, and you start trying different parameter sizes. So
the ChipWhisperer-Lite supports the same idea, with having the electronic switch all integrated on. And so hopefully this really quick presentation has given you some
pretty interesting sort of thoughts about why side-channel power analysis is fun, and it's not that difficult even though it might seem like a really complicated thing; just with a little bit of experimentation on your own you can probably get started on it. So at that point, if you want to contact me there's various ways, and everything's posted on ChipWhisperer.com, get in for with that. So, questions? the 1st time 1 question the no questions of
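
The guess-and-check on a single key byte that the talk describes, run here on simulated traces as an added example (not code from the talk or from the ChipWhisperer project). It assumes Hamming-weight leakage of the first-round S-box output plus Gaussian noise, one sample per trace, and a constructed key byte 0x2B; all function names are illustrative. It also shows the fixed-input case from the 802.15.4 section, where a byte position whose input never varies gives the analysis nothing to correlate against.

```python
"""Simulated correlation power analysis (CPA) on one AES key byte."""
import math
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r


def build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for shift in range(5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight table


def pearson(xs, ys):
    """Pearson correlation, or None when either series has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def simulate_traces(key_byte, inputs, noise_sigma, rng):
    """Constructed 'measurement': HW of S-box output plus Gaussian noise."""
    return [HW[SBOX[p ^ key_byte]] + rng.gauss(0, noise_sigma) for p in inputs]


def cpa_byte(inputs, samples):
    """Rank all 256 guesses for one key byte by correlation.

    Returns (best_guess, correlation), or None when the input byte is
    fixed: every hypothesis is then a constant and cannot be tested.
    """
    if len(set(inputs)) < 2:
        return None
    best = None
    for guess in range(256):
        model = [HW[SBOX[p ^ guess]] for p in inputs]
        r = pearson(model, samples)
        if r is not None and (best is None or r > best[1]):
            best = (guess, r)
    return best


def demo(seed=2015, n_traces=150, noise_sigma=0.5):
    """Run the analysis on a varying input byte and on a fixed one."""
    rng = random.Random(seed)
    secret = 0x2B  # constructed key byte, not from the talk
    varying = [rng.randrange(256) for _ in range(n_traces)]
    fixed = [0x00] * n_traces  # e.g. a constant nonce byte
    res_var = cpa_byte(varying, simulate_traces(secret, varying, noise_sigma, rng))
    res_fix = cpa_byte(fixed, simulate_traces(secret, fixed, noise_sigma, rng))
    return secret, res_var, res_fix


if __name__ == "__main__":
    secret, res_var, res_fix = demo()
    print("secret byte      : 0x%02X" % secret)
    print("varying input    : guess 0x%02X, r=%.3f" % res_var)
    print("fixed input      :", res_fix)
```

Raising `noise_sigma` or lowering `n_traces` in `demo()` shows how the margin between the correct guess and the rest shrinks, which is a quick way to reason about how many traces an unprotected implementation gives away.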