
Opening Closed Systems with GlitchKit


Speech transcript

tree and think the is and and see if the alright but you know it's way very great pleasure to introduce Dominic and Kate who will talk about Opening Closed Systems with GlitchKit and they brought a bunch of interesting looking electronics with them and I'm very curious to hear how they're going to help us liberate all our own devices so please give a warm welcome to Dominic and Kate few thank you the number that we are given an or right on don't this estates these
local all faces of and with than those of the 1 of my list about how terrible this is a right which agrees to get its and mostly I work on software and firmware full unhindered was his things like a graph GreatFET that treats explain you off of the magazines working perfect so I'm not really in the sexy or recision year so why maintain projects especially that lets you get more information about systems and see inside them I especially love things that help people to learn about different systems and can I get a foot in the door in various things FaceDancer for example is something I now maintain your version of that's people get their fingers in USB GreatFET that we both are maintaining that the multi to what will get their fingers in all different kinds of things so were coming up this talk from that the
perspective of people who really have and neither of really InfoSec people thank you see red suffer from living it's like I do reverse engineering which is kind of on the periphery of the core like hacking culture anything and really what we're talk about today is a tool that we built that helps people do things like reverse engineering and learning about systems more effectively so that mostly what we build this is interesting tools to to open up things and then we we rely on the idea other people pick up tools and do really interesting security things with them so you um naturally from 102 think tools it seems to make sense that we make most of them open source and available to people and another we might find a couple of people up from uh with Scanlime um achieved of some fantastic reverse engineering work and is very good that explain things the hunting of streams and YouTube videos means absolute check them out and and there's some stuff in this presentation that was directly inspired by the work of Colin O'Flynn and a sample flow really interesting glitching work and told people that past couple years and also I should thank Great Scott Gadgets because they do and enables to common attend events like this and spend all time working on these things like and so in this stuff we're not really the In the brilliant people doing anything that's absolutely shattering were not coming up with new new techniques that are like enable you like to sit on the cutting edge of science and said we're tool builders we build things that like you do cool things and so we can have like the foundational people who of you have started blazing summer this past autumn were building up a lot of the work so yeah and I mean the reason that the 1st to a list of people who were small enough is a attracts the success of the clock on working it's it's fantastic of his she whispers really cool myself was gonna great and I knew nothing about glitching and I think we got into a conversation about I think 
that this stuff's really cool the light when it be great if someone who's like knowledge unions like someone like me could pick it up and like glitch a system and so that's where GlitchKit came from is to try to make those things to slow the marks of school of the easier for everyone to use them so what's right along the same of conversations with those 1st 2 people so get to really awesome I really appreciate that
foundation they build so cannot give you the background for a wiry doing this kind of thing this is a the circuit board traced demise which nothing super special about it other than the fact that I was using a few months ago and it was incredibly an incredibly irritating flaw in that sometimes when you doing like playing a video game or watching TV to advise flicker on and off and so naturally I did what anyone does when they're electronic stop working in a took of the Arctic apart so figured out what the problem was in this case it was all the little signals the hot plug detect signal that tell you whether HDMI cables ob ob with this people at present employed then the signals that indicated presence actually had a little bit of noise on and the system was a properly compensating for that noise so everyone's a while a cable they didn't at point in another cable plugged in but suddenly see a cable for just a split-second and would try to automatically switch over to that input and this device
happens to be driven by an Intel 8051 have equivalent microcontroller iterative microcontroller and if I had the firmware for that microcontroller it would have been probably 10 minutes of work to you put a little bit of debouncing the little bit of noise filtering into that a system and be able to have fix this and have this work but without the firmware without this I kind of thing is that having thing we have to start off by rewriting the firmware from scratch or not coming up with some other hacks analog filtering the a make this thing work or as cited by a slightly better right you might actually hear something the solution is to build a glitch framework the some of the solutions to spend 50 bucks and I'm really pleased features both here's another device that day was
messing around a little while ago this device is the inside of a thermal camera says the 30 g 165 at a relatively inexpensive men like 203 hundred USD thermal camera and it's actually really cool piece of electronics got and that's the character demographic either the captures pictures on to the USB port that uses only to upload this pictures to computers and instead got a pre powerful class 3 large microcontroller on there and it would be really love that he gives a board like this for all kinds of in our experiments where you could take in thermal data and passed to the PC but the designers this didn't really think about that use case to identify there is a use case they're interested in and so despite the fact he had this giant microcontroller with 512 kilobytes of flash which was only using something about a hundred kilobytes these other firmware that is on this device you can't really do that much and so luckily this
particular device has its firmware in an accessible format because it takes from repeated reuse b and if you look at the file that they upload onto the onto this device it has what looks very clearly like an ARM Cortex-M vector table at the beginning but that's not the only thing that this file is also some metadata in the beginning and scattered about this file and unless you want they're getting the metadata means knowing what kind of checksum is this what Canisius seek this be is this you know a link here that describes how much the whether it was in the blog posts when a gas at those kind of things you can have an even able to upload new firmware which the boot loader but the bootloader
itself some there that's not act did in those firmware update images it knows what is used to actually talk to in upload things aren't there and so if you have this polarity able to get the bootloader out somehow then you can easily go to reverse-engineer the code and figure out what the actual on structure that metadata is an
I delight in actually get that bootloader up by clicking existing about format was able to Pathfinder the vulnerability and get the bootloader out of some simpler exploits this device was able to be as tools for it and you have a lot easier to do that if we have the ability to get the bootloader almost immediately and then use that to now all
of my gets play with responsibility excellent alright that the click and so you know all the many many of security issues that we have all come from of making assumptions and those some assumptions not being valid some such as local atomic or the code units up the code on that assumption but things like strcpy like strcpy obviously generally known to be a pretty bad idea if you know giving a lens field and if you if you use that like you have no way to know how long your and the walls and it's can adjust the couple of your stack and I hear from some hackers about that but on the right hand side here there's a favor by uh uh so again and you end up about parsers and so we have this concept that if we design of file formats that those that the 2 people below the parsers of very well the font file format that was parsers will treat things the same way and it turns out people a very bad coming up with unambiguous file formats and so imposes about now it turns out you do exactly the same thing and how well 1 of things you do is you you have to make an assumption that if in the data sheet you say power this chip with a voltage of between this on this because I have to make the assumption that the band power supplies stable in the past was constant and the same goes for the clock you make this assumption that as long as the clock speed is within your valid range of think should should what problem you I have to make this assumption that they the clock is not going to you know go away or change dramatically and all the power is going to increase or lower drastically and so this is where glitching comes in and because what we do is we suppose assumptions and are able to use them to the so to change the behavioral part but considerable to secure systems usually by identifying the assumptions we make constraining was assumptions so we can do things like say I'm not going assume that the user's handing me a nice null-terminated string that fits nicely my buffer is a lot harder to 
build a chip that behaves correctly when you stop pulling is power away after a period time really drives up the cost you chip is anything with the clock you start having these kind of fundamental assumptions it's really not worth coming of solutions so that could not worth constraining your device to necessarily have to work without power without a stable clock and so when you start subverting these assumptions just like when you stupid the assumptions of some in designing software you get all kinds of interesting and potentially exploitable behaviors there and I think at that point he touched on which is that they're all methods for avoiding this they absolutely exist but they're expensive they um they add complexity to the to the polytope using may add a cost and and what you end up with this is much more expensive microcontrollers which you and means you're not gonna get your head to achieve on Internet-connected camera or whatever other like cheap fired the knowledge that you you buy is going to go up in price and then manufactures when the lowest-cost thing so it was that the vast majority of of pulse so we see out there that don't have any of those come protection from what he's talking about going and so they
can come quick show of hands who has like nodes have glitching works or has glitched something before richer like comedy see because the acute stage lights but I don't think that's a huge difference to the audience so I was in everyone else's shoes up until very recently and some song and trying to an explanation and then when I don't badly k is gonna fill in the gaps but essentially there are the 2 key types so that we can be talking about the the use 1 it's called clock glitching and the other is is power or voltage glitching with with clock glitching what you do is you take this nice of my money is always a in the while that is almost invisible to me so good luck to you about that what we have is we have these nice clock pulses that you can you can see on the slides and they come in the the I think the way eligible visualize what happens inside uh forces so when the clock signal comes on is like everything happens as soon as the clock pulse happens but realistically what what happens is those things happen in stages so 1st of all maybe we increment the program counter and then we go and decode the instructions were pointing to and then we will work out what was going Canada and maybe implement might know is an ad is an stages but in parallel we have all the intermediary piece of those computations coming together right so here we see if we were to take a look inside the circuit with the all the different pieces working kind of together coming up with different pieces of the computation and then finally right before the next clock edges some period time for the next talk and everything results to a stable state right thank you this is a whole above uh but what happens if we if we shorten the clock pulse and we we but bring the recalled 1 back down midway through that can we can we make it so that may be the sum of the conversation happens but all the polls don't happen and swallows the answer is yes um and so we can do things like have the the instruction at the instruction 
pointer increments and then the next the result of whatever the next that piece of conversation is doesn't go anywhere it just doesn't happen and then on the next pulse the program counter is exactly where where was that the previous instruction then happen so that previous instructions a jump we've now just moved over time in in the that have been remove on excellent excellent this is the 1 that I
don't know as well arrival description of so inside the chip role of transistors yeah this is like you know and although the more I don't do all worked so this'll transistors and they when that when the stable woman not switching um they have they they draw very little power right but I sorry that have check I just I want a wrong on the when they are switching they draw a little more time and so the idea being that the fairly stable if you can make it so that when this switching you rapidly change very briefly change the voltage that use point to the chair you'll very great you have a much better chance of influencing them in a way that's this unintended um so if we suddenly drop the power to as its calculating say the final stage a checksum or something so yes but of then it's much more likely that those values will come out incorrect right below the take away here is that if you have a portion of the chip that is making some kind of computational changed this changing state and you were to suddenly deprived the chip of the energy it needs those pieces are much more likely to be affected by the back ground up the rapid drop in the voltage then our these is there in the steady state raise if the chips not doing anything new made this possible around such can take have that much effect it's only the things the changing right now so the register the value that is currently writing all or something like that is much more likely all of the values come calculating is much more likely to change of a point that you you moves that that power a the
why would offer a K is anyone genuinely feel more informed than they did 2 slides ago the and this file to be much more if there was a mind blower and I so here's some pseudocode um this is this is just something let's say we got above we want send up buffer somewhere but we have a function called standpoint and we we iterate over the buffer so by wiring code like that on the left but much of many people have and this might be what it looks like when is compiled so let's say that what we really want to do is send out above the we want to us about the system to you to send out everything that comes off a lot of was another rest and now there are a couple
things here a couple of steps in this in this program which might be of interest to a spectrum of already this disclaimer this is pseudocode this is assembly that I wrote to be represented in a plane I think it's a weird mix so they come up with between Lake of RISC processor maybe 8051 because that's how is natural to express the speed of thought that the following this is something that people who were familiar with Assembly could understand excellent right so this is written in Temkin micro um so 1st of all we do is we we multiply we multiply this with that of what background but we do not apply to to work out the the size of a list if we could modify that in some way we can get a len field this way way bigger than than the len field that that was supposed to and and so therefore so when when we compare wouldn't get much more alternately every time we currently we we decrement the lens if we can make this decrement failed I Paul happen in a strange way we might be able to some get a much bigger number of loaded into the the len field and therefore again we get a lot of road out and the final 1 is this this jump if we can make that jump get skipped then the land Oregon decremented next summer on the loop the loop length will become negative 1 and we'll just keep decrementing the length so we run out of and so we we lived through the entire incident right and so we have these opportunities that we can ever keep all corrupting values are people of skipping instructions we have this kind of windows that we can use to see things that are passed that offer in memory and depending on the individual device what you're sending out there could be a trap emissions substance in read-only memory and you could get what's next after that read-only memory which might be firmware might be secrets if it's in brand potentially of other values that the device may not want to disclose and we'll see in more complex cases we can actually take advantage of this to get more than just the 
data immediately following in RAM but the key is the the timing is absolutely critical in order to be able to do this we need to be able to we don't really know at what point exactly the devices can be vulnerable we can a guess here that's in those instructions in red are likely to have the effect you want but we don't know when during the clock cycles we might wanna glitch we don't necessarily know you what kind of glitch there can be effectively and you're gonna be effective on a given system so Internet do that we need to be able to experiment in order to be able to experiment and have was experimental results mean anything we really need of very precise way of identifying time as is relative to the thing that is executing the program itself yeah so that in this diagram just kind shows the that but this red line here these are all the options we have to have a successful glitch in fact but and and it's because it's fairly spread out there there a lot of them so this is the multiplied with the 1 chance about then this kind decrement happens every time Emily and and we always we have lots of chances to take about 1 and each time and then finally we have some this this jump when and when we finish the length and unlike we only have 1 chance so really skipping that step as well because the linear 1 time that I jumped is meaningful and that's when we observe that and so this may seem odd
reason that include such less so this may seem pretty synthetic at the Mesa might become a could you hopefully not see lot of programs depending on the use case depending on the constraints but that's exactly the way in hardware DMA controller works right is constantly subtracting from its latest register by 1 or more is constantly incrementally the address that is our reading from datasets sending down the bus and gather data so even if that's all for example looked a bit synthetic it is absolutely applicable to embedded hardware the yeah and there's there's absolutely no error-checking because what I mean you got a DMA control on on a microcontroller what you can do when arrows etc. and this confocal all says hey something's gone wrong or you know writing memory is system was told and so we we done that this isn't this isn't like super clever attack again
something right this is a low Python script the um the case I thought which talks to the DMA controller on UV-erasable describes the system and just allows us all does is take the prompt as we develop from programming programs into the DMA controller and I'm not specifically on 42 43 30 yeah like because this is not something that you see in every DMA controller Carlotti embedded DMA controllers error-checking is a premium feature and is left out a lot of the individual peripherals that use DMA so the CPU itself may execute on the bus and the transactions and get notified if the request memory didn't exist a lot of sense the DMA controller will have absolutely no error-checking just because there's no way to handle errors 1 hardware is executing them so it won't stop transactions it won't generate fault in 1 generated interrupt is just happy to do things like read all zeros right and so that's the thing I just read a section of memory did I know Islam I write 128 bytes other any any gave it to me but if I were to do the same thing again and read uh with rest 3 yeah it the 3 0 0 0 0 but you do not convinced of the sections of memory that the dominant thing that memory of soil they're just like a reserve sections that exists a dozen error it all the DMA controller we're which is represented on-screen exact DMA controller dim back and when it has when it gets nothing back over the bus so system memory had like to read this this value and the various peripherals no non-response under my control those who gasses there isn't any just keep going and so if we can convince a DMA controller to you to read a section of RAM and just keep going it will just read zeros until it runs out until it's um counter overflows and then just organ of the bottom around sometimes that and and so we can just keep re as long as we can get the DMA control to do the thing we want we can get it to keep reading out and this is really cool because if you actually go and ask the person and 
address that all the way the end of the ran this particular microcontroller has a 32 bit address space if I say I want the absolute last byte that's in attestation 127 bytes following it will happily read that last byte and then the 127 bytes it gets like increments that last class and rolls back around 0 yeah this is almost unlimited opportunity if willing to the absurd amounts of data to explore the address space and if we happen to have for example corrupt a len field must have a value of 10 and
32 bits long and that's really really
really long there's chances that we're going to get things the have after that and memory wrapping back around starting again yeah exactly so if we do you manage to take the the 32 bit len field and and glitch it to become negative 1 jumbo that um comparisons there I think it's been it's become negative 1 it will continue reading all way all around until that that still it's which happens to be about the point that memory loads on this thing so like which we get all I think that she was brought
so 1 of the foundational is the technology we're using our is in 1 of our work on is the ChipWhisperer that picture is the ChipWhisperer-Lite which is the inexperience at inexpensive variant of Colin O'Flynn's glitching toolkit and this is a toolkit that lets you do some power such an analysis and some basic glitching attacks has modules for clock glitching and for power glitching which means we can implement both of those 2 kinds of attacks and it provides software and firmware ionic control on FPGA that are designed to let you precisely time glitches relative to some known synchronization point but that synchronization point has to be specified for the ChipWhisperer so the ChipWhisperer-Lite has only capabilities synchronized to a single rising into a single level figured that events so it can go and say I want time this to for example a USB communication or to your communication it can only say and tell me when something happens in the host by building your own piece of hardware and having a hardware indicate to me that something's happening there so what we want to those through to tie them that you DMA something this using the DMA controller and and decrementing that that len value or whatever to to the ChipWhisperer where we want just spilled salient go for it glitch now and so we we want to tie those 2 things together and we did so if you look at
a typical microcontroller datasheet what you see is something on this on these lines on of the all little box translated peripherals the implement various protocols and things that we've go you what's we've got a USB somewhere on here we go a season tax this as you go thing up here Hudson's rethink all challenge protocols for you might wanna speak so the chances that attackers might take a device that has a lot of these busses populated take borders using you search and you do your using USB and it's using the S deported connected to the image card if I wanna start breaking into that device I build purpose-built triggering hardware right now that is capable of identifying exactly when the individual peripherals are being used and for what a synchronized up with this I have to go and build a purpose-built pieces of hardware to test an attack that I'm not even sure is necessarily get a work there be a lot nicer to be able to instead of to build that purpose built hardware have some good toolkit that provides a lot of those missing pieces so that you can actually go and say some I wonder if attacked USB is going to work that we try USB today OK this pre-made toolkit is showing me that USB seems to be a good option you know 12 hours later when you run this for a while I seem to have some interesting behaviorally me go more into more depth with USB yeah the
so this is where GlitchKit comes in then this is something that we that we've been working on over the past couple months um and it it ties together a lot of these features that we that we want to use and it it ties together and various different way it it as good a synchronization features of um the guns management on the other so this level diagram of GlitchKit we're gonna go into in detail 2nd test that is that this is our open-source software toolkit with that is designed to work with some existing open-source hardware and that kind of bridges that gap and lets you go from Canada interest in exploring system to attacking the system as quickly as you can use that to make some hardware modifications to the target device that lets you adding transistors in rewriting wires instead of building purpose-built hardware in order to be able to try testing those individual layer which was individual busses and often the modifications that you make modifications that are actually useful across all those different busses for example modifying the power supplies you which is not exactly this form of matter which 1 of those busses you're trying to attack was on the voltage between the the goal is the you you you know we don't bring the manifold where I can you have to do them to 0 because Bush impossible in this and with this technology but we try to take it from a spent 2 weeks might defining a custom bold sending after these 3 fat getting it back building this thing with to like a couple of hours OK was full of all the coupling clusters and now I hope someone help what now is go and see if we can glitches so I just show produce utterance on make it easier for special you will have to design so what we really need is something that takes the
influence a bunch of these different but the these different peripherals and things like that so it seems like if we going to when those we should just fine I will publish data she is from and and build onto a board which
time that we're together because we did the civil around and and this is GreatFET that this my my hand about this big meet the scale and it is it is uh microcontroller board that Michael Ossmann designs and his from God and he's the eyes of the source of where it's it's like a a breakable to build interesting modules to sit on top of the medals 1st use the stuff that we spoken about before and it's you can get the 1 itself right now but assigns wrong get and so this is so this is microcontroller here and the way this board bond of existing is that this was used previously in contrast to really be made to use this chip and a graph and and I think and I might was ring-based some points at the spots really cool you some the other peripherals and about to make it easier for other people to use some of these peripherals and and see how um and then have easy access I want over other plug something into a USB port and then I wanted to speak cheaper all spiral something directly and I wanna builds dual listings all single that's kind of great for events so GreatFET that provides a based platform which which you can build on top of the and other features that he's not yet on words that are similar to shield called neighbors theoretically at other is the head the names
it thank transistors that but I have no problem calling the neighbors I have a problem with the fact that I spell neighbor differently to the rest of my company but the
FIL solicitor fruitless that's which the recall promising also so we talk about GreatFET we're talking both that board and other boards that are compatible with it so if you have a rad1o badge because you went to CCCamp a few years ago in 2015 then you really have a GreatFET in effect because the GlitchKit firmware runs currently on that it's not the preferred form to contact with additional headers on their but it'll work just fine for doing glitch analysis of the literature you really have a couple as right so that you GlitchKit can take its now I and it's a right a list through the through this get there 3 main kind of sections of of this is good for us that we've got an event routing and event read so let's ask but take things that are happening in ontology hardware and combine them in interesting ways so now we've got some it the quizzical over me about this some sort uh so so maybe we want to use only bring up the power supply when this all the thing happens and we wanna light um fit with the clock in some way when this cheaper line goes goes higher and we're able to kind of connect those events and and make more complicated structures of of and the whole West state that common kind of task when you're using these devices near can English devices is to get things synchronized no across a variety of tasks so you might let's say be attacking USB device where you need to apply power and then wait for the system to boot refer to show you that the microcontroller on board has started up and then at that point you're ready to apply some stimulus in order to generate attack or you might have a device that you need to power up and then immediately a clock which is going to drive that device the younger brother clock before powers on otherwise you're driving current into a chip that has no VCC supply rail so this event routing system is kind of the heart of GlitchKit and it lets you take all these different pieces of information all these pieces of stimulus and use them to 
drive things like that right when VCC turns on the target board I also wanna start a clock and I wanna wait for this is due to appear to boot by monitoring 1 of its GPIO lines the 1 that was high and then finally when that happens I wanna doesn't stimulus added and then finally when that stimulus has taken I want trigger a glitch set of routing system is what connects all those individual pieces of those have of clock management section which is the but which handles things like making sure that all the individual pieces of your system share a common clock when you can is a lot easier to get everything synchronized of they're all executing on the same time this so clock management module taking an external clock allowed the GlitchKit hardware the GreatFET itself to be an the execute on the same clock as your at your target for is the ChipWhisperer as you can get all the ChipWhisperer and GreatFET pieces that stacked synchronizer there and also provide clocks to things that are better off being being given an external clock so it can then go and apply clocks and Europe in the future modify the subsequently genes using this particular path that gives you the ability to buffer clocks and spread them out throughout a system without having to necessarily build purpose-built hardware ensure the clock is stable as being distributed briefly it against the show was if you if you do things that require like incredibly tight timing it's useful to be running from the same time so we can have the ChipWhisperer and the GreatFET and whatever all target device that way which on a glitch will running from the same clocks look on learning in lock step with each other so that we know if we try like if we've got a time offset between of the star and then when we like to have a voltage glitch we know that's consistent across the boards um
so the other thing you might want to write a love which England to try and get the the blue literals I might happen way will doing things we add to the letter might happen supra Leon you might like turn on the chip and immediately trying to something but after a short couple instruction delay something the sometimes you want to for the whole word somewhere you want to breed some normally and then you wanna modified some method uh some some From stop so and so you we can act as a USB host and a USB device and sometime in the future uh uh flash chip on and see the MMC device and so the idea being you know maybe maybe the thing that I think that's the the the the the request to the device that I want which is like some some uh USB commands that has to happen after we've enumerated the device so we've got like 5 or 6 USB commands the need to go between the us and the device before consults ending at this this command and and an intronic literature in command and so what we're able to do is world a brand advice enumerated gains the right state send it that command and then immediately tell which it was prepared now sits on stock which in fact this is the the ability to do really precisely timed stimulation that device you think that the vorable piece of code evolvable harbor function is only ever exercised once you received a certain command no I'm USB device I have a self-described I'm only going to do that when you ask for a descriptor you need to be able to go and start poking that device prodding in an hour to get it into a state with doing the task leaving a vulnerable and in a why you doing that you often wonder you know what stimulus are being applied where they are in time because sometimes the stimulus for triggering is I've just asked it to respond to a given command so all these stimulus modules also exist and to move the device through you a given device into a given state and exist so that they can provide inputs the that routing system so you can do things 
like say turn on use the the bus and then send the command and use those as inputs sphere in Beaufort teaching in triggering which in and further generating other events like turning on Fox and so so by extending the the the by allowing us to come into solid was for longer and and do more to change the state that was before we try attack it we massive increase the attack surface because we can now we're not just going fur ther a small subset of the some of the code this run out was going full we can now start to play around with the also with all the tree USB um functionality of this thing because you don't know where which part of this can be the most susceptible um and like there's a fair chance that the descriptor stuff might be really slowly and they might even be implanted like in the whole world the peripheral but like those USB vendor request that someone site thrown together to like you know the day before they have to ship this dissolve where they might be written in that so more sketchy style of analysis that that would persist decrements an integer and say how it was there might be more than 1 thing going on in the harbor as a descriptor inside that makes it very difficult to glitch because if you start watching this descriptor request you might also something that is responsible for the core functionality of device and devices memory bus may go down right so being able to explore a lot of that is really important also worth noting I think this is but the 1st pitch you've heard today were we tell you that a project massively increases the tax
surface so that the input images when the pitch he has can increase your of those OK so it's a terrific this is this is gonna whether it's a full came from origin is is that 1 of things we want to do with the the have become more complex methods for deciding OK well so let's take for example the simple then trigger here would also allows us to look into a bunch of bio on so many on the target advice and say well when this thing happens 5 times in these 2 on the high and like this this line pulses that's when you trigger and so this is kind font you can just look up to like us spy chip and you can say when know this thing's gonna read like 4 times whilst also often then what I wanna do is try and light glitch it right after does the false read and so we do you look up to like the enable line and you say well that one's poles full times that's when you trigger all light William model which on the simple event triggers that you take a variety of just general Boolean conditions for input patterns and build complex conditional that them so common example when I think that the more complex thing that I was talking before as I might have a controller that reads some information of an external flash I might wanna know where it is in that leaf and I could go and build a whole escape referral and you know kind of fake must have flashed Japan and noted by emulating the display flesh chip I get this insight or I could say OK I know that this thing it's same way every time the force the need for thing readers always that piece of information that I'm interested in using as my time based so let me just say OK the year 24th pocket here there 30 second conquered here while the chip while that should enable his low happens to be the thing that I'm interested in triggering on and necessarily have to be the thing that generates the final which triggered this can be the thing that prompts utility turn on the systems clock tournament that part the right to the end of the target device 
or you can use that as a a time assert executing some stimulus so when he gets this point that's when I wanna start sending a USB and packets yet sites and you mark my do that because you want to apply Council of ice and wait for it to come up before you start trying to told to over USB and and things about so you might just wait for for example with those those are the ones that have to be like complex ChIP-chip and you just hook into 1 abilities and so when this LED comes on I was booted um something like that and you arts um everyone to buy your because I inference then economy doesn't compile and think you are in 1 and it's not surprising I knew all is um is like a pretty common kernel debugger interface you gonna find like future territory 1 of those extend reaches is that you get from your eyes like nothing's gonna gonna have a serial connection on it and so you might wanna use that to walk out when it's 3 would started Opel something about because it will dump some information from and then these things can be use the final thing is to and taught chip whisperer and trees now but from so that this is a cool
things you can you take the trigger signal and you can trigger the chip whispered to start doing and switching process or if you want to you can use that we have private trigger input yourselves topologic analyzes you can use this as a source of given information outside of switching because our main purpose so that is a general-purpose stimulus and triggering engine that we happen to be using for which yeah so 1 of the kindest of pieces of work that happen in a couple years ago before I but years ago before we are now members have really inspiring for this was done by my friend maker out who wanted to be able to take a USB tablet that she had and you said as have a general code execution engine to prove that they had an idea that she had which was that these things are often lot like RFID readers and she kind of had the idea that you want to be able to take this run her own from more on and be able to you read an RFID token that was held really close to the actual switching matrix of this but from tablet to is the kind of thing that you normally use with inductive drawing anything with the pen has no battery in but by holding it close to the tablet it's able to receive power modulate the its load on that yes switching matrix and that's how to communicate a little bit of information like I guess I'm a pen and being passed as hard and that have functionally looks a lot like an RFID chip which also does kind of a load modulation so is the pen was receiving power and then loading the power lines more or less in order to communicate where it was on a grid and communicate how hard it did was being passed and RFID takes power and then just transmits back the level of modulation a simple fixed ID and so she had the idea that those things could be as basically same pieces of hardware just that and in this case is a little more complex and so she wanted to come to be able to get some from executions device but looking at it she found that it had a customer controller called 
7 which is completely custom architecture by your answer me and hate had interface exposed and on the was completely undocumented so she was able to extract the from where an easy way so what you did because she was related
which did because she's super devoted and really loves getting in-depth these kind of things if she decided to try to extract the form where by taking advantage of the way our USB packages sent and trying some voltage switching techniques if you look at the way you
see now control request sent it happens in a few stages 1st you send a command I did this state is called the set up stage which can contain the standard USB commands that are force complied devices described themselves so I could get descriptor will make a USB device respond with some descriptor describing it's on functionality so when you plug a USB device says you know hello yes I'm aware from tablets you're operating system those that because it the out the device 1st for its device descriptor which contains a vendredi inner product ID and a couple of string descriptors that contain that string is a low-income tablet MCT 450 and in In order to be compliant device every device has to be able to do some amount of self description and the way that you executed is by taking small pieces of that that are usually either in RAM on read-only memory and just making them right out of the device so here we have a good descriptor requests executing it has a single packet is transmitted back in response and then we have an acknowledgment that package was that indeed received so we have the host sending get that please give me a descriptor we the descriptor being transmitted response host says yes I got this theoretically doesn't have to 1 in the center at the heart of the device decides to respond with a very very long package that could also theoretically valid so there might be multiple packets and they get paid a longer transaction was the 1 and but it'll bites on a bus has a maximum packet later 64 that could be packetized broken up into a lot of sequential packets if you look at the way
a USB have device works it's often very similar to a host controller in that it has a linked list that contains this basically amount of bytes to transfer and then pointers in memory to the pages that contain the data you send so really you have a link and address here if we look at the way
that I do get descriptor request my work for long descriptor you could have a device essentially populating a little DMA descriptors says I wanna send 256 bytes and they start at address hits 1 thousand and the device is gonna doing that just send out a single pattern of late 64 exist the most if it on this particular mask I must be physical patterns pick bus rather it's gonna decrement delays and income the address this looks a lot like the example provided in the beginning if it's you keep doing that until it gets to the point where the length field reaches 0 and use the is almost the null-terminated kind of protocol and that when it finishes a transfer it indicates that by sending a packet that is shorter than the maximum wage so in this case it's set all maximum wavepackets until it was done so has to send a 0 layer packet in order to indicate that it is indeed complete now if were able to start applying voltage switching or a population of river the glitch something in the system and corrupt that leads to the mobile get instead of those nice orderly transaction where we stand for an individual packets to this to but this and that the configuration descriptor is will get a link that attention a much larger which continues to transmit and transmit and transmit well beyond when the device stopped and if you have a device to the DMA controller that works like most of them do and the controllers it will continue not just out of that descriptors location in RAM around but continued throughout the entire memory map until that lead field is brought down to 0 the and so on In order to be able to
do those that kind of which the system you really need a way to be able to synchronize with the system and provide the stimulus some I could build a custom piece of hardware called the face whisper name because of its use of the chip whisper technology is the set chip whisper technology and its inspiration the face dancer project and this particular board Indian save my control which happens to be the same 1 that is ownership whisper and a USB host ship which happens to be the same on the starfish density and then some up buffering hardware and although it does is with very precise timing synchronizers of up to a particular point in the tablets execution element freefallers our programming cation and then send its and USB packets and simultaneously trigger that chip was start executing which is so in doing that she was able to actually
still the 4 of them as my controller and using that is able to find vulnerabilities in the former and eventually prevent that indeed you could read RFID tokens using USB tablet as long as the oppressed exactly against the tablet and this is very cold both because it shows a novel way of getting from 1 of the device and because it was a really ingenious solution to get at something that was being a whole bunch of steps away from much initially wanted to use the kind of person who has that kind of hyperfocus and dedication to say it was like to see what the firmware in this that we build an entire built piece of purpose-built hardware firmware and everything you need to be able to get the from Republic tablets so they can then go in the promoter abilities yeah so I fill having having said all that I do feel sorry about the next slide which is we we've essentially taken her right there and try to make it easier and so like their mind which can whistles but didn't exist when should this when like designed aboard built a board attached eclipse the thing goal the far more outwards of built this but so now we can implement that and that
is, I think, one of the conversations Micah and I had afterwards, which was that we both really love making technology accessible to people. That's the heart of the purpose of this: one of the things I promised Micah when I started doing this is that we would take this whole technique, which required a custom piece of hardware and a whole lot of different levels of understanding of what was going on inside, and make it into something that you can apply fairly easily. So here's the back-end code for applying the same thing with GlitchKit. This is written in Python, but we're not going to go through this, because we're running long on time, so we'll only get a little of it done. So I would have to explain this at some point, but possibly not now. The important part is that you don't actually have to write this code, because the final form of GlitchKit has a fancy GUI that's inside the ChipWhisperer software. If you want to use the attack that Micah did, you can start configuring that right from the GUI of ChipWhisperer.
Yeah, so first, that's what she was doing, and then we'll talk about our work. Well, so this is what she was doing, really. We now have added these various GlitchKit methods, so they'll talk to a GreatFET, and there's a big mess of wires and connectors and things on the table there, and we have a GreatFET and a ChipWhisperer hooked up to a target GreatFET. The process of configuring this: really, you go and you select the type of target you want, so I'd say "OK, I would like to talk to the GreatFET that's running a USB stack", so I select USB, and from there you can immediately configure it: "I'd like to read a device descriptor", "I'd like to have that descriptor be read immediately when a certain pin goes high", and that builds everything you need to allow you to do what used to require a custom board. And now if you look over here, here are all the configuration settings you'd use to define the preconditions that determine whether an individual USB event is generated; over on the side, you know, in this space, you can say "when this pin goes high, and this one goes low, and this one has happened four times", or whatever, and those complex conditions. So you can just have it, at that point, send the request and set the trigger, the things that she supported.
And so naturally, having reused other people's work, we wanted to try doing something of our own, so at some point you have to turn against your own creation, right? So here is a GreatFET that has been modified. For example, among the modifications I made, I removed the decoupling capacitors, roughly, off the device to make it easier to start depriving the device of power. I've added a couple of pretty nasty bodge wires here, one that connects the VCC rail to an SMA connector, so you can do things like inject voltage glitches and pull the voltage down to 0. And because we still want some decoupling, we have a decoupling network here that is replacing all the decoupling capacitors on the board, and that is connected via a small inductor so that we can pull the device really readily to 0, but it can recharge the VCC bus rail from these devices via that small inductor, which is approximately 10 [unclear]. So sorry to my colleague, because we totally destroyed this thing that he created. But more importantly I'm sorry to everyone else, because look at this thing: I posted this picture and got significant retweets of people going "look at this ugly PCB", the ugliness of it. This modification was actually done after a couple of drinks on the night of Christmas, which is the perfect time to start soldering. So the great thing about this is, when we try to glitch this board, we might want to get the firmware off it, but there are some problems. One is, it's open source, so we already have the firmware. But also, the board's manufacturer is incredibly litigious and sends out cease-and-desist letters when people try to reverse engineer their devices. And I mean, I even sometimes [unclear]. Because that is the opposite of what we do: we have the source code to this, it's on GitHub, so that's not a particularly interesting reverse-engineering target. And two, because we're terribly afraid of litigation, we decided, instead of attacking the GreatFET software that's running on the application processor, we would attack the bootloader that is sitting in ROM on the LPC43xx, the LPC4300-series microcontrollers, yeah, the LPC43xx or LPC4300 series, which have a USB DFU bootloader and some small USB functionality which is set in ROM, as in, there's a ROM section here. The point of this is that this device has a USB bootloader that does all the same things that the tablet does, because it complies with the USB standard, so you can do things like have it respond to a GET_DESCRIPTOR device descriptor request. So we started applying the same kind of glitching attacks to the ROM. You might be saying, well, why is it interesting to attack this ROM? One is that on a bunch of these devices it runs from a shadow area that is at the start of RAM, because the Cortex-M controller wants its vector table to be located at address 0, so it's very low in RAM, and everything that's interesting follows it, including the contents of flash over here. And because, if you look at the secure-mode parts, one of the things that they do inside this bootloader is read encrypted images from things like flash chips, decrypt them, and stick them in SRAM immediately following the shadow area from which it's running. So for people who are doing glitches, we can read out from the shadow area, and we can continue reading, continue reading into SRAM and pull out the now-decrypted firmware from secure parts. We only have five minutes left, so I think we should go ahead.
I do not have [unclear] as well as you do, so [unclear]. All right, so this is what happens when you run on one machine [unclear]. So this is issuing the USB request to the device and capturing the response, and because we have limited time I haven't told it what a good response versus a bad response is, so it's telling me every one of these responses has failed, but realistically, if you expand that out, you can see what's happening there, all the way down to the initial ones. It's worth mentioning that this is actually a simulacrum of the device running the way it normally would. Normally when you're glitching you actually step through lots of intervals in order to find the few glitches that work, so because we don't have several hours to do this, what this actually is is firmware modified to, instead of always reading the correct descriptor, jump to the different points, the glitches, that we found to work for this particular device. So what you see here is we have a lot of responses that are all the standard response that we'd expect to come out of it: it's reading 18 bytes, 0x12, of a USB descriptor, 18 bytes, 18 bytes, but this one here appears to have got significantly more data. And so on a previous run, from earlier today, as we said, this is simulated because it is not as quick when you actually run it, so on a previous run we've done this. Can you see that? Can anyone read that? Perhaps a larger font size would have been appreciated. So what you can see here is what we were able to read out of that file; this is a dump, and this file was just all the memory we were able to read from the USB descriptor location onwards, and we're going through it looking. We haven't had a chance to analyze it again, and what we found over here is "USBC", and there's "USBS", and those are incredibly telling strings if you've designed USB devices before: this is the USB command, the command sent over USB that's used in USB mass storage, and this is the tag token that precedes a response status when one of those commands is executed. So this strongly suggests that this bootloader happens to have inside of it some USB mass storage functionality, and the response was "yes, the ROM does just have mass storage". And then we went back to the data and rewrote [unclear], and it's not that we've done the code of some of the functions of the chip. So we were able to pull out the ROM code for the LPC4300 series, and so you can go ahead and analyze it, and in the beginning we'll [unclear] together with GDB as well. But the most novel thing: if we were to continue doing this work, one of the theories that we have is that, well, we didn't have as much data, and I don't have any secure-mode chips on me, but the theory is that after this kind of thing you could theoretically grab a decrypted firmware image. Sending firmware images over USB, you can use it as an oracle to take incomplete firmware images and generate the candidate ones. We're now completely out of time, so we'll take questions outside, and even the questions will be outside [unclear]. The great thing is, there's the channel on freenode if you want to ask questions there. Thank you very much for listening.
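The GET_DESCRIPTOR data stage described in the talk (a DMA descriptor holding a byte count and an address, walked in 64-byte packets, ended by a short or zero-length packet, and a corrupted length field turning that walk into a read across the memory map) is easier to follow in code. The C simulation below is an added example, not the speakers' code and not part of GlitchKit, ChipWhisperer or FaceWhisperer: the `dma_desc` layout, the memory image, the device descriptor bytes and the "SECRET-KEY-MATERIAL" string that follows it are all constructed, and the `glitched` flag stands in for the fault instead of any real glitch. It also shows the host-side check a glitching harness would apply to each response: an answer longer than the descriptor's own bLength means the device read past the descriptor.

```c
/* Simulation of a USB device's IN data stage for GET_DESCRIPTOR(DEVICE).
 * Added illustration only; memory image, descriptor layout and the "secret"
 * bytes after the descriptor are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PACKET   64u      /* full-speed USB maximum packet size */
#define MEM_SIZE     0x1200u  /* size of the constructed memory image */
#define DESC_ADDR    0x1000u  /* where the device descriptor lives */
#define DEV_DESC_LEN 18u      /* bLength of a USB device descriptor */

/* Hypothetical DMA transfer descriptor: bytes remaining and an address.
 * Real controllers chain these in a linked list; one entry is enough here. */
struct dma_desc {
    uint32_t len;
    uint32_t addr;
};

/* Data that follows the descriptor in RAM and was never meant to leave. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* Constructed device memory: an 18-byte device descriptor at DESC_ADDR,
 * immediately followed by SECRET (including its terminating NUL). */
static void build_memory(uint8_t *mem)
{
    static const uint8_t dev_desc[DEV_DESC_LEN] = {
        0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, /* bLength..bMaxPacketSize0 */
        0x34, 0x12, 0x78, 0x56, 0x00, 0x01,             /* made-up VID/PID, bcdDevice */
        0x01, 0x02, 0x03, 0x01                          /* string indices, bNumConfigurations */
    };
    memset(mem, 0, MEM_SIZE);
    memcpy(mem + DESC_ADDR, dev_desc, sizeof dev_desc);
    memcpy(mem + DESC_ADDR + DEV_DESC_LEN, SECRET, sizeof SECRET);
}

/* Device side of the data stage: send min(len, MAX_PACKET) bytes per packet,
 * advance addr and decrement len; a short packet ends the transfer, and a run
 * of full packets is closed with a zero-length packet. Reads are clamped to
 * the image so the simulation itself cannot overrun; a real DMA engine keeps
 * walking until len reaches zero (or the bus faults). */
static size_t run_data_stage(struct dma_desc d, const uint8_t *mem,
                             uint8_t *out, size_t out_cap, unsigned *packets)
{
    size_t sent = 0;
    *packets = 0;
    for (;;) {
        uint32_t chunk = d.len < MAX_PACKET ? d.len : MAX_PACKET;
        if (d.addr >= MEM_SIZE) chunk = 0;
        else if (d.addr + chunk > MEM_SIZE) chunk = MEM_SIZE - d.addr;
        if (sent + chunk > out_cap) chunk = (uint32_t)(out_cap - sent);
        if (chunk) memcpy(out + sent, mem + d.addr, chunk);
        sent += chunk;
        d.addr += chunk;
        d.len -= chunk;
        (*packets)++;
        if (chunk < MAX_PACKET) break;            /* short packet: transfer done */
        if (d.len == 0) { (*packets)++; break; }  /* exactly full: send a ZLP */
    }
    return sent;
}

/* Host-side check: bytes received beyond the descriptor's own bLength. */
static size_t leaked_bytes(const uint8_t *resp, size_t received)
{
    if (received == 0) return 0;
    size_t blength = resp[0];
    return received > blength ? received - blength : 0;
}

static uint8_t g_out[MEM_SIZE];  /* what the host received */

/* One simulated exchange. The host asks for wlength bytes; correct firmware
 * programs the DMA length as min(wlength, bLength); the glitched flag models a
 * fault that leaves the full wlength in the length field instead. */
static size_t get_descriptor(uint16_t wlength, int glitched, unsigned *packets)
{
    uint8_t mem[MEM_SIZE];
    build_memory(mem);
    uint32_t len = wlength < DEV_DESC_LEN ? wlength : DEV_DESC_LEN;
    struct dma_desc d = { glitched ? wlength : len, DESC_ADDR };
    return run_data_stage(d, mem, g_out, sizeof g_out, packets);
}

size_t bytes_received(uint16_t wlength, int glitched)
{ unsigned p; return get_descriptor(wlength, glitched, &p); }

unsigned packets_received(uint16_t wlength, int glitched)
{ unsigned p; get_descriptor(wlength, glitched, &p); return p; }

size_t leak_after(uint16_t wlength, int glitched)
{ unsigned p; size_t n = get_descriptor(wlength, glitched, &p); return leaked_bytes(g_out, n); }

int secret_visible(uint16_t wlength, int glitched)
{
    unsigned p;
    size_t n = get_descriptor(wlength, glitched, &p);
    return n >= DEV_DESC_LEN + sizeof SECRET &&
           memcmp(g_out + DEV_DESC_LEN, SECRET, sizeof SECRET) == 0;
}

int main(void)
{
    printf("normal:   %zu bytes, %u packets, leaked %zu\n",
           bytes_received(0x200, 0), packets_received(0x200, 0), leak_after(0x200, 0));
    printf("glitched: %zu bytes, %u packets, leaked %zu, secret visible: %d\n",
           bytes_received(0x200, 1), packets_received(0x200, 1), leak_after(0x200, 1),
           secret_visible(0x200, 1));
    return 0;
}
```

Build with `cc -Wall -o dma_sim dma_sim.c && ./dma_sim`. The un-glitched exchange returns the 18-byte descriptor in one short packet; with the length field corrupted the same code path streams eight full packets plus a ZLP and hands the host everything from the descriptor to the end of the image, which is the "18 bytes, 18 bytes, then one much longer response" pattern the demo looks for. The `leaked_bytes` comparison against bLength is the cheap per-response classifier a harness can use instead of eyeballing the log.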
Abschattung
Flächeninhalt
Inhalt <Mathematik>
Bildgebendes Verfahren
Statisches RAM
ATM
Lineares Funktional
Computersicherheit
Statisches RAM
Abschattung
Dienst <Informatik>
SLAM-Verfahren
Emulation
Flächeninhalt
Mereologie
Gamecontroller
Garbentheorie
Information
Standardabweichung
Tabelle <Informatik>
Matrizenrechnung
Subtraktion
Punkt
Kreisring
Geräusch
Unrundheit
ROM <Informatik>
Physikalische Theorie
Eins
Virtuelle Maschine
Wechselsprung
Theorem
Serielle Schnittstelle
Endogene Variable
Mapping <Computergraphik>
Abschattung
Flächeninhalt
Statisches RAM
Plot <Graphische Darstellung>
Abschattung
Flächeninhalt
Einheit <Mathematik>
Rechter Winkel
Garbentheorie
Ordnung <Mathematik>
Lesen <Datenverarbeitung>
ATM
Lineares Funktional
Termersetzungssystem
Computersicherheit
Programm/Quellcode
Token-Ring
Elektronische Publikation
Physikalische Theorie
Code
Modallogik
Festspeicher
Endogene Variable
Funktionalanalysis
Speicher <Informatik>
Bildgebendes Verfahren
Orakel <Informatik>
Analysis
Zeichenkette
Synchronisierung
Statisches RAM
Taupunkt
Datenmanagement
ROM <Informatik>
Eins
Office-Paket
Arithmetisches Mittel
Hypermedia
Medianwert
Systemprogrammierung
Spezialrechner
SLAM-Verfahren
Funktion <Mathematik>
Serielle Schnittstelle
Mapping <Computergraphik>
Ereignishorizont
Standardabweichung

Metadata

Formal metadata

Title Opening Closed Systems with GlitchKit
Subtitle 'Liberating' Firmware from Closed Devices with Open Source Hardware
Series title 34th Chaos Communication Congress
Author Temkin, Kate
Spill, Dominic
License CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI 10.5446/34895
Publisher Chaos Computer Club e.V.
Publication year 2017
Language English

Content metadata

Subject area Computer science
Abstract Systems that hide their firmware -- often deep in readout-protected flash or hidden in encrypted ROM chips -- have long stymied reverse engineers, who often have to resort to inventive methods to understand closed systems. To help reduce the effort needed to get a foothold into a new system, we present GlitchKit -- an open source hardware and firmware solution that significantly simplifies the process of fault-injecting your way into a new system -- and of fault-injecting firmware secrets out! This talk presents the development completed thus far, demonstrates the use of GlitchKit in simple attacks, and invites participation in the development of our open-source tools.
Keywords Hardware & Making
