attacks
play

Attacks August 28, 2019 Conference on Cryptographic Hardware and - PowerPoint PPT Presentation

Dec 08, 2022 •19 likes •369 views

Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on

  1. Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca’ Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems 2019

  2. Fau ault lt what? t? • Exploits hardware vulnerabilities to “create” new bugs • Influence (inject) a system with internal / external stimuli • Alter the intended execution flow / behavior • Skip instructions , influence branch decisions, corrupt memory locations, etc. • Bypass security checks, leak data or crypto material, create side- channels, etc. • Non-invasive to invasive techniques: clock, voltage, EM, FIB, laser, heat, flash, etc.

  3. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  4. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  5. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  6. Voltage Fault Injection… Th The MOSFET Way ay  The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

  7. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms DESIDERATA  Stable and repeatable results  High degree of freedom in glitch generation  Software managed attack parameters  Low-cost and easy to build setup

  8. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms

  9. DAC-based glitch generator Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms  Rising and falling edges affect V-FI performance [ZDCR14] ? What if different devices / attacks need different glitch waveforms ? ? How do we identify the best match ?

  10. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Need for automatic parameter search and optimization!

  11. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Genetic Algoritm (Selection, Crossover, Mutation, Replacement)

  12. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Cubic interpolation

  13. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Digital-to-Analog conversion

  14. AGW: : wit ith big big po power com omes lots lots of of par parameters • Power supply voltage with < 10mV resolution • Glitch shape and voltage in 2048 points • Injection timing with ~20ns accuracy • Glitch frequency / duration ➔ Precise glitch triggering

  15. Case ase Stu tudy: Ren enesas 78K K Fir Firmware Extr Extraction ● Widely used by the automotive industry ● 32 to 256KB integrated flash memory for firmware / data ● Internal bootloader for flash programming via PC ● No knowledge on the firmware / bootloader code → Blackbox ● Bootloader protocol exposes a set of API via serial interface ○ Program ○ Erase ○ Checksum ○ Verify ● Built-in security mechanisms : ○ Commands operate on 256 bytes aligned memory blocks ○ All programming and erasing commands can be disabled ○ Voltage Supervisor / BOR

  16. Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies No read command… Fail  ● Use FI to verify just one byte… Fail  ● Use FI to calculate the checksum of one byte… Fail  ● Use FI to calculate the checksum of 4 bytes (aligned)... ● Use FI to verify 4 bytes (aligned)... ● B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 B11 B12 ... ... B255 B256 Checksum(B1, B256) = 0x10000 - B1 - B2 - B3 - ... - B255 - B256

  17. Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies No read command… Fail  ● Use FI to verify just one byte… Fail  ● Use FI to calculate the checksum of one byte… Fail  ● Use FI to calculate the checksum of 4 bytes (aligned)... Success  ● Use FI to verify 4 bytes (aligned)... Success  ● 00 11 22 33 ? ? ? ? AA BB CC DD ? ? ? ? 0x10000 - {B1...B4} = 0xFF9A Verify(0xAA...0xDD) = True/False

  18. Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con ontent More leaks required  more faults ● Side-channel from the checksum computation? ● def checksum(start, end): if (end != start + 256): raise result = 0x10000 00 11 22 33 for i in range(start, end + 1): result = result - flash[i] return result 0x10000 - {B1...B4} = 0xFF9A

  19. Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con ontent More leaks required  more faults ● Side-channel from the checksum computation? ● def checksum(start, end): if (end != start + 256): raise result = 0x10000 00 11 22 33 for i in range(start, end + 1): result = result - flash[i] return result 0x10000 - B1 - B3 - B4 = 0xFFAB 0xFF9A - 0xFFAB = 0x11

  20. ● Just inject a fault for every byte, right? Nope . Step St ep III: De Deal With th Timi Timing Err Error ors • What is the extracted value for B3 ? • 0x22 with ~10% probability • 0x33 with ~4% probability • 0x11 with ~3% probability • 0x00 with <1% probability • 0x55 with <1% probability • Plus the false positives! Glitch trigger

  21. Step ep IV IV: Mou ount t the the Fu Full ll Attack ack ● 00 11 22 33 Calculate the sum of B1+B2+B3+B4 = 0x66 ● For each extracted candidate byte Bx : ○ Find all the 4-bytes permutations with Bx ○ Discard permutations which do not sum to 0x66 ○ Glitch the verify command to test each new permutation ○ Stop when the verify is successful ● Iterate for {B5…B8} {B9…B12} … until the flash is dumped! MANY hours later… Candidate #1 Candidate #2 Candidate #3 Candidate #4 11 33 00 22 00 00 22 78 01 32 00 33 00 11 22 33

  22. ● Let the attack go day and night, right? Not that easy. St Step ep V: : Co Comp mpensate for or Temp emperatu ture Err Error ors Bootloader runs from internal oscillator The RC oscillator drift with temperature The rate is about 0.1% / ◦ C With +6 ◦ C the trigger moved by > 4 us Solved by software compensation Glitch trigger

  23. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  24. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  25. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  26. Comparison of the Renesas attack performance for three major V-FI techniques. Just 60KB! Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  27. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

  28. Comparison of the Renesas attack performance for three major V-FI techniques. Evaluation & Comparison • Speed : our technique is 32% faster than PULSE and 63% faster than MOSFET • Efficiency : PULSE used ~2x the number of glitches and MOSFET ~5x • Reliability: AGW produces 30% the number of false positives than MOSFET

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding &amp; DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van

LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van

LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020 1 Daniel Gruss, Daniel Moghimi, Jo Van Bulck National Geographic Processor security: Hardware

1.47k views • 120 slides
Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018 Carlin Senter, MD Associate Professor Co-Director UCSF Sports Concussion Program Primary Care Sports Medicine University of California San

159 views • 5 slides
EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline Introduction Template Engines SSTI SSTI Methodology Tplmap Demo Remediation What is a template engine? Helps

818 views • 16 slides
Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland Introduction Deral Heiland, CISSP, GWAPT: Senior Security Engineer at CDW, responsible for security assessments, penetration tests and consulting for

596 views • 58 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive

Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive

Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive and HPC systems need high resilience Need to evaluate resilience of applications Silent Data Corruption (SDC), Detected Unrecoverable Error (DUE)

368 views • 26 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides

More recommend