Attacks August 28, 2019 Conference on Cryptographic Hardware and - - PowerPoint PPT Presentation

attacks
SMART_READER_LITE
LIVE PREVIEW

Attacks August 28, 2019 Conference on Cryptographic Hardware and - - PowerPoint PPT Presentation

Dec 08, 2022 19 likes •372 views

Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on

slide-1
SLIDE 1

Shaping th the Glit litch: Optimizing Volt ltage Fault In Inje jection Attacks

Conference on Cryptographic Hardware and Embedded Systems 2019

Claudio Bozzato4 Riccardo Focardi12 Francesco Palmarini13

1Ca’ Foscari University of

Venice, 2Cryptosense,

3Yarix, 4Talos

August 28, 2019 Atlanta, USA

slide-2
SLIDE 2

Fau ault lt what? t?

  • Exploits hardware vulnerabilities to “create” new bugs
  • Influence (inject) a system with internal / external stimuli
  • Alter the intended execution flow / behavior
  • Skip instructions, influence branch decisions, corrupt memory

locations, etc.

  • Bypass security checks, leak data or crypto material, create side-

channels, etc.

  • Non-invasive to invasive techniques: clock, voltage, EM, FIB, laser,

heat, flash, etc.

slide-3
SLIDE 3

 The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

Voltage Fault Injection… Th The MOSFET Way ay

slide-4
SLIDE 4

Voltage Fault Injection… Th The MOSFET Way ay

 The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

slide-5
SLIDE 5

Voltage Fault Injection… Th The MOSFET Way ay

 The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

slide-6
SLIDE 6

Voltage Fault Injection… Th The MOSFET Way ay

 The most widespread Voltage Fault Injection setup [OC14]  Very easy to setup and low-cost × Low control over glitch parameters × Unpredictable: the glitch characteristics depends on circuit properties, MOSFET, etc.

slide-7
SLIDE 7

Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms

DESIDERATA

 Stable and repeatable results  High degree of freedom in

glitch generation

 Software managed attack

parameters

 Low-cost and easy to build

setup

DAC-based glitch generator

slide-8
SLIDE 8

Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms

DAC-based glitch generator

slide-9
SLIDE 9

Our Our Ide dea: Arbitr Arbitrary ry Glitch Waveforms

 Rising and falling edges

affect V-FI performance [ZDCR14]

? What if different devices /

attacks need different glitch waveforms?

? How do we identify the

best match?

DAC-based glitch generator

slide-10
SLIDE 10

AGW: : wit ith big big po power com

  • mes

lots lots of

  • f par

parameters

  • Power supply voltage with < 10mV resolution
  • Glitch shape and voltage in 2048 points
  • Injection timing with ~20ns accuracy
  • Glitch frequency / duration

➔ Need for automatic

parameter search and

  • ptimization!
slide-11
SLIDE 11

AGW: : wit ith big big po power com

  • mes

lots lots of

  • f par

parameters

➔ Genetic Algoritm (Selection,

Crossover, Mutation, Replacement)

  • Power supply voltage with < 10mV resolution
  • Glitch shape and voltage in 2048 points
  • Injection timing with ~20ns accuracy
  • Glitch frequency / duration
slide-12
SLIDE 12

AGW: : wit ith big big po power com

  • mes

lots lots of

  • f par

parameters

➔ Cubic interpolation

  • Power supply voltage with < 10mV resolution
  • Glitch shape and voltage in 2048 points
  • Injection timing with ~20ns accuracy
  • Glitch frequency / duration
slide-13
SLIDE 13

AGW: : wit ith big big po power com

  • mes

lots lots of

  • f par

parameters

➔ Digital-to-Analog conversion

  • Power supply voltage with < 10mV resolution
  • Glitch shape and voltage in 2048 points
  • Injection timing with ~20ns accuracy
  • Glitch frequency / duration
slide-14
SLIDE 14

AGW: : wit ith big big po power com

  • mes

lots lots of

  • f par

parameters

➔ Precise glitch triggering

  • Power supply voltage with < 10mV resolution
  • Glitch shape and voltage in 2048 points
  • Injection timing with ~20ns accuracy
  • Glitch frequency / duration
slide-15
SLIDE 15

Case ase Stu tudy: Ren enesas 78K K Fir Firmware Extr Extraction

  • Widely used by the automotive industry
  • 32 to 256KB integrated flash memory for firmware / data
  • Internal bootloader for flash programming via PC
  • No knowledge on the firmware / bootloader code → Blackbox
  • Bootloader protocol exposes a set of API via serial interface

○ Program ○ Erase ○ Checksum ○ Verify

  • Built-in security mechanisms:

○ Commands operate on 256 bytes aligned memory blocks ○ All programming and erasing commands can be disabled ○ Voltage Supervisor / BOR

slide-16
SLIDE 16

Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies

  • No read command… Fail 
  • Use FI to verify just one byte… Fail 
  • Use FI to calculate the checksum of one byte… Fail 
  • Use FI to calculate the checksum of 4 bytes (aligned)...
  • Use FI to verify 4 bytes (aligned)...

Checksum(B1, B256) = 0x10000 - B1 - B2 - B3 - ... - B255 - B256

B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 B11 B12 ... ...

B255 B256

slide-17
SLIDE 17

Step ep I: I: Fin Findin ing Vuln lnerabil ilit itie ies

0x10000 - {B1...B4} = 0xFF9A Verify(0xAA...0xDD) = True/False

  • No read command… Fail 
  • Use FI to verify just one byte… Fail 
  • Use FI to calculate the checksum of one byte… Fail 
  • Use FI to calculate the checksum of 4 bytes (aligned)... Success 
  • Use FI to verify 4 bytes (aligned)... Success 

00 11 22 33 ? ? ? ? AA BB CC DD ? ? ? ?

slide-18
SLIDE 18

Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con

  • ntent

def checksum(start, end): if (end != start + 256): raise result = 0x10000 for i in range(start, end + 1): result = result - flash[i] return result

0x10000 - {B1...B4} = 0xFF9A

00 11 22 33

  • More leaks required  more faults
  • Side-channel from the checksum computation?
slide-19
SLIDE 19

Step ep II II: : Leak eakin ing Fla Flash Mem emory ry Con

  • ntent
  • More leaks required  more faults
  • Side-channel from the checksum computation?

def checksum(start, end): if (end != start + 256): raise result = 0x10000 for i in range(start, end + 1): result = result - flash[i] return result

0x10000 - B1 - B3 - B4 = 0xFFAB 0xFF9A - 0xFFAB = 0x11

00 11 22 33

slide-20
SLIDE 20

St Step ep III: De Deal With th Timi Timing Err Error

  • rs
  • What is the extracted value for B3?
  • 0x22 with ~10% probability
  • 0x33 with ~4% probability
  • 0x11 with ~3% probability
  • 0x00 with <1% probability
  • 0x55 with <1% probability
  • Plus the false positives!

Glitch trigger

  • Just inject a fault for every byte, right? Nope.
slide-21
SLIDE 21

Step ep IV IV: Mou

  • unt

t the the Fu Full ll Attack ack

  • Calculate the sum of B1+B2+B3+B4 = 0x66
  • For each extracted candidate byte Bx:

Find all the 4-bytes permutations with Bx

Discard permutations which do not sum to 0x66

Glitch the verify command to test each new permutation

Stop when the verify is successful

  • Iterate for {B5…B8} {B9…B12} … until the flash is dumped! MANY hours later…

11 33 00 22 00 00 22 78 01 32 00 33 00 11 22 33

Candidate #1 Candidate #2 Candidate #3 Candidate #4

00 11 22 33

slide-22
SLIDE 22

St Step ep V: : Co Comp mpensate for

  • r

Temp emperatu ture Err Error

  • rs

Bootloader runs from internal oscillator The RC oscillator drift with temperature The rate is about 0.1% / ◦C With +6 ◦C the trigger moved by > 4 us Solved by software compensation

  • Let the attack go day and night, right? Not that easy.

Glitch trigger

slide-23
SLIDE 23

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-24
SLIDE 24

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-25
SLIDE 25

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-26
SLIDE 26

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

Just 60KB!

slide-27
SLIDE 27

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-28
SLIDE 28

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-29
SLIDE 29

Evaluation & Comparison

  • Speed: our technique is 32% faster than PULSE and 63% faster than MOSFET
  • Efficiency: PULSE used ~2x the number of glitches and MOSFET ~5x
  • Reliability: AGW produces 30% the number of false positives than MOSFET

Comparison of the Renesas attack performance for three major V-FI techniques.

slide-30
SLIDE 30

Evaluation and comparison

Verify 4-bytes Checksum 4-bytes Checksum leak

Different glitch waveforms provide the best performance for different vulnerabilities.

slide-31
SLIDE 31

Evaluation and comparison

Comparison of the glitch waveforms / techniques for the Renesas attack.

Verify 4-bytes Checksum 4-bytes Checksum leak

slide-32
SLIDE 32

Con

  • ntributio

ions

  • Studied the effects of Arbitrary Glitch Waveforms on the performance
  • f V-FI
  • Investigated on the feasibility of automatic attack parameter selection

and optimization using Genetic Algorithms

  • Found unpublished vulnerabilities that enable firmware extraction

attacks for six microcontrollers from by three major silicon manufacturers:

STMicroelectronics - STM32F1 & STM32F3

Texas Instruments

  • MSP430 F5xx & MSP430 FRAM

Renesas Electronics - 78K0/Kx2 & 78K0R/Kx3-L

  • In-depth analysis and evaluation of the attack performance compared

to other V-FI techniques

slide-33
SLIDE 33

THANK YOU!

slide-34
SLIDE 34

References

  • [BFP19] C. Bozzato, R. Focardi, F. Palmarini. Shaping the Glitch: Optimizing

Voltage Fault Injection Attacks. TCHES 2019.

  • [ZDCR14] L. Zussa, J. Dutertre, J. Clediere, B. Robisson. Analysis of the fault

injection mechanism related to negative and positive power supply glitches using an on-chip Voltmeter. HOST 2014.

  • [OC14] C. O’Flynn, Z. Chen. ChipWhisperer. An Open-Source Platform for

Hardware Embedded Security Research. COSADE 2014.

slide-35
SLIDE 35

pal palmarini ni@unive.it .it