bio
play

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! - PowerPoint PPT Presentation

Apr 03, 2024 •386 likes •1.11k views

Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# ! Involved#from#sample#prepara>on#to#report#wri>ng# ! Op>cal#systems#setup## ! Sample#prepara>on# ! Delayering# ! Imagery# ! SoCware#developments #

  2. Bio$ ! 8#years#in#a#security#lab# ! Technology#lover# ! Analysis#techniques#//#exploits# ! Involved#from#sample#prepara>on#to#report#wri>ng# ! Op>cal#systems#setup## ! Sample#prepara>on# ! Delayering# ! Imagery# ! SoCware#developments #

  3. Bio$ ! Semi!invasive#aDacks# ! Invasive#aDacks#–#circuit#edit# ! Micro!probing# ! Various#experiments# ! Photoemission# ! AFM#techniques# ! Electrical#glitch#

  4. Talk$Descrip/on$ ! Focus#on#Hardware#reverse#engineering# ! Evolu>on#of#the#all#process# ! Sample#prepara>on# ! Imaging# ! Study# ! Change#in#evalua>on#criterias# Talk# descrip>on# context# ! Future#evolu>ons# Future# HRTs#as#the# developments# next#step# HRT#outcomes#

  5. Context$ ! ADacks#summary# # ! Chip#classifica>on# # context# HRTs#as#the# next#step# HRT#outcomes# Future# developments#

  6. Context$–$A6acks$summary$ Non#invasive#aDacks#!#VCC#and#Clk#glitch# ! Take#advantage#of#the#RTL#technology# ! Used#to#skip#instruc>ons#or#to#disturb#the# normal#execu>on# ⇒ Finding#the#glitch#paDern#is#empirical# ⇒ The#real#effect#stays#hidden#

  7. Context$–$A6acks$summary$ Semi!invasive#aDacks#!#Sample#prepara>on#techniques# Par/al$opening$<$frontside$

  8. Context$–$A6acks$summary$ Semi!invasive#aDacks#!#Sample#prepara>on#techniques# Repackaging$

  9. Context$–$A6acks$summary$ Semi!invasive#aDacks#!#Sample#prepara>on#techniques# In$situ:$

  10. Context$–$A6acks$summary$ Semi!invasive#aDacks#–#Principle# # ! 1064#nm#laser#spot#can#induce#transistor#switch# ! Silicon#is#«#transparent#»#@1064#nm# ! Metal#planes#prevent#laser#fault#injec>on# ! Fault#is#injected#at#a#precise#given#loca>on# #

  11. Semi!invasive#aDacks#–#Tests# Context$–$A6acks$summary$ Fishing$:$ .#Unknown#>ming# # .#Vague#localiza>on# # .#Trial#and#Error# # # =>#Working#;!)#

  12. Context$–$A6acks$summary$ Semi!invasive#aDacks#–#Tests# Automated$fishing$ (a$first$step$toward$laser$scan) $:$ .#XY#stages#for#chip#posi>oning# # .#One#posi>on#–#several#laser#pulses# # .#Pass!fail#from#data#returned#by#the#device# # .#One#scan#per#>ming#of#interest# # =>#Different#effects#

  13. Semi!invasive#aDacks#–#Tests# Context$–$A6acks$summary$ Targeted$shot$:$ .#Precise#localiza>on#from#laser#scan#image# # .#Timing#s>ll#cri>cal# #

  14. Invasive#aDacks# Context$–$A6acks$summary$ Get#access#to#the#circuitry#itself#and#apply# modifica>on#for# # ! Shield#bypass# ! Embedded#counter!measures#deac>va>on# ! Data#extrac>on#

  15. Invasive#aDacks# Context$–$A6acks$summary$ The$process$:$delayering$and$imaging$ ! Delayering#requires#skills#and#machinery# ! Op>cal#and#/#or#SEM#scan# # ! Pictures#s>tching#is#key# ! Alignment#of#layers#must#be#precise#

  16. Invasive#aDacks# Context$–$Imaging$techniques$ The$process$:$op/cal$imaging$ Op>cal#scans#are#fast#to#perform#but#:# ! Good#>lt#setup#for#high#resolu>on#scan# is#a#nightmare#(narrow#depth#of#field)# ! Small#features#become#invisible#with# technology#size#reduc>on# ! Oxide#layers#are#light#transparent# (every#deeper#layer#is#visible)# ! Pictures#lack#informa>on#such#as#vias#

  17. Invasive#aDacks# Context$–$Imaging$techniques$ The$process$:$SEM$imaging$ SEM#scan#are#slow#(hours#range)#and# pictures#are#distorted#but#:# ! Depth#of#field#is#bigger# ! Resolu>on#is#higher# ! Oxide#layers#are#not#transparent# (one#visible#layer#at#a#>me)#

  18. Context$–$A6acks$summary$ Invasive#aDacks# The$process$:$“Reverse<engineering”$ ! Intensive#use#of#pictures# ! Generate#a#test#procedure# # ! Localize#points#of#interests# #

  19. Invasive#aDacks# Context$–$A6acks$summary$ The$process$:$Fib$edit$

  20. Invasive#aDacks# Context$–$A6acks$summary$ The$process$:$Micro<probing$

  21. Invasive#aDacks# Context$–$A6acks$summary$ Linear$Code$Extrac/on$ ! 2#major#types#of#instruc>ons#:#sequen>al#/#jumps# ! Provide#only#one#instruc>on#to#the#core#of#sequen>al#type# ! Core#will#execute#something#useless# ! Address#will#be#incremented## ! The#en>re#code#will#be#outpuDed#from#NVM#memory# # =>#Most#successful#invasive#aDack#

  22. Invasive#aDacks# Context$–$A6acks$summary$ Linear$Code$Extrac/on$ ! Cut#and#setup#an#instruc>on#for#the#core#(ex.#nop)# ! Read#data#before#the#cut#

  23. Invasive#aDacks# Context$–$A6acks$summary$ Linear$Code$Extrac/on$:$Less$FIBing$–$more$op/ons$ ! Use#buffer#or#register#/#latch# signal#to#prevent#read#buffer# output#update# ! Read#data#before#the#buffer# (register#/#latch)# ⇒ Running#code#extrac>on#is# straight#forward# ⇒ Modifica>on#of#the#code#is# possible# ⇒ Skipping#instruc>on#is# possible#(jumps…)#

  24. Context$–$Chip$classifica/on$ 3#different#kind#of#security#levels#:# # ! Weak% :#code#can#be#extracted#by#old#techniques#or#LCE# ! Adequate% :#old#techniques#do#not#work#//#LCE#can#be#done#at#the#costs# of#Hardware#Reverse!engineering# ! Advanced #:#Hardware#Reverse!engineering#is#mandatory#for#a#code# extrac>on#+#hardware#func>ons#have#to#be#found#and#studied#

  25. Context$–$Chip$classifica/on$ 3#different#kind#of#security#levels#:# Chip#manufacturer# Pirates# Customer# Weak# Trivial# Dangerous## No#way# cheap# Adequate# Tricky# Balanced# Dangerous# cheap# Advanced# Headache# Overkill# Mandatory# provider# expensive# expensive#

  26. HRTs#as#the# next#step# HRT#outcomes# Future# developments#

  27. HRTs$as$the$next$step$ Analysis#techniques#evolu>on#:# ! Laser#fault#injec>on# ! ROM#code#extrac>on# ! LCE# ! Other#techniques# Sample#prepara>on#and#imaging#evolu>on#:# ! Sample#prepara>on# ! SEM#imaging# ! Accurate#correla>on# ! All#chip#features#become#visible#and#usable# #

  28. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ Laser$fault$injec/on$ Usual#tests#target#registers#or#memory#output# ! Where#are#the#working#registers?# ! Is#the#memory#encrypted?# ⇒ Results#can#be#achieved#but#hardly#exploited# Fishing#tests#are#also#effec>ve# ! Needed#equipment#price#can#be#quite#low# ! Effect#can#not#be#predicted# ! Timing#and#spot#localiza>on#have#to#be#found# ⇒ Results#can#be#achieved#but#can’t#be#fully#understood#therefore# exploits#are#difficult#to#build# ⇒ Fishing#is#a#real#threat#

  29. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ Laser$fault$injec/on$:$examples$ ! Reading#extra#bytes#from#RAM#while# glitching#during#the#ATR#rou>ne# ! Number#of#extra#bytes#depends#on# glitch#loca>on# # ! Change#mode#of#execu>on# ! Effect#is#“stored”# ! Original#mode#can#be#restored# ! Instruc>on#skip# # ⇒ Registers#can#be#found#by#fishing# ⇒ Fault#injected#inside#the#core#–#what# happened?#

  30. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$ ! Principle#does#not#change# ! Memory#encryp>on# ! Mul>plexers#mixed#with#the# core#

  31. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$:$hidden$mux$ 8#bits#processor# 32#bits#FLASH#output#going#to#the#core#

  32. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$:$hidden$mux$ Lines#have#to#be#traced#inside#the# core#to#find#the#8#bits#data#bus.#

  33. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$:$hidden$mux$ 3#paths#can#be#followed#:# 2#of#them#can#not#be#exploited#

  34. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$:$hidden$mux$ ! Finding#the#correct#spot#took#some#>me# ! Mul>plexers#were#hidden# ! Data#was#not#encrypted#

  35. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ LCE$evolu/on$:$state$of$the$art$$ ! Mul>plexers#are#hidden# ! NVM#content#is#scrambled# ! NVM#content#is#encrypted# ! Hardware#custom#func>ons#are#implemented#as#part#of#the#core# ! Several#thousands#gates#have#to#be#reversed#

  36. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ ROM$reading$:$ROM$“op/cal$reading”$

  37. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ ROM$reading$:$principle$ ! Define#4#corners#for#alignment# ! Affine#transforma>on#to# compensate#“>lt#deforma>on”# ! Define#horizontal#bit#spacing# ! Define#ver>cal#bit#spacing# 00100111# 10101001# 10001101# 00011101# ! Choose#criteria#for#bit#value# 00001111# 11100000# 11111101# 11111110# 11010101# 00011101# ! Extract#defined#zone# 00001111# 11100000# 11111101# 00011101# 00001111# 11100000#

  38. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ ROM$reading$:$correla/on$issue$ As#ROMs#are#gerng#bigger,#correla>on#errors#have#to#be#considered# 4700#pictures#have#to#be#s>tched#

  39. Analysis#techniques#evolu>on#:# HRTs$as$the$next$step$ ROM$reading$:$correla/on$issue$ Smarter#procedure#:# ! Do#not#try#correla>ng#pictures#(especially#SEM# pics)#of#a#large#scan# ! Do#not#try#to#tell#your#script#where#the#bits#are# ! Find#bits#corresponding#to#a#no>ceable#value# ! Extract#a#grid#from#their#posi>on# ! From#the#grid,#recover#the#missing#bits# ! Correlate#bits#from#an#image#with#those#of#the# adjacent#one#and#so#on#

  40. Sample#prepara>on#and#imaging#evolu>on#:# HRTs$as$the$next$step$ Deprocessing$:$ By#using#plasma#etching#as#the#only#technique#for#deprocessing,#picture# quality#is#poor##

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single Event Effects in SRAM based FPGA for space applications Analysis and Mitigation

Single Event Effects in SRAM based FPGA for space applications Analysis and Mitigation

Single Event Effects in SRAM based FPGA for space applications Analysis and Mitigation Diagnostic Services in Network-on-Chips (DSNOC09) Roland Weigand David Merodio Codinachs European Space Agency Microelectronics Section

572 views • 30 slides
Ecosystem, Specifications and Framework March, 2016 OIC Presenters: Ravi Subramaniam Standard

Ecosystem, Specifications and Framework March, 2016 OIC Presenters: Ravi Subramaniam Standard

Open Internet Consortium (OIC) Ecosystem, Specifications and Framework March, 2016 OIC Presenters: Ravi Subramaniam Standard Working Group Open Interconnect Consortium Open Interconnect Consortium, Inc. Table of Contents Internet of

775 views • 52 slides
how to fix them Mahdi Roozbahani Lecturer, Computational Science and Engineering, Georgia Tech

how to fix them Mahdi Roozbahani Lecturer, Computational Science and Engineering, Georgia Tech

CX4242: Common visualization Issues &amp; how to fix them Mahdi Roozbahani Lecturer, Computational Science and Engineering, Georgia Tech Student of Edward Tufte 5 http://a.co/6BhlPfZ Also Highly Recommended: Bar Charts The color scheme

856 views • 59 slides
LHC Synchrotron-Light Monitors: Status and Possible Upgrades Alan Fisher SLAC LARP CM15 SLAC

LHC Synchrotron-Light Monitors: Status and Possible Upgrades Alan Fisher SLAC LARP CM15 SLAC

LARP LHC Synchrotron-Light Monitors: Status and Possible Upgrades Alan Fisher SLAC LARP CM15 SLAC 2010 November 2 CERN Collaborators LARP Stphane Bart-Pedersen Andrea Boccardi Enrico Bravin Stphane Burger Grard

1.08k views • 42 slides
ME Supervisors Mtg Joe Silber 2012-04-12 4/12/2012 Silber 1 About me At LBNL now for 2

ME Supervisors Mtg Joe Silber 2012-04-12 4/12/2012 Silber 1 About me At LBNL now for 2

ME Supervisors Mtg Joe Silber 2012-04-12 4/12/2012 Silber 1 About me At LBNL now for 2 yrs. Main projects: STAR HFT ~60% ATLAS Upgrade ~10% BigBOSS ~30% Grad work was in composite materials Built race cars at Cal

386 views • 36 slides
OSVGAN: Generative Adversarial Networks for Data Scarce Online Signature Verification Chandra

OSVGAN: Generative Adversarial Networks for Data Scarce Online Signature Verification Chandra

OSVGAN: Generative Adversarial Networks for Data Scarce Online Signature Verification Chandra Sekhar Vorugunti Sai Sasikanth Indukuri Viswanath Pulabaigari Rama Krishna Sai Gorthi IIIT SriCity

86 views • 5 slides
merlin : Mixed effects regression for linear, non-linear and user-defined models Stata Nordic and

merlin : Mixed effects regression for linear, non-linear and user-defined models Stata Nordic and

the motivation the past the goal the example the family the surprise the future merlin : Mixed effects regression for linear, non-linear and user-defined models Stata Nordic and Baltic Meeting Oslo, 12th September 2018 Michael J. Crowther

505 views • 50 slides
Social Media Fundraising Tips for Animal Welfare Organizations www.lapafundraising.com 1 Tips

Social Media Fundraising Tips for Animal Welfare Organizations www.lapafundraising.com 1 Tips

Social Media Fundraising Tips for Animal Welfare Organizations www.lapafundraising.com 1 Tips for Social Media Fundraising Quick Facts Different platforms will attract different audiences: Instagram &amp; Twitter: Donors Age (15-34)

326 views • 8 slides
Tips for Moderators: Making Your Session an Outstanding Learning Experience Produced by the

Tips for Moderators: Making Your Session an Outstanding Learning Experience Produced by the

Tips for Moderators: Making Your Session an Outstanding Learning Experience Produced by the Management and Personal Development Section Why This is Important Session participants attend to learn They want to feel that their time is

432 views • 19 slides
POWERPOINT TIPS 1 PREZI PRESENTER TELL A STORY MIND THE FONT VIEW TEXT TO THE BRANDING USE

POWERPOINT TIPS 1 PREZI PRESENTER TELL A STORY MIND THE FONT VIEW TEXT TO THE BRANDING USE

10/09/19 POWERPOINT TIPS 1 PREZI PRESENTER TELL A STORY MIND THE FONT VIEW TEXT TO THE BRANDING USE IMAGES LEFT 2 1 10/09/19 PREZI LIMIT TEXT USE ICONS MORPH CAPTIONS 3 PREZI BEST PRACTICES USE VIDEO CREATIVELY 4 2 10/09/19

609 views • 14 slides
EXPERIENCE IN YOUR ORGANIZATION Michele Ide-Smith Red Gate Software As their usability

EXPERIENCE IN YOUR ORGANIZATION Michele Ide-Smith Red Gate Software As their usability

WINNING HEARTS &amp; MINDS: TIPS FOR EMBEDDING USER EXPERIENCE IN YOUR ORGANIZATION Michele Ide-Smith Red Gate Software As their usability approach matures, organisations typically progress through the same sequence of stages, from initial

979 views • 87 slides
youth pqa external methods? What might create an obstacle to assessor reliability your being

youth pqa external methods? What might create an obstacle to assessor reliability your being

Before we Assess Check your bias! What triggers your judgment? What styles of instruction do you tend to like or not like? What about youth pqa external methods? What might create an obstacle to assessor reliability your being able

372 views • 4 slides
Online Fundraising Certification Training Email Fundraising Donation &amp; Landing Pages

Online Fundraising Certification Training Email Fundraising Donation &amp; Landing Pages

Online Fundraising Certification Training Email Fundraising Donation &amp; Landing Pages Facebook Donor Acquisition NEXTAFTER.COM/TRAINING The Essential Conference for Online Fundraising And Digital Marketing 2 Days 16+

1.47k views • 114 slides
CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by

CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by

CSE 154 Review/Exam Tips Exam Kane 110 5:15-6:15 We will be checking IDs Please be there by 5:05 Dont worry about use strict General Exam Only shorthand functions are $ and qsa. tips We are not grading on

198 views • 15 slides
Tips for Obtaining a Security Clearance Information obtained from Partnership for Public Service

Tips for Obtaining a Security Clearance Information obtained from Partnership for Public Service

Tips for Obtaining a Security Clearance Information obtained from Partnership for Public Service and SPP Career Development Provides authorization for access to sensitive national security information. Required for federal &amp;

613 views • 9 slides
MySQL Replication and HA at Facebook Part-II Jeff Jiang Production Engineer Facebook, Inc

MySQL Replication and HA at Facebook Part-II Jeff Jiang Production Engineer Facebook, Inc

MySQL Replication and HA at Facebook Part-II Jeff Jiang Production Engineer Facebook, Inc jjj@fb.com Agenda MySQL HA: theory and Facebook solutions Facebook MySQL HA Automations MySQL replication management at Facebook FB MySQL

449 views • 41 slides
Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp; Ida Toivonen Carleton University LAGB 2007, Kings College London 1 Copy raising 1. Louise seems like shes had a rough day. 2. The lawyer

752 views • 43 slides
Echoicity and contrast in Spanish conditionals Elena Castroviejo and Laia Mayol Ikerbasque and

Echoicity and contrast in Spanish conditionals Elena Castroviejo and Laia Mayol Ikerbasque and

Echoicity and contrast in Spanish conditionals Elena Castroviejo and Laia Mayol Ikerbasque and UPV/EHU UPF Non-At-Issue Meaning and Information Structure University of Oslo May 9th, 2017 Introduction The phenomenon The conditional

692 views • 35 slides
Just tired of endless loops! or parallel : Stata module for parallel computing George G. Vega Yon 1

Just tired of endless loops! or parallel : Stata module for parallel computing George G. Vega Yon 1

Just tired of endless loops! or parallel : Stata module for parallel computing George G. Vega Yon 1 Brian Quistorff 2 1 University of Southern California vegayon@usc.edu 2 Microsoft AI and Research Brian.Quistorff@microsoft.com Stata Conference

857 views • 62 slides
Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof.

Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof.

Local search algorithms CS271P, Winter 2018 Introduction to Artificial Intelligence Prof. Richard Lathrop Reading: R&amp;N 4.1-4.2 Local search algorithms In many optimization problems, the path to the goal is irrelevant; the goal state

388 views • 34 slides
A Command-Line Driver Generator or What I did when I got tired of writing command-line

A Command-Line Driver Generator or What I did when I got tired of writing command-line

Using a generated command-line driver Using the tool How the tool works Future work A Command-Line Driver Generator or What I did when I got tired of writing command-line interfaces myself... Jacob Sparre Andersen JSA Research &amp;

717 views • 16 slides
Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science

Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science

Population Protocols and Predicates Pierre Ganty IMDEA Software Institute The computer science debate: Journals vs Conferences Tired Rested Journals Conferences The computer science debate: Journals vs Conferences Tired Rested Journals

1.29k views • 73 slides
A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1

A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1

A Fixed Point Theorem for Non-Monotonic Functions Esik 1 and P. Rondogiannis 2 an Zolt 1 University of Szeged, Hungary 2 University of Athens, Greece July 15-18, 2013 (Szeged and Athens) PLS9 1 / 23 Outline Outline 1 Negation in Logic

350 views • 23 slides
Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides

More recommend