How the analysis of electrical current consumption of embedded systems could lead to code reversing? - PowerPoint PPT Presentation


  1. How the analysis of electrical current consumption of embedded systems could lead to code reversing? “Code extraction via Power analysis” Focus on “Embedded systems” Yann ALLAIN / Julien MOINARD

  2. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, … ) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion


  4. WHO WE ARE? • From France – @OPALE SECURITY Company – IT Security & Embedded System Security • Yann ALLAIN – 18 years in IT security and the electronic industry – Former CSO of the application domain for a hotel company – CEO and owner of OPALE SECURITY • Julien MOINARD – Electronic specialist – In charge of most of the technical implementation regarding this research

  5. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, … ) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  6. Research context • Another way to audit some Embedded systems • The classical audit approach is done via – External pentest (IP connection, Web interfaces…) – Hardware hacking stuff (defeating anti-tampering systems, opening the box, etc.) • …but we want more…

  7. Research context • There is always another access available on all Embedded systems: – The electric power line! • The power cable connector is always accessible!

  8. Research context • As security auditors, may we use this access to do something? • This is our research & experimentation starting point • Please remember that this is an ‘in progress research project’

  9. So… • As security guys, we wondered: “Is there a way to extract the code executed on an embedded system from its current/power consumption?” (≈ from the power connector…)

  10. Our wishlist • Be pragmatic • Keep it as simple as possible • No math and complex stuff • Cheap approach (as much as possible)

  11. Existing research on this area? • Yes…(many!) but with different goals • Power analysis techniques (DPA, SPA) and researchers seem to focus on extracting the cipher keys of sensitive devices (crypto systems, credit cards…)

  12. Existing research on this area? • But… few papers are related to code extraction via Power analysis • We only found 3 available papers using the power consumption for finding instructions: – Identification of instructions managed by a PIC (Thomas Eisenbarth, http://math.fau.edu/~eisenbarth) → Cool! ...but the researchers focus only on finding instructions… we need to access Data too …(but a great paper!) – Discovery of information on the encryption keys (Valette, http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/dalemuva05.pdf) → some chapters dedicated to our goals but not so much information disclosed (Gouv.fr close to a ‘sort of’ military domain?...) – Example adapted to JAVACARDS (Vermoen, http://ce.et.tudelft.nl/publicationfiles/1162_634_thesis_Dennis.pdf) → too specific: Javacards

  13. Already existing research on this area? • But these publications are full of mathematical formulae • which are more or less complex (from our point of view!) • Not for us…. ;-)

  14. Back to our goals… • Question: “What is the link between the power consumption and the instructions and data executed on most embedded systems based on a microcontroller (or other stuff like that)?” • Answer: a fundamental and basic electronic component…. used everywhere! Please gentlemen, welcome our friends: Transistors

  15. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, … ) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  16. Electronic 101 • Embedded systems are (could be) composed of microcontrollers (µC) that contain: – MEMORIES (RAM, ROM, ..) – ALU (Arithmetic Logic Unit) – TIMER (Counter) – SERIAL INTERFACES – I/O BUS (Latch)

  17. Electronic 101 • Each basic function included in a µC is designed @electronic level with transistors (using only a few transistors) • For example, see how a “NAND” is designed @electronic level: logical view, electronic view, physical view (simplified) and the associated electric signal

  18. Electronic 101 • When a transistor “processes” a bit @ physical level (current, voltage), it “commutes” (switches) • Transistor = sort of digital switch

  19. Electronic 101 • When a transistor “commutes”, there is a current peak! • Let's see what's going on in practice (Labs…)

  20. Electronic 101 • Labs #1 – Screenshot 1 – Hardware stuff

  21. Electronic 101 • Labs #1 – Screenshot 2 – One Transistor !

  22. Electronic 101 • Labs #1 – Screenshot 3 – Current peak!

  23. Electronic 101 • Labs #1 – Screenshot 4 – Zoom of the current peak!

  24. Brief • Transistors everywhere in µC • When a transistor “processes” a bit, there is a current peak → “We just found the link between the power consumption and the bits processed” • Information leakage from power consumption validated!

  25. AGENDA • Who We Are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, … ) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  26. Proof of concept • How to move from one bit grabbed (step 1) to a set of data & instruction code (step 2) with our approach? • We have designed a proof of concept tool to analyze the electrical current consumption of embedded systems to extract the code it executes

  27. Proof of concept • We need to acquire more bits…via a current consumption analysis • “Acquiring current consumption”: how?

  28. Proof of concept • What we need: A “homemade” embedded system (the target…) • Based on a PIC18F4620 µC

  29. Proof of concept • What we need: An Agilent oscilloscope for acquiring current consumption – AGILENT DSO3024A

  30. Proof of concept • What we need: A programmer/debugger (Microchip Real ICE)

  31. Proof of concept • What we need: A current probe – Very expensive professional tools (magnetic or electromagnetic current probe) > 400$ each – Or a simple resistor which costs less than 1$ – We chose the resistor!

  32. Proof of concept • What we need: A bit of software – Homemade code (VB.NET…sorry) used to control and pilot the oscilloscope – The code uses the standard protocol: VISA COM 3.0 – It's a free library that lets us communicate with the Agilent oscilloscope through a simple set of commands • Get a measurement, launch a voltage or current acquisition, send the numerical values of the current acquired,…

  33. Proof of concept • What we need: A GUI – Command/Data GUI of our Proof of concept tool

  34. Proof of concept • Our acquisition chain looks like that :

  35. Proof of concept • In practice, it looks like that…

  36. How we proceed to grab the current and extract the code? • Step 1: send a dummy code to the µC (PC 1 → Programmer → Embedded System) – Embedded system is ready to use

  37. Proof of concept • Step 2, in lab: Embedded System with probes → Oscilloscope (measure of the current consumption) → PC 2 (Lab machine) – Our tool tries to find the instructions & data executed from the current consumption

  38. AGENDA • Who We Are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, … ) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  39. Our Experiments #1: Does the code really impact the power consumption? #2: Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences in power analysis? #3: Why does the μC’s instruction pipeline impact current consumption? #4: How to overcome pipeline issues for our goals? #5: Could we create a (sort of) ‘disassembler’ over electricity?

  40. Does the code really impact the power consumption? (Experiment #1)

  41. Does the code really impact the power consumption? (Experiment #1) • Result #1: We have a current consumption related to the nop instructions – In Red → Current during the execution – In Blue → Synchronization signal – In Green → Clock of the embedded system

  42. Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences in power analysis? (Experiment #2)

  43. Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences in power analysis? (Experiment #2) • Note: to limit the impact of parasites (noise), our system uses differential analysis • First, we measured the difference between – Current consumption of 4 nop instructions – Current consumption of movlw 0xFF followed by 3 nop • Second, we measured the difference between – Current consumption of 4 nop instructions – Current consumption of movlw 0x00 followed by 3 nop
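The differential measurement of experiment #2 (the 4-nop reference trace subtracted from a movlw + 3 nop trace, with the current obtained from the voltage across the cheap shunt resistor of slide 31) can be worked through in a small simulation. This is an added example, not the authors' VB.NET tool or any code from the presentation: it models the supply current with a hypothetical Hamming-weight leakage model (the constants SHUNT_OHMS, SAMPLES_PER_CYCLE, BASE_PEAK_A, PER_BIT_A and NOISE_A are assumptions, as is the decaying-peak shape of a cycle), averages repeated acquisitions to suppress parasitic noise, subtracts the reference trace and reads the number of '1' bits loaded into W from the first peak of the difference. It generalises the 0xFF / 0x00 case of the slide to any immediate, and assumes the traces are already aligned on the synchronization signal.

```python
import random
from statistics import mean

# --- assumed measurement and leakage parameters (not from the presentation) ---
SHUNT_OHMS = 1.0          # series shunt resistor used as the current probe
SAMPLES_PER_CYCLE = 8     # oscilloscope samples captured per instruction cycle
BASE_PEAK_A = 0.010       # current peak of a cycle that loads no new bits (NOP)
PER_BIT_A = 0.002         # extra current per '1' bit loaded into the W register
NOISE_A = 0.004           # standard deviation of parasitic noise per sample

NOP = ("NOP",)


def movlw(imm):
    """Build a MOVLW instruction tuple with an 8-bit immediate."""
    return ("MOVLW", imm & 0xFF)


def hamming_weight(value):
    """Number of '1' bits; in the assumed model this drives the switching current."""
    return bin(value & 0xFF).count("1")


def cycle_current(loaded_bits, rng):
    """One instruction cycle: a peak at the clock edge that decays over the cycle."""
    peak = BASE_PEAK_A + PER_BIT_A * loaded_bits
    return [peak * 0.5 ** i + rng.gauss(0.0, NOISE_A) for i in range(SAMPLES_PER_CYCLE)]


def scope_voltage(program, rng):
    """Simulated voltage across the shunt for one execution of `program`."""
    amps = []
    for ins in program:
        loaded = hamming_weight(ins[1]) if ins[0] == "MOVLW" else 0
        amps.extend(cycle_current(loaded, rng))
    return [i * SHUNT_OHMS for i in amps]


def voltage_to_current(volts):
    """Ohm's law: the scope sees V across the shunt, the analysis wants I."""
    return [v / SHUNT_OHMS for v in volts]


def acquire(program, repetitions, rng):
    """Average `repetitions` current traces to suppress parasitic noise."""
    traces = [voltage_to_current(scope_voltage(program, rng)) for _ in range(repetitions)]
    return [mean(samples) for samples in zip(*traces)]


def differential_trace(reference, candidate):
    """Candidate minus reference, sample by sample (the slide's differential analysis)."""
    return [c - r for r, c in zip(reference, candidate)]


def estimate_loaded_bits(program, seed=0, repetitions=1000):
    """Estimate how many '1' bits the first instruction of `program` loads,
    using an all-NOP program of equal length as the reference."""
    rng = random.Random(seed)
    reference = acquire([NOP] * len(program), repetitions, rng)
    candidate = acquire(program, repetitions, rng)
    diff = differential_trace(reference, candidate)
    first_peak = diff[0]   # first clock edge: the only place the extra current appears
    return max(0, min(8, round(first_peak / PER_BIT_A)))


if __name__ == "__main__":
    for imm in (0xFF, 0x00, 0x0F):
        program = [movlw(imm), NOP, NOP, NOP]
        print(f"MOVLW 0x{imm:02X}: estimated {estimate_loaded_bits(program)} bits loaded")
```

Subtracting the all-nop reference cancels the baseline switching current shared by every cycle, so what remains in the first cycle is only the operand-dependent part; on real hardware the synchronization signal (the blue trace of experiment #1) is what selects that window.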
