Cypherock Assessment (1).pdf

Title: Embedded Security Analysis Task:
Side Channel Analysis and Fault
Injection
Objective:
The objective of this task is to assess your ability to work with Python tools, C programming,
Computer Architecture, and apply side channel analysis and fault injection techniques to
uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will
use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve
the hidden flag.
Requirements:
1. Proficiency in Python programming.
2. Basic understanding of side channel analysis and fault injection concepts.
3. Familiarity with ELF file format and embedded systems.
Task Description:
Setup and Familiarization:
1. Clone the Ledger's repository containing Lascar and Rainbow tools.
2. Install the necessary dependencies and set up the environment as per the provided
documentation.
3. Review the documentation and examples to understand how Lascar and Rainbow tools
are used for side channel analysis and fault injection.
Binary Analysis:
1. You will be provided with an ELF file compiled for an STM32 processor.
2. Study the provided stubbed source code for the binary to understand its functionality and
potential vulnerabilities.
Side Channel Analysis/ Fault Injection:
1. Choose a specific side channel analysis technique or fault injection technique based on
your analysis of the binary.
2. Implement the chosen technique using Lascar or Rainbow tools to extract information
from the binary.
3. Document your approach, code snippets, and any findings from the side channel
analysis.
4. Provide a detailed explanation of your fault injection methodology, along with relevant
code snippets and observations.
Flag Retrieval:
1. Apply the insights gained from side channel analysis and fault injection to uncover the
hidden secret embedded within the binary.
2. Document the process you followed to successfully retrieve the secret.
3. Provide the extracted secret as proof of completion.

Evaluation Criteria:
You will be evaluated based on the following criteria:
1. Understanding of side channel analysis and fault injection concepts.
2. Proficiency in understanding the assignment and applying conceptual knowledge in
practice.
3. Explanation of the approach taken.
4. Successful retrieval of the hidden flag.
Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock.
Cypherock Assessment
Title: Embedded Security Analysis Task: Side Channel Analysis and
Fault Injection
Understanding of side channel analysis and fault
injection concepts
Side channel analysis
According to my understanding the side channel analysis methods are utilized to find out the
potential unintentional leaked information through physical implementations that may provide
some information to get into a system.
Fault injection
Fault injection techniques are used to exploit a system's design vulnerabilities. This helps the
developer understand the potential system crash and faults.
Proficiency in understanding the assignment and
applying conceptual knowledge in practice.
1. Downloaded the lascar and rainbow repos
2. Went through the examples about elf file and also checked their object dump.

3. In each example I checked how the binary files are being analyzed
4. In lascar, read the trace and batch containers generation, their filtering and various
processing applied over them to get the keys
5. In rainbow, read the leakage and fault models
6. Tried applying the hamming model to detect the leakage in the file
Explanation of the approach taken.
1. File Analysis
a. Checked the elf file structure: In readelf.txt
b. Checked the given arm elf file object dump; In objdump.txt
c. Findings in the disassembled code:
i. Only .text had executable permissions
ii. Found out the sections and functions used in the file and the entry point
that was in the
iii. In objdump few key words like pin, secret, key etc in recursive mutex
function in .data section:

iv. From the entry point tracked where the code is started and where it is
going to end

2. Decompiled file analysis
a. Setup Ghidra
b. Found the entered_pin and secret_output variables
3. Tried creating a fault on HAL_GPIO_EXTI_Callback with the entered_pin=”0xd9”, but did
not work
#!/usr/bin/env python3
# UINT aes(UCHAR Mode, STRUCT_AES* struct_aes, const UCHARp key,
const UCHARp input, UCHARp output, const UCHARp random_aes, const
UCHARp random_key)
# aes( 0xb, ...)
import numpy as np
from visplot import plot
from binascii import hexlify
from rainbow import TraceConfig, HammingWeight, Print

from Crypto.Cipher import AES
from rainbow.generics import rainbow_arm
def f_aes(e, key, input_):
e.reset()
# mode : 0xb = MODE_ENC | MODE_AESINIT_ENC | MODE_KEYINIT
e['r0'] = 0xb
# struct_aes
struct_aes_p = 0xcafe0000
e[struct_aes_p] = 0
# struct is huge so we need to map another page
e[struct_aes_p + e.PAGE_SIZE] = 0
e['r1'] = struct_aes_p
# key
key_p = 0xcafe1000
e[key_p] = key
e['r2'] = key_p
# input
input_p = 0xcafe2000
e[input_p] = input_
e['r3'] = input_p
# output
output_p = 0xdead0000
e[output_p] = 0
# ARM calling convention : 4th+ parameter is on stack
e[e['sp']] = output_p
# rest stays to 0
e.start(e.functions['HAL_GPIO_EXTI_Callback'] | 1, 0)
if e['r0']:
print('ERROR !')
res = e[output_p:output_p + 16]

aes_c = AES.new(key, AES.MODE_ECB)
ref = aes_c.encrypt(input_)
if ref != res:
print("Nope :")
print(hexlify(res))
print(hexlify(ref))
return res
import secrets
def randbytes(n):
return secrets.token_bytes(n)
if __name__ == "__main__":
e = rainbow_arm(print_config=Print.Code | Print.Functions,
trace_config=TraceConfig(register=HammingWeight()))
e.load('stm.elf')
e.setup()
return_addr = 0
# map it to prevent an unmapped fetch exception
e[return_addr] = 0
key = b"xd9" * 16
traces = []
for i in range(5):
print(".", end='')
f_aes(e, key, randbytes(16))
traces.append(np.fromiter(map(lambda event:
event["register"], e.trace), dtype=np.float32))
traces = np.array(traces)
traces += np.random.normal(0, 1, size=traces.shape)
v = plot(traces, dontrun=True)
v.multiple_select(0)
v.run()

4. Tried making doing the pin fault on main function, was able to found 1 fault i.e. when the
key matched to the original one
#!/usr/bin/env python3
import numpy as np
from rainbow import HammingWeight, TraceConfig
from rainbow.devices.stm32 import rainbow_stm32f215 as rainbow_stm32
from rainbow.fault_models import fault_skip
from rainbow.utils.plot import viewer
# Pick any reference pin (STORED_PIN) and a different input pin
# Goal is to make 'storage_containsPin' function return a non-null
# value, which would mean the code executes as if the user PIN
# was correct although it was not
STORED_PIN = "1874"
INPUT_PIN = "0000"

print("Setting up emulator")
e = rainbow_stm32()
e.load("stm.elf")
e.setup()
def result(u):
""" Test whether execution was faulted """
return u['r0'] != 0 and u['pc'] == 0xaaaaaaaa
# as in the side-channel example, this is the location of the reference
# pin in Flash
e[0x08008110 + 0x189] = bytes(STORED_PIN + "x00", "ascii")
# Pick any address for the input pin...
e[0xcafecafe] = bytes(INPUT_PIN + "x00", "ascii")
N = 57
total_faults = 0
total_crashes = 0
fault_trace = [0] * N
crash_trace = [0] * N
print("Loop on all possible skips")
print("r0 should be 0 at the end of the function if no fault occurred")
for i in range(1, N):
e.reset()
# The first fault might not actually work depending
# on the value of r5 when calling. Remove comment to observe
# e['r5'] = 0x60000000
e['r0'] = 0xcafecafe
e['lr'] = 0xaaaaaaaa
pc = 0
try:

# Run i instruction, then inject skip, then run
pc = e.start_and_fault(fault_skip, i, e.functions['main'],
0xaaaaaaaa, count=100)
except RuntimeError:
# Fault crashed the emulation
total_crashes += 1
crash_trace[i] = 1
d = e.disassemble_single(pc, 4)
e.print_asmline(pc, d[2], d[3])
pc += d[1]
print("crashed")
continue
except IndexError:
pass
# Print current instruction
d = e.disassemble_single(pc, 4)
e.print_asmline(pc, d[2], d[3])
pc += d[1]
if result(e):
# Successful fault
total_faults += 1
fault_trace[i] = 1
print(" <-- r0 =", hex(e['r0']), end="")
print(f"n=== {total_faults} faults found ===")
print(f"=== {total_crashes} crashes ===")
# get an 'original' side channel trace
e = rainbow_stm32(trace_config=TraceConfig(register=HammingWeight(),
instruction=True))
e.load("stm.elf")
e.setup()
e['r0'] = 0xcafecafe
e['lr'] = 0xaaaaaaaa
e.start(e.functions['main'], 0xaaaaaaaa)

trace = np.array([event["register"] for event in e.trace if "register" in
event], dtype=np.uint8)
fault_trace = trace.max() - np.array(fault_trace,
dtype=np.uint8)[:trace.shape[0]] * trace.max()
viewer([event["instruction"] for event in e.trace], np.array([trace,
fault_trace]))

Retrieval of the hidden flag.
Entered pin = 0xd9
Secret output = 0xda
// Online C compiler to run C program online
#include <stdio.h>
int main() {
// Write C code here
printf("Hello worldn");
unsigned char entered_pin = 0xd9;
unsigned char DAT_20000451 = 0x62;
unsigned char DAT_20000453 = 0;
unsigned char DAT_20000454 = 0xcc;
unsigned char DAT_20000455 = 0xcc;
unsigned char bVar1, DAT_20000457;
bVar1 = DAT_20000457 == 0x66;
if (1) {
unsigned char secret_output = (entered_pin ^ 0xde) - 0x2d;

unsigned char DAT_20000459 = (DAT_20000451 ^ 0xad) - 0x24;
unsigned char DAT_2000045a = (DAT_20000452 ^ 0xbe) - 0xd;
unsigned char DAT_2000045c = (DAT_20000454 ^ 0xfe) + 0xb3;
unsigned char DAT_2000045b = (DAT_20000453 ^ 0xef) - 0x16;
unsigned char DAT_2000045d = (DAT_20000455 ^ 0xed) + 0x9c;
unsigned char DAT_2000045e = (DAT_20000456 ^ 0xfa) + 0x17;
unsigned char DAT_2000045f = (DAT_20000457 ^ 0xce) + 99;
printf("%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x", entered_pin,
DAT_20000451, DAT_20000452, DAT_20000453, DAT_20000454, DAT_20000455,
DAT_20000456, DAT_20000457, secret_output, DAT_20000459, DAT_2000045a,
DAT_2000045b, DAT_2000045c, DAT_2000045d, DAT_2000045e, DAT_2000045f);
}
return 0;
}
Output (16 bit Key):
d9 62 39 0 cc cc 99 c5 da ab 7a d9 e5 bd 7a 6e

Cypherock Assessment (1).pdf

More Related Content

Similar to Cypherock Assessment (1).pdf

More from PARNIKA GUPTA

Recently uploaded

Cypherock Assessment (1).pdf