SlideShare a Scribd company logo

Exploring Hardware Security

Speck&Tech
Speck&Tech

ABSTRACT: Studying and breaking secure hardware is not something that only state-sponsored attackers or highly-funded research groups can perform. Tools are becoming more accessible and you can start learning hardware security at home. Hardware hacking is perceived as black magic or something not important: let's change this misconception, learn about new classes of attacks and how to design secure hardware. BIO: Federico is passionate about IT security and a CTF player with team Tasteless. He is from Trentino, an alumnus of UniTN and EIT Digital, and currently works as Site Reliability Engineer at Google in Munich. Sometimes you can find him playing badly on the ukulele, trying to pronounce Streichholzschachtel, or baking sourdough bread.

Technology
1 of 28
Download to read offline
Exploring Hardware Security Federico Scrinzi Speck & Tech - October 2019 @foxTN
$ whoami Hello! I'm Federico :) Past: FBK, Spaziodati, Riscure Now: Senior SRE at Google - Authorization systems / BeyondCorp - CI and other devtools Interested in infosec CTF player with Tasteless Practicing German, Yoga, Ukulele, ... Note: opinions are my own, not of my current or previous employers. This is not a sponsored talk.
Why this talk? Hardware security is perceived as black magic!
Why should I care about hardware? I'm a software person! Source: WIkipedia
Software relies on guarantees given by the hardware
By knowing the limitations of the hardware you can build better products
Why do we need secure hardware? So many use cases: ● Smart cards (e.g. credit cards, bus tickets/subscriptions) ● Pay-TV systems ● Gaming consoles ● IoT sensors ● Cryptocurrency wallets ● Security keys (e.g. U2F) ● ...
Why do we need secure hardware? Many of these devices: ● contain secrets that would be interesting to extract ● might have protections to restrict their use case ...and they are computers on a small scale essentially How can their security properties get broken?
Be creative with the attack surface It's not only finding bugs in the firmware or design flaws in the production (e.g. accessible pins, debug modes, etc..) If we have physical access to the target we can do much more! ● What if we measure power / heat / electromagnetic emissions? ● How does a CPU react to a strong light source / laser? What if we cut the power at a given time? Or give a different clock? Or put the device in the oven?
Side channel attacks The main idea is to measure side effects of the hardware to extract secrets Power consumption is the most common side channel but there are also temperature, sound, electromagnetic emissions, etc... Source: P. Kocher et al. "Introduction to differential power analysis"c
Fault injection / glitching Trigger unexpected behavior by putting the hardware in non-standard conditions ● Voltage glitching: ● Clock glitching: ● but also lasers, ovens, and more esoteric stuff This allows to generate bugs even if the software is perfect! int debug = 0; if (debug) { printf(secret_key); ← how can we execute this? }
But c'mon, these attacks are impractical ● The equipment must cost a lot of money! ● They must require some state agency level lab! ● I will never be able to do that! It's too complicated! ● It must be just theoretical stuff that will never work in practice!
But c'mon, these attacks are impractical ● The equipment must cost a lot of money! ○ noopwafel@ and Albert at 35c3: side channel attacks with 5€ of equipment ○ chip.fail at BHUSA'19: glitching equipment for 5$ ● They must require some state agency level lab! ○ You can get a Chipwhisperer for 250$ and some basic electronic supply and do security research at home ● I will never be able to do that! It's too complicated! ○ Check LiveOverflow videos on the topic ● It must be just theoretical stuff that will never work in practice! ○ Many recent attacks: Nintendo Switch, various security keys, Wacom tablets, etc...
Demo: ChipWhisperer https://newae.com/tools/chipwhisperer/ About 250$ for the Chipwhisperer Lite. It looks like a Nano version will be cheaper. Made by Colin O'Flynn (kudos to him for providing the hardware for tonight) ● Open Source toolchain ● Essentially a FPGA (Spartan 6 LX9) and an ADC ● Can do power analysis, voltage and clock glitching
Demo 1: timing uint8_t passbad = 0; for (uint8_t i = 0; i < sizeof(correct_passwd); i++){ if (correct_passwd[i] != passwd[i]){ passbad = 1; break; } } if (passbad) { puts("PASSWORD FAILn"); } else { puts("Access granted, Welcome!n") }
DEMO
Power traces "XXXXX" "SXXXX" S
S p e c kS p e c "SpecX" "Speck"
Demo 2: Clock glitching int passok = 1; for (cnt = 0; cnt < 5; cnt++){ if (inp[cnt] != passwd[cnt]){ passok = 0; } } if (!passok){ puts("Deniedn"); } else { puts("Welcomen"); }
Clock? Digital hardware usually needs some kind of reliable clock Source: Chipwhisperer documentation
Clock glitching! If the clock is "wrong" we can trigger undefined behavior There is not enough time to execute #1. The instruction might be skipped! Source: Chipwhisperer documentation
DEMO
Attack plan 1. Try every possible clock delay / time offset combination in given ranges 2. Send "x" as password and perform the attack 3. .... wait ... 4. At some point the CPU might misbehave and skip instructions!
Profit!
Tying this back to software With these techniques we treat hardware as a black box and study how it interacts with the external world. Why not doing the same for heavily obfuscated software? (e.g.: DRM, malware, ...) DES entropy and randomness Source: F. Scrinzi - "Behavioral analysis of obfuscated code" AES-128 - Autocorrelation
Countermeasures ● Spurious logic / capacitors to flatten power consumption ● Random jitters ● Voltage sensors ● Own clock generators ● Tamper-resistant enclosures ● Hardened software ○ Use 10101010 for True and 01010101 for False values ○ Extra integrity checks ○ Sensitive code in the "else" branch ○ ...
Summary: ● When dealing with hardware we have to think differently ● Hardware-related attacks are cheap and easy ● There are many tools out there that you can play with ● Countermeasures can substantially raise the attack cost Thanks for listening :) Kudos to Colin O'Flynn, chip.fail crew, noopwafel, Riscure folks, and everyone out there that enables hardware security research

Recommended

Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...jamieayre
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 

Recommended

Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...
AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Insid...jamieayre
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Arduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonnArduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonnMax Kleiner
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Movie-Style Hardware Hacking
Movie-Style Hardware HackingMovie-Style Hardware Hacking
Movie-Style Hardware Hackingarchwisp
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingTal Melamed
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
On hacking & security
On hacking & security On hacking & security
On hacking & security Ange Albertini
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfAbdelrahmanShaban3
 
Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)Daniel Luxemburg
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreveerababu penugonda(Mr-IoT)
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchLST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchDimitry Snezhkov
 
Messing around avs
Messing around avsMessing around avs
Messing around avsShubham Mittal
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Soviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks YouSoviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks YouPriyanka Aash
 
What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresSpeck&Tech
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Speck&Tech
 

More Related Content

Similar to Exploring Hardware Security

Arduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonnArduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonnMax Kleiner
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Movie-Style Hardware Hacking
Movie-Style Hardware HackingMovie-Style Hardware Hacking
Movie-Style Hardware Hackingarchwisp
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60Riscure
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingTal Melamed
 
On hacking & security
On hacking & security On hacking & security
On hacking & security Ange Albertini
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfAbdelrahmanShaban3
 
Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)Daniel Luxemburg
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchLST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchDimitry Snezhkov
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacPriyanka Aash
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Soviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks YouSoviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks YouPriyanka Aash
 

Similar to Exploring Hardware Security (20)

Arduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonnArduino delphi 2014_7_bonn
Arduino delphi 2014_7_bonn
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Movie-Style Hardware Hacking
Movie-Style Hardware HackingMovie-Style Hardware Hacking
Movie-Style Hardware Hacking
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
On hacking & security
On hacking & security On hacking & security
On hacking & security
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)Getting Started with iBeacons (Designers of Things 2014)
Getting Started with iBeacons (Designers of Things 2014)
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, TouchLST Toolkit: Exfiltration Over Sound, Light, Touch
LST Toolkit: Exfiltration Over Sound, Light, Touch
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 
Soviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks YouSoviet Russia Smartcard Hacks You
Soviet Russia Smartcard Hacks You
 

More from Speck&Tech

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresSpeck&Tech
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Speck&Tech
 
AWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaAWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaSpeck&Tech
 
Praticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesPraticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesSpeck&Tech
 
Data Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designData Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designSpeck&Tech
 
Data Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerData Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerSpeck&Tech
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsSpeck&Tech
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Speck&Tech
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Speck&Tech
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with careSpeck&Tech
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsSpeck&Tech
 
Privacy in the era of quantum computers
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computersSpeck&Tech
 
Machine learning with quantum computers
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computersSpeck&Tech
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsSpeck&Tech
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologySpeck&Tech
 
Innovating Wood
Innovating WoodInnovating Wood
Innovating WoodSpeck&Tech
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXSpeck&Tech
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceSpeck&Tech
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right routeSpeck&Tech
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Speck&Tech
 

More from Speck&Tech (20)

What should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futuresWhat should 6G be? - 6G: bridging gaps, connecting futures
What should 6G be? - 6G: bridging gaps, connecting futures
 
Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"Creare il sangue artificiale: "buon sangue non mente"
Creare il sangue artificiale: "buon sangue non mente"
 
AWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scalaAWS: gestire la scalabilità su larga scala
AWS: gestire la scalabilità su larga scala
 
Praticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web ServicesPraticamente... AWS - Amazon Web Services
Praticamente... AWS - Amazon Web Services
 
Data Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information designData Sense-making: navigating the world through the lens of information design
Data Sense-making: navigating the world through the lens of information design
 
Data Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as powerData Activism: data as rhetoric, data as power
Data Activism: data as rhetoric, data as power
 
Delve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomicsDelve into the world of the human microbiome and metagenomics
Delve into the world of the human microbiome and metagenomics
 
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
Home4MeAi: un progetto sociale che utilizza dispositivi IoT per sfruttare le ...
 
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
Monitorare una flotta di autobus: architettura di un progetto di acquisizione...
 
Why LLMs should be handled with care
Why LLMs should be handled with careWhy LLMs should be handled with care
Why LLMs should be handled with care
 
Building intelligent applications with Large Language Models
Building intelligent applications with Large Language ModelsBuilding intelligent applications with Large Language Models
Building intelligent applications with Large Language Models
 
Privacy in the era of quantum computers
Privacy in the era of quantum computersPrivacy in the era of quantum computers
Privacy in the era of quantum computers
 
Machine learning with quantum computers
Machine learning with quantum computersMachine learning with quantum computers
Machine learning with quantum computers
 
Give your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUsGive your Web App superpowers by using GPUs
Give your Web App superpowers by using GPUs
 
From leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technologyFrom leaf to orbit: exploring forests with technology
From leaf to orbit: exploring forests with technology
 
Innovating Wood
Innovating WoodInnovating Wood
Innovating Wood
 
Behind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIXBehind the scenes of our everyday Internet: the role of an IXP like MIX
Behind the scenes of our everyday Internet: the role of an IXP like MIX
 
Architecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for scienceArchitecting a 35 PB distributed parallel file system for science
Architecting a 35 PB distributed parallel file system for science
 
Truck planning: how to certify the right route
Truck planning: how to certify the right routeTruck planning: how to certify the right route
Truck planning: how to certify the right route
 
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
Break it up! 5G, cruise control, autonomous vehicle cooperation, and bending ...
 

Recently uploaded

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Exploring Hardware Security

  • 1. Exploring Hardware Security Federico Scrinzi Speck & Tech - October 2019 @foxTN
  • 2. $ whoami Hello! I'm Federico :) Past: FBK, Spaziodati, Riscure Now: Senior SRE at Google - Authorization systems / BeyondCorp - CI and other devtools Interested in infosec CTF player with Tasteless Practicing German, Yoga, Ukulele, ... Note: opinions are my own, not of my current or previous employers. This is not a sponsored talk.
  • 3. Why this talk? Hardware security is perceived as black magic!
  • 4. Why should I care about hardware? I'm a software person! Source: WIkipedia
  • 5. Software relies on guarantees given by the hardware
  • 6.
  • 7. By knowing the limitations of the hardware you can build better products
  • 8. Why do we need secure hardware? So many use cases: ● Smart cards (e.g. credit cards, bus tickets/subscriptions) ● Pay-TV systems ● Gaming consoles ● IoT sensors ● Cryptocurrency wallets ● Security keys (e.g. U2F) ● ...
  • 9. Why do we need secure hardware? Many of these devices: ● contain secrets that would be interesting to extract ● might have protections to restrict their use case ...and they are computers on a small scale essentially How can their security properties get broken?
  • 10. Be creative with the attack surface It's not only finding bugs in the firmware or design flaws in the production (e.g. accessible pins, debug modes, etc..) If we have physical access to the target we can do much more! ● What if we measure power / heat / electromagnetic emissions? ● How does a CPU react to a strong light source / laser? What if we cut the power at a given time? Or give a different clock? Or put the device in the oven?
  • 11. Side channel attacks The main idea is to measure side effects of the hardware to extract secrets Power consumption is the most common side channel but there are also temperature, sound, electromagnetic emissions, etc... Source: P. Kocher et al. "Introduction to differential power analysis"c
  • 12. Fault injection / glitching Trigger unexpected behavior by putting the hardware in non-standard conditions ● Voltage glitching: ● Clock glitching: ● but also lasers, ovens, and more esoteric stuff This allows to generate bugs even if the software is perfect! int debug = 0; if (debug) { printf(secret_key); ← how can we execute this? }
  • 13. But c'mon, these attacks are impractical ● The equipment must cost a lot of money! ● They must require some state agency level lab! ● I will never be able to do that! It's too complicated! ● It must be just theoretical stuff that will never work in practice!
  • 14. But c'mon, these attacks are impractical ● The equipment must cost a lot of money! ○ noopwafel@ and Albert at 35c3: side channel attacks with 5€ of equipment ○ chip.fail at BHUSA'19: glitching equipment for 5$ ● They must require some state agency level lab! ○ You can get a Chipwhisperer for 250$ and some basic electronic supply and do security research at home ● I will never be able to do that! It's too complicated! ○ Check LiveOverflow videos on the topic ● It must be just theoretical stuff that will never work in practice! ○ Many recent attacks: Nintendo Switch, various security keys, Wacom tablets, etc...
  • 15. Demo: ChipWhisperer https://newae.com/tools/chipwhisperer/ About 250$ for the Chipwhisperer Lite. It looks like a Nano version will be cheaper. Made by Colin O'Flynn (kudos to him for providing the hardware for tonight) ● Open Source toolchain ● Essentially a FPGA (Spartan 6 LX9) and an ADC ● Can do power analysis, voltage and clock glitching
  • 16. Demo 1: timing uint8_t passbad = 0; for (uint8_t i = 0; i < sizeof(correct_passwd); i++){ if (correct_passwd[i] != passwd[i]){ passbad = 1; break; } } if (passbad) { puts("PASSWORD FAILn"); } else { puts("Access granted, Welcome!n") }
  • 17. DEMO
  • 19. S p e c kS p e c "SpecX" "Speck"
  • 20. Demo 2: Clock glitching int passok = 1; for (cnt = 0; cnt < 5; cnt++){ if (inp[cnt] != passwd[cnt]){ passok = 0; } } if (!passok){ puts("Deniedn"); } else { puts("Welcomen"); }
  • 21. Clock? Digital hardware usually needs some kind of reliable clock Source: Chipwhisperer documentation
  • 22. Clock glitching! If the clock is "wrong" we can trigger undefined behavior There is not enough time to execute #1. The instruction might be skipped! Source: Chipwhisperer documentation
  • 23. DEMO
  • 24. Attack plan 1. Try every possible clock delay / time offset combination in given ranges 2. Send "x" as password and perform the attack 3. .... wait ... 4. At some point the CPU might misbehave and skip instructions!
  • 26. Tying this back to software With these techniques we treat hardware as a black box and study how it interacts with the external world. Why not doing the same for heavily obfuscated software? (e.g.: DRM, malware, ...) DES entropy and randomness Source: F. Scrinzi - "Behavioral analysis of obfuscated code" AES-128 - Autocorrelation
  • 27. Countermeasures ● Spurious logic / capacitors to flatten power consumption ● Random jitters ● Voltage sensors ● Own clock generators ● Tamper-resistant enclosures ● Hardened software ○ Use 10101010 for True and 01010101 for False values ○ Extra integrity checks ○ Sensitive code in the "else" branch ○ ...
  • 28. Summary: ● When dealing with hardware we have to think differently ● Hardware-related attacks are cheap and easy ● There are many tools out there that you can play with ● Countermeasures can substantially raise the attack cost Thanks for listening :) Kudos to Colin O'Flynn, chip.fail crew, noopwafel, Riscure folks, and everyone out there that enables hardware security research