Utilizing Programmable Logic for Analyzing Hardware Targets Dmitry Nedospasov <dmitry@h.rdw.re> SHORT DESCRIPTION Hardware security analysis differs from software security analysis primarily in the tools and techniques required for the task at hand. However, many security researchers overestimate the learning curve required to begin successfully performing embedded hardware analysis. This training is specifically designed for security researchers who wish to improve their familiarity with hardware security and hardware implementations in particular. The training is built as a set of Capture the Flag (CTF) style assignments designed to familiarize students with common flaws in hardware implementations. In this training, students will learn to develop custom hardware implementations utilizing programmable logic, i.e. Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). Students will thoroughly understand the advantages of building tools based on programmable logic, understand how hardware implementations are realized and exploit several common hardware security flaws.
FULL DESCRIPTION Until recently the tool of choice for security professionals working in the area of hardware security was expensive test and measurement equipment designed for engineers. However, in large part due to the recent Open Source Hardware revolution many hardware analysis platforms are now freely available for a reasonable price. Nevertheless, these platforms are generally quite limited in terms of scope and also have inherent deficiencies due to their implementations. As a result, it is often necessary for security professionals to design custom hardware analysis tools for successfully analyzing hardware targets. One of the most powerful tools for implementing custom analysis platforms are Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs and CPLDs provide a predictable timing behavior and substantially better timing resolution than microcontrollers based analysis platforms. They also offer a level of parallelism that is normally absent in microcontroller architectures. Moreover, since custom hardware implementations can be realized on programmable logic platforms it is even possible to perform real-time analysis of proprietary algorithms. This training is organized like a Capture the Flag (CTF) event with sufficient assignments for any skill level, i.e. complete novices to experienced hardware security professionals. During the course, students will be provided the necessary test and measurement equipment, a programmable logic platform as well as the target platform with a vulnerable hardware implementation. Each day features a common class of hardware vulnerability and varying levels of difficulty. Students will need to isolate and identify the vulnerability on the target platform, design a custom implementation capable of exploiting the vulnerability and successfully exploit the hardware platform to advance to the next level. By experiencing the development workflow and designing their own hardware implementations, students will also become well aware of the kinds of hardware errata that may exist in a target platform. DAY 1: INTRODUCTION Theory/Basics Recommended literature Machine-To-Machine Communication Logic 101 Combinatorics Sequential & combinatorial logic Finite State machines (FSM) Logical functions & arithmetic computation Logic optimization!2
Verilog 101 UART FSM HDL equivalent for FSM Testing and verification of RX/TX Hardware Logic Implementation Electronics 101 ASICs, TTL-Logic FPGAs, CPLDs Hard vs. Soft Macros I/O, Tristates FPGA/ASIC Development Workflow 1. Behavioral simulation 2. Synthesis 3. Place and Route 4. Timing simulation Gotchas Design constraints Optimization Best practices Safety and electronics DAY 1 ASSIGNMENT: GLITCHING The goal of this assignment is to teach students that the security of the target platform can be compromised by manipulating the operating state of the target. The target is realized as a system requiring that a valid pin be entered on a pin pad for access. Students will have to identify ways in which the operating state of the device can be determined and change it accordingly. 1. Identify and analyze the communications protocol. 2. Design a hardware implementation capable of brute forcing the system PIN. 3. Identify valid triggers for the operating state of the system. 4. Modify the hardware implementation to be able to cope with a penalty for 3 consecutive invalid PIN entries. 5. Cope with a penalty flag hardware flag being set in Non Volatile Memory (NVM)!3
DAY 2 ASSIGNMENT: TIMING ANALYSIS The goal of this assignment is to familiarize students with the advantages of utilizing programmable logic platforms for their predictable timing behavior. Students must implement a hardware implementation capable of sending the target platform a password and measuring the response time. 1. Identify and analyze the communications protocol. 2. Design a hardware implementation capable of sending a password and measuring the response time. 3. Perform adaptive timing analysis against the target platform. 4. Perform adaptive timing analysis against an optimized implementation. 5. Perform adaptive timing analysis against a system which uses hashes instead. TOPICS COVERED DURING THE COURSE Common hardware vulnerabilities, HDL development, FPGA implementation and debugging, Glitching, Fuzzing, Protocol sniffing CLASS REQUIREMENTS A notebook capable of running a VMware image. Participants should have some familiarity with scripting languages, i.e. Python. This course is suitable for people that are new to hardware security and electronics. All the theory and concepts related to electronics, HDL and debugging will be explained during course. MINIMUM SOFTWARE TO INSTALL VMware Player, VMware Workstation, VMware Fusion or Virtualbox. Please ensure that your virtualization solution supports USB in the Virtual Machine.!4
TRAINER BIO Dmitry Nedospasov studied Computer Engineering (CE) and recently finished his PhD in the field of Security of Integrated Circuit (IC) at the Berlin University of Technology (TU Berlin). Dmitry's research includes several novel physical attacks against ICs and embedded systems. The techniques were primarily developed to cope with modern manufacturing and packaging techniques of current and future generation semiconductor devices. This included adapting several Failure Analysis techniques to ensure device function throughout the analysis process. Dmitry has also been involved in studying modern IC countermeasures and obfuscation techniques. As part of this research several techniques were developed for correctly identifying and circumventing defensive mechanisms on modern ICs. Most recently, Dmitry was involved in identifying vulnerabilities in next-generation protection mechanisms known as Phyiscally Unclonable Functions (PUFs). Due to the nature of these techniques Dmitry has been involved in developing several hardware tools to facilitate IC analysis. Together with Thorsten Schroder, Dmitry created Die Datenkrake (DDK) an open-source hardware platform for hardware reverse-engineering. Website: http://nedos.net!5