Utilizing Programmable Logic for Hardware Reverse-Engineering


Instructors: Dmitry Nedospasov and Thorsten Schroeder
Dates: 17-20 June 2013
Availability: 15 Seats


Off the shelf solutions for high-level hardware reverse engineering inevitably fall short when it comes to analyzing proprietary protocols or where accurate timing is necessary. Sooner or later, one is faced with the situation that custom hardware can do the job much more efficiently. Extremely versatile hardware comparable in function to custom ASICs can be implemented by utilizing programmable logic in conjunction with an ARM microcontroller and standard peripheral interfaces. Custom logic can be effectively used to process proprietary communications protocols and implement additional functionality in resource constrained environments and timing critical applications.


The main goal of this course is to familiarize participants with the concepts necessary to implement custom logic. The course will cover several techniques for hardware reverse-engineering such as firmware extraction, fuzzing and glitching. Participants will implement coprocessors on a Field Programmable Gate Array (FPGA) in Verilog HDL and interface them to the ARM microcontroller (MCU) using the C programming language. The DDK is a low-cost opensource hardware platform consisting of an Actel FPGA and an NXP LPC1700 family ARM Cortex-M3 MCU. Each participant will receive a DDK board for building custom HW reverse-engineering tools for specific targets.


Participants will become acquainted with the standard FPGA/ASIC development cycle, from simulation to place and route and the resulting netlist timing analysis. Participants will also gain hands-on experience by applying the techniques introduced in the course to several embedded hardware targets. One of the primary goals is for students of this course to become familiar with professional development workflows used by real world engineers. Participants will also be provided an opportunity to work with professional test equipment, such as professional oscilloscopes and logic analyzers, for debugging their hardware and logic.


Day 1: Introduction
* Theory/Basics
- Recommended literature
- Number systems and representations
* Machine-To-Machine Communication

* Logic 101
- Combinatorics
- Sequential & combinatorial logic
- State machines
- Logical functions & arithmetic computation
- Logic optimization


Day 2: FPGA Development
* Hardware Logic Implementation
- Electronics 101
- ASICs, TTL-Logic
- FPGAs, CPLDs
- Hard vs. Soft Macros

* Verilog 101

* FPGA/ASIC Development Workflow
- Introduction to typical FPGA toolchain
    1. Behavioural simulation
    2. Synthesis
    3. Place and Route
    4. Timing simulation
- Design constraints and optimization
- Best practices

* Hands-on (Simulation and Synthesis)
    1. Combinatorial arithmetic logic
    2. Sequential logic
    3. State machines
    4. Implement bus-connected peripheral


Day 3: Embedded ARM Development
* Introduction to embedded ARM
- Introduction to the LPC176x on DDK
- Features
- Using compiler & debugger
- Communication between ARM and FPGA

* Real-time OS
- Tasks on an RTOS
- Examples of parallel tasks (DDK)

* HW debugging 101
- Introduction to test equipment (how it works)
    - Multimeters
    - Oscilloscopes
    - Logic analysers
- High Level Embedded Hacking Tools

* Hands-on (ARM Development)
1. Debug previous day's assignments
    - Use oscilloscope and logic analyzer
2. Implement C-code for coprocessor


Day 4: Hardware Hacking
* HW attack vectors
- DDK as an attack & RE platform
- Typical fault-classes
- Attack scenarios
- Attack mitigation
- Targets (t.b.a.)

* Hands-On (Attack Targets)
- Several targets will be provided (t.b.a)
- Using the FPGA and ARM together will yield best results


Covered topics:
HDL development, FPGA implementation and debugging, ARM development and debugging, Glitching, Fuzzing, Protocol sniffing, Extracting firmware and data from embedded devices

Class Requirements

Prerequisites:
A notebook capable of running a VMware image.
Participants should be familiar with the C programming language.

This course is suitable for people that are unfamiliar with embedded development. All the theory and concepts behind the electronics, HDL and debugging will be taught during course.


Minimum Software to install:
VMware Player, Workstation or Fusion.

Bio

Dmitry Nedospasov:


Dmitry Nedospasov is a PhD student and researcher in the field of IC security at the Security in Telecommunications (SECT) research group at the Berlin University of Technology (TU Berlin) and the Telekom Innovation Laboratories. Dmitry's research interests include hardware and IC reverse-engineering as well as physical attacks against ICs and embedded systems. His academic research focuses on developing new and novel techniques for semi and fully-invasive IC analysis. Most recently, Dmitry was involved in identifying vulnerabilities in the most wide-spread Phyiscally Unclonable Function (PUF) schemes.

Website: http://nedos.net


Thorsten Schroder


Thorsten Schroder has been active as a technical consultant in the field of applied IT-Security for many years. His areas of expertise lie in the verification of software in either source or binary form. More recently, Thorsten's research has resulted in several open source hardware projects, most notably the "Keykeriki", an RF-analysis tool for sniffing and attacking 2.4GHz based radio devices such as wireless keyboards. Thorsten has also been involved in several software reverse-engineering projects such as the CCC's analysis of the German Federal Trojan known as "0zapftis". Thorsten is the co-founder of the Swiss modzero AG, established in 2011, as well as the German branch, modzero GmbH, established in January 2013.

Website: http://www.modzero.ch/