Utilizing Programmable Logic for Analyzing Hardware Targets

Instructors: Dmitry Nedospasov and Sam Collinson
Dates: 15-18 June 2015
Capacity: 18 Seats

Until recently the tool of choice for security professionals working in the area of hardware security was expensive test and measurement equipment designed for engineers. However, in large part due to the recent Open Source Hardware revolution many hardware analysis platforms are now freely available for a reasonable price. Nevertheless, these platforms are generally quite limited in terms of scope and also have inherent deficiencies due to their implementations. As a result, it is often necessary for security professionals to design custom hardware analysis tools for successfully analyzing hardware targets. One of the most powerful tools for implementing custom analysis platforms are Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs and CPLDs provide a predictable timing behavior and substantially better timing resolution than microcontrollers based analysis platforms. They also offer a level of parallelism that is normally absent in microcontroller architectures. Moreover, since custom hardware implementations can be realized on programmable logic platforms it is even possible to perform real-time analysis of proprietary algorithms.

This training is organized like a Capture the Flag (CTF) event with sufficient assignments for any skill level, i.e. complete novices to experienced hardware security professionals. During the course, students will be provided the necessary test and measurement equipment, a programmable logic platform as well as the target platform with a vulnerable hardware implementation. Each day features a common class of hardware vulnerability and varying levels of difficulty. Students will need to isolate and identify the vulnerability on the target platform, design a custom implementation capable of exploiting the vulnerability and successfully exploit the hardware platform to advance to the next level. By experiencing the development workflow and designing their own hardware implementations, students will also become well aware of the kinds of hardware errata that may exist in a target platform.

Day 1: Introduction

• * Theory/Basics
  • - Recommended literature
  • - Machine-To-Machine Communication
• * Logic 101
  • - Combinatorics
  • - Sequential & combinatorial logic
  • - Finite State machines (FSM)
  • - Logical functions & arithmetic computation
  • - Logic optimization
• * Verilog 101
  • - UART FSM
  • - HDL equivalent for FSM
  • - Testing and verification of RX/TX
• * Hardware Logic Implementation
  • - Electronics 101
  • - ASICs, TTL-Logic
  • - FPGAs, CPLDs
  • - Hard vs. Soft Macros
  • - I/O, Tristates
• * FPGA/ASIC Development Workflow
  • 1. Behavioral simulation
  • 2. Synthesis
  • 3. Place and Route
  • 4. Timing simulation
• * Gotchas
  • - Design constraints
  • - Optimization
  • - Best practices
  • - Safety and electronics

Day 1 Assignment: Invalid Protocol States

The goal of this assignment is to familiarize students with the hardware analysis techniques required for performing the assignments. Students will have to analyze the target platform and subsequently identify and understand the communications protocol. The protocol will require students to design a hardware implementation capable of decoding the communication in real time and injecting malicious data.

• 1. Identify and analyze the communications protocol.
• 2. Design a hardware implementation capable of reading/injecting data.
• 3. Implement a Denial of Service (DoS) attack against the protocol.
• 4. Perform a replay attack against the protocol.
• 5. Cope with an obfuscated protocol implementation.

Day 2 Assignment: Timing Analysis

The goal of this assignment is to familiarize students with the advantages of utilizing programmable logic platforms for their predictable timing behavior. Students must implement a hardware implementation capable of sending the target platform a password and measuring the response time.

• 1. Identify and analyze the communications protocol.
• 2. Design a hardware implementation capable of sending a password and measuring the response time.
• 3. Perform adaptive timing analysis against the target platform.
• 4. Perform adaptive timing analysis against an optimized implementation.
• 5. Perform adaptive timing analysis against a system which uses hashes instead.

Day 3 Assignment: Glitching

The goal of this assignment is to teach students that the security of the target platform can be compromised by manipulating the operating state of the target. The target is realized as a system requiring that a valid pin be entered on a pin pad for access. Students will have to identify ways in which the operating state of the device can be determined and change it accordingly.

• 1. Identify and analyze the communications protocol.
• 2. Design a hardware implementation capable of brute forcing the system PIN.
• 3. Identify valid triggers for the operating state of the system.
• 4. Modify the hardware implementation to be able to cope with a penalty for 3 consecutive invalid PIN entries.
• 5. Cope with a penalty flag hardware flag being set in Non Volatile Memory (NVM)

Day 4 Assignment: Unauthenticated Media

The goal of this assignment is to familiarize students with strategies for bypassing media authentication on target platforms. Students will have to analyze the target and identify the multiple communications protocols required for reading the media. Subsequently they will have to devise strategies for bypassing the media authentication and force the target system to accept arbitrary media.

• 1. Identify and analyze the communications protocol.
• 2. Perform a replay attack capable of bypassing the media authentication.
• 3. Perform a ToCToU attack against a system that verifies media signatures.
• 4. Bypass the system completely and stream media directly to the audio codec.

Topics Covered during the course:

Common hardware vulnerabilities, HDL development, FPGA implementation and debugging, Glitching, Fuzzing, Protocol sniffing

Class Requirements

Prerequisites:

A notebook capable of running a VMware image.

Participants should have some familiarity with scripting languages, i.e. Python.

This course is suitable for people that are new to hardware security and electronics.

All the theory and concepts related to electronics, HDL and debugging will be explained during course.

Minimum Software to install:

VMware Player, VMware Workstation, VMware Fusion or Virtualbox.

Please ensure that your virtualization solution supports USB in the Virtual Machine.

Bio

Dmitry Nedospasov studied Computer Engineering (CE) and recently finished his PhD in the field of Security of Integrated Circuit (IC) at the Berlin University of Technology (TU Berlin). Dmitry's research includes several novel physical attacks against ICs and embedded systems. The techniques were primarily developed to cope with modern manufacturing and packaging techniques of current and future generation semiconductor devices. This included adapting several Failure Analysis techniques to ensure device function throughout the analysis process. Dmitry has also been involved in studying modern IC countermeasures and obfuscation techniques. As part of this research several techniques were developed for correctly identifying and circumventing defensive mechanisms on modern ICs. Most recently, Dmitry was involved in identifying vulnerabilities in next-generation protection mechanisms known as Phyiscally Unclonable Functions (PUFs). Due to the nature of these techniques Dmitry has been involved in developing several hardware tools to facilitate IC analysis. Together with Thorsten Schroder, Dmitry created Die Datenkrake (DDK) an open-source hardware platform for hardware reverse-engineering.

Website: http://nedos.net

Twitter: @nedos

Sam Collinson studied Computer Systems Engineering and recently finished his PhD in the field of Ray Tracing Acceleration at The University of Auckland. Sam presented at Kiwicon 2013 and Syscan 2014 together with @snare about utilising FPGAs to preform DMA attacks over Thunderbolt against Apple laptops, bypassing counter-measures previously put in place to prevent FireWire DMA attacks. Sam created the FPGA proof-of-concept, using his low-level knowledge of the protocols to implement a PCI Express endpoint and Microblaze soft-processor that when connected via a PCIE-to-Thunderbolt adapter would preform DMA reads and writes to unlock a protected laptop. Sam's university research involved development of a flexible platform to easily and efficiently explore parallelism in ray tracing on FPGAs. The platform integrated high-speed PCI Express communication and DDR3 memory interfaces on large FPGAs and required heavy optimisation to meet demanding performance requirements.

Twitter: @_rezin_

To Register

Click here to register.