Hardware Hacking (Advanced)
Instructor:
Dmitry Nedospasov
Dates:
13-16 June 2016
Capacity:
18 Seats (SOLD OUT)
Price:
$4200 CAD before May 1,
$5000 CAD after.
The analysis of hardware targets is often hampered by the fact that a compatible peripheral is not available. However, through a combination of hardware and software it is possible to rapidly prototype and design such peripherals. This training is designed specifically for security researchers who wish to improve their familiarity with hardware security and with the underlying implementations. The training is built as a set of Capture the Flag (CTF) style assignments, each designed to familiarize students with a common flaw in hardware implementations. Students will learn an efficient workflow for designing such peripherals. This workflow uses a combination of programmable logic (CPLDs, FPGAs) and corresponding Python code to solve each assignment. Students who complete the course will thoroughly understand the advantages of building tools based on programmable logic. Additionally, students will understand how hardware implementations are realized and will exploit several common hardware security flaws. Most importantly, students will learn the skills necessary for real-time analysis of complex, undocumented, proprietary protocols.
Until recently the tool of choice for security professionals working in the area of hardware security was expensive test and measurement equipment designed for engineers. However, in large part due to the recent Open Source Hardware revolution, many hardware analysis platforms are now freely available at a reasonable price. Nevertheless, these platforms are generally quite limited in scope and also have inherent deficiencies due to their implementations. As a result, custom hardware analysis tools are necessary for successful hardware analysis. Among the most powerful tools for implementing custom analysis platforms are Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs and CPLDs provide predictable timing behavior and substantially better timing resolution than microcontroller-based analysis platforms. They also offer a level of parallelism that is normally absent in microcontroller architectures. Moreover, since custom hardware implementations can be realized on programmable logic platforms, it is even possible to perform real-time analysis of proprietary algorithms.
This training is organized like a Capture the Flag (CTF) event, with sufficient assignments for any skill level, from complete novices to experienced hardware security professionals. During the course, students will be provided with the necessary test and measurement equipment, a programmable logic platform, and the target platform with a vulnerable hardware implementation. Each day features a common class of hardware vulnerability at varying levels of difficulty. Students will need to isolate and identify the vulnerability on the target platform, design a custom implementation capable of exploiting the vulnerability, and successfully exploit the hardware platform to advance to the next level. By experiencing the development workflow and designing their own hardware implementations, students will also become well aware of the kinds of hardware errata that may exist in a target platform.
CLASS OUTLINE
Day 1: Introduction
• Theory/Basics
• Recommended literature
• Machine-To-Machine Communication
• Logic 101
• Combinatorics
• Sequential & combinatorial logic
• Finite State machines (FSM)
• Logical functions & arithmetic computation
• Logic optimization
• Verilog 101
• UART FSM
• HDL equivalent for FSM
• Testing and verification of RX/TX
• Hardware Logic Implementation
• Electronics 101
• ASICs, TTL-Logic
• FPGAs, CPLDs
• Hard vs. Soft Macros
• I/O, Tristates
• FPGA/ASIC Development Workflow
• Behavioral simulation
• Synthesis
• Place and Route
• Timing simulation
• Gotchas
• Design constraints
• Optimization
• Best practices
• Safety and electronics
Day 1 Assignment: FPGA bring up
At the end of Day 1 students will have an opportunity to create a design that uses the state machines written throughout the day. Subsequently, students will load their bitstreams onto an FPGA and verify that they work. This assignment ensures that students have fully understood the process of simulation and synthesis and the workflow with the FPGA tools.
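The UART FSM built during Day 1 is the receiver that the Day 2 sniffer later depends on. As an added example (not course material, and a Python model rather than the Verilog the course uses), the block below models an 8N1 receiver sampling the line at 16x the baud rate: it waits for the falling edge of the start bit, re-checks the line mid-bit to reject glitches, samples each data bit in the middle of its period, and flags a framing error if the stop bit is not high. The frame encoder and the sample streams are constructed here to exercise the model the way a simulation testbench would.

```python
"""Software model of an 8N1 UART receiver state machine (constructed example)."""

OVERSAMPLE = 16  # samples per bit period; assumed receiver clock / baud ratio


def encode_frame(byte):
    """Line levels for one 8N1 frame: start (low), 8 data bits LSB first, stop (high).
    Each bit is held for OVERSAMPLE samples. Used only to drive the model."""
    bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    samples = []
    for b in bits:
        samples.extend([b] * OVERSAMPLE)
    return samples


class UartRx:
    """Four-state receiver: IDLE -> START -> DATA -> STOP -> IDLE."""

    IDLE, START, DATA, STOP = range(4)

    def __init__(self):
        self.state = self.IDLE
        self.count = 0      # sample counter inside the current bit period
        self.bit = 0        # index of the data bit being assembled
        self.shift = 0      # shift register for the byte under reception
        self.received = []  # bytes accepted with a valid stop bit
        self.errors = 0     # framing errors (stop bit sampled low)

    def tick(self, rx):
        """Advance the FSM by one sample of the line level rx (0 or 1)."""
        if self.state == self.IDLE:
            if rx == 0:                       # falling edge: candidate start bit
                self.state, self.count = self.START, 0
        elif self.state == self.START:
            self.count += 1
            if self.count == OVERSAMPLE // 2:  # mid start bit
                if rx == 0:                   # still low: genuine start bit
                    self.state, self.count, self.bit, self.shift = self.DATA, 0, 0, 0
                else:                         # short glitch, not a frame
                    self.state = self.IDLE
        elif self.state == self.DATA:
            self.count += 1
            if self.count == OVERSAMPLE:      # mid data bit, one period later
                self.count = 0
                self.shift |= rx << self.bit  # LSB first
                self.bit += 1
                if self.bit == 8:
                    self.state = self.STOP
        elif self.state == self.STOP:
            self.count += 1
            if self.count == OVERSAMPLE:      # mid stop bit
                if rx == 1:
                    self.received.append(self.shift)
                else:
                    self.errors += 1          # framing error: line should be high
                self.state = self.IDLE


def decode(samples):
    """Run a sample stream through the model; returns (bytes received, framing errors)."""
    rx = UartRx()
    for s in samples:
        rx.tick(s)
    return rx.received, rx.errors


if __name__ == "__main__":
    stream = [1] * 32 + encode_frame(0x41) + encode_frame(0x55)
    print(decode(stream))  # two frames decoded, no framing errors
```

The mid-bit sampling points are where the model differs from a naive bit-for-bit decoder: a 3-sample low pulse on the line never reaches the DATA state, and a stop bit held low is counted as a framing error rather than silently accepted, which is exactly the behaviour a testbench for the Verilog equivalent should check.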
Day 2 Assignment: Invalid Protocol States
The goal of this assignment is to familiarize students with the hardware analysis techniques required for performing the assignments. Students will have to analyze the target platform and subsequently identify and understand the communications protocol. The protocol will require students to design a hardware implementation capable of decoding the communication in real time and injecting malicious data.
- Identify and analyze the communications protocol.
- Design a hardware implementation capable of reading/injecting data.
- Implement a Denial of Service (DoS) attack against the protocol.
- Perform a replay attack against the protocol.
- Cope with an obfuscated protocol implementation.
Day 3 Assignment: Glitching
The goal of this assignment is to teach students that the security of the target platform can be compromised by manipulating the operating state of the target. The target is realized as a system requiring that a valid PIN be entered on a PIN pad for access. Students will have to identify ways in which the operating state of the device can be determined and change it accordingly.
- Identify and analyze the communications protocol.
- Design a hardware implementation capable of brute forcing the system PIN.
- Identify valid triggers for the operating state of the system.
- Modify the hardware implementation to be able to cope with a penalty for 3 consecutive invalid PIN entries.
- Cope with a penalty flag being set in Non-Volatile Memory (NVM).
Day 4 Assignment: Timing Analysis
The goal of this assignment is to familiarize students with the advantages of using programmable logic platforms for their predictable timing behavior. Students must design a hardware implementation capable of sending the target platform a password and measuring the response time.
- Identify and analyze the communications protocol.
- Design a hardware implementation capable of sending a password and measuring the response time.
- Perform adaptive timing analysis against the target platform.
- Perform adaptive timing analysis against an optimized implementation.
- Perform adaptive timing analysis against a system which uses hashes instead.
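What the Day 4 measurement exploits is a password check whose execution time depends on how many leading bytes of the guess are correct. As an added example (not course material; the cycle counts are a constructed model, not measurements of the course target), the block below puts the early-exit comparison beside a constant-time one and exposes the cycle count a logic-analyser-style counter on the FPGA side would observe. The leak shows up as a cycle count that grows with the matching prefix; the fixed-time version always returns the same count, and the hashed variant shows that hashing alone does not help unless the digests are also compared in constant time.

```python
"""Cycle-count model of a timing-leaking password check and its fixed-time form
(constructed example; SECRET and the cycle model are assumptions)."""
import hashlib
import hmac

SECRET = b"s3cr3t!"  # constructed secret for the model


def check_early_exit(guess, secret=SECRET):
    """Naive byte-wise compare that stops at the first mismatch.
    Returns (accepted, cycles); cycles counts comparison steps, i.e. what an
    external response-time measurement sees."""
    cycles = 1  # length check
    if len(guess) != len(secret):
        return False, cycles
    for g, s in zip(guess, secret):
        cycles += 1
        if g != s:
            return False, cycles  # response time reveals the mismatch position
    return True, cycles


def check_constant_time(guess, secret=SECRET):
    """Fixed-time compare: always walks the full secret and folds every
    difference (including the length) into one accumulator."""
    diff = len(guess) ^ len(secret)
    cycles = 1
    for i in range(len(secret)):
        cycles += 1
        g = guess[i] if i < len(guess) else 0
        diff |= g ^ secret[i]
    return diff == 0, cycles


def check_hashed(guess, secret=SECRET):
    """Hashing moves the comparison to fixed-length digests but does not remove
    the channel by itself; the digests still need a constant-time compare."""
    return hmac.compare_digest(hashlib.sha256(guess).digest(),
                               hashlib.sha256(secret).digest())


def leak_profile(check, guesses):
    """Cycle count observed for each guess under the given check."""
    return [check(g)[1] for g in guesses]


if __name__ == "__main__":
    probes = [b"xxxxxxx", b"s3xxxxx", b"s3cr3t!"]
    print("early exit   :", leak_profile(check_early_exit, probes))
    print("constant time:", leak_profile(check_constant_time, probes))
```

Read the two profiles side by side: the early-exit counts rise as the prefix gets longer, which is the signal the adaptive analysis on the course target relies on, while the constant-time counts are flat. The same flatness is the property to verify on any firmware that compares a password, a digest, or a MAC.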
Topics Covered during the course
Common hardware vulnerabilities, HDL development, FPGA implementation and debugging, glitching, fuzzing, protocol sniffing.
CLASS REQUIREMENTS
Prerequisites
Participants should have some familiarity with a scripting language such as Python.
This course is suitable for people who are new to hardware security and electronics. All the theory and concepts related to electronics, HDL and debugging will be explained during the course.
Hardware
- A notebook capable of running a VMware image.
Minimum Software to Install
- VMware Player, VMware Workstation, VMware Fusion or Virtualbox.
- Please ensure that your virtualization solution supports USB in the Virtual Machine.
BIO
Dmitry Nedospasov studied Computer Engineering (CE) and recently finished his PhD in the field of Integrated Circuit (IC) security at the Berlin University of Technology (TU Berlin). Currently he is a consultant in the field of hardware security and secure design. He is also involved in a startup that is designing security peripherals for end users. Dmitry's PhD research included several novel physical attacks against ICs and embedded systems. This included adapting several Failure Analysis techniques to ensure device function throughout the analysis process. Dmitry has also been involved in studying modern IC countermeasures and obfuscation techniques. As part of this research, several techniques were developed for correctly identifying and circumventing defensive mechanisms on modern ICs. To support his research, Dmitry has been involved in developing several hardware analysis tools to facilitate IC analysis. Together with Thorsten Schroder, Dmitry created Die Datenkrake (DDK), an open-source hardware platform for hardware reverse engineering.
Website: http://nedos.net