Advanced Hands-on Hardware Security Training
Dmitry is a hardware design engineer, security researcher, trainer and speaker. Dmitry recieved his PhD (Dr-Ing.) in 2014 in the field of IC Security with the Security in Telecommunications Research Group of TU Berlin and the Telekom Innovation Laboratories. Dmitry is a scholar of the Helmholtz Research School for Security Technologies doctoral program. His research interests include hardware and IC reverse-engineering as well as physical attacks against ICs and embedded systems. Dmitry’s academic research focused primarily on developing new and novel techniques for semi- and fully-invasive IC analysis. Most recently, Dmitry was involved in identifying vulnerabilities in the most wide-spread Phyiscally Unclonable Function (PUF) schemes.
25 - 29 March 2016
The analysis of hardware targets can often be hampered by the fact that a compatible peripheral is not available. However, through a combination of hardware and software it is possible to rapidly prototype and design such peripherals. This training is specifically designed for security researchers who wish to improve their familiarity with hardware security as well as the underlying implementations. The training is built as a set of Capture the Flag (CTF) style assignments, each designed to familiarize students with a common flaw in hardware implementations. Students will learn an efficient workflow for designing such peripherals. This workflow utilizes a combination of programmable logic (CPLDs, FPGAs) and corresponding python code to solve each assignment. Students that complete the course will thoroughly understand the advantages of building tools based on programmable logic. Additionally, students will understand how hardware implementations are realized and exploit several common hardware security flaws. Most importantly, students will learn the necessary skills for real-time analysis of complex undocumented proprietary protocols.
Until recently the tool of choice for security professionals working in the area of hardware security was expensive test and measurement equipment designed for engineers. However, in large part due to the recent Open Source Hardware revolution many hardware analysis platforms are now freely available for a reasonable price. Nevertheless, these platforms are generally quite limited in terms of scope and also have inherent deficiencies due to their implementations. As a result, custom hardware analysis tools are necessary for successful hardware analysis. One of the most powerful tools for implementing custom analysis platforms are Field-Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs and CPLDs provide a predictable timing behavior and substantially better timing resolution than microcontrollers based analysis platforms. They also offer a level of parallelism that is normally absent in microcontroller architectures. Moreover, since custom hardware implementations can be realized on programmable logic platforms it is even possible to perform real-time analysis of proprietary algorithms.
This training is organized like a Capture the Flag (CTF) event with sufficient assignments for any skill level, i.e. complete novices to experienced hardware security professionals. During the course, students will be provided the necessary test and measurement equipment, a programmable logic platform as well as the target platform with a vulnerable hardware implementation. Each day features a common class of hardware vulnerability and varying levels of difficulty. Students will need to isolate and identify the vulnerability on the target platform, design a custom implementation capable of exploiting the vulnerability and successfully exploit the hardware platform to advance to the next level. By experiencing the development workflow and designing their own hardware implementations, students will also become well aware of the kinds of hardware errata that may exist in a target platform.
Day 1 - Introduction
- Recommended literature
- Machine-To-Machine Communication
- Logic 101
- Sequential & combinatorial logic
- Finite State machines (FSM)
- Logical functions & arithmetic computation
- Logic optimization
- Verilog 101
- UART FSM
- HDL equivalent for FSM
- Testing and verification of RX/TX
- Hardware Logic Implementation
- Electronics 101
- ASICs, TTL-Logic
- FPGAs, CPLDs
- Hard vs. Soft Macros
- I/O, Tristates
- FPGA/ASIC Development Workflow
- Behavioral simulation
- Place and Route
- Timing simulation
- Design constraints
- Best practices
- Safety and electronics
Day 1 Assignment: FPGA Bring Up
At the end of Day 1 students will have an opportunity to program create a design that utilizes the state machines written throughout the day. Subsequently students will load their bitstreams onto an FGPA and verify that they work. This assignment ensures that students have fully the process of simulation, synthesis and have fully understood the workflow with the FPGA tools.
Day 2 Assignment: Invalid Protocol States
The goal of this assignment is to familiarize students with the hardware analysis techniques required for performing the assignments. Students will have to analyze the target platform and subsequently identify and understand the communications protocol. The protocol will require students to design a hardware implementation capable of decoding the communication in real time and injecting malicious data. Identify and analyze the communications protocol. Design a hardware implementation capable of reading/injecting data. Implement a Denial of Service (DoS) attack against the protocol. Perform a replay attack against the protocol. Cope with an obfuscated protocol implementation.
Day 3 Assignment: Basic Glitching
The goal of this assignment is to teach students that the security of the target platform can be compromised by manipulating the operating state of the target. The target is realized as a system requiring that a valid pin be entered on a pin pad for access. Students will have to identify ways in which the operating state of the device can be determined and change it accordingly. Identify and analyze the communications protocol. Design a hardware implementation capable of brute forcing the system PIN. Identify valid triggers for the operating state of the system. Modify the hardware implementation to be able to cope with a penalty for 3 consecutive invalid PIN entries. Cope with a penalty flag hardware flag being set in Non Volatile Memory (NVM)
Day 4 Assignment: Timing Analysis
The goal of this assignment is to familiarize students with the advantages of utilizing programmable logic platforms for their predictable timing behavior. Students must implement a hardware implementation capable of sending the target platform a password and measuring the response time. Identify and analyze the communications protocol. Design a hardware implementation capable of sending a password and measuring the response time. Perform adaptive timing analysis against the target platform. Perform adaptive timing analysis against an optimized implementation. Topics Covered during the course Common hardware vulnerabilities, HDL development, FPGA implementation and debugging, Glitching, Fuzzing, Protocol sniffing
Day 5 Assignment: Bootloader Bypass
This assignment is designed to familiarize students with the workflow necessary for analyzing hardware targets in practice. Students will need to extract the bootloader from the device, analyze its contents, identify vulnerable instructions and glitch these instructions bypassing the protection mechanisms of the platform. Extract the bootloader from a standard ARM microcontroller. Analyze the bootloader and identify vulnerabilities. Implement a programmable logic design capable of glitching a protected target. Glitch a protected target and extract the firmware.
Student RequirementsParticipants should have some familiarity with scripting languages, i.e. Python. This course is suitable for people that are new to hardware security and electronics. All the theory and concepts related to electronics, HDL and debugging will be explained during course.
Software RequirementsVMware Player, VMware Workstation, VMware Fusion or Virtualbox. Please ensure that your virtualization solution supports USB in the Virtual Machine.
Hardware RequirementsA notebook capable of running a VMware image.