# Hands on with Non-Invasive Hardware Security Tooling

Colin O'Flynn

New England Hardware Security Day 2022

#### About Me & This Talk



- Started ChipWhisperer project
  - Power analysis, fault injection, including hardware & software.
  - Variety of open-source & not tools
  - Now a company supporting 6 people with some local connection coming soon (Cambridge/Boston area), *if you are looking for work please get in touch!*
- Was assistant professor at Dalhousie University (now adjunct to do ChipWhisperer stuff full-time instead)
- Co-author of "The Hardware Hacking Handbook" alongside *Jasper Van Woudenberg* 
  - Published with No Starch Press (physical book Nov / 2021)

Links to material on blog post at oflynn.com

#### Topics in this demo-focused talk

- Fault injection on Raspberry Pi 3 Model B+:
  - Faulting RSA signing operation to recover private key
  - EMFI

• RISC-V Soft Core

ECC / FPGA Attacks

## Fault Injection on Raspberry Pi 3 Model B+

Objective: DFA on RSA (from Python!)

#### R-Pi as Target & Platform



We're going to run some Python code on a Raspberry Pi Model 3 B+.

## R-Pi as Target & Platform



We're going to inject faults into a Raspberry Pi Model B 3+

#### R-Pi as Target & Platform

```
File Edit Tabs Help
0420895023661639019862379495017645342037849044552993181579153946523138430957
1531401
/home/pi/test.py:20: RuntimeWarning: This channel is already in use, continu
anyway. Use GPIO.setwarnings(False) to disable warnings.
 GPIO.setup(18, GPIO.OUT)
90it [00:02, 40.91it/s]Segmentation fault
pi@raspberrypi:~ $ python test.py
oaded SECRET KEY:
 SECRET KNOWN p: 1788107990298414946671967110934214587143749134127334670831
\underline{3684912304200886921}616116985742675702264935591014320723665337337364594593189
5426194549782361944128411813898647264854490487760581514957368381732096873188
4932063996016520501500404278313382014833619235366660782099460518722814218677
2484399
 SECRET KNOWN q: 1525233919984401138266712359184211726799434776074544683725
6962992737838645557814780634407331711145095262404962808185168935226577111189
4851442900723066606393548273284332009648923418389843103328117385347056908523
0420895023661639019862379495017645342037849044552993181579153946523138430957
1531401
/home/pi/test.py:20: RuntimeWarning: This channel is already in use, continu
anyway. Use GPIO.setwarnings(False) to disable warnings.
 GPIO.setup(18, GPIO.OUT)
925it [00:22, 40.75it/s]free(): invalid pointer
Aborted
```

We're going to crash a Raspberry Pi Model B 3+



#### My Code for R-Pi



https://github.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/tree/master/rpi-glitching

#### Follow Along with Co-Lab / Python

```
while True:
31
32
       GPIO.output(18, GPIO.LOW)
       GPIO.output(18, GPIO.HIGH)
33
34
       output = p.sign(h)
       GPIO.output(18, GPIO.LOW)
35
36
       37
38
       39
```

These are example *faulty* outputs – if you uncomment this code acts as if you received such a faulty output!

See if you can get the p/q recovery. If so you can run this yourself.

WATCH ENVIRONMENT SETUP: Need specific version of pycryptodome!

The issue is fixed in any recent version.

# Cheap EMFI Tooling

#### Initial "Safe" Version



Hackaday Remoticon 2021

https://github.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/tree/master/dangerous-emfi

#### PicoEMP





## RISC-V Soft-Core Attack





## Example – Simple AES Attack

### Rebuilding your RISC-V Core

```
Info: Slack histogram:
Info: legend: * represents 21 endpoint(s)
              + represents [1,21) endpoint(s)
Info:
Info: [ 39029. 41053) |*+
Info: [ 41053, 43077)
Info: [ 43077, 45101)
Info: [ 45101, 47125)
                        ********
Info:
      [ 47125,
               49149)
              51173)
                        *****
Info: [ 49149.
Info: [ 51173,
               53197)
                        ****
Info: [ 53197, 55221)
                        ***+
Info: [ 55221,
               57245)
                        ****
                       ******
Info: [ 57245, 59269)
Info: [ 59269,
                        *********
               61293)
Info: [ 61293, 63317)
                        ************
Info: [ 63317,
               65341)
                        *********
Info: [ 65341. 67365)
                       | *****************
     [ 67365,
               69389)
                        ********
Info: [ 69389.
               71413)
                       **********
Info: [ 71413,
               73437)
                        *******
Info: [ 73437, 75461)
                        ****************
                        *********
Info: [ 75461, 77485)
Info: [ 77485, 79509)
                       | **********************************
6 warnings, 0 errors
Info: Program finished normally.
icepack neorv32_iCE40CW312_MinimalBoot.asc neorv32_iCE40CW312_MinimalBoot.bit
make[3]: Leaving directory '/c/dev/neorv32-setups/osflow' IMPL="${BITSTREAM%%.*}"; for item in ".bit" ".svf"; do \
 if [ -f "./$IMPL$item" ]; then \
   mv "./$IMPL$item" ./; \
 fi \
done
make[2]: Leaving directory '/c/dev/neorv32-setups/osflow'
make[1]: Leaving directory '/c/dev/neorv32-setups/osflow'
```

#### Rebuilding your Firmware

```
Creating load file for EEPROM: simpleserial-aes-CW308 NEORV32.eep
riscv32-unknown-elf-objcopy -j .eeprom --set-section-flags=.eeprom="alloc,load" \
 -change-section-lma .eeprom=0 --no-change-warnings -0 ihex simpleserial-aes-CW308 NEORV32.elf simpleserial-aes
ORV32.eep || exit 0
Creating Extended Listing: simpleserial-aes-CW308 NEORV32.lss
riscv32-unknown-elf-objdump -h -S -z simpleserial-aes-CW308 NEORV32.elf > simpleserial-aes-CW308 NE
Creating Symbol Table: simpleserial-aes-CW308 NEORV32.sym
riscv32-unknown-elf-nm -n simpleserial-aes-CW308 NEORV32.elf > simpleserial-aes-CW308 NEORV32.sym
Size after:
                                    hex filename
  text
          data
                   bss
                            dec
  5784
           272
                  5696 11752
                                  2de8 simpleserial-aes-CW308 NEORV32.elf
 Default target does full rebuild each time.
 Specify buildtarget == allquick == to avoid full rebuild
 Built for platform iCE40 Target with neorv softcore with:
 CRYPTO TARGET = TINYAES128C
 CRYPTO OPTIONS = AES128C
```

### What can you do?

- Change the code.
- Change the core parameters.
- Add custom core instructions.
- Totally open source!

## FPGA ECC Attack

#### About ECC FPGA Attacks



You know it's ECC because I used this figure.



#### How bad is it to know this?

#### iPhone hacker publishes secret Sony PlayStation 3 key

By Jonathan Fildes Technology reporter, BBC News

③ 6 January 2011



20 E SER 20

Figure 3: Google Titan Security Key PCB, with NXP A7005a die visible after wet chemical attack of its package

prove cumbersome. We had to find a workaround to study the implementation in a more convenient setting.



Figure 4: EM Probe Positions on Titan (left) and Rhea (right)



Figure 5: Titan ECDSA Signature EM Trace

Steal your games.

https://www.bbc.com/news/technology-12116051

Steal your auth tokens.

https://www.usenix.org/conference/usenixsecurity21/presentation/roche

## High-Level Setup





https://github.com/newaetech/chipwhisperer-jupyter/blob/master/demos/CW305\_ECC

### Following Along

#### Ark of the ECC

An open-source ECDSA power analysis attack on a FPGA based Curve P-256 implementation

Jean-Pierre Thibault<sup>1</sup>, Colin O'Flynn<sup>1,2</sup>, and Alex Dewar<sup>1</sup>

NewAE Technology Inc, Canada <sup>2</sup> Dalhousie University, Canada {jpthibault,coflynn,adewar}@newae.com

Abstract. Power analysis attacks on ECC have been presented since almost the very beginning of DPA itself, even before the standardization of AES. Given that power analysis attacks against AES are well known and have a large body of practical artifacts to demonstrate attacks on both software and hardware implementations, it is surprising that these artifacts are generally lacking for ECC. In this work we begin to remedy this by providing a complete open-source ECDSA attack artifact, based on a high-quality hardware ECDSA core from the CryP Tech project. We demonstrate an effective power analysis attack against an FPGA implementation of this core. As many recent secure boot solutions are using ECDSA, efforts into building open-source artifacts to evaluate attacks on ECDSA are highly relevant to ongoing academic and industrial research programs. To demonstrate the value of this evaluation platform, we implement several countermeasures and show that evaluating leakage on hardware is critical to understand the effectiveness of a countermeasure.

Keywords: power analysis · ECDSA · FPGA evaluation

#### 1 Introduction

Side-channel power analysis attacks against cryptographic implementations are well-known in practice, starting with their seminal introduction in 1999 [16]. Since then, a considerable amount of work has been focused on symmetric algorithms, and in particular AES. Power analysis against AES has been demonstrated in real-life examples of software and hardware [21,22,28,18,25,8,32] attacks, and a reader can refer to widely available material such as published books [20], training courses, community driven tutorials such as part of the

#### Detailed write-up:

https://eprint.iacr.org/2021/1520.pdf



#### Full notebooks:

https://github.com/newaetech/chipwhispererjupyter/blob/master/demos/CW305\_ECC

#### More Stuff

Follow me on Twitter:

@colinoflynn

Send me an e-mail:

coflynn@newae.com

Occasional blog posts:

www.oflynn.com

Updates on new tools & tutorials:

www.newae.com (subscribe to newsletter)

www.chipwhisperer.com