
“Code extraction via Power analysis” focus on Embedded systems Yann ALLAIN / Julien MOINARD


Presentation Transcript


  1. How could the analysis of the electrical current consumption of embedded systems lead to code reversing? “Code extraction via Power analysis” focus on Embedded systems Yann ALLAIN / Julien MOINARD

  2. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  3. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  4. WHO WE ARE? • From France • @OPALE SECURITY Company • IT Security & Embedded System Security • Yann ALLAIN • 18 years in IT security and the electronic industry • Former CSO of the application domain for a hotel company • CEO and owner of OPALE SECURITY • Julien MOINARD • Electronic specialist • In charge of most of the technical implementation regarding this research

  5. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  6. Research context • Embedded system audit? • It’s all about finding a way to access the inside of the system without the privilege to do that! • With or without physical access • Through the IP interfaces (web service exposed, TCP service, etc.)

  7. Research context • Auditors could focus on Ethernet access, web interfaces, …

  8. Research context • Auditors could try to open the ‘box’ • Defeating the anti-tampering system • Teardown • Accessing the electronic circuit • Dumping the firmware, analyzing it, etc.

  9. Research context • But… an existing access is always available • The power line connectors!

  10. Research context As security auditors, may we use this access to do something?

  11. In fact, • We want to “extract the code executed on an embedded system from its current/power consumption” (≈ from the power connector…)

  12. Our wishlist • Be pragmatic • Keep it simple • No math and complex stuff • Cheap approach (as much as possible) • Don’t reinvent the wheel

  13. Existing research on this area?

  14. Existing research on this area? • Yes… (many!) but with different goals • Power analysis techniques (DPA, SPA) and researchers seem to focus only on extracting the cipher keys of sensitive devices (crypto systems, credit cards…)

  15. Existing research on this area? • We want more than some cipher keys… • We want to extract the code via power analysis methods • We are looking for instructions & data without opening the box!

  16. Existing research on this area? • Few papers related to code extraction via power analysis • We only found 3 available papers using the power consumption to find instructions • Identification of instructions managed by a PIC (Thomas Eisenbarth, http://math.fau.edu/~eisenbarth) → Cool! …but the researcher only focuses on finding instructions… we need access to data also… (But great paper!) • Discovery of information on the encryption keys (Valette, http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/dalemuva05.pdf) → Some chapters dedicated to our goals but not so much information disclosed (Gouv.fr close to a ‘sort of’ military domain?...) • Example adapted to JAVACARDS (Vermoen, http://ce.et.tudelft.nl/publicationfiles/1162_634_thesis_Dennis.pdf) → Too specific: Javacards

  17. Existing research on this area? • But these publications are full of mathematical formulae • which are more or less complex (from our point of view!) • Not for us… ;-)

  18. Extract the code!? How? Question • What is the link between the power consumption and the instructions and data executed? (@ hardware level)

  19. Extract the code!? How? Answer • A fundamental and basic electronic component… • Used everywhere! • Please, gentlemen, welcome our friends:

  20. Extract the code!? How? Answer Transistors

  21. Extract the code!? How? How can we extract the code from transistors!? We need some electronic 101 information

  22. AGENDA • Who we are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  23. Electronic 101 • Embedded systems are (could be) composed of microcontrollers (µC) that contain: • MEMORIES (RAM, ROM, …) • ALU (Arithmetic Logic Unit) • TIMER (Counter) • SERIAL INTERFACES • I/O BUS (Latch)

  24. Electronic 101 • Each basic function included in a µC is designed at electronic level with transistors • For example, see how a “NAND” is designed at electronic level (simplified view) Logical view Electronic view (uses only a few transistors) Physical electric signal associated

  25. Electronic 101 • When a transistor “processes” a bit at physical level (current, voltage), it “commutes” • Transistor = sort of digital switch

  26. Electronic 101 • When a transistor “commutes”, there is a current peak! • Let’s see what’s going on in practice (Labs…)

  27. Electronic 101 • Labs #1 – Hardware stuff

  28. Electronic 101 • Labs #1 – One transistor!

  29. Electronic 101 • Labs #1 – On each transition: current peak!

  30. Electronic 101 • Labs #1 – Zoom in (zoom of the current peak!)

  31. With more than one transistor µC/FPGA based embedded systems use a lot of transistors

  32. µCs use a lot of transistors • µC circuits implement more than 100K to 10M transistors at hardware level • Each time a transistor “processes” a bit, there is a current peak • All transistors are linked to the power line • All current peaks are ‘sent’ to the power line (due to the physical law regarding current inside electronic connections) We use this “physical feature” to link the power consumption with the bits processed

  33. AGENDA • Who We Are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  34. Proof of concept • How to move from one bit grabbed (step 1) to a set of data & instruction code (step 2) with our approach? • We have designed a proof of concept tool to analyze the electrical current consumption of embedded systems and extract the code they execute

  35. Proof of concept • We need to acquire more bits… via a current consumption analysis • “Acquiring current consumption”: how?

  36. Proof of concept • What we need: A “homemade” embedded system (the target…) • Based on a PIC18F4620 µC

  37. Proof of concept • What we need: An Agilent oscilloscope for acquiring the current consumption • AGILENT Dso3024a

  38. Proof of concept • What we need: A programmer/debugger (Microchip Real ICE)

  39. Proof of concept • What we need: A current probe • Very expensive professional tools (magnetic or electromagnetic current probes) > 400$ each Or • a simple resistor which costs less than 1$ • We chose the resistor!

  40. Proof of concept • What we need: A bit of software • Homemade code (VB.NET… sorry) used to control and pilot the oscilloscope • The code uses the standard protocol: VISA COM 3.0 • It’s a free library that lets us communicate with the Agilent oscilloscope through a simple set of commands • Get data measurements, launch a voltage or current acquisition, send the numerical values of the current acquired, …

  41. Proof of concept • What we need: A GUI (command/data GUI of our proof of concept tool)

  42. Proof of concept • Our acquisition chain looks like this:

  43. Proof of concept • In practice, it looks like this…

  44. How do we proceed to grab the current and extract the code? Step 1: send a dummy code to the µC (diagram: PC 1 → Programmer → Embedded System; the embedded system is then ready to use)

  45. Proof of concept Step 2, in the lab (diagram: Embedded System with probes → Oscilloscope (measure) → Current consumption → PC 2 (lab machine)) • Our tool tries to find the instructions & data executed from the current consumption
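The acquisition chain of slides 39 to 45 is a shunt resistor in the target's supply line, an oscilloscope read out over VISA, and PC-side software that turns the captured samples into current values. The Python below is an added example and not the authors' VB.NET tool: it decodes a waveform block in the IEEE 488.2 definite-length format that SCPI scopes return for a waveform-data query, scales the raw ADC codes to volts using the y_increment / y_origin / y_reference preamble fields (the convention of Agilent/Keysight InfiniiVision scopes, treated here as an assumption since the slides do not show the scaling), and divides by the shunt value to obtain the current. The sample block, the preamble values and the 10 Ω shunt are constructed.

```python
"""Decode a scope waveform block and turn the shunt voltage into current.

Added example, not the VB.NET tool from the talk. Assumptions (not from the slides):
 - the scope answers a waveform-data query with an IEEE 488.2 definite-length
   block: b'#', one digit D, then D digits giving the byte count, then the data
 - samples are unsigned bytes (waveform format BYTE)
 - the preamble gives y_increment, y_origin and y_reference, with the scaling
   volts = (code - y_reference) * y_increment + y_origin  (InfiniiVision convention)
 - the probe is a shunt resistor in series with the target supply, so I = V / R
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Preamble:
    x_increment: float  # seconds between two samples
    y_increment: float  # volts per ADC code
    y_origin: float     # volts corresponding to y_reference
    y_reference: int    # ADC code that maps to y_origin


def parse_definite_length_block(block: bytes) -> bytes:
    """Return the payload of an IEEE 488.2 definite-length block, or raise."""
    if len(block) < 2 or block[:1] != b"#":
        raise ValueError("block must start with '#'")
    ndigits = int(chr(block[1]))          # number of digits in the length field
    if ndigits == 0:
        raise ValueError("indefinite-length blocks (#0) are not supported")
    length = int(block[2:2 + ndigits].decode("ascii"))
    start = 2 + ndigits
    payload = block[start:start + length]
    if len(payload) != length:            # catch a truncated transfer early
        raise ValueError(f"truncated block: expected {length} bytes, got {len(payload)}")
    return payload


def codes_to_volts(codes: bytes, pre: Preamble) -> List[float]:
    """Raw ADC codes to volts across the shunt, using the preamble scaling."""
    return [(c - pre.y_reference) * pre.y_increment + pre.y_origin for c in codes]


def volts_to_amps(volts: List[float], shunt_ohms: float) -> List[float]:
    """Ohm's law: the supply current is the current through the series shunt."""
    return [v / shunt_ohms for v in volts]


def sample_times(pre: Preamble, n: int) -> List[float]:
    """Time axis (seconds) for n samples, starting at the first sample."""
    return [i * pre.x_increment for i in range(n)]


def decode_current_trace(block: bytes, pre: Preamble, shunt_ohms: float) -> List[float]:
    """Full chain: raw SCPI block -> ADC codes -> volts across shunt -> amps."""
    return volts_to_amps(codes_to_volts(parse_definite_length_block(block), pre), shunt_ohms)


# Constructed sample: 8 samples at 100 MSa/s, 1 mV per code, code 128 = 0 V,
# 10 ohm shunt. Codes 129 and 131 stand in for the small current peaks of the slides.
SAMPLE_PREAMBLE = Preamble(x_increment=1e-8, y_increment=0.001, y_origin=0.0, y_reference=128)
SAMPLE_BLOCK = b"#208" + bytes([128, 128, 129, 131, 129, 128, 128, 128])
SHUNT_OHMS = 10.0

if __name__ == "__main__":
    amps = decode_current_trace(SAMPLE_BLOCK, SAMPLE_PREAMBLE, SHUNT_OHMS)
    for t, i in zip(sample_times(SAMPLE_PREAMBLE, len(amps)), amps):
        print(f"{t * 1e9:6.1f} ns  {i * 1e3:.3f} mA")
```

With these constructed numbers a 0.1 mA variation through the 10 Ω shunt is a 1 mV step, a single ADC code at this vertical scale, which is the practical reason the talk later calls such variations hard to catch; the shunt value trades that resolution against the voltage drop the target can tolerate on its supply.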

  46. AGENDA • Who We Are • Research context & goals • Electronic 101 for Security Guys • Proof of concept (soft, hard, …) • Our experiments • Results & Limits • Further researches (Prospective) • How to limit the risk • Conclusion

  47. Our Experiments #1: Does the code really impact the power consumption? #2: Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences in power analysis? #3: Why does the μC’s instruction pipeline impact the current consumption? #4: How to overcome pipeline issues for our goals? #5: Could we create a (sort of) ‘disassembler’ over electricity?

  48. Does the code really impact the power consumption? (Experiment #1)

  49. Does the code really impact the power consumption? (Experiment #1) • Result #1: We have a current consumption related to NOP instructions • In red: current during the execution • In blue: synchronization signal • In green: embedded system clock

  50. Does the code really impact the power consumption? (Experiment #1) • Result #1: Some values of our measurement • Max variation of current is around 0.1 mA = 0.0001 A • Low level of variation → difficult to catch
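To put the 0.1 mA figure of slide 50 in perspective, the Python below is an added example (not the authors' measurements) with entirely constructed data: a synthetic current trace carries a 0.1 mA rise while the target executes a short instruction sequence, buried in Gaussian noise with a standard deviation of 0.5 mA, five times the signal. Averaging N trigger-aligned captures divides the noise standard deviation by sqrt(N) while the signal stays the same, which is what turns a variation that is invisible in one capture into a measurable one; the same figure tells a defender how much noise a countermeasure would have to add before averaging stops being practical.

```python
"""Why a 0.1 mA variation is hard to see in one capture, and what averaging buys.

Added example, not the authors' measurements. All values are constructed:
a synthetic trace carries a STEP_MA rise during an 'active' window (the
instruction sequence of interest), buried in Gaussian noise of NOISE_MA.
Averaging N aligned traces divides the noise standard deviation by sqrt(N).
"""
import random
import statistics
from typing import Dict, List

N_SAMPLES = 200
ACTIVE = range(80, 120)   # samples during which the extra current flows
STEP_MA = 0.1             # the 0.1 mA variation reported on the slide
NOISE_MA = 0.5            # constructed noise standard deviation, 5x the signal


def simulate_trace(rng: random.Random, step_ma: float = STEP_MA,
                   noise_ma: float = NOISE_MA) -> List[float]:
    """One capture: 0 mA baseline, +step_ma inside the active window, plus noise."""
    return [(step_ma if i in ACTIVE else 0.0) + rng.gauss(0.0, noise_ma)
            for i in range(N_SAMPLES)]


def average_traces(traces: List[List[float]]) -> List[float]:
    """Point-wise mean of trigger-aligned traces."""
    n = len(traces)
    return [sum(t[i] for t in traces) / n for i in range(N_SAMPLES)]


def noise_std(trace: List[float]) -> float:
    """Noise estimate taken from the samples outside the active window."""
    quiet = [v for i, v in enumerate(trace) if i not in ACTIVE]
    return statistics.pstdev(quiet)


def step_estimate(trace: List[float]) -> float:
    """Estimated current rise: mean inside the window minus mean outside it."""
    active = [trace[i] for i in ACTIVE]
    quiet = [v for i, v in enumerate(trace) if i not in ACTIVE]
    return statistics.mean(active) - statistics.mean(quiet)


def averaging_gain(n_traces: int, seed: int = 1) -> Dict[str, float]:
    """Compare a single capture with the average of n_traces captures."""
    rng = random.Random(seed)   # seeded so the constructed data is reproducible
    traces = [simulate_trace(rng) for _ in range(n_traces)]
    avg = average_traces(traces)
    return {
        "single_noise_ma": noise_std(traces[0]),
        "single_step_ma": step_estimate(traces[0]),
        "avg_noise_ma": noise_std(avg),
        "avg_step_ma": step_estimate(avg),
        "expected_avg_noise_ma": NOISE_MA / n_traces ** 0.5,  # sqrt(N) rule
    }


if __name__ == "__main__":
    for n in (1, 25, 400):
        r = averaging_gain(n)
        print(f"{n:4d} traces: noise {r['avg_noise_ma']:.3f} mA "
              f"(theory {r['expected_avg_noise_ma']:.3f}), "
              f"step estimate {r['avg_step_ma']:.3f} mA")
```

With 400 captures the residual noise is about 0.025 mA, a quarter of the 0.1 mA step, so the step estimate lands close to its true value; with a single capture the same estimate is dominated by noise. Real captures also need a stable trigger (the synchronization signal of slide 49) so that the traces line up before averaging.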
