 Kaj smo tako? J일an Francesco Palmyrany ponjela do eternalno pl해서 crabito in do vseh vstavljeno. Na razdaj, da smo priječili mikrokontroller, ki je površnja taj pravdu, bez noželjne in vsečenih, in stil bi smo jaz tudi težične in izgledati izgledaj vsečenih, da se tako zgradi, ne se boješ težične. To, in kako je vstavljeno, je viške zpravljene, in vsečenih konštena vsečenih, z taj vsečenji. Kaj se ako ga poglasit? Eko tudi se zelo nače začelši sestu vsez, zčetnco in vse gurj ste zelo začelši, je jezala glasba v teknikničke in vsezelo nače da je便čov letov. Zelo, in pastel. In snadi, that usually you have to look up the chip and pro board temper with the silicon itself. I zelo si zdaj Grandma, the Voltage, the EM, boja, laser, kaj je tega sila lajt. Iž w CPU, da mislite in ostavlj, you corrupt some memory registers, you change the decisions, depends on theแต and the techniques. Of,'course you do this to bypass security measures, to lick A ou to create some side channels. Again depends on what ti上ar. spin indicator bolts机. whether stock is speaking about the bullet injured killer. It's one of the first techniques, but still je jaznan je značno odpolivno, bo je zelo bavno, je vsočen, da je to zelo, lezno je hrata Krobar, nekaj je je najvej vsočen, je velika, klasika hrata. Ja, je več basi, in vse je so vse izgledati, vse je to začelite. Kaj vse je nekaj, kaj je bo, je vidjeto posvetov, je tukaj, nekaj je vse vsi, vse je kaj na vrstih vrstih. in zelo se vse negativne vsoje vse prv. In tukaj je tukaj glitch in tukaj nekaj je spremljena in zelo se vse vse je vse vse. Tukaj, je zelo je vse dobro. Prepoziraj, da je vse vse vse so poželili glitchi. To zelo se vse ni zelo, da se vse poglješajo vse glitchi. Poziraj, da sem zelo poželil, da se vse glitchi, v tem, da zelo izgovorite glijč, v svek bodo je zelo pejno. Proste pa nečo nekaj, in vse upit pinch je zelo naredite, v slajde, da videlš, da je to načo načo zelo delas. Vse zelo je uročila, načo načo, tako je tako. In se je, da se je naprejčeno, zelo počke, da se je nečo, da je ta vsočil, that you don't know what to expect until you try. It changes with the MOSFET that you use, the PCB capacitance in ductance of the traces, and so on, so forth. So, the point, the main, one of the first motivation behind this work was that, yes, I know, voltage fault injection is all the pouring, there are better techniques. We all know that, still it is widely used. So, you should not underestimate that also, bo je beli za tudi. Svojo pače je, da bo si početno, da bo se dobro naredi, ne applause in reče, ne boš počešno, da se je počešno. Prokazanje reče, sekurete reče, je nekaj ne vrčo, ne boš početno dobro vrča. In se ta technika ne zelo držaj, ni odliči vrča. Na vrča dobro se bila početno, ne boš početno, da se početno dobro ne zelo, kot nekaj način. Na荈왔i Ken Brug, bo no prema svoji iličnie, bo je od companies in znojnočno, kako se osavil, vsak očenja, nami so nekaj doba, iskri za kot glič, in pripravimo soLetu, nekaj pristim počkamo, da je se pozna koriče, in želimo lageti, kako bi se prevljessi, da izvojajo, moh bo kot nekično, jo, če bo nekično, nekaj nekaj usava, in ko se da pa rečilo moj FoC, je to to bila za visi tudi na obočenj kroni, kako sem vse bo potrebna in tudi je se pesalo, nekaj sa nekaj kunem, 150 dolari z такšim poštym, so je pošlozno. Proč je s im. digitalally domelje, lebo je bilo jen take tako nekonek, beto in take voltega, ima te glige, ima te glige, čekaj pa pošli, tako smo so potrebe v vsevene in zelo, jad naredi, In v rentrišku, ker počutim ponikljaj bila, beto da so discurstkino večen, z kvaliko sa se boljlo beli, da se tem tudi so všibilo je jedna bitva. Sama tega chipa je nekaj, da se počutu, da bo to bilo ta velik pri vabivala. Tudi ne mortiš smo tako, ker si svečemo, jazzno je, porobno počutim, da se je čudno ošelja, da je počut, očorge svečen z vstajen, ma so počuti in svoji bov, ko je objev. Live, this can be a glitch. This is soft and gentle, you didn't think about this as a glitch. But actually, it worked in the paper. We used this kind of glitch for attacking a target, and there is a very specific reason for this, and you can find detail in the paper, but the point is that at the time we knew, by the literature, that rising and falling edges does affect the performance of the attack, the rising and falling edges of the glitch. In se greš, da nekaj sem kareda posledal v odpečnih. Svolg si da je bil vse vse zilj�ap zemi, v tom svoj dobri, vse je prič otvoril. Vse ješ je to ca više, ki so jih ne pa tudi. Hopast posleda drugstvih vse, do objah, ki je zelo tudi, ali Sad sem različilo pa ta hypothesis. To je broj vse pa vse je, da sem različila svoj dobri in vzice za vzice per meter, ali je pa, da smo vzice pošli, da sem jezitejno pošli, jezitejno jezitejno što je zelo več več svate, da jezitejno se obtimizat v zelo, zato ne zelo smo nežal pomembniti. In nek so postočili, nek so postočil genetik, ljubi, kjer je ti nezal pošli, kursovrmutaj, tudi, leženje stratage, nek so je odrečal, tašnja. Kaj je vse, da se vse zelo odpovrjajte vse pošli vzelo, da je vse učenje vse zelo in tudi zelo je zelo vse na vse, ko je zelo vse zelo, da je zelo vse na zelo, da je zelo vse zelo, da je zelo vse zelo, da je zelo vse zelo,� Guess idea a separate microphone to handle all the load level notification with the target to边 synchronize the trigger becah' no been just done that you want precise triggering. You want target specific instruction and time. Ad engineers at this point we had a set up and we had a way to optimize the parameter in inefficient way and at this time we had to test our two... I think one of the hypothesis was that the shape of the glitch affects the Wilk skill of the attack In po drugi, da se pričo svoje zrča komplek tegvje vsega tegvje, tako vzelo. A za to, da se vzelo, zelo smo vseh kajsokradov vsega, kaj je vsega, če je, da je dobro, ker je najvorej vsega, ker je vsega, ko je, da je zelo začel, in da je začel se kod, in začel se zdi, ker je da so vsega, nekaj je in tegvje. In pred 놓čenje, to je menej favoričen odbočenje pripočanje, je pri odpusti renesu 70k-ročnimi vse obremov, nekaj zelo včetno nas moraš vse tko automotijev. Imala tako dodal nRatim, ljudi vzolj, to je obrom vsega vkričena otebolj, zato je in zelenjna bolj Croider, pokazal nrachovana, zelo v pomevedenj taj pohvor selo. The problem, the first problem is that the bootloader code is in mass Chrome and we couldn't access it. It wasn't mapped to memory for the user. So we proceeded with a fully black box approach in the sense that we didn't know the bootloader code nor the code that was running on the micro. We just knew that we had this set of API available which was program arrays due to checksum and verify. In me additional security mechanism built in in in in all commands must operate on 256 aligned by memory. Align because you cannot move, you cannot shift the window, so it will be too easy. Or in production device we verify this, all the programming are disabled. So, actually what you have, you have just a check, and verify, and of course there is e-voltage supervisor to reset the chip. So, how do we manage to dump the flash? Well, the main problem is that there is no read command. As there is in other microcontrollers. And this is a problem because even if the device is unlocked, you cannot read back what you have just written. You can just verify it. So we try to use fold injection. We said, let's try to verify it just one by at a time. So it's easy, you first one by at a time and it goes on. Fail, of course. Then we try to use fold injection again to calculate the checksum of one byte. And it's easy, because as you can see, the checksum is just a subtraction from a constant, which is then x1000. So, basically the checksum of one byte itself failed. Then, again, we tried with two bytes, three bytes, until we ended up with four bytes. And we succeeded in calculating the checksum, still aligned, so we couldn't move the window by one byte at a time. I don't know actually why four bytes, because I don't have access to the code. Maybe there is some checks that we were able to bypass, but we tried a lot and a lot. And we were also able to verify four bytes at a time. So now we have an oracle, which is not enough to extract information and we have the sum of four bytes. This is not enough to extract the full flash memory. So we now have to lick some bytes from the flash memory itself, right? So we have to create some side channel and we're from, of course, the checksum computation, because this is the only function that gives you a result based on what is stored on the memory. So the first glitch, as I said, was used to bypass the check and let it run on four bytes only. And the second glitch was used to temper with skipping or corrupting the subtraction of just one byte of the four in the loop. So now we have the sum of three bytes, the sum of four bytes, and it's easy to get the missing one. So now you might say, okay, it's not that difficult attack. You just iterate for this over and over all the bytes and you're done, except it's not the case because we had a lot of timing errors. Some of them was probably caused by the clock differences, clock issues, but mainly I guess it was caused by the synchronization with the microcontroller because we synchronized on the bootloader commands that we are sending to the microcontroller. And the point is that if you get this 10 microsecond window, okay, if you inject a glitch in there, usually you get a result, which is one of the bytes extracted with a given probability. So again, you might say, okay, use statistic metrics, just to you get the right one in the right place, okay. The problem is that we had a lot of false positives because when you have timing errors, sometimes you target the wrong instruction, you corrupt something, and you get a value that might not be even in the flash memory itself, okay. So we cannot distinguish if we have good values, bad values, and where they belong to. So this is a problem. So how did we solve this? Well, first of all, we calculate the sum of the first four bytes, which like in this case, in this example is x66 using fault injection, and again, we move the trigger position in that window, okay, over and over, glitching again, again, and for every bytes that we extracted, okay, and this window, we find all the four bytes permutation with the new bytes and the previous one, of course, and the point is that we can do an early out by discarding those permutation with does not sum to x66. This is an effect, okay, and then for the other, we just have to iterately, you know, glitching every time, the verify command to test all the other combination and you stop this process when you, of course, get a verify that is successful and you have found the four bytes. Then you move along for the next four, and next four, again, this process takes hours because lots of glitches are involved, but it works. Anyway, I think, okay, just script it, let it on day and night, and this is what we did, but during the day it worked well, during the night it stopped working, I always say, come on, who is temporary with my attack during the night at the university? That wasn't the case because we realized that, yeah, the bootloader was running from the internal oscillator, maybe because it was avoiding, you know, the clock glitching attacks, and it is known that our oscillators drift with temperature, the rate in this case is 0.1% per degree Celsius, so if during the day you have a temperature and then during the night it raises by, let's say in this example, six degrees Celsius, which is common if you turn off the cooling, the trigger moved by four microsecond, and this is quite a lot if you look at the chart because you can see that you move over this window, so you're not getting any bytes anymore, so we could have put all the setup in a controlled temperature environment, but it was much more easy for us just to measure the temperature, characterize the variation, and compensate for the glitch continuously for the temperature variation. This worked quite well because, I mean, we were able to automatically dump the whole flash memory. The problem is that, yes, here you can see we compared the times in the performance for our technique and the MOSFET that I showed you before, the pulse one that actually you can think about as our technique, so generating the glitch, but not with an arbitrary waveform, but a fixed one, just pulse, okay, and our technique, of course. The point is that for just 60 kilobytes, the MOSFET takes six days and a half to complete, and our technique takes two days and a half, which is quite a lot, but still it is a 63% improvement, which is not bad if you consider that we are talking about the same fault injection techniques, so this is on optimization, and we are also much more efficient, five time more efficient, because on the MOSFET it takes 18 million glitches to complete the process on our techniques, 3.3 million, which is a lot, and this is particularly important because, yes, this is a very complex attack, and also in the process you might damage the target, damage the chip, and it happened, so you want sometimes to reduce the number of glitches because your target might be expensive or difficult to get on the market, okay, and we are also more reliable in the sense that we produce less false positive, less false positive means less combination to test, and less combination to test mean that you have to inject less glitches to verify them, okay, so we are faster, more efficient, and more reliable with respect to the other technique, and here you can see we compare the, okay, the point was now we have kind of shown that there is a correlation between, you know, specific glitch waveform and the performance of the attack, okay, and here we can see that also different vulnerabilities that we use the best perform with their own specific glitch waveform, and all this waveform was automatically found out with the genetic algorithm, so there might be better one, of course, but these work quite well, and it is interesting to compare them with the shapes from the other techniques, and you can see that, you know, there is some similarities, the lowest peak is kind of similar, but there are also differences before and after, so I guess that confirm that the fact that, you know, rising up falling edges does affect the performance of the attack, we actually don't know how the mechanism, how does it work, this is left as a future work because we need some more specific equipment because you have to measure the propagation of the signal inside the chip, the silicon and things like that, but now we were, at least we are able to say, yes, there is still a correlation, so our contribution summing up are, yes, we studied the effect of using arbitrary glitch waveform, not just pulse or square waves for the performance of voltage fault injection attacks, and yeah, we also provided a method using genetic algorithm to automatically, you know, calculate and derive and optimize all the attack parameters, which are a lot, because you have to find also an actual waveform, and we didn't just found one attack on the renaissance, we were able to jump the flash of six microcontrollers from pre-manufacturer, ST Micro, Texas, and renaissance, and finally, we did a comparison with the other voltage fault injection techniques, as I show you. So, thank you very much. We have time for a couple of questions. Temperature affecting not only your setup, but people are freezing. I have a question. Do you plan to open source the setup? So, if someone want to replicate this setup, is it possible, it's easy? Yeah, yeah, it's quite easy. Sam has already emailed me asking about that. We had a plan, the problem is on one side that we are on NDA with a company about, you know, the actual code, which is expiring now, and also I have been a little bit busy because I wanted to do before, but before the end of the year, I plan to, you know, provide the schematic and the code and everything on GitHub, so, yes. Okay. Question? Thank you for presentation. And I think that your arbitrary wave generator gradient injection system have a low impedance amplifier to inject the power line, power line. So, I want to know the frequency response of the amplifier and output impedance of the amplifier. Can you repeat, sorry, because last part, just. Output impedance, impedance. Yeah, sure. The value of the output impedance, you mean? Impedence, yeah, so. Actually, I don't recall the exact number, okay, of the output impedance. Well, in our experiment, we didn't use the full PCB, we soldered the chip and used a smaller board to, you know, avoid long traces and things like that. And in the chip that actually you can, that expose you, the internal voltage regulator, we bypassed it, okay, to avoid, you know, because of course anything that is put in between the generator and the core itself is altering the waveform, of course, yes. This was, I mean, a very chip set up, it can be do absolutely better. Okay. Also, if you want to raise in frequency and. So, the schematic of the amplifier system is available online? Yeah, it actually based on application note from TI. If I'm not wrong, I can tell you later, but it will be part of the published material online. I'll tell you later, yes. Thank you. You're welcome. Thanks the speaker again. Thank you.