Applied Glitching of Real-World Hardware Targets
Learn how to glitch real-world hardware targets in this four day live training.
This course is designed as the most comprehensive overview of glitching as it applies to modern hardware platforms. This course is entirely practical and the techniques and targets covered in this course can be applied to millions of products around the world. This is due to the fact that the targets are so popular, but also because of how applicable these techniques are in practice.
This course will demonstrate low-level glitching attacks against four popular hardware targets. The targets will have increasing security and complexity, hence, the attacks will grow in terms of complexity as well. All targets will be instrumented and attacked live as part of the course. The targets include some of the world’s most popular microcontroller families, glitching and defeating TrustZone, as well as, attacking a popular SoC. This course is ideally suited for both hardware engineers who wish to better understand potential security issues that may exist in hardware implementations and software security engineers who may lack experience in analyzing hardware and embedded systems.
Physical attacks against secure embedded systems are extremely effective because hardware vendors and more importantly component manufacturers fail to take them into consideration. Vulnerabilities such as those that are exploited by clock and voltage glitching attacks lie within the underlying hardware components and cannot be patched in the device firmware. Often these vulnerabilities exist with the device's ROM which can no longer be altered after manufacturing. Most importantly such attacks can be leveraged for extracting a device's firmware even if the underlying hardware security has been enabled.
On many platforms it is not only possible to extract the firmware using this methodology but it's also possible to extract the underlying ROM firmware that is executed during boot. This firmware is commonly referred to as the device or component BootROM. Because the BootROM cannot be patched, software vulnerabilities identified within the BootROM can lead to a permanent compromise of devices in the field. Some notable BootROM exploits include the iPhone Checkm8 exploit as well as the Nintendo Switch hack.
Although it is not absolutely required, participants are encouraged to attend Introduction to Hardware Hacking and Reverse Engineering and Hardware Hacking and Instrumentation with FPGAs prior attending this course. These courses cover many of the basics that are required for developing and exploiting the vulnerabilities covered during this course. Nevertheless, this course will cover all the steps required to perform the attacks against the targets listed below and does provide several concrete examples of these attacks against real targets. Hence, this course is also encouraged for design engineers and system architects that are not yet familiar with these attacks. As part of the Advanced Security Training online platform, students will be provided recordings of the course, should they decide to try any of these attacks at a later date.
- Glitching theory
- Supply voltage versus device performance
- Clock glitching
- Voltage glitching
- Power Analysis of targets
- Devices with multiple power supply rails
- Clock sources, internal oscillators and PLLs
- Alternative BootROM extraction techniques
- System boot flow and BootROM
- JTAG, low-level Bootloaders and BootROM bootloaders
- Fuses, Option Bytes, Read-out Protection and other security configuration bits
- Necessary lab equipment
- Instrumentation techniques
- Resetting and power-cycling targets
- FPGA instrumentation techniques
- Proprietary and Open-source FPGA workflows
- Optimization through HDL code generation
- Common pitfalls
In addition to a case-study on the first day will cover all the necessary theory behind glitching, instrumentation and the underlying BootROM firmware. Each day will include a case study which will involve a live demo of developing, setting up and executing a glitch attack against a particular target. Students will be encouraged to follow along with the interactive live demos and will be provided all the materials to be able to subsequently perform these attacks themselves. The targets will include a common microcontroller with an extremely vulnerable bootloader, a microcontroller requiring multiple glitches to exploit the firmware, a common microcontroller with TrustZone, as well as a popular SoC.
The first day is designed as a crash course in glitching theory, how clock and voltage affect the devices performance and behavior as well as all the necessary equipment and steps to interface and communicate with devices. Additionally, this day will examine a target with arguably the most documented vulnerabilities of the targets analyzed during the course, namely the NXP LPC13 and the NXP LPC17 families of microcontrollers. In addition to voltage glitching, the LPC17 family is also susceptible to clock glitching. This case study will demonstrate the effectiveness of both methods of glitching, as well as potential mitigation techniques.
The STMicroelectronics STM32 family of microcontrollers is arguably the most popular ARM Cortex M3 microcontroller family on the market. The STM32 has been a popular microcontroller in devices ranging from IoT and automotive to Industrial Control Systems (ICS) and hardware wallets. The STM32F2 is an interesting case study as it has a similar supply circuit to larger System-on-Chips (SoCs). Additionally, it contains multiple vulnerabilities in it's BootROM. By chaining multiple vulnerabilities together it is possible to downgrade the security level of the device, re-enable debugging, as well as, bypass the device's protection mechanisms to readout the device's firmware from flash.
More and more CPUs and microcontrollers now implement privileged execution environments. One of the most prominent one's is ARM's Trustzone. The Microchip SAML11 is one of the first and most popular ARM Cortex-M microcontrollers to include TrustZone-M. Because much of the context switching and enforcement is implemented in the underlying BootROM firmware, it is also vulnerable to glitching. This day will cover how glitching can be applied to secure systems implementing Trustzone and in particular how the security offered by TrustZone can be broken with physical attacks.
Many people assume that SoCs are less susceptible to physical attacks due to their complexity, this is not necessarily true in practice. Although the additional complexity of the silicon allows for more mitigations, these can have adverse effects on performance and/or cause devices to fail in the field. Many IC vendors do not offer a high enough level of security during boot. This is compounded with the fact that system integrators may choose to leave security completely disabled, even in a production scenario. As a result, most SoCs boot with many security features disabled. Moreover, important features such as the PLL are not enabled in the BootROM, but significantly later during boot. A case study of the NVIDIA Tegra X1 BootROM vulnerability will be demonstrated on the last day.
- An HTML5 compatible browser for live streaming and playing recordings
- A PC or Mac capable of running virtual machines (VMware Workstation, Fusion and Player are encouraged, but other VM software will work as well).
- A VM provided by the trainers will be sufficient to participate in all interactive parts of the live class.
- A VM with all the tools required for the course (the VM will be distributed 1-2 days before the start of the course).
- A list of hardware used during the class that is required for the attacks will be provided to students. The hardware is necessary for students who wish to reproduce the attacks demonstrated during the course themselves.
- Binaries of all the test firmware used during the course.