Hardware Hacking with FPGAs

Learn how to instrument hardware from python and attack and analyze other hardware targets using Xilinx 7-series FPGAs.

Training starting at $1,800.00 with one of our subscriptions

Language: English

Embark on an immersive learning adventure in hardware security that caters to information security professionals and engineers. This course is designed to uncover hardware vulnerabilities, enhance your black-box analysis skills, and explore low-level hardware attacks against secure embedded systems. It offers a unique hybrid hardware/software workflow, leveraging a combination of Python and FPGAs to identify and exploit hardware security vulnerabilities in various domains such as embedded devices, automotive systems, and IoT.

Throughout the course, you'll integrate RiscV softcores into your designs and learn to implement timing-critical components using Verilog HDL. You'll also gain hands-on experience in instrumenting, analyzing and exploiting hardware with FPGAs and with Python, facilitated by the free and open-source Spearf1sh Embedded Linux Distribution. This comprehensive training will broaden your skill set and familiarize you with techniques such as instrumenting brute-force attacks, side-channels and timing analysis, glitching and reverse-engineering. The course includes practical assignments that allow you to work on real hardware, providing valuable insights into the intricacies of hardware security.

No specific prerequisites are needed to enroll in this course, apart from a basic programming background. The course covers essential electrical engineering knowledge, ensuring you'll have all the skills necessary to instrument targets effectively. With a focus on hands-on learning, you'll explore FPGA development, Verilog HDL, RiscV, Hardware Brute-Forcing, Side-Channel Attacks, Glitching and more! By the end of the course, you'll have a comprehensive toolkit of skills, empowering you to analyze and attack any hardware device.

Topics

  • Common hardware vulnerabilities
  • FPGA Implementation and Debugging
  • HDL Development
  • Block-Design Flow
  • Generation and Integration of IP
  • RiscV Soft Cores
  • RiscV Implementation and debugging
  • Test and Measurement Equipment (Oscilloscopes, Logic Analyzers)
  • Brute-Forcing Embedded Protocols
  • Man-in-The-Middle (MITM) of protocols
  • Side-Channel Analysis via a Timing Side-Channel
  • Glitching

Theory and Introduction

Day 1 will cover all the theory and background required for participants to complete the course. The theory will be accompanied by multiple-choice assignments for participants to self-evaluate their understanding of the theory.

  1. Theory/Basics

    • Recommended literature
    • Machine-To-Machine Communication
    • Logic 101
  2. Combinatorics

    • Sequential & combinatorial logic
    • Finite State machines (FSM)
    • Logical functions & arithmetic computation
    • Logic optimization
  3. Verilog 101

    • UART FSM
    • HDL equivalent for FSM
    • Testing and verification of RX/TX
  4. Hardware Logic Implementation

    • Electronics 101
    • ASICs, TTL-Logic
    • FPGAs, CPLDs
    • Hard vs. Soft Macros
    • I/O, Tristates
  5. FPGA/ASIC Development Workflow

    • Behavioral simulation
    • Synthesis
    • Place and Route
    • Timing simulation
  6. Gotchas

    • Design constraints
    • Optimization
    • Best practices
    • Safety and electronics

Assignment 1: Blinkies

At the end of Day 1 participants will implement a number of small assignments to fully understand how to translate the theory and programming constructs into synthesizable bitstreams to run on the FPGA.

Assignment 2: Brute-Forcing

On Day 2, students will brute-force a PIN using the FPGA. Students must identify the vulnerability in the implementation that allows them to bypass the timeout during a password prompt. Students will implement a solution in three variants: a combination of the FPGA and Python, the FPGA alone in HDL, and a RiscV softcore running their application to brute-force the PIN.

Assignment 3: Timing Analysis of strcmp

The goal of this assignment is to familiarize participants with the advantages of programmable logic platforms, in particular their predictable timing behavior. Participants will analyze a vulnerable RiscV application that prompts the user for a password and retrieve the password by performing a timing analysis attack against the target.
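To show why a strcmp-style password check is a timing side channel and what the fix looks like, here is an added example (not code from the course or from Spearf1sh). It models a PIN check in C: the early-exit version stops at the first mismatching byte, so the number of byte comparisons (a stand-in for the cycle count an analyst would measure on a deterministic target) grows with the length of the correct prefix. The hardened version always compares the full secret. The secret PIN, the guesses and the step counters are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed secret for the demonstration; a real device would hold it in
   non-volatile memory. */
static const char SECRET_PIN[] = "7391";

/* Early-exit check in the style of strcmp: returns 1 on match, 0 otherwise.
   *steps receives the number of byte comparisons performed; it depends on how
   many leading bytes of the guess match the secret, which is the leak. */
int check_pin_early_exit(const char *guess, size_t *steps)
{
    size_t n = 0;
    for (;;) {
        n++;                                        /* one compare "cycle" */
        if (SECRET_PIN[n - 1] != guess[n - 1]) { *steps = n; return 0; }
        if (SECRET_PIN[n - 1] == '\0')         { *steps = n; return 1; }
    }
}

/* Hardened check: copy the guess into a fixed zero-filled buffer (bounded by
   the guess's own terminator, not by the secret), then OR together the XOR of
   every secret byte. There is no secret-dependent early exit, so *steps is
   always the secret length. C gives no constant-time guarantee, so the
   generated code still has to be inspected on the real target. */
int check_pin_constant_time(const char *guess, size_t *steps)
{
    const size_t len = sizeof(SECRET_PIN) - 1;
    uint8_t buf[sizeof(SECRET_PIN)] = {0};
    size_t glen = 0, i;

    while (glen < sizeof(buf) && guess[glen] != '\0') {
        buf[glen] = (uint8_t)guess[glen];
        glen++;
    }
    uint8_t diff = (uint8_t)(glen != len);          /* wrong length => mismatch */
    for (i = 0; i < len; i++)
        diff |= (uint8_t)(buf[i] ^ (uint8_t)SECRET_PIN[i]);

    *steps = len;
    return diff == 0;
}

/* Convenience wrappers returning only the step count. */
size_t early_exit_steps(const char *guess)
{
    size_t s; check_pin_early_exit(guess, &s); return s;
}
size_t constant_time_steps(const char *guess)
{
    size_t s; check_pin_constant_time(guess, &s); return s;
}

int main(void)
{
    /* Constructed guesses with a growing correct prefix. */
    const char *guesses[] = { "0000", "7000", "7300", "7390", "7391" };
    for (size_t i = 0; i < 5; i++)
        printf("%s  early-exit steps=%zu  constant-time steps=%zu\n",
               guesses[i], early_exit_steps(guesses[i]),
               constant_time_steps(guesses[i]));
    return 0;
}
```

Running it prints a step count that rises by one for each additional correct leading digit in the early-exit column, while the constant-time column stays at 4 regardless of the guess; that difference is what the assignment measures on real hardware, and removing it is the mitigation.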

Assignment 4: Clock Glitching

The final assignment will familiarize participants with clock glitching and glitching in general. Participants will devise and implement an attack that synchronizes to the input they generate from Python, and will implement the glitching logic in HDL.

Class Requirements

Participants should have some familiarity with a scripting language such as Python. This course is suitable for people who are new to hardware security and electronics. All the theory and concepts related to electronics, HDL and debugging will be explained during the course.

Hardware Requirements

Students without the hardware can complete most of the assignments either by using the virtual machine provided during the class or by running the Vivado development environment locally on their systems. We do, however, encourage people to purchase one of the Spearf1sh compatible platforms.

Spearf1sh Compatible Platforms

Spearf1sh Linux has been tested on and is supported on the following Xilinx Zynq 7020 based platforms. These can be purchased from multiple vendors and are regularly available from the Digilent store, Digikey, Farnell and Element 14, Mouser, and sometimes on Amazon, Ebay and Aliexpress.

  1. Digilent Pynq Z1 (Recommended)
  2. Digilent Arty Zynq Z7-20 (only the Arty Z7-20 is supported, the Arty Z7-10 is not!)
  3. TUL Pynq Z2

Additional Requirements

  • A machine capable of running virtual machines, or a machine on which you have installed the Xilinx Vivado/Vitis IDE (instructions will be provided before the class).
  • 8GB RAM required, at a minimum.
  • Approximately 80-120GB of free space for the FPGA development tools.

Training by Dmitry Nedospasov

Dmitry is a hardware hacker, hardware design engineer, security researcher, speaker, and reverse engineer. Dmitry did his PhD in the field of IC security and PUFs.

Feedback by

Dan

24 June 2020

Advanced Security Training was great for me and my team. It’s rare to see a training that, within a few days, teaches the practical techniques to actually hack common devices AND the background concepts to understand what you're doing and why it works. The virtual format seemed like it might be a hurdle but I found myself enjoying the added flexibility more than the in-person variant thanks to the careful preparation of the training team.

Feedback by @red5heep

19 May 2020

I took the "Introduction to FPGA" training as a newbie in the field. Dmitry started from the basics, bringing me to a level to allow me to experiment by myself: the training touched all the most important concepts and gave a lot of practical tips and tricks: funny and challenging at the same time. The "2-days" format was perfect for me: it gave me a great overview and now it's up to me to deep dive into the technology.

Feedback by

Subu

21 May 2020

The streaming format was flawless. The chat was effective. Dmitry is adaptive to the needs of the students and spent an inordinate amount of time till the basic concepts of Verilog were drilled in with many, many exercises. This was never mentioned in the class description but something that will prove more useful than anything else.

Feedback by

Subu

07 June 2020

Dmitry's enthusiasm for the subject matter is boundless. He makes sure that the concept is first drilled in and explains everything in detail. He doesn't treat any question as stupid. I particularly liked that he wrote all the code from scratch, live -- instead of just dumping some power point slides and just reading through them. The live online format was exceedingly smooth and access to complete recordings of the sessions is an added bonus.

Feedback by

Anonymous

03 June 2021

This course started from the basics of using an FPGA to glitch chips. I had been looking to join this type of training for a long time. Highly recommended.

Can't attend? All of our trainings are also available as a private classes for your company.

Access all of our classes and professionally edited recordings.
Courses are offered multiple times in different timezones.