Hardware Hacking with FPGAs
Learn how to instrument hardware from Python, and how to attack and analyze other hardware targets, using Xilinx 7-series FPGAs.
Embark on an immersive learning adventure in hardware security that caters to information security professionals and engineers. This course is designed to uncover hardware vulnerabilities, enhance your black-box analysis skills, and explore low-level hardware attacks against secure embedded systems. It offers a unique hybrid hardware/software workflow, leveraging a combination of Python and FPGAs to identify and exploit hardware security vulnerabilities in various domains such as embedded devices, automotive systems, and IoT.
Throughout the course, you'll integrate RiscV softcores into your designs and learn to implement timing-critical components using Verilog HDL. You'll also gain hands-on experience in instrumenting, analyzing and exploiting hardware with FPGAs and with Python, facilitated by the free and open-source Spearf1sh Embedded Linux Distribution. This comprehensive training will broaden your skill set and familiarize you with techniques such as instrumenting brute-force attacks, side-channels and timing analysis, glitching and reverse-engineering. The course includes practical assignments that allow you to work on real hardware, providing valuable insights into the intricacies of hardware security.
No specific prerequisites are needed to enroll in this course, apart from a basic programming background. The course covers essential electrical engineering knowledge, ensuring you'll have all the skills necessary to instrument targets effectively. With a focus on hands-on learning, you'll explore FPGA development, Verilog HDL, RiscV, Hardware Brute-Forcing, Side-Channel Attacks, Glitching and more! By the end of the course, you'll have a comprehensive toolkit of skills, empowering you to analyze and attack any hardware device.
Topics
- Common hardware vulnerabilities
- FPGA Implementation and Debugging
- HDL Development
- Block-Design Flow
- Generation and Integration of IP
- RiscV Soft Cores
- RiscV Implementation and debugging
- Test and Measurement Equipment (Oscilloscopes, Logic Analyzers)
- Brute-Forcing Embedded Protocols
- Man-in-The-Middle (MITM) of protocols
- Side-Channel Analysis via a Timing Side-Channel
- Glitching
Theory and Introduction
Day 1 will cover all the theory and background required for participants to complete the course. The theory will be accompanied by multiple-choice assignments with which participants can self-evaluate their understanding of the theory.
- Theory/Basics
  - Recommended literature
  - Machine-To-Machine Communication
  - Logic 101
- Combinatorics
  - Sequential & combinatorial logic
  - Finite State machines (FSM)
  - Logical functions & arithmetic computation
  - Logic optimization
- Verilog 101
  - UART FSM
  - HDL equivalent for FSM
  - Testing and verification of RX/TX
- Hardware Logic Implementation
  - Electronics 101
  - ASICs, TTL-Logic
  - FPGAs, CPLDs
  - Hard vs. Soft Macros
  - I/O, Tristates
- FPGA/ASIC Development Workflow
  - Behavioral simulation
  - Synthesis
  - Place and Route
  - Timing simulation
- Gotchas
  - Design constraints
  - Optimization
  - Best practices
  - Safety and electronics
Assignment 1: Blinkies
At the end of Day 1 participants will implement a number of small assignments to fully understand how to translate the theory and programming constructs into synthesizable bitstreams that run on the FPGA.
Assignment 2: Brute-Forcing
On Day 2, students will brute-force a PIN using the FPGA. Students must first identify the vulnerability in the implementation that allows the timeout on the password prompt to be bypassed. They will then implement the brute-force attack in three ways: with the FPGA driven from Python, purely in HDL on the FPGA, and as an application running on the RiscV soft core.
Assignment 3: Timing Analysis of strcmp
The goal of this assignment is to familiarize participants with the advantages of programmable logic for timing measurement: because the FPGA's behaviour is cycle-accurate and predictable, it can measure the target's response time without the jitter a host operating system would add. Participants will analyze a vulnerable RiscV application that prompts the user for a password and retrieve the password by performing a timing-analysis attack against the target.
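As an added illustration of the attack this assignment describes (example code written for this page, not the course's target or solution), the following Python simulates an early-exit compare next to its constant-time replacement and recovers the secret from timing alone. The secret, the candidate alphabet, the cycle costs, the padding byte and the assumption that the password length is known are all constructed for the example:

```python
# Added example, not part of the course material: a timing attack against an
# early-exit byte-wise compare (the strcmp pattern), simulated with a
# deterministic cycle counter standing in for the FPGA's cycle-accurate
# measurement. The target, its secret and the cycle costs are constructed
# assumptions; nothing here is taken from the course's actual RISC-V target.
import string
from typing import Callable, Optional, Tuple

SECRET = b"g0ld3n"            # constructed secret; the attacker only sees timing
CYCLES_FIXED = 40             # assumed fixed overhead per compare call
CYCLES_PER_BYTE = 7           # assumed cost of each byte comparison

# Candidate bytes tried at each position; the secret is assumed to be drawn from it.
ALPHABET = (string.ascii_letters + string.digits).encode()
# Padding for not-yet-guessed positions; assumed never to occur in the secret.
PAD = b"\x00"

Probe = Callable[[bytes], Tuple[bool, int]]


def leaky_strcmp(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Vulnerable compare: stops at the first mismatching byte.

    Returns (match, cycles). The cycle count grows with the number of
    leading bytes that match, which is the side channel.
    """
    cycles = CYCLES_FIXED
    for s, g in zip(secret, guess):
        cycles += CYCLES_PER_BYTE
        if s != g:
            return False, cycles
    return len(secret) == len(guess), cycles


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Hardened compare: walks every byte and accumulates the difference, so
    the cycle count depends only on the lengths, not on where they differ."""
    cycles = CYCLES_FIXED
    if len(secret) != len(guess):
        return False, cycles
    diff = 0
    for s, g in zip(secret, guess):
        cycles += CYCLES_PER_BYTE
        diff |= s ^ g
    return diff == 0, cycles


def recover_password(length: int, probe: Probe) -> Optional[bytes]:
    """Recover the secret one byte at a time from the probe's timing.

    For each position, every candidate is tried with the known prefix and
    PAD for the rest. Against the leaky compare, the correct candidate is
    the only one that survives one comparison longer; the last byte is
    confirmed by the match flag. Returns None if no candidate stands out,
    which is what happens against the constant-time compare.
    """
    known = bytearray()
    for pos in range(length):
        timings = {}
        for c in ALPHABET:
            guess = bytes(known) + bytes([c]) + PAD * (length - pos - 1)
            matched, cycles = probe(guess)
            if matched:
                return bytes(guess)
            timings[c] = cycles
        slowest = max(timings.values())
        winners = [c for c, t in timings.items() if t == slowest]
        if len(winners) != 1:
            return None          # no timing leak at this position
        known.append(winners[0])
    return None


if __name__ == "__main__":
    print(recover_password(len(SECRET), lambda g: leaky_strcmp(SECRET, g)))
    print(recover_password(len(SECRET), lambda g: constant_time_compare(SECRET, g)))
```

Against `leaky_strcmp` the correct byte at each position is the single slowest candidate, because the compare runs one byte further before bailing out; against `constant_time_compare` every candidate costs the same number of cycles and `recover_password` gives up with None. On real hardware the equivalent measurement would be an FPGA counter started when the last byte of the guess is transmitted and stopped on the target's response, which is what makes a difference of a handful of cycles resolvable at all.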
Assignment 4: Clock Glitching
The final assignment introduces clock glitching, and glitching (fault injection) in general. Participants will devise and implement an attack in which the glitch is synchronized to the input they generate from Python, and will implement the glitching logic itself in HDL.
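As an added illustration (example code written for this page, not the course's HDL), here is a cycle-level Python model of the glitch controller the HDL has to implement: it waits for a trigger edge, counts a programmable delay, then inverts the target clock for a programmable width. A model like this can serve as the reference a Verilog testbench is checked against. The clock-divider ratio, the delay and width values and the XOR insertion style are assumptions made for the example:

```python
# Added example, not part of the course material: a cycle-level behavioural
# model of a clock-glitch controller of the kind the assignment asks for in
# HDL. All timing is in cycles of a fast FPGA clock; the target clock is
# derived from it by division. TARGET_DIV, the delay/width values and the
# XOR insertion style are illustrative assumptions, not settings from the
# course target.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

TARGET_DIV = 4   # assumption: target clock = fast clock / 4 (2 cycles high, 2 low)


@dataclass
class GlitchParams:
    delay: int   # fast cycles from the sampled trigger edge to the glitch (>= 1)
    width: int   # fast cycles the glitch is held (>= 1)

    def __post_init__(self) -> None:
        if self.delay < 1 or self.width < 1:
            raise ValueError("delay and width must be at least one cycle")


class GlitchController:
    """One-shot glitch FSM: IDLE -> DELAY -> GLITCH -> DONE.

    `arm` is the Python-side enable. The controller fires once per arming
    and ignores further trigger edges until `arm` is dropped and raised
    again, so a noisy trigger line cannot fire a second, unintended shot.
    """
    IDLE, DELAY, GLITCH, DONE = range(4)

    def __init__(self, params: GlitchParams) -> None:
        self.p = params
        self.state = self.IDLE
        self.remaining = 0
        self.prev_trigger = 0
        self.cycle = 0

    def step(self, arm: int, trigger: int) -> Tuple[int, int]:
        """Advance one fast-clock cycle; return (glitched_clk, glitch_active)
        as seen at the end of that cycle."""
        rising = trigger and not self.prev_trigger
        self.prev_trigger = trigger

        if self.state == self.IDLE:
            if arm and rising:
                self.remaining = self.p.delay
                self.state = self.DELAY
        elif self.state == self.DELAY:
            self.remaining -= 1
            if self.remaining == 0:
                self.remaining = self.p.width
                self.state = self.GLITCH
        elif self.state == self.GLITCH:
            self.remaining -= 1
            if self.remaining == 0:
                self.state = self.DONE
        elif self.state == self.DONE:
            if not arm:
                self.state = self.IDLE

        glitch = 1 if self.state == self.GLITCH else 0
        # Divided target clock: high for the first half of each period.
        base_clk = 1 if (self.cycle % TARGET_DIV) < TARGET_DIV // 2 else 0
        self.cycle += 1
        # XOR insertion: inverting the clock for `width` cycles adds an extra
        # edge whatever phase the clock is in, shortening one period, which
        # is what violates the target's setup time.
        return base_clk ^ glitch, glitch


def simulate(params: GlitchParams, arm: Sequence[int],
             trigger: Sequence[int]) -> Tuple[List[int], List[int]]:
    """Drive the controller with per-cycle arm/trigger traces."""
    ctl = GlitchController(params)
    clk_out: List[int] = []
    glitch_out: List[int] = []
    for a, t in zip(arm, trigger):
        c, g = ctl.step(a, t)
        clk_out.append(c)
        glitch_out.append(g)
    return clk_out, glitch_out


def pulse(length: int, *at: int) -> List[int]:
    """Constructed single-cycle trigger pulses at the given cycle indices."""
    trace = [0] * length
    for i in at:
        trace[i] = 1
    return trace


if __name__ == "__main__":
    clk, glitch = simulate(GlitchParams(delay=3, width=1), [1] * 12, pulse(12, 3))
    print("clk    ", "".join(map(str, clk)))
    print("glitch ", "".join(map(str, glitch)))
```

The `arm`/`trigger` handshake is where synchronization to the Python-generated input lives: Python arms the controller, sends the input that produces the trigger, and reads back whether the shot fired. In a real campaign `delay` and `width` are swept over a range, and the fast-clock frequency bounds how finely the glitch can be placed.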
Class Requirements
Participants should have some familiarity with a scripting language such as Python. This course is suitable for people who are new to hardware security and electronics: all the theory and concepts related to electronics, HDL and debugging will be explained during the course.
Hardware Requirements
Students without the hardware can complete most of the assignments either by using the virtual machine provided during the class or by running the Vivado development environment locally on their own systems. We do, however, encourage participants to purchase one of the Spearf1sh-compatible platforms.
Spearf1sh Compatible Platforms
Spearf1sh Linux has been tested on, and supports, the following Xilinx Zynq-7020 based platforms. They can be purchased from multiple vendors and are regularly available from the Digilent store, Digikey, Farnell and Element14, and Mouser, and sometimes on Amazon, eBay and AliExpress.
- Digilent Pynq Z1 (Recommended)
- Digilent Arty Zynq Z7-20 (only the Arty Z7-20 is supported, the Arty Z7-10 is not!)
- TUL Pynq Z2
Additional Requirements
- A machine capable of running virtual machines, or a machine with the Xilinx Vivado/Vitis IDE installed (instructions will be provided before the class).
- At least 8 GB of RAM.
- Approximately 80 to 120 GB of free disk space for the FPGA development tools.