Glitching and Fault Injection
Learn how to glitch real-world hardware targets in this live training.
This course is designed to be a comprehensive introduction to fault injection and glitching as it applies to modern hardware platforms. This course is largely practical and will cover all of the steps required to perform fault injection. The techniques and targets covered in this course can be applied to millions of products around the world, both because the targets are so popular and because of how applicable these techniques are in practice.
Course Description
This course will demonstrate low-level glitching attacks against two popular hardware targets. The targets will have increasing hardware and security complexity and thus will require increasing complexity for the attack. All targets will be instrumented and attacked live as part of the course. This course will utilize the Spearf1sh embedded analysis platform to perform the attacks. It is recommended that participants use this course as a reference for performing the attacks at a later date. This course is ideally suited for both hardware engineers who wish to better understand potential security issues that may exist in hardware implementations and software security engineers who may lack experience in analyzing hardware and embedded systems.
Who Should Participate
Although it is not absolutely required, participants are encouraged to attend Introduction to Hardware Hacking and Reverse Engineering and Hardware Hacking and Instrumentation with FPGAs prior to attending this course. These courses cover many of the basics that are required for developing and exploiting the vulnerabilities covered during this course. Nevertheless, this course will cover all the steps required to perform the attacks against the targets listed below and does provide several concrete examples of these attacks against real targets. Hence, this course is also recommended for design engineers and system architects who are not yet familiar with these attacks. As part of the Advanced Security Training online platform, students will be provided recordings of the course, should they decide to try any of these attacks at a later date.
Topics covered during this course
- Glitching theory
- Supply voltage versus device performance
- Clock glitching
- Voltage glitching
- Power Analysis of targets
- Devices with multiple power supply rails
- Clock sources, internal oscillators and PLLs
- Alternative BootROM extraction techniques
- System boot flow and BootROM
- JTAG, low-level Bootloaders and BootROM bootloaders
- Fuses, Option Bytes, Read-out Protection and other security configuration bits
- Necessary lab equipment
- Instrumentation techniques
- Resetting and power-cycling targets
- FPGA instrumentation techniques
- Proprietary and Open-source FPGA workflows
- Optimization through HDL code generation
- Common pitfalls
Course Outline
In addition to a case study, the first day will cover all the necessary theory behind glitching, instrumentation and the underlying BootROM firmware. Each day will include a case study which will involve a live demo of developing, setting up and executing a glitch attack against a particular target. Students will be encouraged to follow along with the interactive live demos and will be provided all the materials to be able to subsequently perform these attacks themselves. The targets will include a common microcontroller with an extremely vulnerable bootloader, a microcontroller requiring multiple glitches to exploit the firmware, a common microcontroller with TrustZone, as well as a popular SoC.
All theory behind glitching and fault injection will be covered as part of the course.
List of Targets Covered
This 3-day course will focus on identifying, analyzing and exploiting vulnerabilities on the following targets:
- NXP LPC13
- STM32F2/STM32F4
- Nordic Semi NRF52
Each of the practical assignments will focus on enabling security on the target, identifying how this can be bypassed and subsequently building a glitcher to exploit this.
Requirements
No hardware is required for taking this course. We recommend that you completely watch the course before performing the hands-on attacks yourself. A list of hardware used for the demos will be provided as part of the class.
What We Will Provide Participants
- A VM with all the tools required for the course (the VM will be distributed during the course).
- A list of the hardware used during the class. This hardware is necessary for students who wish to reproduce the attacks demonstrated during the course themselves.
- Binaries of all the test firmware used during the course.
Additional Requirements for Reproducing Results at a Later Date
- A PC or Mac capable of running virtual machines (VMware Workstation, Fusion and Player are encouraged, but other VM software will work as well).
- A VM provided by the trainers will be sufficient to participate in all interactive parts of the live class.