How the analysis of electrical current consumption of embedded - PowerPoint PPT Presentation
  1. How the analysis of the electrical current consumption of embedded systems could lead to code reversing? "Code extraction via power analysis" – Focus on "embedded systems" – Yann ALLAIN / Julien MOINARD

  2. AGENDA • Who we are • Research context & goals • Electronics 101 for security guys • Proof of concept (soft, hard, …) • Our experiments • Results & limits • Further research (prospective) • How to limit the risk • Conclusion


  4. WHO WE ARE? • From France – @OPALE SECURITY company – IT security & embedded system security • Yann ALLAIN – 18 years in IT security and the electronics industry – Former CSO for the application domain of a hotel company – CEO and owner of OPALE SECURITY • Julien MOINARD – Electronics specialist – In charge of most of the technical implementation of this research


  6. Research context • Another way to audit embedded systems • The classical audit approach is done via – External pentest (IP connection, web interfaces…) – Hardware hacking (defeating anti-tampering mechanisms, opening the box, etc.) • …but we want more…

  7. Research context • There is always another access available on every embedded system: – The electric power line! • The power cable connector is always accessible!

  8. Research context • As security auditors, can we use this access to do something? • This is the starting point of our research & experimentation • Please keep in mind that this is a research project in progress

  9. So… • As security guys, we wondered: "Is there a way to extract the code executed on an embedded system from its current/power consumption?" (≈ from the power connector…)

  10. Our wishlist • Be pragmatic • Keep it as simple as possible • No math and no complex stuff • Cheap approach (as much as possible)

  11. Existing research in this area? • Yes… (many!) but with different goals • Power analysis techniques (DPA, SPA) and researchers seem to focus on extracting the cipher keys of sensitive devices (crypto systems, credit cards…)

  12. Existing research in this area? • But… few papers related to code extraction via power analysis • We only found 3 available papers using the power consumption for finding instructions: – Identification of instructions managed by a PIC (Thomas Eisenbarth, http://math.fau.edu/~eisenbarth) → Cool! …but the researchers only focus on finding instructions; we need access to the data also (but great paper!) – Discovery of information on the encryption keys (Valette, http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/dalemuva05.pdf) → Some chapters dedicated to our goals, but not so much information disclosed (gouv.fr close to a 'sort of' military domain?…) – Example adapted to JavaCards (Vermoen, http://ce.et.tudelft.nl/publicationfiles/1162_634_thesis_Dennis.pdf) → Too specific: JavaCards

  13. Already existing research in this area? • But these publications are full of mathematical formulae • which are more or less complex (from our point of view!) • Not for us… ;-)

  14. Back to our goals… • Question: "What is the link between the power consumption and the instructions and data executed on most embedded systems based on a microcontroller (or other stuff like that)?" • Answer: a fundamental and basic electronic component, used everywhere! Please, gentlemen, welcome our friends: transistors


  16. Electronics 101 • Embedded systems are (or can be) built around microcontrollers (µC) that contain: – MEMORIES (RAM, ROM, …) – ALU (arithmetic logic unit) – TIMER (counter) – SERIAL INTERFACES – I/O BUS (latches)

  17. Electronics 101 • Each basic function included in a µC is designed at the electronic level with transistors (only a few transistors are used) • For example, see how a NAND gate is designed at the electronic level: logical view, electronic view, physical view (simplified) and the associated electric signal

  18. Electronics 101 • When a transistor "processes" a bit at the physical level (current, voltage), it "commutes", i.e. it switches • Transistor = a sort of digital switch

  19. Electronics 101 • When a transistor "commutes" (switches), there is a current peak! • Let's see what is going on in practice (labs…)

  20. Electronics 101 • Labs #1 – Screenshot 1 – Hardware stuff

  21. Electronics 101 • Labs #1 – Screenshot 2 – One transistor!

  22. Electronics 101 • Labs #1 – Screenshot 3 – Current peak!

  23. Electronics 101 • Labs #1 – Screenshot 4 – Zoom on the current peak!

  24. Brief • Transistors everywhere in the µC • When a transistor "processes" a bit, i.e. switches state, there is a current peak; a bit that stays constant draws almost nothing, so the supply current depends on how many bits toggle • "We just found the link between the power consumption and the bits processed" • Information leakage from power consumption validated!


  26. Proof of concept • How do we move from one bit grabbed (step 1) to a set of data & instruction code (step 2) with our approach? • We designed a proof of concept tool that analyzes the electrical current consumption of an embedded system to extract the code it executes

  27. Proof of concept • We need to acquire more bits… via a current consumption analysis • "Acquiring the current consumption": how?

  28. Proof of concept • What we need: a "homemade" embedded system (the target…) • Based on a PIC18F4620 µC

  29. Proof of concept • What we need: an Agilent oscilloscope for acquiring the current consumption • Agilent DSO3024A

  30. Proof of concept • What we need: a programmer/debugger (Microchip REAL ICE)

  31. Proof of concept • What we need: a current probe – Very expensive professional tools (magnetic or electromagnetic current probes) > $400 each – Or a simple resistor costing less than $1, placed in series with the supply line: the oscilloscope measures the voltage drop across it and I = V/R gives the current – We chose the resistor!

  32. Proof of concept • What we need: a bit of software – Homemade code (VB.NET… sorry) used to control and drive the oscilloscope – The code uses the standard protocol VISA COM 3.0 – a free library that lets us communicate with the Agilent oscilloscope through a simple set of commands • Get a measurement, launch a voltage or current acquisition, send the numerical values of the acquired current, …

  33. Proof of concept • What we need: a GUI – Command/data GUI of our proof of concept tool

  34. Proof of concept • Our acquisition chain looks like this:

  35. Proof of concept • In practice, it looks like this…

  36. How do we proceed to grab the current and extract the code? • Step 1: PC 1 sends dummy code to the µC through the programmer – the embedded system is ready to use

  37. Proof of concept • Step 2, in the lab: embedded system with probes → oscilloscope (measure) → current consumption → PC 2 (lab machine) – Our tool tries to find the instructions & data executed from the current consumption


  39. Our experiments #1: Does the code really impact the power consumption? #2: Do a MOVLW 0xFF and a MOVLW 0x00 lead to measurable differences in power analysis? #3: Why does the µC's instruction pipeline impact the current consumption? #4: How to overcome the pipeline issues for our goals? #5: Could we create a (sort of) 'disassembler' over electricity?

  40. Does the code really impact the power consumption? (Experiment #1)

  41. Does the code really impact the power consumption? (Experiment #1) • Result #1: we observe a current consumption related to the NOP instructions – In red: current during the execution – In blue: synchronization signal – In green: clock of the embedded system

  42. Do a MOVLW 0xFF and a MOVLW 0x00 lead to measurable differences in power analysis? (Experiment #2)

  43. Do a MOVLW 0xFF and a MOVLW 0x00 lead to measurable differences in power analysis? (Experiment #2) • Note: to limit the impact of parasites (noise), our system performs a differential analysis • First, we measured the difference between – the current consumption of 4 NOP instructions – the current consumption of MOVLW 0xFF followed by 3 NOPs • Second, we measured the difference between – the current consumption of 4 NOP instructions – the current consumption of MOVLW 0x00 followed by 3 NOPs
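The measurement chain of slide 31 and the differential analysis of slide 43 (shunt resistor as current probe, alignment on the synchronization signal, averaging, subtraction of a NOP-only baseline), as an added Python example; it is not the authors' VB.NET tool and it talks to no oscilloscope. The shunt value, sample rate, noise level and the Hamming-weight leakage model used to construct the traces are assumptions for illustration, not measurements from the slides.

```python
"""
Differential analysis of shunt-resistor current traces, in the spirit of
Experiment #2: compare "4 x NOP" against "MOVLW 0xFF + 3 x NOP" and
"MOVLW 0x00 + 3 x NOP" after averaging out noise and removing the NOP baseline.

Added example, not the authors' tool. Traces are CONSTRUCTED with an assumed
leakage model (dynamic CMOS current grows with the number of bit lines that
switch); shunt value, sample rate and noise level are assumptions.
"""
import random
import statistics

R_SHUNT_OHMS = 10.0       # assumed shunt placed in series with the supply line
SAMPLES_PER_INSTR = 16    # assumed oscilloscope samples per instruction cycle


def shunt_to_current(volts):
    """Ohm's law: the scope sees the drop across the shunt, I = V / R (amps)."""
    return [v / R_SHUNT_OHMS for v in volts]


def align_to_sync(trace, sync, threshold=0.5):
    """Cut the trace at the first rising edge of the synchronization signal."""
    for i in range(1, len(sync)):
        if sync[i - 1] < threshold <= sync[i]:
            return trace[i:]
    raise ValueError("no sync edge found")


def average_traces(traces):
    """Point-wise mean of aligned traces: random noise averages out, signal stays."""
    n = min(len(t) for t in traces)
    return [statistics.fmean([t[i] for t in traces]) for i in range(n)]


def differential(trace, reference):
    """Subtract the NOP-only baseline; only the instruction-dependent part remains."""
    return [a - b for a, b in zip(trace, reference)]


def peak_abs(trace):
    return max(abs(x) for x in trace)


# ---- constructed measurement model (assumption, not the authors' data) ----
def simulate_shunt_voltage(program, rng, noise_mv=5.0, sync_offset=3):
    """One shunt-voltage trace (volts) for a 4-instruction program.
    Leakage model: a NOP toggles no W-register bit; MOVLW k toggles as many bit
    lines as set bits in k (Hamming weight), each costing an assumed 2 mA for one
    sample at the start of the cycle. The first `sync_offset` samples are
    pre-trigger; the sync signal rises at that index."""
    base_ma = 20.0
    volts, sync = [], []
    for _ in range(sync_offset):
        volts.append(base_ma * 1e-3 * R_SHUNT_OHMS + rng.gauss(0, noise_mv * 1e-3))
        sync.append(0.0)
    for mnemonic, operand in program:
        for s in range(SAMPLES_PER_INSTR):
            i_ma = base_ma
            if s == 0 and mnemonic == "MOVLW":
                i_ma += 2.0 * bin(operand).count("1")
            volts.append(i_ma * 1e-3 * R_SHUNT_OHMS + rng.gauss(0, noise_mv * 1e-3))
            sync.append(1.0)
    return volts, sync


NOP = ("NOP", None)
PROGRAMS = {
    "4 x NOP": [NOP] * 4,
    "MOVLW 0xFF, 3 NOP": [("MOVLW", 0xFF)] + [NOP] * 3,
    "MOVLW 0x00, 3 NOP": [("MOVLW", 0x00)] + [NOP] * 3,
}


def run_experiment(n_traces=200, seed=1):
    """Acquire n_traces per program, align, average, subtract the NOP baseline.
    Returns the peak differential current in mA for each non-NOP program."""
    rng = random.Random(seed)
    averaged = {}
    for name, program in PROGRAMS.items():
        acquired = []
        for _ in range(n_traces):
            volts, sync = simulate_shunt_voltage(program, rng)
            acquired.append(align_to_sync(shunt_to_current(volts), sync))
        averaged[name] = average_traces(acquired)
    reference = averaged["4 x NOP"]
    return {name: peak_abs(differential(trace, reference)) * 1e3
            for name, trace in averaged.items() if name != "4 x NOP"}


if __name__ == "__main__":
    for name, peak_ma in run_experiment().items():
        print(f"{name}: peak differential = {peak_ma:.2f} mA")
```

Averaging many aligned traces removes the random part of the noise, and subtracting the 4 x NOP baseline removes the consumption every instruction shares; what is left is the instruction- and data-dependent current. In this constructed model MOVLW 0x00 toggles nothing, so its differential is flat, while MOVLW 0xFF shows a clear peak at the first cycle. On real hardware the W register and data bus keep their previous values, so the switching cost is a Hamming distance rather than a weight, and the 0xFF/0x00 difference has to be measured, not assumed.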
