security failures in secure devices
play

Security Failures In Secure Devices Black Hat DC February 21, 2008 - PowerPoint PPT Presentation

Mar 25, 2023 •46 likes •586 views

February 21, 2008 Security Failures In Secure Devices Black Hat DC February 21, 2008 Christopher Tarnovsky Flylogic Engineering, LLC. chris@flylogic.net www.flylogic.net February 21, 2008 Who am I? Last 10 years with NDS

  1. February 21, 2008 Security Failures In Secure Devices Black Hat DC – February 21, 2008 Christopher Tarnovsky Flylogic Engineering, LLC. chris@flylogic.net – www.flylogic.net

  2. February 21, 2008 Who am I? • Last 10 years with NDS – Anti-piracy effort – IC design – Software engineer – Reverse-engineer expert – One patent, one pending

  3. February 21, 2008 Purpose of this briefing? • Awareness • Understanding • Improve

  4. February 21, 2008 How are failures found? • Decapsulation of the substrate • Microscopy • Invasive probing • Electrical glitches • Optical glitches

  5. February 21, 2008 Decapsulation • Hot Plate • Acetone • Fuming Nitric Acid • Fuming Sulfuric Acid • Tweezers • Dropper

  6. February 21, 2008 Typical Decap Session

  7. February 21, 2008 Microscopy • Use of brightfield optical microscopes • Zeiss Axiotron (I/II): – Good for general imaging to plan attack • Mitutoyo FS-[50-70]: – Good to use for execution of an attack

  8. February 21, 2008 Invasive Probing • Physical connection to substrate • Use low-capacitance buffered driver • Tri-stated buffer is desired- • Allow eavesdropping • Overdrive the signal on an event (a trigger)

  9. February 21, 2008 Probing: Typical bus action (listening) YELLOW : Databus signal GREEN : Clock PURPLE : Reset BLUE : Trigger

  10. February 21, 2008 Overdriving last slides databus with a logic ‘0’ YELLOW : Databus signal GREEN : Clock PURPLE : Reset BLUE : Trigger

  11. February 21, 2008 Electrical Glitches • Lower input voltage • Increase clock frequency Q: Desired result? A: Lengthen propagation delay!!!

  12. February 21, 2008 Optical Glitches • Triggered pulses of light • Hope for latching of something other than, “good” (e.g. dptr change)

  13. February 21, 2008 Most devices claim some type of security • Cryptographic Memories • Smartcard MCU’s • Off-the-shelf (OTS) MCU’s

  14. February 21, 2008 Cryptographic Memories • Atmel “CryptoMemory” • Microchip “Keeloq”

  15. February 21, 2008 Atmel CryptoMemory • Two common dies available- 350nm and 500nm • Fuses determine which family member Below: 500nm die (e.g. AT88SC0204) Below: 350nm die (e.g. AT88SC25616C)

  16. February 21, 2008 Atmel CryptoMemory Claims • Master (Write7) password is only readable once it has been presented. • There is a try limit and once it reaches zero, the part is forever locked from changes to its configuration memory. • OTP Fuses protect the configuration memory.

  17. February 21, 2008 Write7 Password • Address bus attack allows read back of the Write7 password in the clear. • Databus attack allows read back of Write7 password after 64 samples have been taken.

  18. February 21, 2008 ?OTP? Fuse Protection • Fuses are “resettable” to an unprogrammed state via UV light. • Watch out for “booby-trap” fuse! If set, part will no longer communicate. Below: 500nm FUSE – Output in RED Below: 350nm FUSE – Output in GREEN

  19. February 21, 2008 More CryptoMemory issues • Contents contained in “user memory” is stored in the clear (a commonly found problem). • Exposure of the fuses to UV allows reset allowing changes to config memory if write7 password is known.

  20. February 21, 2008 User Memory stored in the clear • Configuration memory “rules” determine if readout of an area requires Crypto. • A successful attack means: – Reset “OTP Perm” fuse to a ‘1’. – Learn Write7 password. – Apply Write7 password and clear Crypto requirements. – Readout memory in the CLEAR !!!!

  21. February 21, 2008 Microchip Keeloq [HCS201..362] • Used around the globe in products such as: – Keyless entry on vehicles – Garage door openers (Genie) – Identity tokens – Burglar alarms

  22. February 21, 2008 Some are ASICs • Devices such as HCS201, 300, and 362 are ASICs designed as small state-machines with micro-coded ROM for behavior Below: HCS201 Below: HCS362

  23. February 21, 2008 And some are not!!! • Products such as HCS512-515 are actually PIC MCU’s with EEPROM!! Below: Ford keyless entry remote is actually 14-Pin PIC MCU bonded out as an 8 pin SOIC part. EEPROM is self-contained on the substrate.

  24. February 21, 2008 HCSxxx simple to extract secrets • Programming documentation claims device will auto- erase previous secrets. • Only then can you program new secrets. • Verification of newly programmed secrets can only be done ONCE.

  25. February 21, 2008 What if bulk-erase didn’t occur? • Microchip forgot something. How about checking if the memory really erased itself! • The theory behind this is too: – Mess up bulk-erase – Send in static 00’s or FF’s (201 or 362?) – Read back original data that was NOT erased!!!!!

  26. February 21, 2008 Motorola SC27/28 Smartcard MCU • Used heavily in GSM (SC28 mostly) • 6805 Core • 12.8 KB Masked ROM, 240 Bytes SRAM, 8 KB of EEPROM • Nothing special inside- – Sit on bus anywhere inside and you can see what’s going on. – Bus ordering was: cpu_latch[7:0] = dbus[7,6,5,4,3,2,1,0]; – Glitchable: Optically and Electrically

  27. February 21, 2008 Motorola SC49 Smartcard MCU • Tried out in GSM SIM cards sometime in late 90’s • 6805 Core • Hardware Cryptographic engine • 11.3KB Masked ROM, 512 Bytes of SRAM, 4 KB of EEPROM • Scrambled databus to confuse an attacker – Operands remain the same – Instructions needed be bit swapped – An eavesdropper needs to understand the core implementation.

  28. February 21, 2008 Scrambling the bus? Why? • Typical areas of probing are – Memory bus drivers. – Data bus itself where lines are organized in proper CPU bus width. – Bus lines are 99.9% of the time in order (0..7 or 7..0) and rarely swapped around! – Swapping the outputs of the memory is too easy to spot.

  29. February 21, 2008 Implementation: Scrambled Bus • As show in the photo below. Databus runs across the picture and is laid out from top to bottom as D7-D0. • As shown by the red dots, connections into the instruction latches swap the lines to the properly decoded state for a 6805. • Bit swap order is: cpu_latch[7:0] = dbus[6,2,4,1,0,7,3,5]; • Databus continues into the ALU to the right like other 6805’s.

  30. February 21, 2008 Infineon SLE66C160S/SLE66C320S • Found to be used in- – GSM SIM cards (32 KB version) – Gemplus GEMSAFE (16 KB w/Crypto) • Infineon quick spec states: – Security optimized layout and layout scrambling – Irreversible Lock - Out of test mode – Non standard dedicated Smart Card CPU–Core – Above statements taken from Infineon “Short Product Info., 10.01, SLE 66C160S” (Page 3)

  31. February 21, 2008 Infineon SLE66 “S” Die Image Below: Uncommented 100x image Below: Commented 100x image

  32. February 21, 2008 Infineon SLE66 “S” ROM • ROM Databus output and Address input latches. • Lower 8 bits of Address is multiplexed (shared) with Databus. • No scrambling on ROM outputs nor address inputs!!

  33. February 21, 2008 Infineon SLE66 “S” Main Databus • “Security optimized layout and layout scrambling” • ? Where ? We got here from the ROM outputs…

  34. February 21, 2008 Infineon SLE66 “S” Core Databus • Below the horizontal solid red line is the CLEAR databus. • Ordering of the bits is 0,1,2,3,4,5,6,7 and any encryption of the fetch has been decrypted by the MED above out of view. Below: Short red stripes represent clear databus bits 0..7

  35. February 21, 2008 Infineon SLE66CX322P • Found in GSM SIM cards • 32 KB EEPROM • Advanced Crypto Engine (ACE)

  36. February 21, 2008 Infineon SLE66 “P” Secure? • 4 conductor “active” mesh as top metal • Began in 220nm 3+1 metal process

  37. February 21, 2008 Infineon SLE66 “P” Databus • Below the horizontal solid red line is the CLEAR databus. • Ordering of the bits is 0,1,2,3,4,5,6,7. • Opcode must be decrypted at this state in time!

  38. February 21, 2008 ST Series Smartcards • ST16CF54: Crypto engine, 4 KB EEP • ST16SF4x: No Crypto, 1-16 KB EEP • ST19CF68: Crypto engine, 8 KB EEP • ST19AF08: 20 pin SOIC, 8 KB EEP • Enhanced 6805 MCU • Pioneer of the “Mesh” principle

  39. February 21, 2008 ST Mesh's 1 st gen: • Ground plane with holes (checker-board pattern) » Opening is okay without device knowing • Generations 2-4 are all “Serpentine” active sense with ground fingers 2 nd gen: • Mesh break results in stopped CPU » Active sense is tied to VDD of the device 3 rd gen: • Mesh break results in BULK erase of EEPROM » Active sense is tied to VDD of the device 4 th gen: • Mesh break results in BULK erase of EEPROM » Active sense is a circuit now coming from opposite side of the device.

  40. February 21, 2008 ST Mesh Images Gen 1 – 4 Meshes

  41. February 21, 2008 ST16XYZ Series • Crypto engine available on ST16CF54A/B • 1/2/4/8/16 KB EEPROM • Customizable access rules aka firewall • Filtered clock

  42. February 21, 2008 ST19XYZ Die Images • Began in 600nm 2+1 metal process • 10-12 MHz internal frequency (VDD dependent)

  43. February 21, 2008 ST19XYZ Series • Has anything really changed? • No better than the older ST16 series

Recommend

Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky

Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky

March 27, 2008 Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky Flylogic Engineering, LLC. chris@flylogic.net www.flylogic.net March 27, 2008 Who am I? Last 10 years with NDS

811 views • 54 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms

Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms

Embedded Security Group Secure Logic Styles ECRYPT II summer school on Design and Security of Cryptographic Algorithms and Devices 1. June 2011 Amir Moradi Embedded Security Group Agenda Power Consumption Characteristics of CMOS Circuits

387 views • 24 slides
Continuing to secure the Internet of Things Connected embedded devices Everything in our

Continuing to secure the Internet of Things Connected embedded devices Everything in our

Safety & Security for the Connected World Continuing to secure the Internet of Things Connected embedded devices Everything in our embedded world is becoming connected to The Internet Other connected devices Personal devices

248 views • 11 slides
CONFIDENTIAL 1 How to Secure Devices in a Smart City IoT devices in a Zero-Trust manufacturing

CONFIDENTIAL 1 How to Secure Devices in a Smart City IoT devices in a Zero-Trust manufacturing

CONFIDENTIAL 1 How to Secure Devices in a Smart City IoT devices in a Zero-Trust manufacturing and operational environment. CONFIDENTIAL 2 IoT market Gartner predicts: 20.4 billion connected things by 2020 7.4 billion of these are

330 views • 8 slides
Advanced Network Security 6. Agreement and consensus II: Byzantine failures Jaap-Henk Hoepman

Advanced Network Security 6. Agreement and consensus II: Byzantine failures Jaap-Henk Hoepman

Advanced Network Security 6. Agreement and consensus II: Byzantine failures Jaap-Henk Hoepman Digital Security (DS) Radboud University Nijmegen, the Netherlands @xotoxot // * jhh@cs.ru.nl // 8 www.cs.ru.nl/~jhh Byzantine failures are real

477 views • 30 slides
Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication:

Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication:

SSL 1 Web Security Secure Socket Layer (SSL) December 7, 2000 SSL 2 Web Security authentication: basic, digest often supplemented by cookies access control via network addresses multi-layered: SHTTP (secure HTTP) = just

713 views • 32 slides
Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction Cunsheng Cunsheng Ding Ding HKUST, Hong Kong, CHI NA HKUST, Hong Kong, CHI NA Secure Elect ronic Transact ions An applicat ion-layer secur it y

483 views • 24 slides
Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator shall establish procedures for analyzing accidents and failures, including the selection of samples of the failed facility or equipment for

948 views • 55 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu

Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu

Quest(-V): A Secure and Predictable System for Smart IoT Devices Richard West richwest@cs.bu.edu Computer Science Emerging Smart Devices Need an OS Multiple cores GPIOs PWM Virtualization support Integrated Graphics

547 views • 52 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch

Principles for Secure Software Following these doesnt guarantee security But they touch on the most commonly seen security problems Thinking about them is likely to lead to more secure code Lecture 13 Page 1 CS 236 Online 1.

439 views • 22 slides
SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE)

SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE)

SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE) Act of 2019 (H.R. 1994) Introduced in the House March 29, 2019 Passed House Ways & Means Committee April 2, 2019 Passed House

354 views • 12 slides
A Lightweight Secure Cyber Foraging Infrastructure for Resource-Constrained Devices Sachin Goyal

A Lightweight Secure Cyber Foraging Infrastructure for Resource-Constrained Devices Sachin Goyal

A Lightweight Secure Cyber Foraging Infrastructure for Resource-Constrained Devices Sachin Goyal and John Carter School of Computing University of Utah 1 Todays Computing Environments Small, embedded, mobile devices Ubiquitous

245 views • 22 slides
Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the

Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the

Social Security www.socialsecurity.gov Save for a Secure Future Social Security is the foundation for a secure retirement, but you also will need other savings and investments. If you want to learn more about how and why to save, visit

352 views • 33 slides
Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 13 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce supported by almost all transactions browsers, web

570 views • 21 slides
Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL:

Lecture 14 Transport Layer Security/ Secure Socket Layer (TLS/SSL) (Chapter 9 in KPS) SSL: Secure Sockets Layer v widely deployed security v original goals: protocol Web e-commerce transactions supported by almost all browsers,

609 views • 21 slides
Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5

Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5

Fault Tolerance and Security Heechul Yun 1 Safety Failures in CPS Therac 25 Arian 5 Computer controlled medical X-ray 7 billion dollar rocket was destroyed after 40 treatments secs (6/4/1996) Six people died/injured due to

354 views • 23 slides
Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY Silvie Schmidt Competence Centre for IT- Security at FH Campus Wien Project ELVIS Embedded Lab Vienna for IoT & Security Agenda

811 views • 37 slides
Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National Security Agency Trusted Systems Research Trusted Systems Research Conduct and sponsor research to provide information assurance for national

775 views • 38 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan Luo, Tongbo Luo CCS 2020 IoT Pairing Pairing is supposed to establish a secure communication channel IoT pairing is important for adding

345 views • 21 slides

More recommend