SlideShare uma empresa Scribd logo

Cypherock Assessment (1).pdf

P
PARNIKA GUPTA

Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion. Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock.

Engenharia
1 de 14
Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion.
Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock. Cypherock Assessment Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Understanding of side channel analysis and fault injection concepts Side channel analysis According to my understanding the side channel analysis methods are utilized to find out the potential unintentional leaked information through physical implementations that may provide some information to get into a system. Fault injection Fault injection techniques are used to exploit a system's design vulnerabilities. This helps the developer understand the potential system crash and faults. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 1. Downloaded the lascar and rainbow repos 2. Went through the examples about elf file and also checked their object dump.
3. In each example I checked how the binary files are being analyzed 4. In lascar, read the trace and batch containers generation, their filtering and various processing applied over them to get the keys 5. In rainbow, read the leakage and fault models 6. Tried applying the hamming model to detect the leakage in the file Explanation of the approach taken. 1. File Analysis a. Checked the elf file structure: In readelf.txt b. Checked the given arm elf file object dump; In objdump.txt c. Findings in the disassembled code: i. Only .text had executable permissions ii. Found out the sections and functions used in the file and the entry point that was in the iii. In objdump few key words like pin, secret, key etc in recursive mutex function in .data section:
iv. From the entry point tracked where the code is started and where it is going to end
2. Decompiled file analysis a. Setup Ghidra b. Found the entered_pin and secret_output variables 3. Tried creating a fault on HAL_GPIO_EXTI_Callback with the entered_pin=”0xd9”, but did not work #!/usr/bin/env python3 # UINT aes(UCHAR Mode, STRUCT_AES* struct_aes, const UCHARp key, const UCHARp input, UCHARp output, const UCHARp random_aes, const UCHARp random_key) # aes( 0xb, ...) import numpy as np from visplot import plot from binascii import hexlify from rainbow import TraceConfig, HammingWeight, Print
from Crypto.Cipher import AES from rainbow.generics import rainbow_arm def f_aes(e, key, input_): e.reset() # mode : 0xb = MODE_ENC | MODE_AESINIT_ENC | MODE_KEYINIT e['r0'] = 0xb # struct_aes struct_aes_p = 0xcafe0000 e[struct_aes_p] = 0 # struct is huge so we need to map another page e[struct_aes_p + e.PAGE_SIZE] = 0 e['r1'] = struct_aes_p # key key_p = 0xcafe1000 e[key_p] = key e['r2'] = key_p # input input_p = 0xcafe2000 e[input_p] = input_ e['r3'] = input_p # output output_p = 0xdead0000 e[output_p] = 0 # ARM calling convention : 4th+ parameter is on stack e[e['sp']] = output_p # rest stays to 0 e.start(e.functions['HAL_GPIO_EXTI_Callback'] | 1, 0) if e['r0']: print('ERROR !') res = e[output_p:output_p + 16]
aes_c = AES.new(key, AES.MODE_ECB) ref = aes_c.encrypt(input_) if ref != res: print("Nope :") print(hexlify(res)) print(hexlify(ref)) return res import secrets def randbytes(n): return secrets.token_bytes(n) if __name__ == "__main__": e = rainbow_arm(print_config=Print.Code | Print.Functions, trace_config=TraceConfig(register=HammingWeight())) e.load('stm.elf') e.setup() return_addr = 0 # map it to prevent an unmapped fetch exception e[return_addr] = 0 key = b"xd9" * 16 traces = [] for i in range(5): print(".", end='') f_aes(e, key, randbytes(16)) traces.append(np.fromiter(map(lambda event: event["register"], e.trace), dtype=np.float32)) traces = np.array(traces) traces += np.random.normal(0, 1, size=traces.shape) v = plot(traces, dontrun=True) v.multiple_select(0) v.run()
4. Tried making doing the pin fault on main function, was able to found 1 fault i.e. when the key matched to the original one #!/usr/bin/env python3 import numpy as np from rainbow import HammingWeight, TraceConfig from rainbow.devices.stm32 import rainbow_stm32f215 as rainbow_stm32 from rainbow.fault_models import fault_skip from rainbow.utils.plot import viewer # Pick any reference pin (STORED_PIN) and a different input pin # Goal is to make 'storage_containsPin' function return a non-null # value, which would mean the code executes as if the user PIN # was correct although it was not STORED_PIN = "1874" INPUT_PIN = "0000"
print("Setting up emulator") e = rainbow_stm32() e.load("stm.elf") e.setup() def result(u): """ Test whether execution was faulted """ return u['r0'] != 0 and u['pc'] == 0xaaaaaaaa # as in the side-channel example, this is the location of the reference # pin in Flash e[0x08008110 + 0x189] = bytes(STORED_PIN + "x00", "ascii") # Pick any address for the input pin... e[0xcafecafe] = bytes(INPUT_PIN + "x00", "ascii") N = 57 total_faults = 0 total_crashes = 0 fault_trace = [0] * N crash_trace = [0] * N print("Loop on all possible skips") print("r0 should be 0 at the end of the function if no fault occurred") for i in range(1, N): e.reset() # The first fault might not actually work depending # on the value of r5 when calling. Remove comment to observe # e['r5'] = 0x60000000 e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa pc = 0 try:
# Run i instruction, then inject skip, then run pc = e.start_and_fault(fault_skip, i, e.functions['main'], 0xaaaaaaaa, count=100) except RuntimeError: # Fault crashed the emulation total_crashes += 1 crash_trace[i] = 1 d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] print("crashed") continue except IndexError: pass # Print current instruction d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] if result(e): # Successful fault total_faults += 1 fault_trace[i] = 1 print(" <-- r0 =", hex(e['r0']), end="") print(f"n=== {total_faults} faults found ===") print(f"=== {total_crashes} crashes ===") # get an 'original' side channel trace e = rainbow_stm32(trace_config=TraceConfig(register=HammingWeight(), instruction=True)) e.load("stm.elf") e.setup() e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa e.start(e.functions['main'], 0xaaaaaaaa)
trace = np.array([event["register"] for event in e.trace if "register" in event], dtype=np.uint8) fault_trace = trace.max() - np.array(fault_trace, dtype=np.uint8)[:trace.shape[0]] * trace.max() viewer([event["instruction"] for event in e.trace], np.array([trace, fault_trace]))
Retrieval of the hidden flag. Entered pin = 0xd9 Secret output = 0xda // Online C compiler to run C program online #include <stdio.h> int main() { // Write C code here printf("Hello worldn"); unsigned char entered_pin = 0xd9; unsigned char DAT_20000451 = 0x62; unsigned char DAT_20000452 = 0x39; unsigned char DAT_20000453 = 0; unsigned char DAT_20000454 = 0xcc; unsigned char DAT_20000455 = 0xcc; unsigned char DAT_20000456 = 0x99; unsigned char bVar1, DAT_20000457; bVar1 = DAT_20000457 == 0x66; if (1) { unsigned char secret_output = (entered_pin ^ 0xde) - 0x2d;
unsigned char DAT_20000459 = (DAT_20000451 ^ 0xad) - 0x24; unsigned char DAT_2000045a = (DAT_20000452 ^ 0xbe) - 0xd; unsigned char DAT_2000045c = (DAT_20000454 ^ 0xfe) + 0xb3; unsigned char DAT_2000045b = (DAT_20000453 ^ 0xef) - 0x16; unsigned char DAT_2000045d = (DAT_20000455 ^ 0xed) + 0x9c; unsigned char DAT_2000045e = (DAT_20000456 ^ 0xfa) + 0x17; unsigned char DAT_2000045f = (DAT_20000457 ^ 0xce) + 99; printf("%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x", entered_pin, DAT_20000451, DAT_20000452, DAT_20000453, DAT_20000454, DAT_20000455, DAT_20000456, DAT_20000457, secret_output, DAT_20000459, DAT_2000045a, DAT_2000045b, DAT_2000045c, DAT_2000045d, DAT_2000045e, DAT_2000045f); } return 0; } Output (16 bit Key): d9 62 39 0 cc cc 99 c5 da ab 7a d9 e5 bd 7a 6e

Recomendados

Csdfsadf
CsdfsadfCsdfsadf
Csdfsadf
Atul Setu
 
C
CC
C
Khan Rahimeen
 
C
CC
C
Anuja Lad
 
C Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comC Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.com
M-TEC Computer Education
 
Os lab final
Os lab finalOs lab final
Os lab final
LakshmiSarvani6
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
Andrey Karpov
 
Mouse programming in c
Mouse programming in cMouse programming in c
Mouse programming in c
gkgaur1987
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial
javaTpoint s
 

Recomendados

Csdfsadf
CsdfsadfCsdfsadf
Csdfsadf
Atul Setu
 
C
CC
C
Khan Rahimeen
 
C
CC
C
Anuja Lad
 
C Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comC Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.com
M-TEC Computer Education
 
Os lab final
Os lab finalOs lab final
Os lab final
LakshmiSarvani6
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
Andrey Karpov
 
Mouse programming in c
Mouse programming in cMouse programming in c
Mouse programming in c
gkgaur1987
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial
javaTpoint s
 
Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)
Emilio Coppa
 
Introduction to c
Introduction to cIntroduction to c
Introduction to c
amol_chavan
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
Youness Zougar
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
Stefan
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdf
Tigabu Yaya
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
Ankit Dixit
 
OOP project report cipher c++ .docx
OOP project report cipher c++ .docxOOP project report cipher c++ .docx
OOP project report cipher c++ .docx
Muhammadbilal432440
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
Jen Yee Hong
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
Structures-2
Structures-2Structures-2
Structures-2
arshpreetkaur07
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptx
jzyNick
 
srgoc
srgocsrgoc
srgoc
Gaurav Singh
 
UNIT-II CP DOC.docx
UNIT-II CP DOC.docxUNIT-II CP DOC.docx
UNIT-II CP DOC.docx
JavvajiVenkat
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manual
Sami Said
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
Priyanka Aash
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docx
wkyra78
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
PVS-Studio
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
PARNIKA GUPTA
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)
PARNIKA GUPTA
 

Mais conteúdo relacionado

Semelhante a Cypherock Assessment (1).pdf

Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)
Emilio Coppa
 
Introduction to c
Introduction to cIntroduction to c
Introduction to c
amol_chavan
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
Youness Zougar
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
Stefan
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdf
Tigabu Yaya
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
Ankit Dixit
 
OOP project report cipher c++ .docx
OOP project report cipher c++ .docxOOP project report cipher c++ .docx
OOP project report cipher c++ .docx
Muhammadbilal432440
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
Jen Yee Hong
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
Structures-2
Structures-2Structures-2
Structures-2
arshpreetkaur07
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptx
jzyNick
 
srgoc
srgocsrgoc
srgoc
Gaurav Singh
 
UNIT-II CP DOC.docx
UNIT-II CP DOC.docxUNIT-II CP DOC.docx
UNIT-II CP DOC.docx
JavvajiVenkat
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manual
Sami Said
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
Priyanka Aash
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docx
wkyra78
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
PVS-Studio
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 

Semelhante a Cypherock Assessment (1).pdf (20)

Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)
 
Introduction to c
Introduction to cIntroduction to c
Introduction to c
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdf
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
 
OOP project report cipher c++ .docx
OOP project report cipher c++ .docxOOP project report cipher c++ .docx
OOP project report cipher c++ .docx
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
Structures-2
Structures-2Structures-2
Structures-2
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptx
 
srgoc
srgocsrgoc
srgoc
 
UNIT-II CP DOC.docx
UNIT-II CP DOC.docxUNIT-II CP DOC.docx
UNIT-II CP DOC.docx
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manual
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docx
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 

Mais de PARNIKA GUPTA

INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
PARNIKA GUPTA
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)
PARNIKA GUPTA
 
IISC CPDM Task 2 Report
IISC CPDM Task 2 ReportIISC CPDM Task 2 Report
IISC CPDM Task 2 Report
PARNIKA GUPTA
 
IISC CPDM Task 1 Report
IISC CPDM Task 1 ReportIISC CPDM Task 1 Report
IISC CPDM Task 1 Report
PARNIKA GUPTA
 
Remote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardousRemote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardous
PARNIKA GUPTA
 
Beam forming- New Technology
Beam forming- New TechnologyBeam forming- New Technology
Beam forming- New Technology
PARNIKA GUPTA
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gases
PARNIKA GUPTA
 
Human Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language TranslationHuman Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language Translation
PARNIKA GUPTA
 
GIS application in Defense
GIS application in DefenseGIS application in Defense
GIS application in Defense
PARNIKA GUPTA
 
Transceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalinkTransceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalink
PARNIKA GUPTA
 
HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)
PARNIKA GUPTA
 
HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018) HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018)
PARNIKA GUPTA
 

Mais de PARNIKA GUPTA (12)

INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)
 
IISC CPDM Task 2 Report
IISC CPDM Task 2 ReportIISC CPDM Task 2 Report
IISC CPDM Task 2 Report
 
IISC CPDM Task 1 Report
IISC CPDM Task 1 ReportIISC CPDM Task 1 Report
IISC CPDM Task 1 Report
 
Remote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardousRemote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardous
 
Beam forming- New Technology
Beam forming- New TechnologyBeam forming- New Technology
Beam forming- New Technology
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gases
 
Human Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language TranslationHuman Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language Translation
 
GIS application in Defense
GIS application in DefenseGIS application in Defense
GIS application in Defense
 
Transceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalinkTransceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalink
 
HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)
 
HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018) HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018)
 

Último

Applications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdfApplications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdf
Atif Razi
 
TIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptxTIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptx
CVCSOfficial
 
Blood finder application project report (1).pdf
Blood finder application project report (1).pdfBlood finder application project report (1).pdf
Blood finder application project report (1).pdf
Kamal Acharya
 
Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...
Prakhyath Rai
 
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
upoux
 
Call For Paper -3rd International Conference on Artificial Intelligence Advan...
Call For Paper -3rd International Conference on Artificial Intelligence Advan...Call For Paper -3rd International Conference on Artificial Intelligence Advan...
Call For Paper -3rd International Conference on Artificial Intelligence Advan...
ijseajournal
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
uqyfuc
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
Kamal Acharya
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
nedcocy
 
Pressure Relief valve used in flow line to release the over pressure at our d...
Pressure Relief valve used in flow line to release the over pressure at our d...Pressure Relief valve used in flow line to release the over pressure at our d...
Pressure Relief valve used in flow line to release the over pressure at our d...
cannyengineerings
 
Mechatronics material . Mechanical engineering
Mechatronics material . Mechanical engineeringMechatronics material . Mechanical engineering
Mechatronics material . Mechanical engineering
sachin chaurasia
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
ElakkiaU
 
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
sydezfe
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
shadow0702a
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
Paris Salesforce Developer Group
 
Open Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surfaceOpen Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surface
Indrajeet sahu
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
b0754201
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptxSCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptx
harshapolam10
 
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENTNATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
Addu25809
 

Último (20)

Applications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdfApplications of artificial Intelligence in Mechanical Engineering.pdf
Applications of artificial Intelligence in Mechanical Engineering.pdf
 
TIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptxTIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptx
 
Blood finder application project report (1).pdf
Blood finder application project report (1).pdfBlood finder application project report (1).pdf
Blood finder application project report (1).pdf
 
Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...
 
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
一比一原版(osu毕业证书)美国俄勒冈州立大学毕业证如何办理
 
Call For Paper -3rd International Conference on Artificial Intelligence Advan...
Call For Paper -3rd International Conference on Artificial Intelligence Advan...Call For Paper -3rd International Conference on Artificial Intelligence Advan...
Call For Paper -3rd International Conference on Artificial Intelligence Advan...
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Accident detection system project report.pdf
Accident detection system project report.pdfAccident detection system project report.pdf
Accident detection system project report.pdf
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
一比一原版(爱大毕业证书)爱荷华大学毕业证如何办理
 
Pressure Relief valve used in flow line to release the over pressure at our d...
Pressure Relief valve used in flow line to release the over pressure at our d...Pressure Relief valve used in flow line to release the over pressure at our d...
Pressure Relief valve used in flow line to release the over pressure at our d...
 
Mechatronics material . Mechanical engineering
Mechatronics material . Mechanical engineeringMechatronics material . Mechanical engineering
Mechatronics material . Mechanical engineering
 
An Introduction to the Compiler Designss
An Introduction to the Compiler DesignssAn Introduction to the Compiler Designss
An Introduction to the Compiler Designss
 
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
一比一原版(uoft毕业证书)加拿大多伦多大学毕业证如何办理
 
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
 
Open Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surfaceOpen Channel Flow: fluid flow with a free surface
Open Channel Flow: fluid flow with a free surface
 
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptxSENTIMENT ANALYSIS ON PPT AND Project template_.pptx
SENTIMENT ANALYSIS ON PPT AND Project template_.pptx
 
SCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptxSCALING OF MOS CIRCUITS m .pptx
SCALING OF MOS CIRCUITS m .pptx
 
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENTNATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
NATURAL DEEP EUTECTIC SOLVENTS AS ANTI-FREEZING AGENT
 

Cypherock Assessment (1).pdf

  • 1. Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion.
  • 2. Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock. Cypherock Assessment Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Understanding of side channel analysis and fault injection concepts Side channel analysis According to my understanding the side channel analysis methods are utilized to find out the potential unintentional leaked information through physical implementations that may provide some information to get into a system. Fault injection Fault injection techniques are used to exploit a system's design vulnerabilities. This helps the developer understand the potential system crash and faults. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 1. Downloaded the lascar and rainbow repos 2. Went through the examples about elf file and also checked their object dump.
  • 3. 3. In each example I checked how the binary files are being analyzed 4. In lascar, read the trace and batch containers generation, their filtering and various processing applied over them to get the keys 5. In rainbow, read the leakage and fault models 6. Tried applying the hamming model to detect the leakage in the file Explanation of the approach taken. 1. File Analysis a. Checked the elf file structure: In readelf.txt b. Checked the given arm elf file object dump; In objdump.txt c. Findings in the disassembled code: i. Only .text had executable permissions ii. Found out the sections and functions used in the file and the entry point that was in the iii. In objdump few key words like pin, secret, key etc in recursive mutex function in .data section:
  • 4. iv. From the entry point tracked where the code is started and where it is going to end
  • 5. 2. Decompiled file analysis a. Setup Ghidra b. Found the entered_pin and secret_output variables 3. Tried creating a fault on HAL_GPIO_EXTI_Callback with the entered_pin=”0xd9”, but did not work #!/usr/bin/env python3 # UINT aes(UCHAR Mode, STRUCT_AES* struct_aes, const UCHARp key, const UCHARp input, UCHARp output, const UCHARp random_aes, const UCHARp random_key) # aes( 0xb, ...) import numpy as np from visplot import plot from binascii import hexlify from rainbow import TraceConfig, HammingWeight, Print
  • 6. from Crypto.Cipher import AES from rainbow.generics import rainbow_arm def f_aes(e, key, input_): e.reset() # mode : 0xb = MODE_ENC | MODE_AESINIT_ENC | MODE_KEYINIT e['r0'] = 0xb # struct_aes struct_aes_p = 0xcafe0000 e[struct_aes_p] = 0 # struct is huge so we need to map another page e[struct_aes_p + e.PAGE_SIZE] = 0 e['r1'] = struct_aes_p # key key_p = 0xcafe1000 e[key_p] = key e['r2'] = key_p # input input_p = 0xcafe2000 e[input_p] = input_ e['r3'] = input_p # output output_p = 0xdead0000 e[output_p] = 0 # ARM calling convention : 4th+ parameter is on stack e[e['sp']] = output_p # rest stays to 0 e.start(e.functions['HAL_GPIO_EXTI_Callback'] | 1, 0) if e['r0']: print('ERROR !') res = e[output_p:output_p + 16]
  • 7. aes_c = AES.new(key, AES.MODE_ECB) ref = aes_c.encrypt(input_) if ref != res: print("Nope :") print(hexlify(res)) print(hexlify(ref)) return res import secrets def randbytes(n): return secrets.token_bytes(n) if __name__ == "__main__": e = rainbow_arm(print_config=Print.Code | Print.Functions, trace_config=TraceConfig(register=HammingWeight())) e.load('stm.elf') e.setup() return_addr = 0 # map it to prevent an unmapped fetch exception e[return_addr] = 0 key = b"xd9" * 16 traces = [] for i in range(5): print(".", end='') f_aes(e, key, randbytes(16)) traces.append(np.fromiter(map(lambda event: event["register"], e.trace), dtype=np.float32)) traces = np.array(traces) traces += np.random.normal(0, 1, size=traces.shape) v = plot(traces, dontrun=True) v.multiple_select(0) v.run()
  • 8.
  • 9. 4. Tried making doing the pin fault on main function, was able to found 1 fault i.e. when the key matched to the original one #!/usr/bin/env python3 import numpy as np from rainbow import HammingWeight, TraceConfig from rainbow.devices.stm32 import rainbow_stm32f215 as rainbow_stm32 from rainbow.fault_models import fault_skip from rainbow.utils.plot import viewer # Pick any reference pin (STORED_PIN) and a different input pin # Goal is to make 'storage_containsPin' function return a non-null # value, which would mean the code executes as if the user PIN # was correct although it was not STORED_PIN = "1874" INPUT_PIN = "0000"
  • 10. print("Setting up emulator") e = rainbow_stm32() e.load("stm.elf") e.setup() def result(u): """ Test whether execution was faulted """ return u['r0'] != 0 and u['pc'] == 0xaaaaaaaa # as in the side-channel example, this is the location of the reference # pin in Flash e[0x08008110 + 0x189] = bytes(STORED_PIN + "x00", "ascii") # Pick any address for the input pin... e[0xcafecafe] = bytes(INPUT_PIN + "x00", "ascii") N = 57 total_faults = 0 total_crashes = 0 fault_trace = [0] * N crash_trace = [0] * N print("Loop on all possible skips") print("r0 should be 0 at the end of the function if no fault occurred") for i in range(1, N): e.reset() # The first fault might not actually work depending # on the value of r5 when calling. Remove comment to observe # e['r5'] = 0x60000000 e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa pc = 0 try:
  • 11. # Run i instruction, then inject skip, then run pc = e.start_and_fault(fault_skip, i, e.functions['main'], 0xaaaaaaaa, count=100) except RuntimeError: # Fault crashed the emulation total_crashes += 1 crash_trace[i] = 1 d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] print("crashed") continue except IndexError: pass # Print current instruction d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] if result(e): # Successful fault total_faults += 1 fault_trace[i] = 1 print(" <-- r0 =", hex(e['r0']), end="") print(f"n=== {total_faults} faults found ===") print(f"=== {total_crashes} crashes ===") # get an 'original' side channel trace e = rainbow_stm32(trace_config=TraceConfig(register=HammingWeight(), instruction=True)) e.load("stm.elf") e.setup() e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa e.start(e.functions['main'], 0xaaaaaaaa)
  • 12. trace = np.array([event["register"] for event in e.trace if "register" in event], dtype=np.uint8) fault_trace = trace.max() - np.array(fault_trace, dtype=np.uint8)[:trace.shape[0]] * trace.max() viewer([event["instruction"] for event in e.trace], np.array([trace, fault_trace]))
  • 13. Retrieval of the hidden flag. Entered pin = 0xd9 Secret output = 0xda // Online C compiler to run C program online #include <stdio.h> int main() { // Write C code here printf("Hello worldn"); unsigned char entered_pin = 0xd9; unsigned char DAT_20000451 = 0x62; unsigned char DAT_20000452 = 0x39; unsigned char DAT_20000453 = 0; unsigned char DAT_20000454 = 0xcc; unsigned char DAT_20000455 = 0xcc; unsigned char DAT_20000456 = 0x99; unsigned char bVar1, DAT_20000457; bVar1 = DAT_20000457 == 0x66; if (1) { unsigned char secret_output = (entered_pin ^ 0xde) - 0x2d;
  • 14. unsigned char DAT_20000459 = (DAT_20000451 ^ 0xad) - 0x24; unsigned char DAT_2000045a = (DAT_20000452 ^ 0xbe) - 0xd; unsigned char DAT_2000045c = (DAT_20000454 ^ 0xfe) + 0xb3; unsigned char DAT_2000045b = (DAT_20000453 ^ 0xef) - 0x16; unsigned char DAT_2000045d = (DAT_20000455 ^ 0xed) + 0x9c; unsigned char DAT_2000045e = (DAT_20000456 ^ 0xfa) + 0x17; unsigned char DAT_2000045f = (DAT_20000457 ^ 0xce) + 99; printf("%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x", entered_pin, DAT_20000451, DAT_20000452, DAT_20000453, DAT_20000454, DAT_20000455, DAT_20000456, DAT_20000457, secret_output, DAT_20000459, DAT_2000045a, DAT_2000045b, DAT_2000045c, DAT_2000045d, DAT_2000045e, DAT_2000045f); } return 0; } Output (16 bit Key): d9 62 39 0 cc cc 99 c5 da ab 7a d9 e5 bd 7a 6e