The Art of Fault Injection: Advanced Techniques and Attacks
Niek Timmers

Fault Injection attacks are increasingly used to break into devices, especially when software vulnerabilities are unknown. Students will use NewAE’s ChipWhisperer-Lite or Husky, along with hardware tools (debugger, oscilloscope), to create Fault Injection exploits on the Espressif ESP32 SoC.

The Art of Fault Injection: Advanced Techniques and Attacks // Niek Timmers

In-Person | March 18-21 | 4 Days


ABSTRACT

While Fault Injection attacks are now common, the underlying concepts, techniques, and attacks are often not sufficiently understood. Simply glitching a target can yield results, but this approach alone does not lead to innovative attacks. In this training, students experience and appreciate the Art of Fault Injection (TAoFI) in order to exploit the full potential of Fault Injection attacks.

This training assumes prior experience with performing Fault Injection attacks, either obtained at work, at home, or at a previously attended training (e.g., from Colin, Joe, or Thomas). Students are encouraged to work together in teams of two, sharing their experiences. Though not recommended, students may work individually as well.

Students will use advanced techniques to characterize the effects of voltage glitches on the Espressif ESP32 System-on-Chip (SoC). The faults resulting from these voltage glitches are carefully analyzed and described, and the resulting understanding of the target's susceptibility to voltage glitches is then put to use by building fault injection exploits. Rather than focusing on a specific set of tools, students focus on the concepts, methodologies, techniques, and attacks relevant to Fault Injection.

Students will perform real-world Fault Injection attacks that were disclosed either by Raelize or by other security researchers. Students will use the NewAE ChipWhisperer-Husky together with typical hardware lab tooling such as an oscilloscope and a hardware debugger. Students are provided with a virtual machine (VM) with all the required tooling installed, as well as access to the required hardware.

Upon completing the training, students will be proficient in executing sophisticated Fault Injection attacks on real-world targets using commercially available tooling. The knowledge gained from understanding the underlying concepts, methodologies, techniques, and attacks can be used by students to perform novel Fault Injection attacks on other targets of interest.


INTENDED AUDIENCE

  • Security Analysts, Researchers and Enthusiasts
  • Forensic Investigators
  • Anyone else interested in advanced Fault Injection techniques and attacks
💡 This is a very advanced course. The fundamentals are addressed in a systematic way, but students are expected to have prior fault injection experience.

KEY LEARNING OBJECTIVES

  • Understand Fault Injection techniques and attacks like an expert
  • Identify non-trivial vulnerabilities using advanced Fault Injection techniques
  • Create advanced Fault Injection exploits using commercially available tooling
  • Reproduce top-notch security research from Fault Injection experts
  • Format: 25% lectures, 75% hands-on exercises

COURSE DETAILS

The course is 75% practical exercises and 25% presentations. Most exercises use a custom development board based on the Espressif ESP32 System-on-Chip (SoC).

This training starts by building up a solid understanding of the typical concepts and methodologies used in Fault Injection. Then, students dive straight into advanced techniques and attacks used in Fault Injection exploits.

Fundamentals

Advanced Techniques

  • Target characterization (i.e., with custom code)
  • Target characterization in the dark (i.e., without custom code)
  • Analyzing faults to identify target behavior
  • Plotting results to identify target behavior
  • Modeling faults to build attack primitives
  • Advanced triggering for timing (GPIO, UART, SPI and Power)
  • Vulnerability identification by reverse engineering
  • Vulnerability verification with hardware debugger
  • Effective glitch parameter selection strategies

Advanced Attacks

Raelize used Riscure's ElectroMagnetic Fault Injection (EMFI) tooling to perform the original research. Students will perform these attacks using the NewAE ChipWhisperer-Husky.

Knowledge Prerequisites

  • Basic familiarity with Fault Injection attacks
  • Comfortable communicating with embedded devices
  • Familiarity with typical hardware lab tooling
  • Reasonable Python and C coding knowledge
  • Familiarity with reverse engineering software
  • Understanding of common cryptography (RSA, AES, and SHA)

System Requirements

The students of this training are expected to bring a modern laptop or workstation:

  • with x86-64 architecture
  • with sufficient memory (at least 8 GB)
  • with at least four (4) available USB-A ports (i.e., use a USB hub)
    • Raelize will have extra USB hubs available during the training (USB-C / USB-A)
  • installed with a modern browser (i.e., Google Chrome)
  • installed with VMware Player/Workstation (or VirtualBox)
💡 Important: The required tooling is only tested on x86-64-based systems. ARM-based systems (e.g., Apple Silicon M1, M2 or M3), or systems based on other architectures, are not supported.
💡 Note that the Fault Injection tooling will be attached to the VM that Raelize provides. Please make sure that forwarding different types of USB devices to the VM works as expected. In our experience, this works best with VMware products (e.g., VMware Workstation Player).

YOUR INSTRUCTOR: Niek Timmers

Niek Timmers @tieknimmers is a security researcher at Raelize, providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. His interest is usually sparked by technologies in which the hardware plays a fundamental role. He has shared his research on topics like Secure Boot and Fault Injection at conferences such as Black Hat, BlueHat, HITB, hardwear.io, and NULLCON.
