SlideShare a Scribd company logo

Cypherock Assessment (1).pdf

P
PARNIKA GUPTA

Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion. Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock.

Engineering
1 of 14
Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion.
Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock. Cypherock Assessment Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Understanding of side channel analysis and fault injection concepts Side channel analysis According to my understanding the side channel analysis methods are utilized to find out the potential unintentional leaked information through physical implementations that may provide some information to get into a system. Fault injection Fault injection techniques are used to exploit a system's design vulnerabilities. This helps the developer understand the potential system crash and faults. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 1. Downloaded the lascar and rainbow repos 2. Went through the examples about elf file and also checked their object dump.
3. In each example I checked how the binary files are being analyzed 4. In lascar, read the trace and batch containers generation, their filtering and various processing applied over them to get the keys 5. In rainbow, read the leakage and fault models 6. Tried applying the hamming model to detect the leakage in the file Explanation of the approach taken. 1. File Analysis a. Checked the elf file structure: In readelf.txt b. Checked the given arm elf file object dump; In objdump.txt c. Findings in the disassembled code: i. Only .text had executable permissions ii. Found out the sections and functions used in the file and the entry point that was in the iii. In objdump few key words like pin, secret, key etc in recursive mutex function in .data section:
iv. From the entry point tracked where the code is started and where it is going to end
2. Decompiled file analysis a. Setup Ghidra b. Found the entered_pin and secret_output variables 3. Tried creating a fault on HAL_GPIO_EXTI_Callback with the entered_pin=”0xd9”, but did not work #!/usr/bin/env python3 # UINT aes(UCHAR Mode, STRUCT_AES* struct_aes, const UCHARp key, const UCHARp input, UCHARp output, const UCHARp random_aes, const UCHARp random_key) # aes( 0xb, ...) import numpy as np from visplot import plot from binascii import hexlify from rainbow import TraceConfig, HammingWeight, Print
from Crypto.Cipher import AES from rainbow.generics import rainbow_arm def f_aes(e, key, input_): e.reset() # mode : 0xb = MODE_ENC | MODE_AESINIT_ENC | MODE_KEYINIT e['r0'] = 0xb # struct_aes struct_aes_p = 0xcafe0000 e[struct_aes_p] = 0 # struct is huge so we need to map another page e[struct_aes_p + e.PAGE_SIZE] = 0 e['r1'] = struct_aes_p # key key_p = 0xcafe1000 e[key_p] = key e['r2'] = key_p # input input_p = 0xcafe2000 e[input_p] = input_ e['r3'] = input_p # output output_p = 0xdead0000 e[output_p] = 0 # ARM calling convention : 4th+ parameter is on stack e[e['sp']] = output_p # rest stays to 0 e.start(e.functions['HAL_GPIO_EXTI_Callback'] | 1, 0) if e['r0']: print('ERROR !') res = e[output_p:output_p + 16]
aes_c = AES.new(key, AES.MODE_ECB) ref = aes_c.encrypt(input_) if ref != res: print("Nope :") print(hexlify(res)) print(hexlify(ref)) return res import secrets def randbytes(n): return secrets.token_bytes(n) if __name__ == "__main__": e = rainbow_arm(print_config=Print.Code | Print.Functions, trace_config=TraceConfig(register=HammingWeight())) e.load('stm.elf') e.setup() return_addr = 0 # map it to prevent an unmapped fetch exception e[return_addr] = 0 key = b"xd9" * 16 traces = [] for i in range(5): print(".", end='') f_aes(e, key, randbytes(16)) traces.append(np.fromiter(map(lambda event: event["register"], e.trace), dtype=np.float32)) traces = np.array(traces) traces += np.random.normal(0, 1, size=traces.shape) v = plot(traces, dontrun=True) v.multiple_select(0) v.run()
4. Tried making doing the pin fault on main function, was able to found 1 fault i.e. when the key matched to the original one #!/usr/bin/env python3 import numpy as np from rainbow import HammingWeight, TraceConfig from rainbow.devices.stm32 import rainbow_stm32f215 as rainbow_stm32 from rainbow.fault_models import fault_skip from rainbow.utils.plot import viewer # Pick any reference pin (STORED_PIN) and a different input pin # Goal is to make 'storage_containsPin' function return a non-null # value, which would mean the code executes as if the user PIN # was correct although it was not STORED_PIN = "1874" INPUT_PIN = "0000"
print("Setting up emulator") e = rainbow_stm32() e.load("stm.elf") e.setup() def result(u): """ Test whether execution was faulted """ return u['r0'] != 0 and u['pc'] == 0xaaaaaaaa # as in the side-channel example, this is the location of the reference # pin in Flash e[0x08008110 + 0x189] = bytes(STORED_PIN + "x00", "ascii") # Pick any address for the input pin... e[0xcafecafe] = bytes(INPUT_PIN + "x00", "ascii") N = 57 total_faults = 0 total_crashes = 0 fault_trace = [0] * N crash_trace = [0] * N print("Loop on all possible skips") print("r0 should be 0 at the end of the function if no fault occurred") for i in range(1, N): e.reset() # The first fault might not actually work depending # on the value of r5 when calling. Remove comment to observe # e['r5'] = 0x60000000 e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa pc = 0 try:
# Run i instruction, then inject skip, then run pc = e.start_and_fault(fault_skip, i, e.functions['main'], 0xaaaaaaaa, count=100) except RuntimeError: # Fault crashed the emulation total_crashes += 1 crash_trace[i] = 1 d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] print("crashed") continue except IndexError: pass # Print current instruction d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] if result(e): # Successful fault total_faults += 1 fault_trace[i] = 1 print(" <-- r0 =", hex(e['r0']), end="") print(f"n=== {total_faults} faults found ===") print(f"=== {total_crashes} crashes ===") # get an 'original' side channel trace e = rainbow_stm32(trace_config=TraceConfig(register=HammingWeight(), instruction=True)) e.load("stm.elf") e.setup() e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa e.start(e.functions['main'], 0xaaaaaaaa)
trace = np.array([event["register"] for event in e.trace if "register" in event], dtype=np.uint8) fault_trace = trace.max() - np.array(fault_trace, dtype=np.uint8)[:trace.shape[0]] * trace.max() viewer([event["instruction"] for event in e.trace], np.array([trace, fault_trace]))
Retrieval of the hidden flag. Entered pin = 0xd9 Secret output = 0xda // Online C compiler to run C program online #include <stdio.h> int main() { // Write C code here printf("Hello worldn"); unsigned char entered_pin = 0xd9; unsigned char DAT_20000451 = 0x62; unsigned char DAT_20000452 = 0x39; unsigned char DAT_20000453 = 0; unsigned char DAT_20000454 = 0xcc; unsigned char DAT_20000455 = 0xcc; unsigned char DAT_20000456 = 0x99; unsigned char bVar1, DAT_20000457; bVar1 = DAT_20000457 == 0x66; if (1) { unsigned char secret_output = (entered_pin ^ 0xde) - 0x2d;
unsigned char DAT_20000459 = (DAT_20000451 ^ 0xad) - 0x24; unsigned char DAT_2000045a = (DAT_20000452 ^ 0xbe) - 0xd; unsigned char DAT_2000045c = (DAT_20000454 ^ 0xfe) + 0xb3; unsigned char DAT_2000045b = (DAT_20000453 ^ 0xef) - 0x16; unsigned char DAT_2000045d = (DAT_20000455 ^ 0xed) + 0x9c; unsigned char DAT_2000045e = (DAT_20000456 ^ 0xfa) + 0x17; unsigned char DAT_2000045f = (DAT_20000457 ^ 0xce) + 99; printf("%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x", entered_pin, DAT_20000451, DAT_20000452, DAT_20000453, DAT_20000454, DAT_20000455, DAT_20000456, DAT_20000457, secret_output, DAT_20000459, DAT_2000045a, DAT_2000045b, DAT_2000045c, DAT_2000045d, DAT_2000045e, DAT_2000045f); } return 0; } Output (16 bit Key): d9 62 39 0 cc cc 99 c5 da ab 7a d9 e5 bd 7a 6e

Recommended

Csdfsadf
CsdfsadfCsdfsadf
CsdfsadfAtul Setu
 
C
CC
CAnuja Lad
 
C
CC
CKhan Rahimeen
 
C Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comC Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comM-TEC Computer Education
 
Os lab final
Os lab finalOs lab final
Os lab finalLakshmiSarvani6
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Mouse programming in c
Mouse programming in cMouse programming in c
Mouse programming in cgkgaur1987
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial javaTpoint s
 

Recommended

Csdfsadf
CsdfsadfCsdfsadf
CsdfsadfAtul Setu
 
C
CC
CAnuja Lad
 
C
CC
CKhan Rahimeen
 
C Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comC Programming Tutorial - www.infomtec.com
C Programming Tutorial - www.infomtec.comM-TEC Computer Education
 
Os lab final
Os lab finalOs lab final
Os lab finalLakshmiSarvani6
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Mouse programming in c
Mouse programming in cMouse programming in c
Mouse programming in cgkgaur1987
 
C programming language tutorial
C programming language tutorial C programming language tutorial
C programming language tutorial javaTpoint s
 
Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Emilio Coppa
 
Introduction to c
Introduction to cIntroduction to c
Introduction to camol_chavan
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdfTigabu Yaya
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical fileAnkit Dixit
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - englishJen Yee Hong
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
Structures-2
Structures-2Structures-2
Structures-2arshpreetkaur07
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxjzyNick
 
srgoc
srgocsrgoc
srgocGaurav Singh
 
UNIT-II CP DOC.docx
UNIT-II CP DOC.docxUNIT-II CP DOC.docx
UNIT-II CP DOC.docxJavvajiVenkat
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manualSami Said
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxwkyra78
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...PVS-Studio
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbsSystem Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbsashukiller7
 
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfPARNIKA GUPTA
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)PARNIKA GUPTA
 

More Related Content

Similar to Cypherock Assessment (1).pdf

Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Emilio Coppa
 
Introduction to c
Introduction to cIntroduction to c
Introduction to camol_chavan
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdfTigabu Yaya
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical fileAnkit Dixit
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - englishJen Yee Hong
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxjzyNick
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manualSami Said
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysPriyanka Aash
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxwkyra78
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...PVS-Studio
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbsSystem Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbsashukiller7
 

Similar to Cypherock Assessment (1).pdf (20)

Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)Symbolic Execution (introduction and hands-on)
Symbolic Execution (introduction and hands-on)
 
Introduction to c
Introduction to cIntroduction to c
Introduction to c
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
C_and_C++_notes.pdf
C_and_C++_notes.pdfC_and_C++_notes.pdf
C_and_C++_notes.pdf
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
Structures-2
Structures-2Structures-2
Structures-2
 
ASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptxASE2023_SCPatcher_Presentation_V5.pptx
ASE2023_SCPatcher_Presentation_V5.pptx
 
srgoc
srgocsrgoc
srgoc
 
UNIT-II CP DOC.docx
UNIT-II CP DOC.docxUNIT-II CP DOC.docx
UNIT-II CP DOC.docx
 
Lex tool manual
Lex tool manualLex tool manual
Lex tool manual
 
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-daysHow Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
How Automated Vulnerability Analysis Discovered Hundreds of Android 0-days
 
Program Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docxProgram Assignment Process ManagementObjective This program a.docx
Program Assignment Process ManagementObjective This program a.docx
 
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ..."Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
"Why is there no artificial intelligence yet?" Or, analysis of CNTK tool kit ...
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbsSystem Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
System Calls.pptxnsjsnssbhsbbebdbdbshshsbshsbbs
 

More from PARNIKA GUPTA

INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfPARNIKA GUPTA
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)PARNIKA GUPTA
 
IISC CPDM Task 2 Report
IISC CPDM Task 2 ReportIISC CPDM Task 2 Report
IISC CPDM Task 2 ReportPARNIKA GUPTA
 
IISC CPDM Task 1 Report
IISC CPDM Task 1 ReportIISC CPDM Task 1 Report
IISC CPDM Task 1 ReportPARNIKA GUPTA
 
Remote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardousRemote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardousPARNIKA GUPTA
 
Beam forming- New Technology
Beam forming- New TechnologyBeam forming- New Technology
Beam forming- New TechnologyPARNIKA GUPTA
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesPARNIKA GUPTA
 
Human Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language TranslationHuman Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language TranslationPARNIKA GUPTA
 
GIS application in Defense
GIS application in DefenseGIS application in Defense
GIS application in DefensePARNIKA GUPTA
 
Transceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalinkTransceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalinkPARNIKA GUPTA
 
HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)PARNIKA GUPTA
 
HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018) HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018) PARNIKA GUPTA
 

More from PARNIKA GUPTA (12)

INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdfINTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
INTEGRATION_ASPECTS_OF_TELEMETRY_SYSTEM_FOR_A_SURVEILLANCE_UAV.pdf
 
Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)Swadeshi Microprocessor Quiz 2020 (Start-up India)
Swadeshi Microprocessor Quiz 2020 (Start-up India)
 
IISC CPDM Task 2 Report
IISC CPDM Task 2 ReportIISC CPDM Task 2 Report
IISC CPDM Task 2 Report
 
IISC CPDM Task 1 Report
IISC CPDM Task 1 ReportIISC CPDM Task 1 Report
IISC CPDM Task 1 Report
 
Remote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardousRemote sensing and gis based identification of hazardous
Remote sensing and gis based identification of hazardous
 
Beam forming- New Technology
Beam forming- New TechnologyBeam forming- New Technology
Beam forming- New Technology
 
LoRa application for detecting the harmful gases
LoRa application for detecting the harmful gasesLoRa application for detecting the harmful gases
LoRa application for detecting the harmful gases
 
Human Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language TranslationHuman Computer Interface Glove for Sign Language Translation
Human Computer Interface Glove for Sign Language Translation
 
GIS application in Defense
GIS application in DefenseGIS application in Defense
GIS application in Defense
 
Transceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalinkTransceiver System requirement specifications for 20 km range UAV video datalink
Transceiver System requirement specifications for 20 km range UAV video datalink
 
HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)HAPTIC SUIT- Project Report(2018)
HAPTIC SUIT- Project Report(2018)
 
HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018) HAPTIC SUIT presentation (2018)
HAPTIC SUIT presentation (2018)
 

Recently uploaded

Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 

Recently uploaded (20)

Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 

Cypherock Assessment (1).pdf

  • 1. Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Objective: The objective of this task is to assess your ability to work with Python tools, C programming, Computer Architecture, and apply side channel analysis and fault injection techniques to uncover a hidden flag embedded within an ELF file compiled for an STM32 processor. You will use the Lascar and Rainbow tools from Ledger's repository to analyze the binary and retrieve the hidden flag. Requirements: 1. Proficiency in Python programming. 2. Basic understanding of side channel analysis and fault injection concepts. 3. Familiarity with ELF file format and embedded systems. Task Description: Setup and Familiarization: 1. Clone the Ledger's repository containing Lascar and Rainbow tools. 2. Install the necessary dependencies and set up the environment as per the provided documentation. 3. Review the documentation and examples to understand how Lascar and Rainbow tools are used for side channel analysis and fault injection. Binary Analysis: 1. You will be provided with an ELF file compiled for an STM32 processor. 2. Study the provided stubbed source code for the binary to understand its functionality and potential vulnerabilities. Side Channel Analysis/ Fault Injection: 1. Choose a specific side channel analysis technique or fault injection technique based on your analysis of the binary. 2. Implement the chosen technique using Lascar or Rainbow tools to extract information from the binary. 3. Document your approach, code snippets, and any findings from the side channel analysis. 4. Provide a detailed explanation of your fault injection methodology, along with relevant code snippets and observations. Flag Retrieval: 1. Apply the insights gained from side channel analysis and fault injection to uncover the hidden secret embedded within the binary. 2. Document the process you followed to successfully retrieve the secret. 3. Provide the extracted secret as proof of completion.
  • 2. Evaluation Criteria: You will be evaluated based on the following criteria: 1. Understanding of side channel analysis and fault injection concepts. 2. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 3. Explanation of the approach taken. 4. Successful retrieval of the hidden flag. Submit all scripts, analysis, images, documentation in form of a zip file directly to Cypherock. Cypherock Assessment Title: Embedded Security Analysis Task: Side Channel Analysis and Fault Injection Understanding of side channel analysis and fault injection concepts Side channel analysis According to my understanding the side channel analysis methods are utilized to find out the potential unintentional leaked information through physical implementations that may provide some information to get into a system. Fault injection Fault injection techniques are used to exploit a system's design vulnerabilities. This helps the developer understand the potential system crash and faults. Proficiency in understanding the assignment and applying conceptual knowledge in practice. 1. Downloaded the lascar and rainbow repos 2. Went through the examples about elf file and also checked their object dump.
  • 3. 3. In each example I checked how the binary files are being analyzed 4. In lascar, read the trace and batch containers generation, their filtering and various processing applied over them to get the keys 5. In rainbow, read the leakage and fault models 6. Tried applying the hamming model to detect the leakage in the file Explanation of the approach taken. 1. File Analysis a. Checked the elf file structure: In readelf.txt b. Checked the given arm elf file object dump; In objdump.txt c. Findings in the disassembled code: i. Only .text had executable permissions ii. Found out the sections and functions used in the file and the entry point that was in the iii. In objdump few key words like pin, secret, key etc in recursive mutex function in .data section:
  • 4. iv. From the entry point tracked where the code is started and where it is going to end
  • 5. 2. Decompiled file analysis a. Setup Ghidra b. Found the entered_pin and secret_output variables 3. Tried creating a fault on HAL_GPIO_EXTI_Callback with the entered_pin=”0xd9”, but did not work #!/usr/bin/env python3 # UINT aes(UCHAR Mode, STRUCT_AES* struct_aes, const UCHARp key, const UCHARp input, UCHARp output, const UCHARp random_aes, const UCHARp random_key) # aes( 0xb, ...) import numpy as np from visplot import plot from binascii import hexlify from rainbow import TraceConfig, HammingWeight, Print
  • 6. from Crypto.Cipher import AES from rainbow.generics import rainbow_arm def f_aes(e, key, input_): e.reset() # mode : 0xb = MODE_ENC | MODE_AESINIT_ENC | MODE_KEYINIT e['r0'] = 0xb # struct_aes struct_aes_p = 0xcafe0000 e[struct_aes_p] = 0 # struct is huge so we need to map another page e[struct_aes_p + e.PAGE_SIZE] = 0 e['r1'] = struct_aes_p # key key_p = 0xcafe1000 e[key_p] = key e['r2'] = key_p # input input_p = 0xcafe2000 e[input_p] = input_ e['r3'] = input_p # output output_p = 0xdead0000 e[output_p] = 0 # ARM calling convention : 4th+ parameter is on stack e[e['sp']] = output_p # rest stays to 0 e.start(e.functions['HAL_GPIO_EXTI_Callback'] | 1, 0) if e['r0']: print('ERROR !') res = e[output_p:output_p + 16]
  • 7. aes_c = AES.new(key, AES.MODE_ECB) ref = aes_c.encrypt(input_) if ref != res: print("Nope :") print(hexlify(res)) print(hexlify(ref)) return res import secrets def randbytes(n): return secrets.token_bytes(n) if __name__ == "__main__": e = rainbow_arm(print_config=Print.Code | Print.Functions, trace_config=TraceConfig(register=HammingWeight())) e.load('stm.elf') e.setup() return_addr = 0 # map it to prevent an unmapped fetch exception e[return_addr] = 0 key = b"xd9" * 16 traces = [] for i in range(5): print(".", end='') f_aes(e, key, randbytes(16)) traces.append(np.fromiter(map(lambda event: event["register"], e.trace), dtype=np.float32)) traces = np.array(traces) traces += np.random.normal(0, 1, size=traces.shape) v = plot(traces, dontrun=True) v.multiple_select(0) v.run()
  • 8.
  • 9. 4. Tried making doing the pin fault on main function, was able to found 1 fault i.e. when the key matched to the original one #!/usr/bin/env python3 import numpy as np from rainbow import HammingWeight, TraceConfig from rainbow.devices.stm32 import rainbow_stm32f215 as rainbow_stm32 from rainbow.fault_models import fault_skip from rainbow.utils.plot import viewer # Pick any reference pin (STORED_PIN) and a different input pin # Goal is to make 'storage_containsPin' function return a non-null # value, which would mean the code executes as if the user PIN # was correct although it was not STORED_PIN = "1874" INPUT_PIN = "0000"
  • 10. print("Setting up emulator") e = rainbow_stm32() e.load("stm.elf") e.setup() def result(u): """ Test whether execution was faulted """ return u['r0'] != 0 and u['pc'] == 0xaaaaaaaa # as in the side-channel example, this is the location of the reference # pin in Flash e[0x08008110 + 0x189] = bytes(STORED_PIN + "x00", "ascii") # Pick any address for the input pin... e[0xcafecafe] = bytes(INPUT_PIN + "x00", "ascii") N = 57 total_faults = 0 total_crashes = 0 fault_trace = [0] * N crash_trace = [0] * N print("Loop on all possible skips") print("r0 should be 0 at the end of the function if no fault occurred") for i in range(1, N): e.reset() # The first fault might not actually work depending # on the value of r5 when calling. Remove comment to observe # e['r5'] = 0x60000000 e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa pc = 0 try:
  • 11. # Run i instruction, then inject skip, then run pc = e.start_and_fault(fault_skip, i, e.functions['main'], 0xaaaaaaaa, count=100) except RuntimeError: # Fault crashed the emulation total_crashes += 1 crash_trace[i] = 1 d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] print("crashed") continue except IndexError: pass # Print current instruction d = e.disassemble_single(pc, 4) e.print_asmline(pc, d[2], d[3]) pc += d[1] if result(e): # Successful fault total_faults += 1 fault_trace[i] = 1 print(" <-- r0 =", hex(e['r0']), end="") print(f"n=== {total_faults} faults found ===") print(f"=== {total_crashes} crashes ===") # get an 'original' side channel trace e = rainbow_stm32(trace_config=TraceConfig(register=HammingWeight(), instruction=True)) e.load("stm.elf") e.setup() e['r0'] = 0xcafecafe e['lr'] = 0xaaaaaaaa e.start(e.functions['main'], 0xaaaaaaaa)
  • 12. trace = np.array([event["register"] for event in e.trace if "register" in event], dtype=np.uint8) fault_trace = trace.max() - np.array(fault_trace, dtype=np.uint8)[:trace.shape[0]] * trace.max() viewer([event["instruction"] for event in e.trace], np.array([trace, fault_trace]))
  • 13. Retrieval of the hidden flag. Entered pin = 0xd9 Secret output = 0xda // Online C compiler to run C program online #include <stdio.h> int main() { // Write C code here printf("Hello worldn"); unsigned char entered_pin = 0xd9; unsigned char DAT_20000451 = 0x62; unsigned char DAT_20000452 = 0x39; unsigned char DAT_20000453 = 0; unsigned char DAT_20000454 = 0xcc; unsigned char DAT_20000455 = 0xcc; unsigned char DAT_20000456 = 0x99; unsigned char bVar1, DAT_20000457; bVar1 = DAT_20000457 == 0x66; if (1) { unsigned char secret_output = (entered_pin ^ 0xde) - 0x2d;
  • 14. unsigned char DAT_20000459 = (DAT_20000451 ^ 0xad) - 0x24; unsigned char DAT_2000045a = (DAT_20000452 ^ 0xbe) - 0xd; unsigned char DAT_2000045c = (DAT_20000454 ^ 0xfe) + 0xb3; unsigned char DAT_2000045b = (DAT_20000453 ^ 0xef) - 0x16; unsigned char DAT_2000045d = (DAT_20000455 ^ 0xed) + 0x9c; unsigned char DAT_2000045e = (DAT_20000456 ^ 0xfa) + 0x17; unsigned char DAT_2000045f = (DAT_20000457 ^ 0xce) + 99; printf("%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x", entered_pin, DAT_20000451, DAT_20000452, DAT_20000453, DAT_20000454, DAT_20000455, DAT_20000456, DAT_20000457, secret_output, DAT_20000459, DAT_2000045a, DAT_2000045b, DAT_2000045c, DAT_2000045d, DAT_2000045e, DAT_2000045f); } return 0; } Output (16 bit Key): d9 62 39 0 cc cc 99 c5 da ab 7a d9 e5 bd 7a 6e