![Page 1: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/1.jpg)
How the analysis of electrical current consumption of embedded systems could lead to code reversing ?
“Code extraction via Power analysis”focus on Embedded systems
Yann ALLAIN / Julien MOINARD
![Page 2: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/2.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 3: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/3.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 4: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/4.jpg)
WHO WE ARE?
• From France– @OPALE SECURITY Company– IT Security & Embedded System Security
• Yann ALLAIN – 18 Years in IT security and electronic industry– Former CSO of application domain for an Hotel company– CEO and Owner of OPALE SECURTY
• Julien MOINARD – Electronic specialist– In charge of most technical implementation regarding this research
![Page 5: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/5.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 6: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/6.jpg)
Research context
• Embedded system Audit ?
• It’s all about to find a way to access inside the system without the privilege to do that !
• With or without Physical access
• Through the IP interfaces (Web Service exposed, TCP service, etc…)
![Page 7: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/7.jpg)
Research context
• Auditors could focus on Ethernet Access, web interfaces, …
![Page 8: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/8.jpg)
Research context
• Auditors could try to open the ‘box’–Defeating anti tampering system–Teardown–Accessing Electronic circuit–Dumping Firmware, analyze it…etc
![Page 9: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/9.jpg)
Research context
• But …. an existing access is always available
• The Power line connectors!
![Page 10: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/10.jpg)
Research context
As security auditors, may we use this access to do
something ?
![Page 11: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/11.jpg)
In fact,
• We want to
“extract the code executed on an embedded system
from its current/power consumption ?”
(≈ from the Power connector…)
![Page 12: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/12.jpg)
Our wishlist
• Be pragmatic• Keep it simple • No math and complex stuff• Cheap approach (as much as possible)• Don’t re invent the wheel
![Page 13: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/13.jpg)
Existing research on this area?
![Page 14: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/14.jpg)
Existing research on this area?
• Yes…(many!) but with different goals
• Power analysis technics (DPA, SPA) and researchers seems to focus only on extracting the cipher keys of sensitive device (Crypto system, Credit Card…)
![Page 15: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/15.jpg)
Existing research on this area?
• We want more than some cipher keys….
• We want to extract the code via Power Analysis methods
• We are looking for Instructions & Data without opening the box!
![Page 16: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/16.jpg)
Existing research on this area?
• Few papers related to code extraction via Power analysis
• We only find 3 available papers using the power consumption to find instructions
– Identification of instructions managed by a PIC (Thomas Eisenbarth, http://math.fau.edu/~eisenbarth)
– Discovery of information on the encryption keys (Valette ,http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lcr/dalemuva05.pdf)
– Example adapted to JAVACARDS (Vermoen, http://ce.et.tudelft.nl/publicationfiles/1162_634_thesis_Dennis.pdf)
Cool ! . ..but researcher only focus on finding intructions…we
need to access to Data also…(But great Paper!)
Some chapters dedicated to our goals but no so much
information disclosed (Gouv.fr closed to ‘sort of’ military
domain ?...)
Too specific : Javacards
![Page 17: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/17.jpg)
Existing research on this area?
• But these publications are full of mathematical formulae
• which is more or less complex (from our point of view!)
• Not for us…. ;-)
![Page 18: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/18.jpg)
Extract de code!? How?
Question
• What is the link between the power consumption and instruction and data executed ?
(@ Hardware Level)
![Page 19: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/19.jpg)
Extract de code!? How?
Answer
• A fondamental and basic electronic component….• Used everywhere !• Please gentlemen welcome to, our
friends :
![Page 20: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/20.jpg)
Extract de code!? How?
Answer
Transistors
![Page 21: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/21.jpg)
Extract de code!? How?
How we can extract the code from transistors!?
We need some electronic 101 information
![Page 22: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/22.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 23: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/23.jpg)
Electronic 101
• Embedded systems are (could be) composed of microcontrollers (µC) that contain :
– MEMORIES (Ram, Rom,..)– ALU (Arithmetic logic Unit)– TIMER (Counter)– SERIAL INTERFACES– I/O BUS (Latch )
![Page 24: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/24.jpg)
Electronic 101
• Each basic functions included in µC are designed @electronic level with transistors
• For example , see how a “NAND” is designed @electronic level (simplification view of)
Logical view
Electronic view (used only few transistors)
Physical Electric signal associated
![Page 25: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/25.jpg)
Electronic 101
• When a transistor “process” a bit @ physical level (Current, Voltage) , it “commutes”
• Transistor = sort of digital switch
![Page 26: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/26.jpg)
Electronic 101
• When a Transistor “commutes”, there is a current peak !
• Let see what going on in practice (Labs…)
![Page 27: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/27.jpg)
Electronic 101
• Labs #1 – Hardware stuff
![Page 28: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/28.jpg)
Electronic 101
• Labs #1– One Transistor !
![Page 29: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/29.jpg)
Electronic 101
• Labs #1 – On each transition current peak !
![Page 30: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/30.jpg)
Electronic 101
• Labs #1 – Zoom inZoom of current peak !
![Page 31: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/31.jpg)
With more than one Transitor
µC/FPGA based embedded system used a lot of transitors
![Page 32: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/32.jpg)
µC used a lot of Transitors
• µCs circuit implement more than 100K to 10M transistors @ Hardware level
• Each Time a transistor “process” a bit, there is a current peak
• All transistors are linked to the power line• All current peaks will be ‘send’ to the power line (due to
Physical law regarding current inside electronic connection)
We use this “physical feature” to link the power consumption with bits processed
![Page 33: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/33.jpg)
AGENDA
• Who We Are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 34: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/34.jpg)
Proof of concept
• How to move from one bit grabbed (step1) to a set of data & instructions code (step2) with our approach ?
• We have designed a proof of concept tool to analyze the electrical current consumption of embedded systems to extract the code it executes
![Page 35: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/35.jpg)
Proof of concept
• We need to acquire more bits…via a current consumption analysis
• “Acquiring current consumption” : How?
![Page 36: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/36.jpg)
Proof of concept
• What we need : A “homemade” embedded system (the target…)
• Based on PIC18F4620 µC
![Page 37: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/37.jpg)
Proof of concept
– What we need : An Agilent oscilloscope for acquiring current consumption • AGILENT Dso3024a
![Page 38: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/38.jpg)
Proof of concept
– What we need : A programmer /Debugger (Microchip Real Ice)
![Page 39: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/39.jpg)
Proof of concept
• What we need : A current probe– Very expensive Professional tools (magnetic or
electromagnetic current probe ) > 400$ each Or – a simple resistor which cost less than 1 $
– We choose the resistor !
![Page 40: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/40.jpg)
Proof of concept
• What we need : A bit of software– Homemade code (VB.NET…sorry ) used to
control and pilot the oscilloscope– The code used the Standard protocol: VISA COM
3.0 – It’s a Free Library that let us communicate with
agilent oscilloscope with simple set of commands• Get data measurement, Launch voltage or current
acquisition process, Send numerical value of current acquired,…
![Page 41: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/41.jpg)
Proof of concept
• What we need : A GUI
Command/Data
GUI of our Proof of concept tool
![Page 42: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/42.jpg)
Proof of concept
• Our acquisition chain looks like that :
![Page 43: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/43.jpg)
Proof of concept
• In practice, it looks like that…
![Page 44: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/44.jpg)
How we proceed to grab the current and extract the code?
PC 1
Programmer
Embedded System
Embedded system is
Ready to use
Step 1 send a dummy code to µC
![Page 45: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/45.jpg)
Proof of concept
PC 2 (Lab machine)
Embedded System with probes
Step 2 , In lab
Oscilloscope (Measure)
Current Consumption
Our tool try to find instruction & data executed from the
current consumption
![Page 46: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/46.jpg)
AGENDA
• Who We Are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Our experiments• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 47: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/47.jpg)
Our Experiments
#1: Does the code really impacts the power consumption?
#2: Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences in power analysis?
#3: Why μC’s instructions Pipeline impact current consumption?
#4: How to overcome Pipeline issues for our goals?
#5: Could we create a (sort of) ‘disassembler’ over electricity?
![Page 48: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/48.jpg)
Does the code really impacts the power consumption?
(Experiment #1)
![Page 49: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/49.jpg)
• Result #1 : We have a current consumption related with nop instructions
In Red Current during the executionIn Blue Synchronization signalIn Green Clock embedded system
Does the code really impacts the power consumption?
(Experiment #1)
![Page 50: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/50.jpg)
• Result #1 : Some values of our measurement
–Max Variation of current is around 0.1 mA = 0,0001 A –Low level of variation > difficult to catch
Does the code really impacts the power consumption?
(Experiment #1)
![Page 51: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/51.jpg)
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?
(Experiment #2)
![Page 52: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/52.jpg)
• Note : to limit impacts of parasites, our system take differential analysis
• @First time, we measured the difference between– Current consumption of 4 nop instructions– Current consumption of movlw 0xFF with 3 nop
• @Second time, we measured the difference between– Current consumption of 4 nop instructions– Current consumption of movlw 0x00 with 3 nop
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 53: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/53.jpg)
• Result #2 : Current Trace related to Movlw 0xFF
In Red Difference of currentIn Blue Synchronization signalIn Green Clock embedded system
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 54: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/54.jpg)
• Result #2 : Current Trace related to Movlw 0x00
In Red Difference of currentIn Blue Synchronization signalIn Green Clock embedded system
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 55: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/55.jpg)
• Result #2 : We have a correlation between different value of data and amplitude of current consumption
MOVLW 0xFFMOVLW 0x00
Encoding of the movlw 0x00 instruction 0000 1110 0000 0000
Encoding of the movlw 0xFF instruction 0000 1110 1111 1111
More bits transitions (1 to 0 or 0 to 1) -> More current
consumption !
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 56: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/56.jpg)
• In fact,the current value measured depend on the hamming weight groups of the data & instruction processed
• Example below (0x24 is in a hamming group of 2)
Hamming Group
Number of instruction or data value by hamming groups
0 11 82 283 564 705 566 287 88 1
0 0 1 0 0 1 0 0
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 57: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/57.jpg)
• The hamming weight groups limits!
Description Instruction Coding instruction Instruction Hamming WeightNo Operation NOP 0000 0000 0
Multiply W with f MULWF 0000 0010 1
Subtract W from Literal SUBLW 0000 1000 1
Negate f NEGF 0110 1100 4
Move W to f MOVWF 0110 1110 5
Move Literal to W MOVLW 0000 1110 3
Set f SETF 0110 1000 3
Some instructions have the same Hamming weight (Collision) so we aren’t able to differentiate MOVLW and SETF for example. It’s a limit of our analyze.
Do a MOVLW 0xFF & a MOVLW 0x00 lead to measurable differences
in power analysis?(Experiment #2)
![Page 58: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/58.jpg)
Why μC’s instructions Pipeline impact current consumption?
(Experiment #3)
![Page 59: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/59.jpg)
• Back to the current graph…
MOVLW 0x00
• But why we have two overshoots of current when the code only have one instruction that has been changed ?
MOVLW 0xFF
Why μC’s instructions Pipeline impact current consumption?
(Experiment #3)
![Page 60: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/60.jpg)
• BECAUSE, there is a decoding instruction Pipeline inside μC– Pipeline is designed to speed up the instruction
decoding process– Pipeline are used by almost μC manufturers
C1 C2 C3 C4
DecodingRead data here 0x00
(movlw 0x00)
ALU Calculation
ALU write the word in
registers
Why μC’s instructions Pipeline impact current consumption?
(Experiment #3)
![Page 61: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/61.jpg)
• Influence of Pipeline
Pipeline is not our friend because the current consumption of next instruction depend of previous instructions.
Why μC’s instructions Pipeline impact current consumption?
(Experiment #3)
![Page 62: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/62.jpg)
How to overcome Pipeline issues for our goals?
(Experiment #4)
![Page 63: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/63.jpg)
• The main idea is use the principal of pre-calculated hash table
• The idea is to memorize a signature of electricity consumption for each pair of consecutive instructions in an exhaustive way. The idea is to create a sort of dictionary.
• We can now compare the current consumption of any (uncontrolled) executed code with the dictionary
How to overcome Pipeline issues for our goals?
(Experiment #4)
![Page 64: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/64.jpg)
• Generation of the dictionaryPC 2
(Lab machine)Embedded System
Our tool grabs measures
A current consumptionIs measured for each
pair of instruction
Programmer
And create and save dictionary
Send a code with 2 instructions and
data with a specifichamming code
Nop+movlw 0x1, Nop+movlwx0x3…
How to overcome Pipeline issues for our goals?
(Experiment #4)
![Page 65: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/65.jpg)
• One button in our GUI
How to overcome Pipeline issues for our goals?
(Experiment #4)
How to overcome Pipeline issues for our goals?
![Page 66: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/66.jpg)
Could we create a (sort of) ‘disassembler’ over electricity?
(Experiment #5)
![Page 67: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/67.jpg)
• We will try to find an instruction and data
• On PC 1, We sent to microcontroller a program with a movlw 0x57 (example)
Could we create a (sort of) ‘disassembler’ over electricity?
(Experiment #5)
![Page 68: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/68.jpg)
•On PC2, we use our tool to find instructions & data
Could we create a (sort of) ‘disassembler’ over electricity?
(Experiment #5)
![Page 69: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/69.jpg)
•Result of the acquiring process with our tool•Perfect, the instruction was found !
MOVLW 0x57
Could we create a (sort of) ‘disassembler’ over electricity?
(Experiment #5)
![Page 70: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/70.jpg)
•Video demo
Could we create a (sort of) ‘disassembler’ over electricity?
(Experiment #5)
![Page 71: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/71.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 72: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/72.jpg)
Results & Limits• Extracting part of the code with current consumption seems to be a
validated approach
• But limits exist !
• Limited by hamming group / Collision of instructions• Some issues regarding several specific set of instructions:
• Branch and Jump instructions, I/O manipulation instruction, • more than 1 cycle instruction. • The influence on current consumption for those later would be different for sure (further
investigation need to be scheduled!)
•Dictionary imply that our method could only be adapted to reverse the code of embedded system based on well know board or ready to use system (FGPA based board, Development board, Pre designed embedded system board…).
![Page 73: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/73.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 74: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/74.jpg)
Prospective
• We based our approach on current amplitude measurement
• May be , we could add a temporal dimension to our measure to extract more information from the current consumption– Spot when the transistors commute – to be able to make a distinction of what bits is set to 1 (To be
tested soon!)
• We may also measure the electromagnetism waves create by the μC when code is executed
![Page 75: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/75.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 76: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/76.jpg)
How to limit the risk
• Create a complementary current consumption (via soft or hardware) to hide the true power consumption
(source : http://scholar.lib.vt.edu/theses/available/etd-04302007-134556/unrestricted/Thesis.pdf )
• The μC manufacturers must be careful when designing the microcontroller instructions encoding table
![Page 77: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/77.jpg)
AGENDA
• Who we are• Research context & goals• Electronic 101 for Security Guys• Proof of concept (soft, hard, …)• Results & Limits• Further researches (Prospective)• How to limit the risk• Conclusion
![Page 78: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/78.jpg)
Conclusion
• #1: Does the code really impacts the power consumption? -> YES
• #2: Do different instructions & Data could be retrieved via power analysis? -> YES
• #3: Could we create a (sort of) ‘disassembler’ over electricity? -> YES but with limits…
![Page 79: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/79.jpg)
Conclusion
• Cheap approach – 4500$ oscilloscope– 10$ Programmer / Debugger– 2$ Embedded system– 1$ Resistor
• Our code is open source … Download it ! Use it ! Improve it (and send us an update ;-p)
![Page 80: How the analysis of electrical current consumption of embedded systems could lead to code reversing ? “Code extraction via Power analysis” focus on Embedded](https://reader038.vdocument.in/reader038/viewer/2022102923/551bbae7550346b4588b4690/html5/thumbnails/80.jpg)
Q/A?
• To contact us : – Yann.allain @ opale-security.com– Julien.moinard @ opale-security.com