INSIGHTS | October 3, 2011
Category: INSIGHTS
INSIGHTS |
Easy and Quick Vulnerability Hunting in Windows
I’m glad to start this new blog for IOA Labs by publishing the video demonstrations and updated slides of my Black Hat USA 2011 workshop. I hope you like it, please send me your feedback, questions, etc. We will continue posting cool materials from our researchers very soon, keep tuned!
INSIGHTS | March 20, 2011
Blackhat TPM Talk Follow-up
Since speaking at BlackHat DC 2009, there have been several inquiries in regards to the security of the SLE66PE series smartcard family.
Here are some issues that should be pointed out:
We have heard, “..it took 6 months to succeed..“
The reality is it took 4 months to tackle obsticles found in any <200nm device such as:
- Capitance/load of probe needles when chip is running.
- Powering the device inside the chamber of a FIB workstation.
- Level-shifting a 1.8v core voltage following what we learned in #1 above.
- Cutting out metal layers without creating electrical shorts.
- Other more minute issues regarding the physical size of the die.
Upon overcoming the points above, the actual analysis required no more than approximately 2 months time.
In addition, these techniques listed above apply to all devices in the <200nm category (SecureAVR, SmartMX, ST21, ST23).
We have heard, “…you said the Infineon SLE66 was the best device out there in the market…“
The Infineon SLE66PE is a very secure device however, it (as do it’s competitors) all have their strengths and weaknesses.
Some examples of weaknesses are
- Layout of all Infineon SLE50/66 ‘P’ or ‘PE’ are very modular by design
- Lack of penalty if active shield is opened
- Begin runtime from a CLEAR (unencrypted) ROM which is ‘invisible’ to the user
- CPU core is based on a microcode/PLA type implementation
- Power-on-reset always begins running from the externally supplied clock
- Current design is based on a previous 600nm version designed around 1998
- 3 metal layer design for “areas of interest” (4th layer is the active shield)
Some examples of strengths are:
- ‘PE’ family used bond-pads located up the middle of the device.
- ROMKey must be loaded before begin attacked (else you just see their clear ROM content).
- MED is quite powerful if used properly for EEPROM content.
- Mesh is consistent across the device and divided into sections.
- Auto-increment of memory base address.
- Mixing of physical vs. virtual address space for MED / memory fetch.
No device is perfect. All devices have room for improvement. Some things to consider when choosing a smartcard are:
- Does CPU ever run on external clock?
- What is the penalty for an active-shield breach?
- What is the fabrication process geometry?
- How many metal layers is the device?
- List of labs who might have evaluated this device and their capabilities.
Lastly, just because the device has been Common Criteria certified does not mean much to an attacker armed with current tools. This is a common-oversight.
There is an ST23 smartcard device which has recently been certified EAL-6+ and the device has an active-shield with almost 1 micron wide tracks and a 1-2 micron spacing!!! This makes a person scratch there head and say, “WTH????”
We have some new content to post soon on the blog. Be sure and tune in for that. We will tweet an alert as well.
INSIGHTS | August 9, 2010
Atmel ATMEGA2560 Analysis (Blackhat follow-up)
At this years Blackhat USA briefings, the ATMEGA2560 was shown as an example of an unsecure vs. secure device. We have received a few requests for more information on this research so here it goes…
The device did not even need to be stripped down because of designer lazyness back at Atmel HQ. All we did was look for the metal plates we detailed back in our ATMEGA88 teardown last year and quickly deduced which outputs were the proper outputs in under 20 minutes.
Atmel likes to cover the AVR ‘important’ fuses with metal plating. We assume to prevent the floating gate from getting hit with UV however the debunk to this theory is that UV will SET the fuses not clear them!
For those who must absolutely know how to unlock the device, just click on the, “Money Shot!”
INSIGHTS | August 7, 2010
Parallax Propeller P8X32A Quick Teardown
Parallax has a really neat 8 core 32 bit CPU called the ‘Propeller’. It’s been out for a few years but it is gaining popularity. There is no security with the device as it boots insecurely via a UART or I2C EEPROM. None the less, we thought it was interesting to see an 8 core CPU decapsulated!
One can clearly see 8 columns that appear almost symmetric (except in the middle region). The upper 8 squares are each ‘cogs’ 512 * 32 SRAMs as described in the manual. The middle left 4 and right 4 squares are the ROM’s Parallax describes. The 8 rectangular objects are the 32KB SRAM as described. The 8 cores are basically the 8 columns above the middle ROM’s to include the 512 * 32 SRAMs because they describe each cog as having it’s own 512 * 32 SRAM :).
Last but not least is the logo by Parallax. Nice job Parallax on this beast! We have one favor- implement some flash on the next generation with a security bit ;).
INSIGHTS | August 6, 2010
Echostar v NDS appellate court ruling update
Normally, I would not mix non-technical with the blog however I thought this deserved a little more attention that it has received.
The ruling which states that NDS has won the lawsuit, vindicates myself and puts Echostar owing NDS almost 18,000,000.00 USD has come down as of 2 days ago.
As well I thought it nice to mention that neither Flylogic nor myself works for/or with Echostar, Nagra, NDS or any other conditional access company in any way or form.
I wish all persons whom this lawsuit effects the best (yes even you Charlie),
Christopher Tarnovsky
INSIGHTS | February 14, 2010
Infineon / ST Mesh Comparison
Given all the recent exposure from our Infineon research, we have had numerous requests regarding the ST mesh architecture and how Infineon’s design compares to the ST implementation.
Both devices are a 4 metal ~140 nanometer process. Rather than have us tell you who we think is stronger (it’s pretty obvious), we’d like to see your comments on what you the readers think!
The Infineon mesh consists of 5 zones with 4 circuits per zone. This means the surface of the die is being covered by 20 different electrical circuits.
The ST mesh consists of a single wire routed zig-zag across the die. It usually begins next to the VDD pad and ends at the opposite corner of the die. The other wires are simply GND aka ground fingers. On recent designs, we have caught ST using a few of the grounds to tie gates low (noise isolation of extra, unused logic we believe).
Zooming in at 15,000 magnification, the details of each mesh really begin to show. Where at lower resolutions, the Infineon mesh looked dark and solid but as you can see, it is not.
In the Infineon scheme above, each colored wire is the same signal (4 of them per zone). Each color will be randomly spaced per chip design and is connected at either the top or bottom of the die via Metal 3 inter-connects.
The ST simply has the single conductor labeled in red. All green are the fingers of ground which can be usually cut away (removed) without penalty. The latest ST K7xxx devices have a signal present that appears analog. A closer look and a few minutes of testing proved it to simply need to be held high (logic ‘1’) at the sampling side of the line. Interesting how ST tried to obscure the signal.
Infineon does not permanently penalize you if the mesh is not properly repaired and the device is powered up.
ST will permanently penalize you with a bulk-erase of the non-volatile memory (NVM) areas if the sense line (red) is ever a logic low (‘0’) with power applied (irrelevant of reset/clock condition).
You tell us your opinion what you think security wise.
INSIGHTS | February 12, 2010
We are now on Twitter too!
We probably should have been tweeting (sic?) for some time now but we are finally doing it!
You can join/follow us here: https://x.com/semiconduktor
As well, you can always get to Flylogic through Semiconduktor.com or Semiconduktor.net :).
INSIGHTS | January 13, 2009
Blackhat USA 2009 Poll – Rev Eng Class
During last years Blackhat and Defcon conferences, several individuals asked me about possibly giving classes on the security model of commonly found microcontrollers. Jeff Moss’ group setup a poll here. Given today’s Silicon technology has become so small yet so large, it would be best to determine which architecture and which devices everyone is most interested in. The current poll will determine which brand micro to target (Atmel AVR or Microchip PIC) and after this is decided, we will need more input to narrow the class down to a few devices of the chosen family.
While the classes are not cheap, all participants will learn and understand the chosen targets security model. Armed with such knowledge will help you to understand and recognize potential risks in future design work allowing you to avoid the possibility of compromise (and I suppose this would also enhance job security :). Full mosaic blowups of the targets, decapsulated devices, use of a probe station and all users will “modify” the security model of their devices themselves (unless they ask for some help). I don’t believe such a class has ever been given and seating will be limited per class.
Feel free to comment here but Blackhat really needs the feedback.
Thank you,
-Christopher Tarnovsky
INSIGHTS | September 13, 2008
Reverse-Engineering Custom Logic (Part 1)
Today we are taking you one step deeper into a microchip than we usually go. We look at transistors and the logic functions they compose, which helps us understand custom ASICs now found in some secured processors.
To reverse-engineer the secret functionality of an ASIC, we identify logic blocks, map out the wiring between the blocks, and reconstruct the circuit diagram. Today, we’ll only be looking at the first step: reading logic. And we start with the easiest example of a logic function: the inverter.
To read logic, you first have to find the transistors and decide where Vcc (+) and ground (-) are located. Transistors are easy to spot. They will always look very similar to those two transistors marked in the picture: A rectangle shape with a line in the middle. Vcc is always next to the larger transistors (PMOS) and ground is closer to the smaller ones (NMOS).
Once you identified the transistors, you draw a small circuit diagram that shows how they are connected to each other. In the example, the inputs of the two transistors are connected and so are their outputs on the left side. From this circuit diagram you can read that whatever you assert at the input, the output will be forced to the opposite state — an inverter.
Every gate will follow these basic principles, but vary in the number and constellation of transistors. A 2-NOR gate (Y = !(A|B) ), for instance, is composed of 4 transistors in this setup:
Once you figured out a gate, you can recognize every occurrence of that function on the whole chip because the exact same shape is always used for the same function. Generally, you only need to read a few dozens gates at most to generate a map of functions across whole chip. Get a head start on reading logic and check out the logic gate collection at The Silicon Zoo.
Here is a challenge for you to try (open in GIMP or Photoshop and toggle between the different layers):
