Changes

Tutorial B3-1 Timing Analysis with Power for Password Bypass

705 bytes removed, 18:52, 10 October 2018
no edit summary
== Manual Communications with the Target ==
If you still have ChipWhisperer-Capture set up from when you programmed the target, you can skip straight to the ''Tools --> Terminal'' step below; otherwise run ''connect_cwlite_simpleserial.py'' and the ''setup_*.py'' script relevant to your target, as in the first steps.
<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Start ChipWhisperer-Capture.</li>
<li>Under the ''Python Console'' tab, find the ''connect_cwlite_simpleserial.py'' script and double-click it.</li>
<li>Check there are no errors on the connection.</li>
<li>Under the ''Python Console'' tab, find the ''setup_cwlite_xmega.py'' script and double-click it.</li>
<li>Both the Target &amp; Scope should switch to ''CON'' and be shown as green circles.</li>
<li>Using the programming tool (such as the XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li><p>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:</p><blockquote><p>[[File:Termconn.png|image]]</p></blockquote></li>
<li><p>At this point we need to reset the target device. The easiest way to do this is to use the programmer interface and press the ''Check Signature'' or ''Read Signature'' button; the target is reset as part of the signature read operation. If your target doesn't have a programmer in ChipWhisperer-Capture, you can manually toggle the reset pin, which is typically the ''nrst'' pin. You should see some messages come across the terminal emulator window:</p><blockquote><p>[[File:Checksig_print.png|image]]</p></blockquote><dl><dt>Note a few warnings about the terminal emulator:</dt><dd><ul><li>The on-board buffer is fairly small and can be easily overflowed. You may notice a few longer lines become truncated if printing is too fast!</li><li>You can uncheck &quot;Show non-ASCII as hex&quot; to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex value of the newline character. Many protocols use non-ASCII characters, so to help with debugging this option is left enabled by default.</li></ul></dd></dl></li>
<li><p>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.</p><blockquote><p>'''tip'''</p><p>In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have the ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilities. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and we will use that knowledge to break the system in general.</p></blockquote></li>
<li><p>Using the terminal emulator, type the correct password in and press <code>&lt;enter&gt;</code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:</p><p>[[File:Passok.png|image]]</p></li>
<li>The system enters an infinite loop after any password entry. Thus you must reset the system: use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li>
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li>
</ol>
== Recording Power Traces ==
<ol style="list-style-type: decimal;">
<li>Scroll down the list of scripts, and you'll find one labeled "aux_reset_cw1173.py". This script has the simple function of attempting to reset the XMEGA device using the programmer. If you're not using the XMEGA target, you'll need to edit the script to use the ''nrst'' pin instead of ''pdic'':
<br>
[[File:auxreset_test1.png|600px]]</li>
</ol>
== Performing the Timing Attack ==
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.
 
If you're comfortable with Python scripting, you may want to use a standalone script utilizing ChipWhisperer's Python module. See [[Making Scripts]] for examples on recording and interacting with traces.
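To make concrete what the script above will be looking for in the power traces, here is an added Python example that is not part of the tutorial or of ChipWhisperer's own code. It models the early-exit, byte-by-byte password check in plain software and reports a constructed <code>cycles</code> figure that stands in for how far a power trace gets before the fail branch is taken. Beside it is the constant-time comparison a firmware author should use instead, and a leak test that tells the two apart, which is also how you would verify a fix. The names <code>leaky_check</code>, <code>constant_time_check</code> and <code>timing_leaks</code> are hypothetical, and no hardware is involved.

```python
"""Software model of the timing leak the tutorial measures, plus the fixed check (added example)."""
import hmac
import itertools
from typing import Callable, Tuple

# Tutorial password, used only inside this constructed software model.
SECRET = "h0px3"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def leaky_check(attempt: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Byte-wise compare that stops at the first mismatch, the style of check
    the tutorial's basic-passwdcheck firmware uses.

    Returns (ok, cycles). 'cycles' is a constructed stand-in for how far the
    power trace gets before the fail branch is taken: one unit per character
    compared. The more leading characters match, the longer the trace."""
    cycles = 0
    for a, s in itertools.zip_longest(attempt, secret, fillvalue="\0"):
        cycles += 1
        if a != s:
            return False, cycles  # early exit: this is the leak
    return True, cycles


def constant_time_check(attempt: str, secret: str = SECRET) -> Tuple[bool, int]:
    """Hardened version: always does the same amount of work regardless of
    where (or whether) the attempt differs from the secret."""
    padded = attempt.ljust(len(secret), "\0")[: len(secret)]
    ok = hmac.compare_digest(padded.encode(), secret.encode())
    ok = ok and len(attempt) == len(secret)
    return ok, len(secret)  # fixed cost, independent of the attempt


def timing_leaks(check: Callable[[str], Tuple[bool, int]]) -> bool:
    """Leak test: submit every single-character attempt and see whether the
    measured cost differs between candidates. A check whose timing does not
    depend on the input yields one identical measurement for all of them."""
    costs = {check(c)[1] for c in ALPHABET}
    return len(costs) > 1


if __name__ == "__main__":
    for name, fn in (("leaky_check", leaky_check),
                     ("constant_time_check", constant_time_check)):
        print(f"{name}: leaks timing = {timing_leaks(fn)}")
```

Running the module reports <code>True</code> for the early-exit check and <code>False</code> for the constant-time one: with the leaky routine, the single attempt whose first character matches the secret costs one unit more than every other candidate, which is exactly the difference the tutorial goes on to read out of the captured power traces.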
=== Scripting the Setup ===