Changes

Tutorial A2 Introduction to Glitch Attacks (including Glitch Explorer)

4,987 bytes added, 15:20, 5 October 2018

→‎Using the Glitch Explorer

{{Warningbox|This ~~advanced~~ tutorial ~~will demonstrate clock glitch attacks using the~~ has been updated for ChipWhisperer ~~system~~4. ~~This will introduce~~ 0.0 release. If you ~~to many required features of~~ are using 3.x.x see the ~~ChipWhisperer system when it comes to glitching. This will be built on~~ "V3" link in ~~later tutorials to generate voltage glitching attacks, or when you wish to attack other targets~~the sidebar.}}

~~You can follow along with this video for details of this page too~~{{Infobox tutorial|name = A2:Introduction to Glitch Attacks (including Glitch Explorer)|image = |caption = |software versions =|capture hardware = CW-Lite|Target Device = |Target Architecture = XMEGA/Arm|Hardware Crypto = No|Purchase Hardware = }} This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.

~~[[File:youtube-glitch~~'''If you're working on an STM32F3/CW303 Arm target, it's recommended that you have the latest updates from the develop branch.~~png|YouTubeGlitch]]_~~Recent firmware changes have made glitching far more reliable.'''

== Background on Clock Glitching ==

Digital hardware devices almost always expect some form of reliable clock. We can manipulate the clock being presented to the device to cause unintended behaviour. We'll be concentrating on microcontrollers here, however other digital devices (e.g. hardware encryption accelerators) can also have faults injected using this technique.

This is the login code for the Linux OS. Note that if we could skip the check of <code>if (uid != 0)</code> and simply branch to the end, we could avoid having to enter a password. This is the power of glitch attacks - not that we are breaking encryption, but simply bypassing the entire authentication module!

== Glitch Hardware ==

The ChipWhisperer Glitch system uses the same synchronous methodology as it's Side Channel Analysis (SCA) capture. A system clock (which can come from either the ChipWhisperer or the Device Under Test (DUT)) is used to generate the glitches. These glitches are then inserted back into the clock, although it's possible to use the glitches alone for other purposes (i.e. for voltage glitching, EM glitching).

[[File:glitchgen-mux.png|frame|none]]

=== Hardware Support ===

The phase shift blocks use the Digital Clock Manager (DCM) blocks within the FPGA. These blocks have limited support for run-time configuration of parameters such as phase delay and frequency generation, and for maximum performance the configuration must be fixed at design time. The Xilinx-provided run-time adjustment can shift the phase only by about +/- 5nS in 30pS increments (exact values vary with operating conditions).

If in the course of following this tutorial you find the FPGA appears to stop responding (i.e. certain features no longer work correctly), it could be the partial reconfiguration data is incorrect.

=== Python GUI Interface ===

The portion of the GUI of interest to us is primarily located in this section:

If the Partial Reconfiguration system has been disabled (due to missing PR files or files differing from the FPGA bitstream) the two fields marked that say (as % of period) will be disabled. Only the fields labeled (fine adjust) will be available.

== Setting up Glitch Example ==

=== Firmware Setup ===For this example, we'll be using the <code>glitch-simple</code> firmware. {{CollapsibleSection|intro = ==== Building for CWLite with XMEGA Target ====|content= Building for XMEGA}}

The glitch examples requires you to program the target device. The software to program is located at <code>chipwhisperer\hardware\victims\firmware\glitch-simple</code> of your ChipWhisperer release or GIT clone. As before, open the <code>Makefile</code> and be sure to uncomment the appropriate target to reflect your hardware:{{CollapsibleSection|intro = ==== Building for CWLite with Arm Target ====|content= Building for Arm}}

~~<pre>#Multi-Target Board, AVR Device (ATMega328P)~~{{CollapsibleSection~~#PLATFORM~~ |intro = ~~CW301_AVR~~==== Building for Other Targets ====|content= Building for Other Targets}}

~~#CW-Lite XMEGA Target Device (XMEGA128D4)~~

~~PLATFORM = CW303</pre>~~

~~You can build the software by running the make command as follows:~~

~~<pre>make</pre>~~

You should also open the file <code>glitchsimple.c</code> which is the source code. The subroutine being glitched in this example looks like this:

return 1;

}</pre>

~~Once the AVR/XMEGA is programmed (see previous tutorials), you may need to setup a few jumpers depending on your hardware.~~

=== Hardware Setup ==={{CollapsibleSection|intro = ==== CW1173 (Lite) Hardware Setup ====|content= CWLite HW Setup}}

{{CollapsibleSection|intro === ~~XMEGA Target~~ == CW1200 (~~CW1173 + CW303~~Pro) Hardware Setup ====|content=CW1200 HW Setup}}

~~The XMEGA target on the ChipWhisperer-Lite requires no configuration. If you have separated the boards, you can attach them with the 20-pin cable.~~{{CollapsibleSection|intro = ==== CW308 (UFO) Hardware Setup ====|content= CW308 HW Setup}}

==== Multi-Target Board, AVR (CW301) ====

The hardware is almost as in previous incarnations. The difference is the 'FPGAOUT' is bridged to the AVR clock. This example will use the CLKGEN feature.

[[File:glitchhw.jpg|image]]

== ~~Software Setup~~ =Programming the Target ==={{CollapsibleSection|intro = === Programming the XMEGA Target ===|content = Programming XMEGA}}{{CollapsibleSection|intro = === Programming the Arm Target ===|content = Programming Arm}}{{CollapsibleSection|intro = === Programming Other Targets ===|content = Programming Other}}

~~<ol style~~=== Software Setup ===~~"list-style-type: decimal;"><li>Connect to the~~ Assuming you still have ChipWhisperer ~~device~~setup as described in the programming step (aka have run connect_simpleserial.py and the setup script for your target), there's only a few modifications we need to make to be able to glitch:~~<blockquote>~~<ol style="list-style-type: decimal;"><li>~~As the ''Scope Module'', select the ''ChipWhisperer/OpenADC'' option~~<~~/li~~p>~~<li>As the ''Target Module'', select the ''Simple Serial'' option</li><li>Switch to the~~ Under ''Scope Settings'' ~~tab~~, ~~and as the~~ change ''~~connection'', select the ''ChipWhisperer Rev2'' or ''ChipWhisperer~~CW Extra Settings>Target HS IO-~~Lite~~Out'' ~~option</li><li>Switch~~ to ~~the~~ ''~~Target Settings~~Glitch Module'' ~~tab,~~ and ~~as the~~ ''~~connection'', select the ''ChipWhisperer Rev2'' or ''ChipWhisperer-Lite'' option</li><li>Run connect on both the Scope & Target. They should both switch to green circles indicating the system is connected.</li></ol></blockquote></li><li>Setup the CLKGEN~~ Glitch Module ~~to Generate a 7.37 MHz clock and route it through the Glitch Generator</p~~>~~<blockquote><ol style="list-style-type: decimal;"><li>Switch the ''Freq Counter Src~~Clock Source'' to ~~the~~ ''CLKGEN ~~Output~~''~~</li><li>Set the ''Desired Frequency'' to 7~~.~~37 MHz. Note you should only adjust~~ This routes the ~~'frequency' portion of this, if you highlight~~ clock source for the ~~entire field you may not be able to type the frequency into~~ microcontroller through the ~~system~~glitch module.</lip>~~<li>Confirm the ''DCM Locked'' checkbox is checked, if not hit the ''Reset CLKGEN DCM'' box. Check the ''Freq Counter'' to ensure the system is correctly generating a 7.37 MHz clock.~~</li><li>~~Under~~ From the ''~~Glitch Module~~Tools'' ~~set the~~ menu, select ''~~Clock Source~~Open Terminal'' as , and press ''~~CLKGEN~~Connect''~~:[[File:glitchgen-clkgen~~on the terminal.~~png|image]]</li><li>Under the~~ This will allow us to see what'~~'Target HS IO-Out'' option select~~ s being sent to and from the ~~''Glitch Module''~~microcontroller:[[File:~~targioout~~Termconn.png|~~image~~frameless|371x371px]]</li>~~</ol></blockquote></li>~~<li>~~Connect~~ Reset the ~~Serial Port<blockquote><ol style="list-style-type: decimal;"><li>For the XMEGA Target (including the CW-Lite integrated target), perform the following:<ol style="list-style-type: lower-alpha;"><li>Switch~~ device. You can do this by going to ~~the~~ ''Scope Settings'' ~~tab,~~ and ~~scroll down to~~ switching ''CW Extra Settings>Target IOn ~~Pins''</li~~GPIO Mode>~~<li>Switch the~~ nRST: GPIO''~~Target IO1~~(or '' ~~to be~~ PDIC: GPIO''~~Serial RXD''</li><li>Switch~~ , for the XMEGA target) to ''~~Target IO2~~Low'' , then back to be ''~~Serial TXD~~Default''~~</li></ol></li><li>From the ''Tools'' menu select ''Open Terminal'~~. If you're using a target that can be programmed from ChipWhisperer, ~~and press~~ running ''~~Connect~~Check Signature'' on from the ~~terminal:<blockquote>[[File:termconn.png|image]]</blockquote></li><li>The baud rate for this system is 38400, which should be the default for the ChipWhisperer serial port.</li><li>Using the target programmer~~ programming window~~, we~~ will ~~use the Read Signature or Check Signature button to~~ also reset the ~~target every time we want to restart the program~~device. ~~Confirm this works by pressing the Read Signature button, for example if using the ChipWhisperer-Lite integrated programmer, you would see this window:~~<p/li>~~[[File:xmegaprog_main.png|image]]~~</pli>~~But if using the external AVR Studio programmer for the ChipWhisperer Capture Rev2, you would~~ You should see ~~this window:[[File:readsig.png|image]]When you press this button~~ text populate the ~~AVR will display the Hello message, which should look something like this~~terminal:[[File:~~termhello~~Termhello.png|~~image~~frameless|506x506px]]~~<blockquote>'''tip'''If you uncheck the ''RX: Show non-ASCII as hex'' you will not see the red text with ASCII values of newline (<code>0a</code>).</blockquote><blockquote>'''hint'''~~Sometimes the "reset" message won't appear. This happens often on the virtual machine version, or if your host computer is slow or loaded. Generally you can ignore this error, for example in the video version the welcome message is never printed. You will just have to trust the system is reseting correctly.</blockquote></li></ol>~~</blockquote~~></li></ol>

We'll now look at glitching this routine. You should inspect the source code to determine that a simple series of calculations are performed:

If the routine works as expected, we would expect it to print <code>250000 500 500</code>. If a glitch interrupts the program flow, we would expect some of those values to be incorrect. This could be because a loop was skipped, an addition done incorrectly, or the program flow was exited unexpectedly.

== Manual Glitch Trigger ==

To begin with, you'll simply use the manual glitch triggering. This works well in the examples where we have a simple loop we are breaking out of. Doing so requires modifying the glitch width and glitch offset experimentally. The exact values will vary for every device and setup.

<li>Adjust the settings for ''Glitch Width (as % of period)'' , ''Glitch Offset (as % of period)'', and ''Repeat'' based on your target and the following table for different targets:

~~<blockquote>~~{|class="wikitable"

! Parameter

! AVR on Multi-Target (CW301)

! CW-Lite XMEGA Board

!CW-Lite Arm Board

|-

| Glitch Width (as % of period)

| 7.5

| 9.5| -10

|-

| Glitch Offset (as % of period)

| -10

| ~~26.6~~-2| -40

|-

| Repeat

| 5

| 105

|105

|}

~~</blockquote>~~</li>

<li>Ensure ''Glitch Trigger'' is ''Manual''</li>

<li>Hit the ''Manual Trigger'' button</li>

'''Be aware that you may crash the target!''' In the previous examples the target could have reset after each glitch. It may simply go into another infinite loop however, or even enter invalid states. Again force a hardware reset of the target in these cases. It may appear like the target was never glitched, whereas in reality it was glitched into some invalid state.

{{Warningbox|The boards are extremely sensitive to the glitch width and offset. You may have trouble finding settings that cause a glitch. Don't get too hung up on this; the following sections provide a more reliable method of glitching a target by determining the appropriate parameter settings.}} == Automatically Resetting Target ==

If we are going to start with the target at a pre-determined state, we need to reset the target. There are two ways of automatically performing this. The method used here will use the existing programmer interface to reset the device by performing that "read signature" operation we have already been using. The other method is to toggle a GPIO pin, which is more generic for future use.

This was introduced in [[Tutorial_B3-1_Timing_Analysis_with_Power_for_Password_Bypass#Reset_via_Auxiliary_Module]].

To setup the automatic reset, perform the following:

<ol ~~style="list-style-type: decimal;"~~><li>~~Switch~~ Scroll down the list of scripts, and you'll find one labeled "aux_reset_cw1173.py". Depending on your target, you may have to modify this script to change the reset pin. Most targets (except for the XMEGA) use ''~~General Settings~~nrst'' ~~tab~~, ~~and select~~ so if you're unsure, this is usually the ~~appropriate "Auxiliary Module"~~correct choice . This script sets up the aux module that attempts to reset the target device. Note:The aux module is only executed after capture is executed.</pb><~~ol style=~~br>[[File:auxreset_test1.png|600px]]</li><li>Hit the "Run" button. If you switch to the "Auxilary Module" tab, you'll see it's been added to the list~~-style-type~~of modules at the specified location.: ~~lower-alpha;"~~ [[File:auxreset_test2.png|400px]]</li>~~For ChipWhisperer-Lite~~ <li>Looking at the code of the script, you can see how this script is using an external module & linking it to a specific auxilary module trigger:<syntaxhighlight lang=python>from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173 # GUI compatibilitytry: aux_list = self.aux_listexcept NameError: pass # Delay between arming and resetting, in msdelay_ms = 1500 # Reset XMEGA deviceResetter = ResetCW1173(~~CW1173/CW1180~~pin='pdic', delay_ms=delay_ms)# Reset STM32Fx device#Resetter = ResetCW1173(pin='nrst', ~~select "~~delay_ms=delay_ms)# Reset AVR~~/XMEGA via CW-Lite"~~#Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms) # Reset before arming# avoids possibility of false triggers# need delay in target firmware to avoid race condition#aux_list.register(Resetter.resetThenDelay, "before_trace") # Reset after arming# scope can catch entire reset# avoids race condition# target reset can cause false triggers (usually not an issue)aux_list.register(Resetter.delayThenReset, "after_arm")</lisyntaxhighlight><li>~~For ChipWhisperer-Capture Rev 2, select~~ You can edit the values required such as reset time &~~quot;Reset AVR via ISP-MKII"~~location by changing the script (using an external editor). But an easier method is to insert it into our attack script itself. As a test we'll see if the default values work. We will later integrate this into a full example script.</li></ol>

~~[[File:glitching_aux_1.png|image]]</li>~~

<li>Switch to the ''Aux Settings'' tab. Depending on your module you will see different settings here, for example the ChipWhisperer-Lite lets you select between AVR and XMEGA targets. The defaults should be ok:

~~[[File:glitching_aux_2.png|image]]</li>~~

<li>Press the "Test Reset" button. This should reset the AVR target. Confirm this by monitoring the terminal emulator window, and check the startup message (of "hello") is printed again.</li></ol>

We can now confirm the reset works with the "Capture 1" button. This requires us to disable the normal routing of the output data to a file for analysis, as we want to just dump data to the terminal emulator. To do this:

}

}</pre></li>

<li>When you perform a ''Capture 1'', the terminal should print <code>hello\nA</code>, based on the above source code. Note the objective will be to glitch past the infinite loop, such that <code>1234</code> is printed. If using the ~~XMEGA target~~ CW303 board , this will also ~~turn~~ light the red LED on the ~~RED led~~board up.

<blockquote>'''hint'''

If the startup message isn't visible, it may be related to issues with the Capture software not being fast enough after reset to display the serial port contents on the terminal emulator. This happens often on the virtual machine environment, as can be seen in the demo video. You can ignore this error for now.</blockquote></li></ol>

== Automatically Triggering Glitch ==

The manual trigger used previously is suitable when the embedded system is waiting for further input. For example if the embedded system is waiting for a password, you could insert glitches without requiring accurate timing. We'll explore the use of the capture trigger for glitching here, which also improves the repeatability of your glitch attempts.

~~<li>Switch to the ''Scope Settings'' tab.</li>~~

~~<li>Switch the ''ADC Clock Source'' as being ''CLKGEN x4''.</li>~~

~~<li>Press ''Reset ADC DCM'', confirm the frequency is 29.5 MHz as expected.</li>~~

~~<li>Switch the ''Trigger Setup'' --> ''Mode'' to be ''Rising Edge''</li>~~

~~<li>Switch the ''Trigger Setup'' --> ''Total Samples'' to be ''1000''</li>~~

~~<li>Switch the ''Gain Setting'' --> ''Setting'' to be ''40''. You might need to adjust this for different hardware.</li>~~

<li>Press ''Capture 1'', confirm some waveform is displayed. For example with the XMEGA Target on the ChipWhisperer-Lite, the waveform looks like this:

[[File:basic_waveform.png|image]]</li>

<li>If this does't work: check the trigger in use is the ''Target IO4'' pin.</li><li>If this also does not work, and there are timeout issues, causing the trigger to be forced: create a copy of the "aux_reset_cw1173.py" script and change the <pre># Reset before arming - more stableaux_list.register(Resetter.resetThenDelay, "before_trace")# Reset after arming - scope can catch entire reset#aux_list.register(Resetter.delayThenReset, "after_arm")</pre>to<pre># Reset before arming - more stable#aux_list.register(Resetter.resetThenDelay, "before_trace")# Reset after arming - scope can catch entire resetaux_list.register(Resetter.delayThenReset, "after_arm")</pre>by commenting out the second line and un-commenting out the fourth line changing the chronological position of the reset to after the scope is armed. This should remove the timeout issue as the scope can now detect the trigger as it is armed before the trigger line is activated. Use this copy of the script instead of the original version by running the edited script once and disabling the aux module of the original script in ''Aux Settings'' under ''Before Trace''.</li></ol>

Finally, we can enable the trigger of the glitch to occur based on this external trigger pin. This can be accomplished by:

<li>Performing a ''Capture 1'', you'll notice that the waveform is now perturbed. This is due to the clock glitches causing odd power consumption behavior:

[[File:basic_waveform_glitchy.png|image]]</li>

<li>Play around a bit with the glitch width, offset, and repeat. You should see different effects in the power consumption traces.</li></ol>'''From this point on, you may want to disable displaying of traces, as this will speed up giltching significantly. To do this, go to ''Results>Trace Output Plot>Input'' and change it to ''None''.'''

== Using the Glitch Explorer ==

Now that we can automatically perform the glitching, we can use the ''glitch explorer'' to automatically vary glitch parameters while recording what the target device is doing. Before continuing with the tutorial, we'll go through an overview of the the glitch explorer.

=== Glitch Explorer ===

We'll first introduce the Glitch Monitor ("Glitch Explorer") before we go ahead and show you how to use it. The main window of the glitch explorer looks like this:

[[File:~~ge_main~~ge_overview.png~~|image~~]]

Where you can see the following parts

<blockquote># ~~In |1|~~ The top part is the output of the system combined with the parameters of the glitch is displayed (the 'output window').# In ~~|2|~~ the bottom part you can adjust general parameters of the glitching system, such as what counts as a successful glitch or not ~~and how many parameters to fiddle with.# In |3| you actually specify the parameters to adjust during the glitching attempts, and what range you would like to adjust them over~~.

</blockquote>

We'll be looking at each of these sections in more detail next.

==== The Output Window ====

[[File:ge_top.png|image]]

Glitches can also be flagged as 'normal', in which case there is no highlight as in |2|. Finally the glitch could be flagged as an error, in which case it will be highlighted in red.

In order for the glitch explorer to receive the output value, you must insert the special code <code>$GLITCH$</code> into the ''Target Settings'' --> ''Output Format'' settings. ~~This will mean data~~ Data is ~~no longer~~ still sent to the terminal emulator ~~when using the capture 1 or capture multi buttons~~so you can monitor what is happening, but ~~instead is logged~~ if you don't set the $GLITCH$ special string you won't see it in ~~the~~ glitch explorer ~~window~~.

==== The Main Settings ====

Details of the main settings:

[[File:~~ge_middle~~ge4_middle.png|image]]

The ~~number~~ response of ~~tuning parameters~~ the system during normal operation is set at ~~|1|~~''Normal response''. This defines ~~how many different parameters to adjust~~what happens when no glitching or unexpected behavior happened.

~~The response of the system during normal operation is set at |2|. This defines what happens when no glitching or unexpected behavior happened.~~ The desired response of the system if the glitch was successful is set at ~~|3|~~''Successful response''.

The expected and desired responses are expected to be Python expressions, where <code>s</code> is a str-type variable which contains the response of the system. The expression must evaulate to <code>True</code> or <code>False</code>. For example, the following shows examples of what you could use as possible expressions:

{|class="wikitable"

! Desired Behavior

! Parameter Expression

|-

| Check for "~~hellon~~hello\n" exactly.| s == "~~hellon~~hello\n"

|-

| Check for "~~hellon~~hello\n" at end of string.| s.endswith("~~hellon~~hello\n")

|-

| Check for hex 0xAF in last byte position.

Note that there is sometimes garbage in the first position. This occurs because if the target device is being reset before the glitch, you may see the serial lines floating. These floating lines may cause invalid characters to be recorded.

==== Parameter Settings ====

~~Details of~~ The actual parameters to change are set via a simple Python script. You will register this script to an appropriate section in the ~~parameter~~ system using the "auxiliary module". Using a script makes it easy to define all sorts of various settings:you might find of interest.

~~[[File~~For example the following script would insert code to cycle through width and offset settings:~~ge_bottom.png|image]]~~

~~The name of the parameter to be tuned is set at |1|. This name will be displayed in the table~~<syntaxhighlight lang=python>class IterateGlitchWidthOffset(object): def __init__(self, ~~so should be some useful reminder of the parameter name~~ge_window): self._starting_offset = -40 self._starting_width = 5 self.ge_window = ge_window

~~The ''Script Command'' at |2| defines what is modified. This string is simply copied from the ''Script Commands'' tab of the main window. This lets you modify ''any'' parameter of the GUI~~ def reset_glitch_to_default(self, ~~but most likely you will want to modify some of the~~ scope, target, project): """ Set glitch settings~~. The numeric value in this string is ignored - the numeric value will be automatically overwritten with the value of the parameter~~ to ~~try~~defaults. """ self.offset = self._starting_offset self.width = self._starting_width

~~The ''Data Format'' at |3| defines what type of data will be inserted into the parameter. For example for the ''Glitch Offset~~ def change_glitch_parameters(~~as % of period)'' used here~~self, ~~this would need to be set to ''Float''~~scope, ~~meaning fractional values such as "4~~target, project): """ Example of simple glitch parameter modification function.~~5" are allowed~~""" # This value is minimum clock offset/width increment self. ~~The data format should match the data format expected~~offset += 0.390625

~~The ''Range'' at |4| defines the range from the minimum to maximum that will be swept for the parameter. Valid values depend on the parameter being adjusted. For example~~ if ~~you are adjusting the ''Glitch Offset'' a negative and positive~~ self.offset ~~makes sense, but if you were adjusting the ''Repeat'' it would only make sense to adjust over the range <code>(1,255)</code~~>40: self.offset = self._starting_offset self.width += 0.390625

~~The ''Value'' at |5| defines the starting value of the sweep~~ if self. ~~This is '''NOT''' automatically set to the minimum value of your sweep~~width > 40: self. ~~If you want to perform the full sweep, you must manually set this to the minimum of the range~~width = self._starting_width

~~The ''Step'' at |6| defines the amount the value is incremented on each~~ # Write data to scope scope.glitch ~~attempt~~. ~~When the value reaches the maximum defined by the range, it will loop around to the minimum and continue incrementing~~width = self.width scope.glitch.offset = self.offset

~~The ''Repeat'' at |7| defines how many times to perform~~ #You MUST tell the ~~same value. This can be used to determine~~ glitch explorer about the ~~reliability of each~~ updated settings if self.ge_window: self.ge_window.add_data("Glitch Width", scope.glitch.width) self.ge_window.add_data("Glitch Offset",scope.glitch ~~value~~.offset)

~~If using multiple parameters~~glitch_iterator = IterateGlitchWidthOffset(self.glitch_explorer)self.aux_list.register(glitch_iterator.change_glitch_parameters, ~~they will be looped as shown in this pseudo-code:~~"before_trace")self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture")

<~~pre~~/syntaxhighlight>~~param_value_0 = starting_value_0param_value_1 = starting_value_1~~

~~while capture_in_progress:~~ ~~while param_value_1 < param_value_1_max:~~Note you can quickly cause very long captures to occur! To run the glitch explorer, you need to set the appropriate number of traces on the ''General Settings'' tab, and use the ''Capture Multi'' to run the glitch explorer.

~~while param_value_0 < param_value_0_max:~~ ~~param_value_0 += param_value_0_incr~~ ~~run_glitch_here()~~The ChipWhisperer system has no idea how many iterations are required with your code - it still uses a fixed number of captures by default. Later versions of the API will support an exit signal.

~~param_value_0~~ = ~~param_value_0_min~~ ~~param_value_1 += param_value_1_incr~~ ~~param_value_1 = param_value_1_min</pre>~~Note you can quickly cause very long captures to occur! To run the glitch explorer, you need to set the appropriate number of traces on the ''General Settings'' tab, and use the ''Capture Multi'' to run the glitch explorer. == Example Running the Glitch Explorer ===

==== XMEGA ====

This example will attempt to break out the loop in <code>glitch1()</code>. Moving ahead from where you were in [[#Automatically Triggering Glitch]], we will see how we can view the output of the target device in the glitch explorer.

<li>~~Change the~~ Make a new file called ''~~Tuning Parameters~~'ge_adjustment.py' ~~to be~~ '~~'1''.</li><li>Set the following in Parameter 0 options~~with these contents:~~~~ <~~blockquote~~syntaxhighlight lang=python>{|~~! Option~~class IterateGlitchParameters(object):~~! Value~~ def __init__(self, ge_window):| self._starting_offset = -10~~| Name~~ self.ge_window = ge_window~~| Offset~~|- def reset_glitch_to_default(self, scope, target, project):~~| Script Command~~ """ Set glitch settings to defaults. """~~| ['Glitch Module', 'Glitch Offset~~ self.offset = self._starting_offset def change_glitch_parameters(~~as % of period)'~~self, 0scope, target, project): """ Example of simple glitch parameter modification function.0]"""|- # This value is minimum clock offset/width increment~~| Data Format~~ self.offset += 0.390625~~| Float~~|- if self.offset > 40:~~| Range~~ self.offset = self._starting_offset~~| -30 : 30~~|- # Write data to scope~~| Value~~ scope.glitch.offset = self.offset~~| -30~~|- #You MUST tell the glitch explorer about the updated settings~~| Step~~ if self.ge_window:~~| 0~~ self.5ge_window.add_data("Glitch Offset",scope.glitch.offset)|-~~| Repeat~~glitch_iterator = IterateGlitchParameters(self.glitch_explorer)~~| 1~~self.aux_list.register(glitch_iterator.change_glitch_parameters, "before_trace")|}self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture")</~~blockquote~~syntaxhighlight></li><li>~~The ''Script Command'' option can be found by manually making an adjustment to~~ Assuming you still have the ~~''Glitch Offset (as % of period)'' in the GUI~~"Capture" working, you can simply find where you stored that script and ~~observing the string printed to the~~ hit ''~~Script Commands~~Run'' ~~tab~~. ~~The numeric value of~~ You should see it execute successfully on the command ~~is ignored (i~~line.e:[[File:ge_step1_register. png|1000px]]</li><li>Confirm you see the ~~third element of~~ modules loaded in the ~~array) by the glitch explorer, instead the tuning value will always be inserted~~''Aux Settings'' tab:[[File:ge_step2_checkregister.png]]</li>

<li>On the main GUI in the ''Scope Settings'' tab, change the following values for the ''Glitch Module'':

~~<blockquote>~~<ol style="list-style-type: lower-alpha;"><li>''Repeat'' set to 10105.</li>

<li>''Glitch Width (as % of period)'' set to 8.0.</li></ol>

~~</blockquote>~~

These values will be used during the glitch explorer run. We have not specified anything for the tuning, so they will not be changed from whatever is already in the GUI.</li>

<li>On the ''General Settings'' tab:

~~<blockquote>~~<ol style="list-style-type: lower-alpha;">~~<li>Ensure the ''Trace Format'' is set to ''None'' (i.e., no traces will be written to disk).</li~~>

<li>Set the ''Number of Traces'' to 121.</li></ol>

~~</blockquote></li><li>Press the ''Capture Multi'' button. You will get a warning as there is no trace writer, but can just hit ''Continue Anyway'', since we do not want to store traces to disk.~~</li>

<li>With any luck, at least one of the glitches will be successful:

If you get a reset (prints 'hello' again), you might need to reduce the "repeat" value. If you have no successful glitches, double-check all settings. You can continue to the next step anyway, as in that step we will also tune the "glitch width".</li></ol>

We may also need to tune the "Glitch Width". We can use knowledge of the successful glitch from the previous step to reduce our search space. In this case, assume we had a successful glitch with a width of 8.0 and offset of 17-2.5We'll search around those values to see if we can achieve a more successful glitch performance. ==== Arm ====This example will attempt to break out the loop in <code>glitch1()</code>. Moving ahead from where you were in [[#Automatically Triggering Glitch]], we will see how we can view the output of the target device in the glitch explorer.<ol style="list-style-type: decimal;"><li>Switch to the ''Target Settings'' tab, and set the ''Output Format'' to be <code>$GLITCH$</code>:[[File:output_glitch.png|image]]</li><li>From the ''Tools'' menu select ''Glitch Monitor'' to open the glitch explorer.</li><li>Press the ''Capture 1'' button a few times, and you should see the table populated with outputs:[[File:ge_setup1.png|image]]We want to mark them as "normal" or "glitch successful" to get the color-coding working appropriately.</li><li>Double-click on a normal response, and copy the text. In the ''Normal Response'' field, we need to compare the magic variable <code>s</code> with that copied text. Do this by setting the ''Normal Response'' to be: <code>s == '\x00hello\nA'</code>.</li><li>We want to mark a string ending with <code>1234</code> as a pass. Thus in the ''Successful Response'' field, set the test to be <code>s.endswith('1234')</code> (remember in Python both <code>'</code> and <code>"</code> are valid for string start/end characters).</li><li>Press ''Capture 1'' a few more times, and check the color-coding has changed:[[File:ge_setup2.png|image]]</li></ol> The next step is to tune the glitch offset to attempt to get a successful clock glitch. These steps are listed as follows: <ol style="list-style-type: decimal;"><li>Make a new file called '<nowiki/>''ge_adjustment.py'' with these contents: <syntaxhighlight lang="python">class IterateGlitchParameters(object): def __init__(self, ge_window): self._starting_offset = -45 self.ge_window = ge_window def reset_glitch_to_default(self, scope, target, project): """ Set glitch settings to defaults. """ self.offset = self._starting_offset def change_glitch_parameters(self, scope, target, project): """ Example of simple glitch parameter modification function. """ # This value is minimum clock offset/width increment self.offset += 0.390625 if self.offset > 40: self.offset = self._starting_offset # Write data to scope scope.glitch.offset = self.offset #You MUST tell the glitch explorer about the updated settings if self.ge_window: self.ge_window.add_data("Glitch Offset",scope.glitch.offset) glitch_iterator = IterateGlitchParameters(self.glitch_explorer)self.aux_list.register(glitch_iterator.change_glitch_parameters, "before_trace")self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture")</syntaxhighlight></li><li>Assuming you still have the "Capture" working, you can simply find where you stored that script and hit ''Run''. You should see it execute successfully on the command line.:[[File:ge_step1_register.png|1000px]]</li><li>Confirm you see the modules loaded in the ''Aux Settings'' tab:[[File:ge_step2_checkregister.png]]</li><li>On the main GUI in the ''Scope Settings'' tab, change the following values for the ''Glitch Module'':<ol style="list-style-type: lower-alpha;"><li>''Repeat'' set to 1.</li><li>''Glitch Width (as % of period)'' set to -10.</li></ol>These values will be used during the glitch explorer run. We have not specified anything for the tuning, so they will not be changed from whatever is already in the GUI.</li><li>On the ''General Settings'' tab:<ol style="list-style-type: lower-alpha;"><li>Set the ''Number of Traces'' to 121.</li></ol></li><li>With any luck, at least one of the glitches will be successful:If you start getting ADC timeouts and the device stops responding, you may have to reduce ''Glitch Width (as % of period)'' to be closer to 0.</li></ol> ==== Finishing the Tutorial ====We may also need to tune the "Glitch Width". We can use knowledge of the successful glitch from the previous step to reduce our search space. In this case, assume we had a successful glitch with a width of 8.0 and offset of -2. We'll search around those values to see if we can achieve a more successful glitch performance.

To continue the tutorial, the following steps will be taken:

<li>In Modify the ~~''Glitch Explorer'', set the ''Tuning Parameters''~~ glitch parameter script to ~~''2''.</li><li>Configure~~ also loop through the ~~second parameter with the following:<blockquote>{|! Option! Value~~|-~~| Name| Width~~|-~~| Script Command| ['Glitch Module', '~~Glitch Width . If you get stuck you can look at the example script earlier (~~as % of period~~in section [[#Parameter_Settings]])~~', 0~~.0]|-~~| Data Format| Float~~|-~~| Range| 5 : 15~~|-~~| Value| 5~~|-~~| Step| 0.5~~|-~~| Repeat| 1~~|}~~</blockquote>~~</li><li>~~Change~~ To make glitching more likely, you'll also want to change the ~~''Range''~~ range of ~~the first parameter~~ ''Glitch Offset'' to ~~span from 1 to 25~~use values around successful ones. For example, ~~since it appeared that negative~~ positive glitch offsets ~~were never successful in our previous attempts. Be sure to reset~~ typically work well for the ~~''Value'' of this parameter to your desired starting point (probably ''1''). This will reduce~~ XMEGA target, while negative ones work better for the ~~search time~~CW303 Arm target.</li><li>On the main GUI in the ''Scope Settings'' tab, adjust the ''Glitch Module'' repeat parameter to be 1. We are now attempting to ~~acheive~~ achieve success with a single clock cycle being glitched.</li>

<li>Still in the main GUI, adjust the number of traces per capture to be 1000. This reflects the number of iterations required to run through both loops (20 x 50).</li>

<li>Hit the ''Capture Multi'' button and cross your fingers! Hopefully you will see a successful glitch for some combination of glitch width and offset. We aren't quite done yet, as you will also need to do some fine-tuning to achieve high reliability on the glitch.</li></ol>

You might want to try seeing if there is an upper limit to this setting, and putting it mid-way between the lower and upper limits for generating a glitch.</li></ol>

Congrats! You've now performed some tuning to achieve a reliable glitch on the target device. The next step is to glitch something more fun - like a password check.

== Glitching a Password Check ==

This assumes you now have a set of parameters which caused a reliable glitch. We'll now glitch past a password check, initially using our trigger as a crutch. The function of interest compares a received password to some known password. The <code>glitch3()</code> function looks as follows:

<li>Close the glitch explorer.</li>

<li>Modify the file <code>glitchexample.c</code> to call <code>glitch3()</code> instead of <code>glitch1()</code>, which is to say simply change the main function called from <code>main()</code> to <code>glitch3()</code>.</li>

<li>~~Run~~ R<code>~~make</code> in~~ ebuild the ~~folder <code>chipwhisperer\hardware\victims\~~firmware~~\glitch-simple~~</code>.</li>

<li>Program the target device with your <code>.hex</code> file.</li>

<li>On the ''Target Settings'' tab, clear the ''Output Format'' field. That is remove the <code>$GLITCH$</code> text, as we are no longer using the glitch explorer. If you don't do this, you will not see any output of the device on the terminal emulator.</li>

</blockquote></li>

<li>Open the ''Glitch Explorer'', and press ''Capture 1''. You should see the ''Denied'' message come across.</li>

<li>~~In~~ Generate a script to modify the 'offset'~~Glitch Explorer'', adjust~~ parameter in the glitch generator. You can always dump the ~~following settings:<blockquote><ol style="list-style-type: lower-alpha;"><li>Set~~ scope parameters with ''~~Tuning Parameters~~scope'' at the command line in the ChipWhisperer-Capture to ~~1</li><li>Set Parameter 0 options to:~~{|~~! Option! Value~~|-~~| Name| Trigger Offset~~|-~~| Script Command| ['Glitch Module', 'Ext Trigger Offset', 97]~~|-~~| Data Format| Int~~|-~~| Range| 0 : 200~~|-~~| Value| 0~~|-~~| Step| 1~~|-~~| Repeat| 1~~|}~~</li></ol></blockquote>~~see all the fields.</li>

<li>Set the number of traces on the ''General Settings'' tab to 200.</li>

<li>On the main GUI, in the ''Scope Settings'' tab, ensure that you have the number of repeats on the ''Glitch Module'' set to 1. We will start with a single clock cycle glitched.</li>

You can also increase the repeat count in the glitch explorer, which simply tries the same settings multiple times. You will likely find that the successful glitch does not have 100% success rate, so using a repeat count of 2 or 3 is helpful to increase your chances of success.</li></ol>

== Glitching Onward ==

This basic tutorial has introduced you to glitch attacks. They are a powerful tool for bypassing authentication in embedded hardware devices. There are many ways to expand your knowledge with additional practice, such as:

* Use manual glitches to try simply glitching past the prompt in <code>glitch3()</code>.

* Completing [[Tutorial A3 VCC Glitch Attacks]], which introduces glitching via voltage instead of the clock.

* Using the ChipWhisperer Python API to make GUI-less scripts. For examples of using scripting, see [[Making Scripts]].

* Download some example source code (bootloaders, login prompts, etc) and port them to the AVR. See how you can glitch past security checks.

* Use one of the IO triggers discussed in [[Tutorial_A1_Synchronization_to_Communication_Lines]].

== Links ==

[[Category:Tutorials]]

Adewar

Approved_users, administrator

366

edits

Changes

Tutorial A2 Introduction to Glitch Attacks (including Glitch Explorer)

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Off-Wiki Links

Categories

Tools