As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes

Scripting Communications: Overhaul this section. TODO: fix "Running a Single Capture" to end
Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.
= Performing the Timing Attack =
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.

== Scripting the Setup ==
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.
<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.</li><li><p>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:</p>
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
]</pre>
<p>Those parameters come from the ''Scripting Parameters'' tab. This tab logs all of the parameter changes, showing you how to change the parameters through the API:</p>
<blockquote><p>[[File:Scriptcommands.png|image]]</p></blockquote>
<p>Note that commands run via the script are also printed, so you can see where the values being set are coming from too.</p></li>
<li><p>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works.</p></li>
<li><p>Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:</p>
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMware image of a Linux machine, this should just be a regular console.</li></ol>
</blockquote></li></ol>
 
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this, perform the following:
 
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Under the &quot;FPGA .zip (Release)&quot;, hit the &quot;Find&quot; button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>
 
<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'', which you will need to enter to achieve this same goal.</li>
<li>Close ChipWhisperer-Capture.</li>
<li><p>Continue editing your script. First, find the line setting the Trigger Offset:</p>
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>
<p>And set this to 0, which we were using previously:</p>
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li>
<li><p>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:</p>
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
#Append your commands here
['Simple Serial', 'Load Key Command', u''],
['Simple Serial', 'Go Command', u''],
['Simple Serial', 'Output Format', u''],
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]</pre></li>
<li><p>Next, we are going to &quot;hack in&quot; the Auxiliary module. While the following isn't great Python code, the idea is to demonstrate how we can rapidly iterate with the combination of GUI to explore options, and the script to write them into place. First, add the imports to the start of the Python script:</p>
<pre>from time import sleep
from chipwhisperer.capture.auxiliary.AuxiliaryTemplate import AuxiliaryTemplate</pre>
<p>Find the section of the file that sends the previous commands to the hardware. You will see a line like the following:</p>
<pre>#Download all hardware setup parameters
for cmd in lstexample: cap.setParameter(cmd)</pre>
<p>We will then hack in the script we tested previously, which will insert our custom Auxiliary module:</p>
<pre>#Download all hardware setup parameters
for cmd in lstexample: cap.setParameter(cmd)

#Reset the target by reading its signature, then give it time to boot
def reset_device():
    cap.scope.scopetype.cwliteXMEGA.readSignature()
    sleep(0.8)

#Auxiliary module that resets the target after every captured trace
class resetClass(AuxiliaryTemplate):
    def traceDone(self):
        reset_device()

rc = resetClass()
cap.auxChanged(rc)</pre>
<p>Note we changed the references to &quot;self&quot; to &quot;cap&quot;, as we are no longer running from within the Capture environment. Otherwise we have used the ability of Python to declare classes inside of functions to avoid needing to think about how to properly declare everything.</p></li>
<li><p>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see that the following sort of call would set the appropriate password:</p>
<pre>cap.setParameter(['Target Connection', 'Go Command', u'h0px3\\n'])</pre>
<p>Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port.</p><p>Set that command at some point after your call to <code>cap.auxChanged()</code>.</p></li>
<li><p>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</p></li>

== Running a Single Capture ==
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

== Attacking a Single Letter ==
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

== Attacking the Full Password ==
The last step is to attack the entire password, one letter at a time.

<li><p>Next, we will automatically start attacking the system. You need to figure out where to look to determine if the password check is working. Looking at an example of the power when 0 and 1 bytes are correct, we can see a good point that appears to shift forward in time:</p>
<blockquote><p>[[File:Passwordcrackerpts.png|image]]</p></blockquote>
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.
</blockquote>
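The leak this section relies on, as an added example that is not part of the original tutorial or of ChipWhisperer: a simulated early-exit password check whose step count stands in for the feature that shifts in the power trace, next to a constant-time check that removes the signal. The names <code>leaky_check</code>, <code>constant_check</code> and <code>recover</code> are hypothetical, the early-exit loop is an assumption about the target (its firmware is not shown on this page), and only the password <code>h0px3</code> comes from the tutorial.

```python
# Added example: a software model of the target, not ChipWhisperer code.
import string

SECRET = "h0px3"  # password from this tutorial's Go Command
CHARSET = string.ascii_lowercase + string.digits

def leaky_check(guess, secret=SECRET):
    """Early-exit compare (assumed target behaviour). Returns (ok, steps);
    'steps' models how far the trace feature has shifted in time."""
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return len(guess) == len(secret), steps

def constant_check(guess, secret=SECRET):
    """Hardened compare: always walks the whole secret and only
    accumulates differences, so 'steps' never depends on the guess."""
    diff = len(guess) ^ len(secret)
    steps = 0
    for i, s in enumerate(secret):
        g = guess[i] if i < len(guess) else "\0"
        diff |= ord(g) ^ ord(s)
        steps += 1
    return diff == 0, steps

def recover(check, length=len(SECRET)):
    """One position at a time, keep the character whose (ok, steps)
    stands out. Returns (password or None, attempts made)."""
    known, attempts = "", 0
    for pos in range(length):
        pad = "\0" * (length - pos - 1)
        results = {c: check(known + c + pad) for c in CHARSET}
        attempts += len(results)
        if len(set(results.values())) == 1:
            return None, attempts  # every guess looks identical: no leak
        known += max(results, key=lambda c: results[c])
    return known, attempts

if __name__ == "__main__":
    for guess in ("zzzzz", "hzzzz", "h0zzz"):  # 0, 1, 2 correct characters
        print(guess, leaky_check(guess), constant_check(guess))
    print("leaky   :", recover(leaky_check))
    print("constant:", recover(constant_check))
```

With the early-exit check the password falls out in 36 × 5 attempts instead of up to 36^5; with the constant-time check every attempt looks the same and the per-character search gets no signal.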
 
= Conclusion =