method of attack, physical access
Slides created by: Professor Ian G. Harris
Method of Attack, Physical Access
Attacker has physical possession of the device
Many devices are small and portable
Assume that attacker has only external access
Short access time
Lacks knowledge about internals
Attack through external interface
Normal user interface
USB, SD card interface

Physical Access Attacks
Attacker can do what user can do
Read numbers from a phone
Examine digital pictures, etc.
USB/SD card allows large, fast data theft
USB may be “bootable”
Device may automatically run code on USB key
Attacker can rewrite Flash memory
Install arbitrary malware

Defenses Against Physical Attacks
Do not lose physical control of your device
Enable password protection on the device
Can be inconvenient

Intrusive Physical Attacks
Attacker gains extended physical access to the device
Attacker knows about the design of the device
Attacker opens the device and accesses internal signals
Requires unusual sophistication
Normal users do not need to worry

Reading Internal Signals
Attacker can view data transferred between ICs
Intellectual property (songs, videos, etc.)
Secret keys, etc.
[Diagram: CPU, RAM, Logic Analyzer]

Reading Internal Signals, Defenses
Encrypt all data in transit between ICs
Expensive and time consuming
Make device tamper-proof
Very expensive
Use internal board layers for routing
Layers can be sanded down
Epoxy over ICs to hide part numbers
Epoxy is removable

Reprogramming FLASH Memory
Attacker can reprogram the entire device through its JTAG interface
[Diagram: CPU, Flash, JTAG]

Reprogramming FLASH Defenses
Make flash unprogrammable
Blow an internal fuse
Updates become impossible
Require secret key to access JTAG
Costly

“Super” Intrusive Attacks
Attacker gains access to the design of the ICs inside the device
Requires time, knowledge, and access
Only large organizations could launch this type of attack

Hardware Trojans
Attacker modifies IC design before fabrication
Spy at the design and/or fabrication site
IC includes altered functionality
[Diagram: CPU and ASIC, with Trojan labels]

Side-Channel Attacks
Examine “information leakage” via power and delay analysis
If key[i] == 1 then power will be higher and delay will be longer
Requires precise knowledge of IC algorithm and implementation
if (key[i]) then { . . . }

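The key-dependent branch on this slide, shown beside a balanced form, as an added example that is not part of the original slides. It assumes a square-and-multiply exponentiation as the surrounding algorithm and uses a multiplication counter as a stand-in for measured power and delay; all function names are hypothetical.

```c
#include <stdint.h>

/* Counts modular multiplications: a stand-in for the power and delay
   an analyst would measure on the real IC (assumption of this sketch). */
static unsigned mul_count;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    mul_count++;
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky square-and-multiply: the extra multiply runs only when key[i] == 1. */
uint32_t modexp_leaky(uint32_t base, uint32_t key, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((key >> i) & 1)              /* the slide's: if (key[i]) then { ... } */
            r = mulmod(r, base, m);
    }
    return r;
}

/* Balanced variant: always multiply, then keep or discard with a mask,
   so the operation sequence does not depend on the key bits. */
uint32_t modexp_balanced(uint32_t base, uint32_t key, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint32_t t = mulmod(r, base, m);
        uint32_t mask = 0u - ((key >> i) & 1u);   /* all ones if key[i] == 1 */
        r = (t & mask) | (r & ~mask);
    }
    return r;
}

/* Number of multiplications each variant performs for a given key. */
unsigned cost_leaky(uint32_t key) {
    mul_count = 0;
    (void)modexp_leaky(7, key, 1000003u);
    return mul_count;
}
unsigned cost_balanced(uint32_t key) {
    mul_count = 0;
    (void)modexp_balanced(7, key, 1000003u);
    return mul_count;
}
```

cost_leaky grows with the number of 1 bits in the key, while cost_balanced is the same for every key.
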
IP Watermarking
Attacker steals IP design and sells it as his own
Need to prove that a stolen design is actually stolen
Insert “markers” into the design which can be recognized later
Add extra logic that has no real function
Markers must not be apparent to the attacker

ATmega Assembly
a = b + c;
Compiler
lw $r1, ($s1)         Load b from memory
lw $r2, ($s2)         Load c from memory
add $r3, $r2, $r1     Add b and c
sw $r3, ($s3)         Store result a in memory
Assembler
10010001000000110000001000000001    add $r3 $r2 $r1

Assembly Instructions
Assembly instructions are a readable mnemonic for machine instructions
One-to-one mapping from assembly instructions to machine instructions
• Except macros
ADD R0, R1    0000110000000001

ATmega Instruction Formats
16-bit machine instructions
6-bit opcode
2 5-bit register arguments (32 registers)
Direct Register Addressing mode used
ADD instruction
Rd <- Rd + Rr
000011RDDDDDRRRR

Instruction Format, 1 register
4-bit opcode
1 4-bit register argument (only 16 registers)
8-bit constant
ANDI instruction
Rd <- Rd && K
0111KKKKDDDDKKKK

Instruction Format, 1 register
11-bit opcode
1 5-bit register argument
ASR (arithmetic shift right) instruction
Rd <- Rd >> 1
1001010DDDDD0101

Instruction Format, Branch
Assumes that comparison (sub) already performed
9-bit opcode
11 constant, PC offset addressing
Branch distance is limited
BREQ (branch if equal) instruction
Z == 1 then PC <- PC + K + 1
111100KKKKKKK001

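The four bit layouts on the instruction-format slides (ADD, ANDI, ASR, BREQ), written out as an encoder and decoder. This is an added example, not code from the slides; the function names are hypothetical, and the BREQ offset is treated as a signed 7-bit value as in the AVR instruction set.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encoders return the 16-bit instruction word, or -1 if an operand does not fit. */
int enc_add(int d, int r) {              /* 0000 11rd dddd rrrr */
    if (d < 0 || d > 31 || r < 0 || r > 31) return -1;
    return 0x0C00 | ((r & 0x10) << 5) | (d << 4) | (r & 0x0F);
}
int enc_andi(int d, int k) {             /* 0111 KKKK dddd KKKK, R16-R31 only */
    if (d < 16 || d > 31 || k < 0 || k > 255) return -1;
    return 0x7000 | ((k & 0xF0) << 4) | ((d - 16) << 4) | (k & 0x0F);
}
int enc_asr(int d) {                     /* 1001 010d dddd 0101 */
    if (d < 0 || d > 31) return -1;
    return 0x9405 | (d << 4);
}
int enc_breq(int k) {                    /* 1111 00kk kkkk k001 */
    if (k < -64 || k > 63) return -1;    /* branch distance is limited */
    return 0xF001 | ((k & 0x7F) << 3);
}

/* Decode one word into text; returns 1 if it matches one of the four formats. */
int avr_decode(uint16_t w, char *out, size_t n) {
    unsigned d5 = (w >> 4) & 0x1F;       /* Rd field position shared by all three */
    if ((w & 0xFC00) == 0x0C00)
        snprintf(out, n, "ADD R%u, R%u", d5, ((w >> 5) & 0x10u) | (w & 0x0Fu));
    else if ((w & 0xF000) == 0x7000)
        snprintf(out, n, "ANDI R%u, 0x%02X", 16u + (d5 & 0x0F),
                 ((w >> 4) & 0xF0u) | (w & 0x0Fu));
    else if ((w & 0xFE0F) == 0x9405)
        snprintf(out, n, "ASR R%u", d5);
    else if ((w & 0xFC07) == 0xF001) {
        int k = (w >> 3) & 0x7F;
        snprintf(out, n, "BREQ %+d", (k & 0x40) ? k - 128 : k);  /* sign-extend */
    } else {
        snprintf(out, n, ".dw 0x%04X", (unsigned)w);  /* not one of the four */
        return 0;
    }
    return 1;
}
```
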
Assembly Code Structure
An input line may take one of the four following forms:
1. [label:] directive [operands] [Comment]
2. [label:] instruction [operands] [Comment]
3. Comment
4. Empty line
Label is an alias for a line of code
• Used for jumps/branches

Example Assembly Program
label: .EQU var1=100   ; Set var1 to 100 (Directive)
       .EQU var2=200   ; Set var2 to 200
test:  rjmp test       ; Infinite loop (Instruction)
                       ; Pure comment line
.EQU assigns a string to a constant
Semicolon (;) sets off comments

Some Arithmetic Operations
Some instructions take immediate (constant) arguments
Some instructions use carry from previous operations

Some Logical Operations
Logical operations are bitwise
Some instructions take only one argument

Accessing Registers/Memory
All registers are memory mapped
Special instructions are used to access non-register memory

General Purpose Registers
General-purpose registers are written using:
• LDI - Load Immediate            LDI R16, 0xFF    R16 <- 0xFF
• MOV - Copy Register             MOV R0, R1       R0 <- R1
• SBR - Set Bits in Register      SBR R16, 0xFF    R16 <- R16 | 0xFF
• CBR - Clear Bits in Register    CBR R16, 0xAA    R16 <- R16 & (0xFF - 0xAA)

LDI Instruction
LDI Rd, K
8 bits for the immediate, K
4 bits for the register, Rd
Can only access 16 registers (R16 - R31)
SBR and CBR have the same limitation

MOV Instruction
MOV Rd, Rr
5 bits for each register, can access all registers
Can move from high regs to low regs

I/O Registers
I/O registers are written/read using:
• IN - In Port                        IN R0, PINB     R0 <- PINB
• OUT - Out Port                      OUT PORTB, R0   PORTB <- R0
• SBI - Set Bit in I/O Register       SBI PORTB, 3    PORTB <- PORTB | 1<<3
• CBI - Clear Bits in I/O Register    CBI PORTB, 3    PORTB <- PORTB & !(1<<3)

SBI Instruction
SBI A, b
5 bits specify register, 3 bits specify bit to set

Addressing SRAM (Ext. I/O)
• Instructions are 16 bits long
• SRAM addresses are 16 bits long
• Address cannot fit in the instruction
• Memory addresses are stored in special-purpose registers
• X, Y, and Z registers are each 2 bytes
• LD, ST instructions are used to access SRAM

Data Indirect Addressing
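LDI XH, HIGH(0x01A8)    ; high byte of the address into XH
LDI XL, LOW(0x01A8)     ; low byte of the address into XL
LD R0, X                ; load from SRAM address held in X
ST X, R0                ; store to SRAM address held in X
• Registers X, Y, and Z can be used to address SRAM
• XH (YH, ZH) and XL (YL, ZL) are the high and low bytes
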
Branching
PC typically advances by 2 after each instruction
• Instructions are 2 bytes long
Branching changes the PC counter to a new location
Unconditional Branches always occur
Conditional Branches occur only if a condition is true
Needed to implement conditional control flow (if, then) and loops (while, for, etc.)
Labels are used to name branch destination

Unconditional Branching
JMP k
32-bit instruction
Need 22 bits to address 4M memory space
Assembler substitutes label with address

Relative Jump (RJMP)
RJMP k
Only 16-bit instruction, address is 12 bits long (4K range)
PC relative addressing used
• Destination is PC + k + 1
Restricted to close jumps (+/- 2K)
Not usually a problem (especially on small processors)

Conditional Branches
Branch occurs if the appropriate condition is satisfied
Conditions depend on results of previous arithmetic operations
      ADD R0, R1
      BRVS dest
      ..
dest: ADD R2, R3
BRVS is Branch if Overflow is Set
Branch occurs if previous addition resulted in overflow

Status Register (SREG)
Bit 5 – H: Half Carry Flag
Bit 4 – S: Sign Bit, S = N ⊕ V
Bit 3 – V: Two’s Complement Overflow Flag
Bit 2 – N: Negative Flag
Bit 1 – Z: Zero Flag
Bit 0 – C: Carry Flag
SREG contains information about the results of arithmetic/logic operations

Conditional Branch Instructions
Test indicates the relationship between operands
Boolean shows values in SREG
Branch Conditions
SREG must be set before conditional branch instruction
C code example: if x < y then x++; else y++;
Assume x is in R0 and y is in R1
      CP R0, R1
      BRLT then
else: INC R1
      RJMP done
then: INC R0
done: …
Compare operation, CP, used to set SREG
• Does not affect other regs

Skip Instructions
“Skip” instructions skip the next instruction if a condition is satisfied
Can be used as a mini conditional branch
SBRC - Skip if bit in register is cleared (0)
SBRC R0, 0
INC R0
Rounds R0 up to nearest even number

Subroutines
RCALL k calls a subroutine starting at label k
• PC + 1 is pushed onto the stack
RET returns from a subroutine
• PC is popped off of the stack
No other calling procedures are followed
• Registers are not pushed/popped
• Arguments are not pushed/popped
• No local vars allocated on stack

Using the Stack
PUSH Rd places contents of Rd on the stack
• Decrements stack pointer (SP)
POP Rd places contents of stack in Rd
• Increments (SP)
SP must be initialized to top of SRAM, RAMEND
LDI R16, LOW(RAMEND)     ; LDI only accepts R16 - R31
OUT SPL, R16
LDI R16, HIGH(RAMEND)
OUT SPH, R16

Assembler Directives
Assembler directives give commands to the assembler
Do not generate machine code instructions
.DSEG
var1: .byte 1
var2: .byte 2
.CSEG
ldi XL, LOW(var1)
ldi XH, HIGH(var1)
ld R0, X
.DSEG declares data segment
• Placed in SRAM
.CSEG declares code segment
• Placed in FLASH
.BYTE allocates space
• Only in data segment

EEPROM Segment
.ESEG
eeconsts: .db 0xff, 0x11
.CSEG
fconsts: .dw 0xffff
.ESEG declares initialized data in EEPROM
.DB declares a data byte in program memory (CSEG) or EEPROM (ESEG)
.DW declares a word (16-bits) in CSEG or ESEG

Other Assembler Directives
.DEF <symbol>=R<n>
Define a symbol to refer to a register
Ex. .DEF i=R9
Placement in file should precede first use
.UNDEF undefines the symbol
.EQU <constant>=<expression>
Define a constant to refer to a constant value
Ex. .EQU ZERO = 0
Constant cannot be redefined or undefined
.SET <variable>=<expression>
Same as .EQU except variables can be changed later