[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:14.79,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0}
Dialogue: 0,0:00:14.79,0:00:25.54,Default,,0000,0000,0000,,Herald: Our next speaker's way is paved\Nwith broken trust zones. He's no stranger
Dialogue: 0,0:00:25.54,0:00:31.60,Default,,0000,0000,0000,,to breaking ARMs, equipment or crypto\Nwallets or basically anything he touches.
Dialogue: 0,0:00:31.60,0:00:39.59,Default,,0000,0000,0000,,It just dissolves in his fingers. He's one\Nof Forbes' 30 under 30s in tech. And
Dialogue: 0,0:00:39.59,0:00:42.84,Default,,0000,0000,0000,,please give a warm round of applause to\NThomas Roth.
Dialogue: 0,0:00:42.84,0:00:48.10,Default,,0000,0000,0000,,{\i1}Applause.{\i0}
Dialogue: 0,0:00:48.10,0:00:54.68,Default,,0000,0000,0000,,Thomas: Test, okay. Wonderful. Yeah.\NWelcome to my talk. TrustZone-M: Hardware
Dialogue: 0,0:00:54.68,0:01:00.63,Default,,0000,0000,0000,,attacks on ARMv8-M security features. My\Nname is Thomas Roth. You can find me on
Dialogue: 0,0:01:00.63,0:01:05.86,Default,,0000,0000,0000,,Twitter. I'm @stacksmashing and I'm a\Nsecurity researcher, consultant and
Dialogue: 0,0:01:05.86,0:01:11.05,Default,,0000,0000,0000,,trainer affiliated with a couple of\Ncompanies. And yeah, before we can start,
Dialogue: 0,0:01:11.05,0:01:15.99,Default,,0000,0000,0000,,I need to thank some people. So first\Noff, Josh Datko and Dmitry Nedospasov,
Dialogue: 0,0:01:15.99,0:01:20.11,Default,,0000,0000,0000,,who've been super helpful any time I was\Nstuck somewhere, or just wanted some
Dialogue: 0,0:01:20.11,0:01:25.97,Default,,0000,0000,0000,,feedback. They immediately helped me. And\Nalso Colin O'Flynn, who gave me constant
Dialogue: 0,0:01:25.97,0:01:30.73,Default,,0000,0000,0000,,feedback and helped me with some troubles,\Ngave me tips and so on. And so without
Dialogue: 0,0:01:30.73,0:01:36.91,Default,,0000,0000,0000,,these people and many more who paved the\Nway towards this research, I wouldn't be
Dialogue: 0,0:01:36.91,0:01:41.52,Default,,0000,0000,0000,,here. Also, thanks to NXP and Microchip,\Nwho I had to work with as part of this
Dialogue: 0,0:01:41.52,0:01:47.95,Default,,0000,0000,0000,,talk. And it was awesome. I had a lot of\Nvery bad vendor experiences, but these two
Dialogue: 0,0:01:47.95,0:01:54.80,Default,,0000,0000,0000,,were really nice to work with. Also some\Nprior work. So Colin O'Flynn and Alex
Dialogue: 0,0:01:54.80,0:01:59.50,Default,,0000,0000,0000,,Dewar released a paper, I guess last year\Nor this year, "On-Device Power Analysis
Dialogue: 0,0:01:59.50,0:02:04.27,Default,,0000,0000,0000,,Across Hardware Security Domains". And\Nthey basically looked at TrustZone from a
Dialogue: 0,0:02:04.27,0:02:10.30,Default,,0000,0000,0000,,differential power analysis viewpoint and\Notherwise TrustZone-M is pretty new, but
Dialogue: 0,0:02:10.30,0:02:15.86,Default,,0000,0000,0000,,lots of work has been done on the big or\Nreal TrustZone and also lots and lots of
Dialogue: 0,0:02:15.86,0:02:21.44,Default,,0000,0000,0000,,work on fault injection, which would be far too\Nmuch to list here. So just google fault
Dialogue: 0,0:02:21.44,0:02:26.22,Default,,0000,0000,0000,,injection and you'll see what I mean.\NBefore we start, what is TrustZone-M? So
Dialogue: 0,0:02:26.22,0:02:31.89,Default,,0000,0000,0000,,TrustZone-M is the small TrustZone. It's\Nbasically a simplified version of the big
Dialogue: 0,0:02:31.89,0:02:35.94,Default,,0000,0000,0000,,TrustZone that you find on Cortex-A\Nprocessors. So basically if you have an
Dialogue: 0,0:02:35.94,0:02:40.28,Default,,0000,0000,0000,,Android phone, chances are very high that\Nyour phone actually runs TrustZone and
Dialogue: 0,0:02:40.28,0:02:44.95,Default,,0000,0000,0000,,that, for example, your key store of\NAndroid is backed by TrustZone. And
Dialogue: 0,0:02:44.95,0:02:50.62,Default,,0000,0000,0000,,TrustZone basically splits the CPU into a\Nsecure and a non-secure world. And so, for
Dialogue: 0,0:02:50.62,0:02:54.34,Default,,0000,0000,0000,,example, you can say that a certain\Nperipheral should only be available to the
Dialogue: 0,0:02:54.34,0:02:58.19,Default,,0000,0000,0000,,secure world. So, for example, if you have\Na crypto accelerator, you might only want
Dialogue: 0,0:02:58.19,0:03:03.99,Default,,0000,0000,0000,,to use it in the secure world. It also, if\Nyou're wondering what's the difference to
Dialogue: 0,0:03:03.99,0:03:10.87,Default,,0000,0000,0000,,an MPU - it also comes with two MPUs.\NSorry, not MMUs, MPUs. And so last year we
Dialogue: 0,0:03:10.87,0:03:14.65,Default,,0000,0000,0000,,gave a talk on Bitcoin wallets. And so\Nlet's take those as an example. On a
Dialogue: 0,0:03:14.65,0:03:19.73,Default,,0000,0000,0000,,Bitcoin wallet you often have different\Napps, for example, for Bitcoin, Dogecoin
Dialogue: 0,0:03:19.73,0:03:24.59,Default,,0000,0000,0000,,or Monero, and then underneath you have an\Noperating system. The problem is kind of
Dialogue: 0,0:03:24.59,0:03:28.62,Default,,0000,0000,0000,,this operating system is very complex\Nbecause it has to handle graphics
Dialogue: 0,0:03:28.62,0:03:33.06,Default,,0000,0000,0000,,rendering and so on and so forth. And\Nchances are high that it gets compromised.
Dialogue: 0,0:03:33.06,0:03:37.90,Default,,0000,0000,0000,,And if it gets compromised, all your funds\Nare gone. And so with TrustZone, you could
Dialogue: 0,0:03:37.90,0:03:43.38,Default,,0000,0000,0000,,basically have a second operating system\Nseparated from your normal one that
Dialogue: 0,0:03:43.38,0:03:47.25,Default,,0000,0000,0000,,handles all the important stuff like\Nfirmware update, key store, attestation and
Dialogue: 0,0:03:47.25,0:03:52.93,Default,,0000,0000,0000,,so on and reduces your attack surface. And\Nthe reason I actually looked at
Dialogue: 0,0:03:52.93,0:03:57.28,Default,,0000,0000,0000,,TrustZone-M is we got a lot of requests\Nfor consulting on TrustZone-M. So
Dialogue: 0,0:03:57.28,0:04:02.51,Default,,0000,0000,0000,,basically, after our talk last year, a lot\Nof companies reached out to us and said,
Dialogue: 0,0:04:02.51,0:04:07.10,Default,,0000,0000,0000,,okay, we want to do this, but more\Nsecurely. And a lot of them try to use
Dialogue: 0,0:04:07.10,0:04:12.19,Default,,0000,0000,0000,,TrustZone-M for this. And so far there's\Nbeen, as far as I know, little public
Dialogue: 0,0:04:12.19,0:04:16.78,Default,,0000,0000,0000,,research into TrustZone-M and whether it's\Nprotected against certain types of
Dialogue: 0,0:04:16.78,0:04:21.25,Default,,0000,0000,0000,,attacks. And we also have companies that\Nstart using them as secure chips. So, for
Dialogue: 0,0:04:21.25,0:04:24.99,Default,,0000,0000,0000,,example, in the automotive industry, I\Nknow somebody who was thinking about
Dialogue: 0,0:04:24.99,0:04:28.81,Default,,0000,0000,0000,,putting them into car keys. I know about\Nsome people in the payment industry
Dialogue: 0,0:04:28.81,0:04:34.82,Default,,0000,0000,0000,,evaluating this. And as said, hardware\Nwallets. And one of the terms that comes up
Dialogue: 0,0:04:34.82,0:04:40.47,Default,,0000,0000,0000,,again and again is "this is a secure chip".\NBut I mean, what is a secure chip
Dialogue: 0,0:04:40.47,0:04:45.13,Default,,0000,0000,0000,,without a threat model? There's no such\Nthing as a secure chip because there are
Dialogue: 0,0:04:45.13,0:04:49.31,Default,,0000,0000,0000,,so many attacks and you need to have a\Nthreat model to understand what you are
Dialogue: 0,0:04:49.31,0:04:53.28,Default,,0000,0000,0000,,actually protecting against. So, for\Nexample, a chip might have software
Dialogue: 0,0:04:53.28,0:04:59.08,Default,,0000,0000,0000,,features or hardware features that make\Nthe software more secure, such as the NX bit
Dialogue: 0,0:04:59.08,0:05:03.23,Default,,0000,0000,0000,,and so on and so forth. And on the other\Nhand, you have hardware attacks, for
Dialogue: 0,0:05:03.23,0:05:08.46,Default,,0000,0000,0000,,example, debug port, side channel attacks\Nand fault injection. And often the
Dialogue: 0,0:05:08.46,0:05:14.29,Default,,0000,0000,0000,,description of a chip doesn't really tell\Nyou what it's protecting you against. And
Dialogue: 0,0:05:14.29,0:05:19.14,Default,,0000,0000,0000,,often I would even say it's misleading in\Nsome cases. And so you will see, oh, this
Dialogue: 0,0:05:19.14,0:05:22.85,Default,,0000,0000,0000,,is a secure chip, and you ask marketing and\Nthey say, yeah, it has the most modern
Dialogue: 0,0:05:22.85,0:05:28.31,Default,,0000,0000,0000,,security features. But it doesn't really\Nspecify whether they are, for example,
Dialogue: 0,0:05:28.31,0:05:31.76,Default,,0000,0000,0000,,protecting against fault injection attacks\Nor whether they consider this out of
Dialogue: 0,0:05:31.76,0:05:37.53,Default,,0000,0000,0000,,scope. In this talk, we will exclusively\Nlook at hardware attacks and more
Dialogue: 0,0:05:37.53,0:05:42.44,Default,,0000,0000,0000,,specifically, we will look at fault\Ninjection attacks on TrustZone-M. And so
Dialogue: 0,0:05:42.44,0:05:47.18,Default,,0000,0000,0000,,all of the attacks we're going to see are\Nlocal to the device only. You need to have
Dialogue: 0,0:05:47.18,0:05:52.47,Default,,0000,0000,0000,,it in your hands. And there's no chance,\Nnormally, of remotely exploiting them.
Dialogue: 0,0:05:52.47,0:05:58.60,Default,,0000,0000,0000,,Yeah. So this will be our agenda. We will\Nstart with a short introduction of
Dialogue: 0,0:05:58.60,0:06:01.99,Default,,0000,0000,0000,,TrustZone-M, which will have a lot of\Ntheory on like memory layouts and so on.
Dialogue: 0,0:06:01.99,0:06:05.61,Default,,0000,0000,0000,,We will talk a bit about the fault-\Ninjection setup and then we will start
Dialogue: 0,0:06:05.61,0:06:13.23,Default,,0000,0000,0000,,attacking real chips. These 3, as you will\Nsee. So on a Cortex-M processor you have a
Dialogue: 0,0:06:13.23,0:06:17.27,Default,,0000,0000,0000,,flat memory map. You don't have a memory\Nmanagement unit and all your peripherals,
Dialogue: 0,0:06:17.27,0:06:21.72,Default,,0000,0000,0000,,your flash, your RAM, it's all mapped to a\Ncertain address in memory and TrustZone-M
Dialogue: 0,0:06:21.72,0:06:27.67,Default,,0000,0000,0000,,allows you to partition your flash or your\NRAM into secure and non secure parts. And
Dialogue: 0,0:06:27.67,0:06:31.40,Default,,0000,0000,0000,,so, for example, you could have a tiny\Nsecure area because your secret code is
Dialogue: 0,0:06:31.40,0:06:36.91,Default,,0000,0000,0000,,very small and a big non secure area. The\Nsame is true for RAM and also for the
Dialogue: 0,0:06:36.91,0:06:42.57,Default,,0000,0000,0000,,peripherals. So for example, if you have a\Ndisplay and a crypto engine and so on, you
Dialogue: 0,0:06:42.57,0:06:48.60,Default,,0000,0000,0000,,can decide whether these peripherals\Nshould be secure or non secure. And so
Dialogue: 0,0:06:48.60,0:06:53.42,Default,,0000,0000,0000,,let's talk about these two security\Nstates: secure and non secure. Well, if
Dialogue: 0,0:06:53.42,0:06:57.95,Default,,0000,0000,0000,,you have code running in secure flash or\Nyou have secure code running, it can call
Dialogue: 0,0:06:57.95,0:07:02.73,Default,,0000,0000,0000,,anywhere into the non secure world. It's\Nbasically the highest privilege level you
Dialogue: 0,0:07:02.73,0:07:08.01,Default,,0000,0000,0000,,can have. And so there's no protection\Nthere. However, the opposite, if we tried
Dialogue: 0,0:07:08.01,0:07:12.48,Default,,0000,0000,0000,,to go from the non secure world to the\Nsecure world, would be insecure because,
Dialogue: 0,0:07:12.48,0:07:15.47,Default,,0000,0000,0000,,for example, you could jump to the parts\Nof the code that are behind certain
Dialogue: 0,0:07:15.47,0:07:20.33,Default,,0000,0000,0000,,protections and so on. And so that's why,\Nif you tried to jump from unsecured
Dialogue: 0,0:07:20.33,0:07:26.75,Default,,0000,0000,0000,,code into secure code, it will cause an\Nexception. And to handle that, there's a
Dialogue: 0,0:07:26.75,0:07:32.25,Default,,0000,0000,0000,,third memory state which is called non\Nsecure callable. And as the name implies,
Dialogue: 0,0:07:32.25,0:07:37.91,Default,,0000,0000,0000,,basically your non secure code can call\Ninto the non secure callable code. More
Dialogue: 0,0:07:37.91,0:07:43.21,Default,,0000,0000,0000,,specifically, it can only call to non\Nsecure callable code addresses where
Dialogue: 0,0:07:43.21,0:07:49.57,Default,,0000,0000,0000,,there's an SG instruction, which stands for\NSecure Gateway. And the idea behind the
Dialogue: 0,0:07:49.57,0:07:53.54,Default,,0000,0000,0000,,secure gateway is that if you have a non\Nsecure kernel running, you probably also
Dialogue: 0,0:07:53.54,0:07:57.61,Default,,0000,0000,0000,,have a secure kernel running. And\Nsomehow this secure kernel will expose
Dialogue: 0,0:07:57.61,0:08:02.52,Default,,0000,0000,0000,,certain system calls, for example. And so\Nwe want to somehow call from the non
Dialogue: 0,0:08:02.52,0:08:09.07,Default,,0000,0000,0000,,secure kernel into these system calls, but\Nas I've just mentioned, we can't do that
Dialogue: 0,0:08:09.07,0:08:15.04,Default,,0000,0000,0000,,because this will unfortunately cause an\Nexception. And so the way this is handled
Dialogue: 0,0:08:15.04,0:08:19.73,Default,,0000,0000,0000,,on TrustZone-M is that you create so-\Ncalled secure gateway veneer functions.
Dialogue: 0,0:08:19.73,0:08:24.69,Default,,0000,0000,0000,,These are very short functions in the non\Nsecure callable area. And so if we want,
Dialogue: 0,0:08:24.69,0:08:29.65,Default,,0000,0000,0000,,for example, to call the load key system\Ncall, we would call the load key veneer
Dialogue: 0,0:08:29.65,0:08:35.37,Default,,0000,0000,0000,,function, which in turn would call the\Nreal load key function. And these veneer
Dialogue: 0,0:08:35.37,0:08:40.20,Default,,0000,0000,0000,,functions are super short. So if you look\Nat the disassembly of them, it's like two
Dialogue: 0,0:08:40.20,0:08:44.12,Default,,0000,0000,0000,,instructions. It's the secure gateway\Ninstruction and then a branch instruction
Dialogue: 0,0:08:44.12,0:08:51.63,Default,,0000,0000,0000,,to your real function. And so if we\Ncombine this, we end up with this diagram:
Dialogue: 0,0:08:51.63,0:08:57.20,Default,,0000,0000,0000,,secure can call into non secure, non\Nsecure can call into NSC and NSC can call
Dialogue: 0,0:08:57.20,0:09:04.19,Default,,0000,0000,0000,,into your secure world. But how do we\Nmanage these memory states? How do we know
Dialogue: 0,0:09:04.19,0:09:09.30,Default,,0000,0000,0000,,what security state an address has?\NAnd so for this in TrustZone-M, we use
Dialogue: 0,0:09:09.30,0:09:13.94,Default,,0000,0000,0000,,something called attribution units, and\Nby default there are two
Dialogue: 0,0:09:13.94,0:09:19.09,Default,,0000,0000,0000,,attribution units available. The first one\Nis the SAU, the Security Attribution Unit,
Dialogue: 0,0:09:19.09,0:09:24.43,Default,,0000,0000,0000,,which is standard across chips. It's\Nbasically defined by ARM how you use this.
Dialogue: 0,0:09:24.43,0:09:29.49,Default,,0000,0000,0000,,And then there's the IDAU, the\NImplementation Defined Attribution Unit,
Dialogue: 0,0:09:29.49,0:09:34.07,Default,,0000,0000,0000,,which is basically custom to the silicon\Nvendor, but can also be the same across
Dialogue: 0,0:09:34.07,0:09:41.26,Default,,0000,0000,0000,,several chips. And to get the security\Nstate of an address, the security
Dialogue: 0,0:09:41.26,0:09:47.31,Default,,0000,0000,0000,,attributions of both the SAU and the IDAU\Nare combined and whichever one has the
Dialogue: 0,0:09:47.31,0:09:53.15,Default,,0000,0000,0000,,higher privilege level will basically win.\NAnd so let's say our SAU says this address
Dialogue: 0,0:09:53.15,0:09:59.21,Default,,0000,0000,0000,,is secure and our IDAU says this address\Nis non secure: the SAU wins because it's
Dialogue: 0,0:09:59.21,0:10:05.88,Default,,0000,0000,0000,,the highest privilege level. And basically\Nour address would be considered secure.
Dialogue: 0,0:10:05.88,0:10:12.34,Default,,0000,0000,0000,,This is a short table. If both the SAU and\Nthe IDAU agree, we will be non secure. If
Dialogue: 0,0:10:12.34,0:10:17.24,Default,,0000,0000,0000,,both say, hey, this is secure, it will be\Nsecure. However, if they disagree and the
Dialogue: 0,0:10:17.24,0:10:22.64,Default,,0000,0000,0000,,SAU says, hey, this address is secure, and the\NIDAU says it's non secure, it will still
Dialogue: 0,0:10:22.64,0:10:27.46,Default,,0000,0000,0000,,be secure because secure is the higher\Nprivilege level. The opposite is true. And
Dialogue: 0,0:10:27.46,0:10:33.85,Default,,0000,0000,0000,,even with non secure callable, secure\Nis more privileged than NSC. And so secure
Dialogue: 0,0:10:33.85,0:10:41.17,Default,,0000,0000,0000,,will win. But if we mix NS and NSC, we get\Nnon-secure callable. Okay. My initial
Dialogue: 0,0:10:41.17,0:10:45.88,Default,,0000,0000,0000,,hypothesis when I read all of this was, if\Nwe break or disable the attribution units,
Dialogue: 0,0:10:45.88,0:10:52.22,Default,,0000,0000,0000,,we probably break the security. And so to\Nbreak these, we have to understand them.
Dialogue: 0,0:10:52.22,0:10:57.56,Default,,0000,0000,0000,,And so let's look at the SAU, the security\Nattribution unit. It's standardized by
Dialogue: 0,0:10:57.56,0:11:02.43,Default,,0000,0000,0000,,ARM. It's not available on all chips. And\Nit basically allows you to create memory
Dialogue: 0,0:11:02.43,0:11:08.74,Default,,0000,0000,0000,,regions with different security states.\NSo, for example, if the SAU is turned off,
Dialogue: 0,0:11:08.74,0:11:13.19,Default,,0000,0000,0000,,everything will be considered secure. And\Nif we turn it on, but no regions are
Dialogue: 0,0:11:13.19,0:11:16.99,Default,,0000,0000,0000,,configured, still, everything will be\Nsecure. We can then go and add, for
Dialogue: 0,0:11:16.99,0:11:23.85,Default,,0000,0000,0000,,example, address ranges and make them NSC\Nor non secure and so on. And this is done
Dialogue: 0,0:11:23.85,0:11:28.92,Default,,0000,0000,0000,,very, very easily. You basically have\Nthese five registers. You have the SAU
Dialogue: 0,0:11:28.92,0:11:34.89,Default,,0000,0000,0000,,control register, where you basically can\Nturn it on or off. You have the SAU type,
Dialogue: 0,0:11:34.89,0:11:38.33,Default,,0000,0000,0000,,which gives you the number of supported\Nregions on your platform because this can
Dialogue: 0,0:11:38.33,0:11:42.78,Default,,0000,0000,0000,,be different across different chips. And\Nthen we have the region number register,
Dialogue: 0,0:11:42.78,0:11:46.15,Default,,0000,0000,0000,,which you use to select the region you\Nwant to configure, and then you set the
Dialogue: 0,0:11:46.15,0:11:50.46,Default,,0000,0000,0000,,base address and the limit address. And\Nthat's basically it. So, for example, if
Dialogue: 0,0:11:50.46,0:11:57.38,Default,,0000,0000,0000,,we want to set region zero, we simply set\Nthe RNR register to zero. Then we set the
Dialogue: 0,0:11:57.38,0:12:05.65,Default,,0000,0000,0000,,base address to 0x1000. We set the limit\Naddress to 0x1FE0, which is identical to
Dialogue: 0,0:12:05.65,0:12:08.97,Default,,0000,0000,0000,,1FFF because there are some other bits\Nbehind there that we don't care about
Dialogue: 0,0:12:08.97,0:12:14.91,Default,,0000,0000,0000,,right now. And then we turn on the\Nsecurity attribution unit and now our
Dialogue: 0,0:12:14.91,0:12:19.42,Default,,0000,0000,0000,,memory range is marked as secure. If you\Nwant to create a second region, we simply
Dialogue: 0,0:12:19.42,0:12:25.98,Default,,0000,0000,0000,,change RNR to, for example, 1, again insert\Nsome nice addresses, turn on the SAU and
Dialogue: 0,0:12:25.98,0:12:33.86,Default,,0000,0000,0000,,we have a second region, this time from\N4000 to 5FFF. So to summarize, we have
Dialogue: 0,0:12:33.86,0:12:40.47,Default,,0000,0000,0000,,three memory security states. We have S,\Nsecure, and we have NSC, non secure callable,
Dialogue: 0,0:12:40.47,0:12:46.15,Default,,0000,0000,0000,,and we have NS, non secure. We also have\Nthe two attribution units, the SAU,
Dialogue: 0,0:12:46.15,0:12:53.07,Default,,0000,0000,0000,,standard by ARM, and the IDAU, which is\Npotentially custom. We will use SAU and
Dialogue: 0,0:12:53.07,0:13:00.12,Default,,0000,0000,0000,,IDAU a lot. So this was very important.\NCool. Let's talk about fault injection. So
Dialogue: 0,0:13:00.12,0:13:06.06,Default,,0000,0000,0000,,as I've mentioned, we want to use fault\Ninjection to compromise TrustZone. And the
Dialogue: 0,0:13:06.06,0:13:10.74,Default,,0000,0000,0000,,idea behind fault injection, or as it's\Nalso called, glitching, is to introduce
Dialogue: 0,0:13:10.74,0:13:14.61,Default,,0000,0000,0000,,faults into a chip. So, for example, you\Ncut the power for a very short amount of
Dialogue: 0,0:13:14.61,0:13:19.31,Default,,0000,0000,0000,,time while you change the period of the\Nclock signal, or even you could go and
Dialogue: 0,0:13:19.31,0:13:23.60,Default,,0000,0000,0000,,inject electromagnetic shocks in your\Nchip. You can also shoot at it with a
Dialogue: 0,0:13:23.60,0:13:29.17,Default,,0000,0000,0000,,laser and so on and so forth. Lots of ways\Nto do this. And the goal of this is
Dialogue: 0,0:13:29.17,0:13:34.40,Default,,0000,0000,0000,,to cause undefined behavior. And in this\Ntalk, we will specifically look at
Dialogue: 0,0:13:34.40,0:13:40.44,Default,,0000,0000,0000,,something called voltage glitching. And so\Nthe idea behind voltage glitching is that
Dialogue: 0,0:13:40.44,0:13:44.93,Default,,0000,0000,0000,,we cut the power to the chip for a very,\Nvery short amount of time at a very
Dialogue: 0,0:13:44.93,0:13:49.10,Default,,0000,0000,0000,,precisely timed moment. And this will\Ncause some interesting behavior. So
Dialogue: 0,0:13:49.10,0:13:56.72,Default,,0000,0000,0000,,basically, if you would look at this on an\Noscilloscope, we would basically have a
Dialogue: 0,0:13:56.72,0:14:02.57,Default,,0000,0000,0000,,stable voltage, stable voltage, stable\Nvoltage, and then suddenly it drops and
Dialogue: 0,0:14:02.57,0:14:08.10,Default,,0000,0000,0000,,immediately returns. And this drop will\Nonly be a couple of nanoseconds long. And
Dialogue: 0,0:14:08.10,0:14:12.76,Default,,0000,0000,0000,,so, for example, you can have glitches\Nthat are 10 nanoseconds long or 15
Dialogue: 0,0:14:12.76,0:14:18.83,Default,,0000,0000,0000,,nanoseconds long and so on. Depends on\Nyour chip. And yeah. And this allows you
Dialogue: 0,0:14:18.83,0:14:24.23,Default,,0000,0000,0000,,to do different things. So, for example, a\Nglitch can allow you to skip instructions.
Dialogue: 0,0:14:24.23,0:14:29.11,Default,,0000,0000,0000,,It can corrupt flash reads or flash\Nwrites. It can corrupt memory registers or
Dialogue: 0,0:14:29.11,0:14:34.92,Default,,0000,0000,0000,,register reads and writes. And skipping\Ninstructions for me is always the most
Dialogue: 0,0:14:34.92,0:14:40.00,Default,,0000,0000,0000,,interesting one, because it allows you to\Ndirectly go from disassembly to
Dialogue: 0,0:14:40.00,0:14:45.08,Default,,0000,0000,0000,,understanding what you can potentially\Njump over. So, for example, if we have
Dialogue: 0,0:14:45.08,0:14:50.61,Default,,0000,0000,0000,,some code, this would be a basic firmware\Nboot up code. We have an initialize
Dialogue: 0,0:14:50.61,0:14:55.44,Default,,0000,0000,0000,,device function. Then we have a function\Nthat basically verifies the firmware
Dialogue: 0,0:14:55.44,0:15:00.34,Default,,0000,0000,0000,,that's in flash and then we have this\Nboolean check whether our firmware was
Dialogue: 0,0:15:00.34,0:15:05.33,Default,,0000,0000,0000,,valid. And now if we glitch at just the\Nright time, we might be able to glitch
Dialogue: 0,0:15:05.33,0:15:12.88,Default,,0000,0000,0000,,over this check and boot our potentially\Ncompromised firmware, which is super nice.
Dialogue: 0,0:15:12.88,0:15:19.48,Default,,0000,0000,0000,,So how does this relate to TrustZone?\NWell, if we manage to glitch over "enable
Dialogue: 0,0:15:19.48,0:15:25.90,Default,,0000,0000,0000,,TrustZone", we might be able to break\NTrustZone. So how do you actually do this?
Dialogue: 0,0:15:25.90,0:15:30.81,Default,,0000,0000,0000,,Well, we need something to wait for a\Ncertain delay and generate a pulse at just
Dialogue: 0,0:15:30.81,0:15:36.25,Default,,0000,0000,0000,,the right time with very high precision.\NWe are talking about nanoseconds here,
Dialogue: 0,0:15:36.25,0:15:40.26,Default,,0000,0000,0000,,and we also need something to drop the\Npower to the target. And so if you need
Dialogue: 0,0:15:40.26,0:15:46.45,Default,,0000,0000,0000,,precise timing and so on, what works very\Nwell is an FPGA. And so, for example, the
Dialogue: 0,0:15:46.45,0:15:51.65,Default,,0000,0000,0000,,code that was released as part of this all\Nruns on the Lattice iCEstick, which is
Dialogue: 0,0:15:51.65,0:15:56.61,Default,,0000,0000,0000,,roughly 30 bucks, and you need a cheap\NMOSFET, and so together this is like thirty
Dialogue: 0,0:15:56.61,0:16:02.44,Default,,0000,0000,0000,,one dollars of equipment. And on a setup\Nside, this looks something like this. You
Dialogue: 0,0:16:02.44,0:16:06.83,Default,,0000,0000,0000,,would have your FPGA, which has a trigger\Ninput. And so, for example, if you want to
Dialogue: 0,0:16:06.83,0:16:10.43,Default,,0000,0000,0000,,glitch something during the boot up of a\Nchip, you could connect this to the reset
Dialogue: 0,0:16:10.43,0:16:14.77,Default,,0000,0000,0000,,line of the chip. And then we have an\Noutput for the glitch pulse. And then if
Dialogue: 0,0:16:14.77,0:16:20.82,Default,,0000,0000,0000,,we hook this all up, we basically have our\Npower supply to the chip run over a
Dialogue: 0,0:16:20.82,0:16:26.53,Default,,0000,0000,0000,,MOSFET. And then if the glitch pulse goes\Nhigh, we drop the power to ground and the
Dialogue: 0,0:16:26.53,0:16:33.19,Default,,0000,0000,0000,,chip doesn't get power for a couple of\Nnanoseconds. Let's talk about this power
Dialogue: 0,0:16:33.19,0:16:39.36,Default,,0000,0000,0000,,supply, because a chip has a lot of\Ndifferent things inside of it. So, for
Dialogue: 0,0:16:39.36,0:16:45.37,Default,,0000,0000,0000,,example, a microcontroller has a CPU core.\NWe have a Wi-Fi peripheral. We have GPIO.
Dialogue: 0,0:16:45.37,0:16:50.90,Default,,0000,0000,0000,,We might have Bluetooth and so on. And\Noften these peripherals run at different
Dialogue: 0,0:16:50.90,0:16:56.53,Default,,0000,0000,0000,,voltages. And so while our microcontroller\Nmight just have a 3.3 volt input,
Dialogue: 0,0:16:56.53,0:17:00.08,Default,,0000,0000,0000,,internally there are a lot of different\Nvoltages at play. And the way these
Dialogue: 0,0:17:00.08,0:17:05.41,Default,,0000,0000,0000,,voltages are generated often is using\Nin-chip regulators. And basically these
Dialogue: 0,0:17:05.41,0:17:11.45,Default,,0000,0000,0000,,regulators connect with the 3.3 volt in\Nand then generate the different voltages
Dialogue: 0,0:17:11.45,0:17:16.74,Default,,0000,0000,0000,,for the CPU core and so on. But what's\Nnice is that on a lot of chips there are,
Dialogue: 0,0:17:16.74,0:17:21.62,Default,,0000,0000,0000,,behind the core regulator, so called\Nbypass capacitors, and these external
Dialogue: 0,0:17:21.62,0:17:26.24,Default,,0000,0000,0000,,capacitors are basically there to\Nstabilize the voltage because regulators
Dialogue: 0,0:17:26.24,0:17:32.12,Default,,0000,0000,0000,,tend to have a very noisy output and you\Nuse the capacitor to make it more smooth.
Dialogue: 0,0:17:32.12,0:17:36.73,Default,,0000,0000,0000,,But if you look at this, this also gives\Nus direct access to the CPU core power
Dialogue: 0,0:17:36.73,0:17:42.39,Default,,0000,0000,0000,,supply. And so if we just take a heat gun\Nand remove the capacitor, we actually kind
Dialogue: 0,0:17:42.39,0:17:46.73,Default,,0000,0000,0000,,of change the pin out of the processor\Nbecause now we have a 3.3 volt in, we
Dialogue: 0,0:17:46.73,0:17:52.70,Default,,0000,0000,0000,,have a point to input the core voltage and\Nwe have ground. So we basically gained
Dialogue: 0,0:17:52.70,0:17:59.99,Default,,0000,0000,0000,,direct access to the internal CPU core\Nvoltage rails. The only problem is these
Dialogue: 0,0:17:59.99,0:18:04.63,Default,,0000,0000,0000,,capacitors are there for a reason. And so if we\Nremove them, then your chip might stop
Dialogue: 0,0:18:04.63,0:18:09.77,Default,,0000,0000,0000,,working. But very easy solution: you just\Nhook up a power supply to it, set it to
Dialogue: 0,0:18:09.77,0:18:14.65,Default,,0000,0000,0000,,1.2 volts or whatever, and then suddenly\Nit works. And this also allows you to
Dialogue: 0,0:18:14.65,0:18:23.15,Default,,0000,0000,0000,,glitch very easily. You just glitch on\Nyour power rail towards the chip. And so
Dialogue: 0,0:18:23.15,0:18:27.45,Default,,0000,0000,0000,,this is our current setup. So we have the\NLattice iCEstick. We also use a
Dialogue: 0,0:18:27.45,0:18:31.43,Default,,0000,0000,0000,,multiplexer as an analog switch to cut the\Npower to the entire device if we want to
Dialogue: 0,0:18:31.43,0:18:36.78,Default,,0000,0000,0000,,reboot everything. We have the MOSFET and\Nwe have a power supply. Now hooking this
Dialogue: 0,0:18:36.78,0:18:42.30,Default,,0000,0000,0000,,all up on a breadboard is fun the first\Ntime, it's okay the second time. But the
Dialogue: 0,0:18:42.30,0:18:47.08,Default,,0000,0000,0000,,third time it begins to really, really\Nsuck. And as soon as something breaks with
Dialogue: 0,0:18:47.08,0:18:52.45,Default,,0000,0000,0000,,like 100 jumper wires on your desk, the\Nonly way to debug is to start over. And so
Dialogue: 0,0:18:52.45,0:18:57.32,Default,,0000,0000,0000,,that's why I decided to design a small\Nhardware platform that combines all of
Dialogue: 0,0:18:57.32,0:19:03.07,Default,,0000,0000,0000,,these things. So it has an FPGA on it. It\Nhas analog input and it has a lot of
Dialogue: 0,0:19:03.07,0:19:07.56,Default,,0000,0000,0000,,glitch circuitry and it's called the Mark\NEleven. If you've read William Gibson, you
Dialogue: 0,0:19:07.56,0:19:13.26,Default,,0000,0000,0000,,might know where this is from. And it\Ncontains a Lattice iCE40, which has a
Dialogue: 0,0:19:13.26,0:19:18.13,Default,,0000,0000,0000,,fully open source toolchain, thanks to\NClifford Wolf and so on. And this allows us
Dialogue: 0,0:19:18.13,0:19:23.23,Default,,0000,0000,0000,,to very, very quickly develop new\Ntriggers, develop new glitch code and so
Dialogue: 0,0:19:23.23,0:19:27.45,Default,,0000,0000,0000,,on. And it makes compilation and\Neverything really, really fast. It also
Dialogue: 0,0:19:27.45,0:19:31.74,Default,,0000,0000,0000,,comes with three integrated power\Nsupplies. So we have a 1.2 volt power
Dialogue: 0,0:19:31.74,0:19:38.25,Default,,0000,0000,0000,,supply, 3.3, 5 volts and so on, and you\Ncan use it for DPA. And this is based
Dialogue: 0,0:19:38.25,0:19:42.88,Default,,0000,0000,0000,,around some existing devices. So, for\Nexample, the FPGA part is based on the
Dialogue: 0,0:19:42.88,0:19:48.82,Default,,0000,0000,0000,,1BitSquared iCEBreaker. The analog front\Nend, thanks to Colin O'Flynn, is based on
Dialogue: 0,0:19:48.82,0:19:53.57,Default,,0000,0000,0000,,the ChipWhisperer Nano. And then the\Nglitch circuit is basically what we've
Dialogue: 0,0:19:53.57,0:19:58.52,Default,,0000,0000,0000,,been using on breadboards for quite a\Nwhile, just combined on a single device.
Dialogue: 0,0:19:58.52,0:20:02.55,Default,,0000,0000,0000,,And so unfortunately, as always with\Nhardware, production takes longer than you
Dialogue: 0,0:20:02.55,0:20:07.44,Default,,0000,0000,0000,,might assume. But if you drop me a message\Non Twitter, I'm happy to send you a PCB as
Dialogue: 0,0:20:07.44,0:20:13.44,Default,,0000,0000,0000,,soon as they work well. And the BOM is\Naround 50 bucks. Cool. So now that we are
Dialogue: 0,0:20:13.44,0:20:19.58,Default,,0000,0000,0000,,ready to actually attack chips,\Nlet's look at an example. So the very
Dialogue: 0,0:20:19.58,0:20:25.39,Default,,0000,0000,0000,,first chip that I encountered that used\NTrustZone-M was the Microchip SAM L11. And
Dialogue: 0,0:20:25.39,0:20:32.01,Default,,0000,0000,0000,,so this chip was released in June 2018.\NAnd it's kind of a small, slow chip.
Dialogue: 0,0:20:32.01,0:20:37.93,Default,,0000,0000,0000,,It runs at 32 megahertz. It has up to 64\Nkilobytes of flash and 16 kilobytes of
Dialogue: 0,0:20:37.93,0:20:44.21,Default,,0000,0000,0000,,SRAM, but it's super cheap. It's like one\Ndollar eighty at quantity one. And so it's
Dialogue: 0,0:20:44.21,0:20:50.23,Default,,0000,0000,0000,,really nice, really affordable. And we had\Npeople come up to us and suggest, hey, I
Dialogue: 0,0:20:50.23,0:20:54.66,Default,,0000,0000,0000,,want to build a TPM on top of this, or I\Nwant to build a hardware wallet on top of
Dialogue: 0,0:20:54.66,0:21:01.12,Default,,0000,0000,0000,,this. And so on and so forth. And if we\Nlook at the website of this chip, it has a
Dialogue: 0,0:21:01.12,0:21:06.53,Default,,0000,0000,0000,,lot of security in it, so it's the best\Ncontribution to IoT security winner of
Dialogue: 0,0:21:06.53,0:21:14.90,Default,,0000,0000,0000,,2018. And if you just type "secure" into the\Nword search, you get like 57 hits. So this
Dialogue: 0,0:21:14.90,0:21:23.61,Default,,0000,0000,0000,,chip is 57 secure. {\i1}laughter{\i0} And even on\Nthe website itself, you have like chip
Dialogue: 0,0:21:23.61,0:21:28.70,Default,,0000,0000,0000,,level security. And then if you look at\Nthe first of the descriptions, you have
Dialogue: 0,0:21:28.70,0:21:33.95,Default,,0000,0000,0000,,robust chip level security including chip\Nlevel tamper resistance, active shield
Dialogue: 0,0:21:33.95,0:21:38.30,Default,,0000,0000,0000,,protects against physical attacks and\Nresists micro probing attacks. And even in
Dialogue: 0,0:21:38.30,0:21:42.44,Default,,0000,0000,0000,,the datasheet, where I got really worried\Nbecause, as I said, I do a lot with the core
Dialogue: 0,0:21:42.44,0:21:47.65,Default,,0000,0000,0000,,voltage, it has a brown-out detector that\Nhas been calibrated in production and must
Dialogue: 0,0:21:47.65,0:21:53.81,Default,,0000,0000,0000,,not be changed and so on. Yeah. To be\Nfair, when I talked to Microchip, they
Dialogue: 0,0:21:53.81,0:21:58.49,Default,,0000,0000,0000,,mentioned that they absolutely want to\Ncommunicate that this chip is not hardened
Dialogue: 0,0:21:58.49,0:22:03.68,Default,,0000,0000,0000,,against hardware attacks, but I can see\Nhow somebody who looks at this would get
Dialogue: 0,0:22:03.68,0:22:10.55,Default,,0000,0000,0000,,the wrong impression given all the terms\Nand so on. Anyway, so let's talk about the
Dialogue: 0,0:22:10.55,0:22:16.67,Default,,0000,0000,0000,,TrustZone in this chip. So the SAM L11\Ndoes not have a security attribution unit.
Dialogue: 0,0:22:16.67,0:22:21.27,Default,,0000,0000,0000,,Instead, it only has the implementation\Ndefined attribution unit. And the
Dialogue: 0,0:22:21.27,0:22:25.58,Default,,0000,0000,0000,,configuration for this implementation\Ndefined attribution unit is stored in the
Dialogue: 0,0:22:25.58,0:22:29.79,Default,,0000,0000,0000,,user row, which is basically the\Nconfiguration flash. It's also called
Dialogue: 0,0:22:29.79,0:22:33.61,Default,,0000,0000,0000,,fuses in the datasheet sometimes, but\Nit's really, I think, flash based. I
Dialogue: 0,0:22:33.61,0:22:36.75,Default,,0000,0000,0000,,haven't checked, but I am pretty sure it\Nis because you can read it, write it,
Dialogue: 0,0:22:36.75,0:22:42.19,Default,,0000,0000,0000,,change it and so on. And then the IDAU,\Nonce you've configured it, will be
Dialogue: 0,0:22:42.19,0:22:49.37,Default,,0000,0000,0000,,configured by the boot ROM during the\Nstart of the chip. And the idea behind the
Dialogue: 0,0:22:49.37,0:22:54.10,Default,,0000,0000,0000,,IDAU is that all your flash is partitioned\Ninto two parts, the bootloader part and
Dialogue: 0,0:22:54.10,0:23:00.29,Default,,0000,0000,0000,,the application part, and both of these\Ncan be split into secure, non secure
Dialogue: 0,0:23:00.29,0:23:05.10,Default,,0000,0000,0000,,callable and non secure.
So you can have a\Nbootloader, a secure and a non secure one, Dialogue: 0,0:23:05.10,0:23:09.51,Default,,0000,0000,0000,,and you can have an application, a secure\Nand a non secure one. And the size of Dialogue: 0,0:23:09.51,0:23:14.04,Default,,0000,0000,0000,,these regions is controlled by these five\Nregisters. And for example, if we want to Dialogue: 0,0:23:14.04,0:23:18.74,Default,,0000,0000,0000,,change our non secure application to be\Nbigger and make our secure application a Dialogue: 0,0:23:18.74,0:23:23.65,Default,,0000,0000,0000,,bit smaller, we just fiddle with these\Nregisters and the sizes will adjust and Dialogue: 0,0:23:23.65,0:23:31.39,Default,,0000,0000,0000,,the same with the bootloader. So this is\Npretty simple. How do we attack it? My Dialogue: 0,0:23:31.39,0:23:36.94,Default,,0000,0000,0000,,goal initially was I want to somehow read\Ndata from the secure world while running Dialogue: 0,0:23:36.94,0:23:41.56,Default,,0000,0000,0000,,code in the non secret world. So jump the\Nsecurity gap. My code in non secure should Dialogue: 0,0:23:41.56,0:23:47.35,Default,,0000,0000,0000,,be able to, for example, extract keys from\Nthe secure world and my attack path for Dialogue: 0,0:23:47.35,0:23:52.79,Default,,0000,0000,0000,,that was well, I glitched the boot ROM\Ncode that loads the IDAU you Dialogue: 0,0:23:52.79,0:23:57.14,Default,,0000,0000,0000,,configuration. But before we can actually\Ndo this, we need to understand, is this Dialogue: 0,0:23:57.14,0:24:01.55,Default,,0000,0000,0000,,chip actually glitchable and can we? Is it\Nsusceptible to glitches or do we Dialogue: 0,0:24:01.55,0:24:07.36,Default,,0000,0000,0000,,immediately get get thrown out? And so I\Nused a very simple setup where just had a Dialogue: 0,0:24:07.36,0:24:13.21,Default,,0000,0000,0000,,firmware and tried to glitch out of the\Nloop and enable an LED. 
And I had success Dialogue: 0,0:24:13.21,0:24:19.09,Default,,0000,0000,0000,,in less than five minutes and super stable\Nglitches almost immediately. Like when I Dialogue: 0,0:24:19.09,0:24:23.19,Default,,0000,0000,0000,,saw this, I was 100 percent sure that I\Nmessed up my setup or that the compiler Dialogue: 0,0:24:23.19,0:24:28.71,Default,,0000,0000,0000,,optimized out my loop or that I did\Nsomething wrong because I never glitch to Dialogue: 0,0:24:28.71,0:24:33.53,Default,,0000,0000,0000,,chip in five minutes. And so this was\Npretty awesome, but I also spend another Dialogue: 0,0:24:33.53,0:24:41.55,Default,,0000,0000,0000,,two hours verifying my setup. So. OK.\NCool, we know that ship is glitchable, so Dialogue: 0,0:24:41.55,0:24:47.15,Default,,0000,0000,0000,,let's glitch it. What do we glitch? Well,\Nif we think about it somewhere during the Dialogue: 0,0:24:47.15,0:24:53.33,Default,,0000,0000,0000,,boot ROM, these registers are red from\Nflash and then some hardware is somehow Dialogue: 0,0:24:53.33,0:24:57.89,Default,,0000,0000,0000,,configured. We don't know how because we\Ncan't dump the boot from we don't know Dialogue: 0,0:24:57.89,0:25:01.54,Default,,0000,0000,0000,,what's going on in the chip. And the\Ndatasheet has a lot of pages. And I'm a Dialogue: 0,0:25:01.54,0:25:09.16,Default,,0000,0000,0000,,millennial. So, yeah, I read what I have\Nto read and that's it. But my basic idea Dialogue: 0,0:25:09.16,0:25:14.25,Default,,0000,0000,0000,,is if we somehow manage to glitch the\Npoint where it tries to read the value of Dialogue: 0,0:25:14.25,0:25:19.10,Default,,0000,0000,0000,,the AS Register, we might be able to set\Nit to zero because most chip peripherals Dialogue: 0,0:25:19.10,0:25:25.06,Default,,0000,0000,0000,,will initialize to zero. 
And if we glitch\Nwith the instruction that reads AS, maybe Dialogue: 0,0:25:25.06,0:25:30.29,Default,,0000,0000,0000,,we can make our non secure application\Nbigger so that we, that actually we can Dialogue: 0,0:25:30.29,0:25:39.22,Default,,0000,0000,0000,,read the secure application data because\Nnow it's considered non secure. But. Dialogue: 0,0:25:39.22,0:25:44.41,Default,,0000,0000,0000,,Problem 1 The boot ROM is not dumpable. So\Nwe cannot just disassemble it and figure Dialogue: 0,0:25:44.41,0:25:50.66,Default,,0000,0000,0000,,out when does it roughly do this. And the\Nproblem 2 is that we don't know when Dialogue: 0,0:25:50.66,0:25:55.13,Default,,0000,0000,0000,,exactly this read occures and our glitch\Nneeds to be instruction precise. We need Dialogue: 0,0:25:55.13,0:26:01.16,Default,,0000,0000,0000,,to hit just the right instruction to make\Nthis work. And the solution is brute Dialogue: 0,0:26:01.16,0:26:08.14,Default,,0000,0000,0000,,force. But I mean like nobody has time for\Nthat. Right? So if the chip boots for 2 Dialogue: 0,0:26:08.14,0:26:12.82,Default,,0000,0000,0000,,milliseconds. That's a long range we have\Nto search for glitches. And so very easy Dialogue: 0,0:26:12.82,0:26:17.16,Default,,0000,0000,0000,,solution power analysis. And it turns out\Nthat, for example, a riscure has done this Dialogue: 0,0:26:17.16,0:26:23.03,Default,,0000,0000,0000,,before where basically they tried to\Nfigure out where in time a JTAG lock is Dialogue: 0,0:26:23.03,0:26:30.45,Default,,0000,0000,0000,,set by comparing the power consumption.\NAnd so the idea is, we basically write Dialogue: 0,0:26:30.45,0:26:35.65,Default,,0000,0000,0000,,different values to the AS register, then\Nwe collect a lot of power traces and then Dialogue: 0,0:26:35.65,0:26:41.03,Default,,0000,0000,0000,,we look for the differences. And this is\Nrelatively simple to do. If you have a Dialogue: 0,0:26:41.03,0:26:46.43,Default,,0000,0000,0000,,ChipWhisperer. So. This was my rough\Nsetup. 
So we just have the ChipWhisperer- Dialogue: 0,0:26:46.43,0:26:51.74,Default,,0000,0000,0000,,Lite. We have a breakout with the chip we\Nwant to attack and a programmer. And then Dialogue: 0,0:26:51.74,0:26:56.71,Default,,0000,0000,0000,,we basically collect a couple of traces.\NAnd in my case, even just 20 traces are Dialogue: 0,0:26:56.71,0:27:01.78,Default,,0000,0000,0000,,enough, which takes, I don't know, like\Nhalf a second to run. And if you have 20 Dialogue: 0,0:27:01.78,0:27:07.37,Default,,0000,0000,0000,,traces in unsecure mode, 20 traces in\Nsecure mode and you compare them, you can Dialogue: 0,0:27:07.37,0:27:11.23,Default,,0000,0000,0000,,see that there are clear differences in\Nthe power consumption starting at a Dialogue: 0,0:27:11.23,0:27:15.47,Default,,0000,0000,0000,,certain point. And so I wrote a script\Nthat does some more statistics on it and Dialogue: 0,0:27:15.47,0:27:20.97,Default,,0000,0000,0000,,so on. And that basically told me the best\Nglitch candidate starts at 2.18 Dialogue: 0,0:27:20.97,0:27:24.72,Default,,0000,0000,0000,,milliseconds. And this needs to be so\Nprecise because I said we're in the milli Dialogue: 0,0:27:24.72,0:27:31.22,Default,,0000,0000,0000,,and the nano seconds range. And so we want\Nto make sure that we at the right point in Dialogue: 0,0:27:31.22,0:27:37.52,Default,,0000,0000,0000,,time. Now, how do you actually configure?\NHow do you build the setup where you Dialogue: 0,0:27:37.52,0:27:44.43,Default,,0000,0000,0000,,basically you get a success indication\Nonce you broke this? For this, I needed to Dialogue: 0,0:27:44.43,0:27:50.04,Default,,0000,0000,0000,,write a firmware that basically attempts\Nto read secure data. And then if it's Dialogue: 0,0:27:50.04,0:27:54.14,Default,,0000,0000,0000,,successful, enabled the GPIO. And if it\Nfails, it does nothing. And I just reset Dialogue: 0,0:27:54.14,0:27:59.46,Default,,0000,0000,0000,,and try again. 
And so I know I knew my\Nrough delay and I was triggering of the Dialogue: 0,0:27:59.46,0:28:04.59,Default,,0000,0000,0000,,reset of the chip that I just tried. Any\Ndelay after it and tried different glitch Dialogue: 0,0:28:04.59,0:28:11.17,Default,,0000,0000,0000,,pulse length and so on. And eventually I\Nhad a success. And these glitches you will Dialogue: 0,0:28:11.17,0:28:16.03,Default,,0000,0000,0000,,see with the glitcher which we released a\Nwhile back is super easy to write because Dialogue: 0,0:28:16.03,0:28:21.94,Default,,0000,0000,0000,,all you have is like 20 lines of Python.\NYou basically set up a loop delay from Dialogue: 0,0:28:21.94,0:28:28.32,Default,,0000,0000,0000,,delay to your setup, the pulse length. You\Niterate over a range of pulses. And then Dialogue: 0,0:28:28.32,0:28:34.25,Default,,0000,0000,0000,,in this case you just check whether your\NGPIO is high or low. That's all it takes. Dialogue: 0,0:28:34.25,0:28:38.31,Default,,0000,0000,0000,,And then once you have this running in a\Nstable fashion, it's amazing how fast it Dialogue: 0,0:28:38.31,0:28:43.19,Default,,0000,0000,0000,,works. So this is now a recorded video of\Na life glitch, of a real glitch, Dialogue: 0,0:28:43.19,0:28:49.73,Default,,0000,0000,0000,,basically. And you can see we have like 20\Nattempts per second. And after a couple of Dialogue: 0,0:28:49.73,0:28:57.37,Default,,0000,0000,0000,,seconds, we actually get a success\Nindication we just broke a chip. Sweet. Dialogue: 0,0:28:57.37,0:29:02.05,Default,,0000,0000,0000,,But one thing I moved to a part of Germany\Nto the very south is called the Dialogue: 0,0:29:02.05,0:29:09.59,Default,,0000,0000,0000,,Schwabenland. And I mean, 60 bucks. We are\Nknown to be very cheap and 60 bucks Dialogue: 0,0:29:09.59,0:29:15.44,Default,,0000,0000,0000,,translates to like six beers at\NOktoberfest. 
Just to convert this to the Dialogue: 0,0:29:15.44,0:29:24.46,Default,,0000,0000,0000,,local currency, that's like 60 Club Mate.\NUnacceptable. We need to go cheaper, much Dialogue: 0,0:29:24.46,0:29:33.65,Default,,0000,0000,0000,,cheaper, and so.\N{\i1}laughter and applause{\i0} Dialogue: 0,0:29:33.65,0:29:40.38,Default,,0000,0000,0000,,What if we take a chip that is 57 secure\Nand we tried to break it with the smallest Dialogue: 0,0:29:40.38,0:29:46.73,Default,,0000,0000,0000,,chip. And so this is an ATTiny which\Ncosts, I don't know, a a euro or two euro. Dialogue: 0,0:29:46.73,0:29:52.93,Default,,0000,0000,0000,,We combine it with a MOSFET to keep the\Ncomparison that's roughly 3 Club Mate and Dialogue: 0,0:29:52.93,0:29:57.82,Default,,0000,0000,0000,,we hook it all up on a jumper board and\Nturns out: This works like you can have a Dialogue: 0,0:29:57.82,0:30:02.65,Default,,0000,0000,0000,,relatively stable glitch, a glitcher with\Nlike 120 lines of assembly running all the Dialogue: 0,0:30:02.65,0:30:07.02,Default,,0000,0000,0000,,ATTiny and this will glitch your chip\Nsuccessfully and can break TrustZone on Dialogue: 0,0:30:07.02,0:30:13.59,Default,,0000,0000,0000,,the SAM L11. The problem is chips are very\Ncomplex and it's always very hard to do an Dialogue: 0,0:30:13.59,0:30:17.83,Default,,0000,0000,0000,,attack on a chip that you configured\Nyourself because as you will see, chances Dialogue: 0,0:30:17.83,0:30:21.38,Default,,0000,0000,0000,,are very high that you messed up the\Nconfiguration and for example, missed a Dialogue: 0,0:30:21.38,0:30:26.02,Default,,0000,0000,0000,,security bit, forgot to set something and\Nso on and so forth. But luckily, in the Dialogue: 0,0:30:26.02,0:30:32.17,Default,,0000,0000,0000,,case of the SAM L11, there's a version of\Nthis chip which is already configured and Dialogue: 0,0:30:32.17,0:30:39.59,Default,,0000,0000,0000,,only ships in non secure mode. And so this\Nis called the SAM L11 KPH. 
And so it comes Dialogue: 0,0:30:39.59,0:30:43.99,Default,,0000,0000,0000,,pre provisioned with a key and it comes\Npre provisioned with a trusted execution Dialogue: 0,0:30:43.99,0:30:49.75,Default,,0000,0000,0000,,environment already loaded into the secure\Npart of the chips and ships completely Dialogue: 0,0:30:49.75,0:30:54.70,Default,,0000,0000,0000,,secured and the customer can write and\Ndebug non secure code only. And also you Dialogue: 0,0:30:54.70,0:30:59.62,Default,,0000,0000,0000,,can download the SDK for it and write your\Nown trustlets and so on. But I couldn't Dialogue: 0,0:30:59.62,0:31:04.29,Default,,0000,0000,0000,,because it requires you to agree to their\Nterms and conditions so which exclude Dialogue: 0,0:31:04.29,0:31:08.98,Default,,0000,0000,0000,,reverse engineering. So no chance,\Nunfortunately. But anyway, this is the Dialogue: 0,0:31:08.98,0:31:14.60,Default,,0000,0000,0000,,perfect example to test our attack. You\Ncan buy these chips on DigiKey and then Dialogue: 0,0:31:14.60,0:31:18.99,Default,,0000,0000,0000,,try to break into the secure world because\Nthese chips are hopefully decently secured Dialogue: 0,0:31:18.99,0:31:24.78,Default,,0000,0000,0000,,and have everything set up and so on. And\Nyeah. So this was the setup. We designed Dialogue: 0,0:31:24.78,0:31:29.78,Default,,0000,0000,0000,,our own breakout port for the SAM L11,\Nwhich makes it a bit more accessible, has Dialogue: 0,0:31:29.78,0:31:35.10,Default,,0000,0000,0000,,JTAG and has no capacitors in the way. So\Nyou get access to all the core voltages Dialogue: 0,0:31:35.10,0:31:42.13,Default,,0000,0000,0000,,and so on and you have the FPGA on the top\Nleft the super cheap 20 bucks power supply Dialogue: 0,0:31:42.13,0:31:47.22,Default,,0000,0000,0000,,and the programmer. And then we just\Nimplemented a simple function that uses Dialogue: 0,0:31:47.22,0:31:53.23,Default,,0000,0000,0000,,openOCD to try to read an address that we\Nnormally can't read. 
So we basically we Dialogue: 0,0:31:53.23,0:31:59.03,Default,,0000,0000,0000,,glitch. Then we start OpenOCD, which uses\Nthe JTAG adapter to try to read secure Dialogue: 0,0:31:59.03,0:32:10.32,Default,,0000,0000,0000,,memory. And so I hooked it all up, wrote a\Nnice script and let it rip. And so after a Dialogue: 0,0:32:10.32,0:32:16.98,Default,,0000,0000,0000,,while or in well, a couple of seconds\Nimmediately again got successful, I got a Dialogue: 0,0:32:16.98,0:32:20.34,Default,,0000,0000,0000,,successful attack on the chip and more and\Nmore. And you can see just how stable you Dialogue: 0,0:32:20.34,0:32:26.61,Default,,0000,0000,0000,,can get these glitches and how well you\Ncan attack this. Yeah. So sweet hacked. We Dialogue: 0,0:32:26.61,0:32:31.31,Default,,0000,0000,0000,,can compromise the root of trust and the\Ntrusted execution environment. And this is Dialogue: 0,0:32:31.31,0:32:36.08,Default,,0000,0000,0000,,perfect for supply chain attacks. Right.\NBecause if you can compromise a part of Dialogue: 0,0:32:36.08,0:32:42.14,Default,,0000,0000,0000,,the chip that the customer will not be\Nable to access, he will never find you. Dialogue: 0,0:32:42.14,0:32:45.77,Default,,0000,0000,0000,,But the problem with supply chain attacks\Nis, they're pretty hard to scale and they Dialogue: 0,0:32:45.77,0:32:51.14,Default,,0000,0000,0000,,are only for sophisticated actors normally\Nand far too expensive is what most people Dialogue: 0,0:32:51.14,0:32:58.78,Default,,0000,0000,0000,,will tell you, except if you hack the\Ndistributor. And so as I guess last year Dialogue: 0,0:32:58.78,0:33:04.34,Default,,0000,0000,0000,,or this year, I don't know, I actually\Nfound a vulnerability in DigiKey, which Dialogue: 0,0:33:04.34,0:33:09.18,Default,,0000,0000,0000,,allowed me to access any invoice on\NDigiKey, including the credentials you Dialogue: 0,0:33:09.18,0:33:16.78,Default,,0000,0000,0000,,need to actually change the invoice. 
And\Nso basically the bug is that they did not Dialogue: 0,0:33:16.78,0:33:20.77,Default,,0000,0000,0000,,check when you basically requested an\Ninvoice, they did not check whether you Dialogue: 0,0:33:20.77,0:33:25.51,Default,,0000,0000,0000,,actually had permission to access it. And\Nyou have the web access id on top and the Dialogue: 0,0:33:25.51,0:33:30.37,Default,,0000,0000,0000,,invoice number. And that's all you need to\Ncall DigiKey and change the delivery, Dialogue: 0,0:33:30.37,0:33:37.17,Default,,0000,0000,0000,,basically. And so this also is all data\Nthat you need to reroute the shipment. I Dialogue: 0,0:33:37.17,0:33:41.49,Default,,0000,0000,0000,,disclosed this. It's fixed. It's been\Nfixed again afterwards. And now hopefully Dialogue: 0,0:33:41.49,0:33:45.99,Default,,0000,0000,0000,,this should be fine. So I feel good to\Ntalk about it. And so let's walk through Dialogue: 0,0:33:45.99,0:33:52.05,Default,,0000,0000,0000,,the scenarios. We have Eve and we have\NDigiKey and Eve builds this new super Dialogue: 0,0:33:52.05,0:33:58.09,Default,,0000,0000,0000,,sophisticated IOT toilet and she needs a\Nsecure chip. So she goes to DigiKey and Dialogue: 0,0:33:58.09,0:34:06.61,Default,,0000,0000,0000,,orders some SAM L11 KPHs and Mallory.\NMallory scans all new invoices on DigiKey. Dialogue: 0,0:34:06.61,0:34:13.24,Default,,0000,0000,0000,,And as soon as somebody orders a SAM L11,\Nthey talk to DigiKey with the API or via a Dialogue: 0,0:34:13.24,0:34:17.84,Default,,0000,0000,0000,,phone call to change the delivery address.\NAnd because you know who the chips are Dialogue: 0,0:34:17.84,0:34:23.41,Default,,0000,0000,0000,,going to, you can actually target this\Nvery, very well. So now the chips get Dialogue: 0,0:34:23.41,0:34:30.45,Default,,0000,0000,0000,,delivered to Mallory Mallory backdoors the\Nchips. 
And then sends the backdoored chips Dialogue: 0,0:34:30.45,0:34:34.42,Default,,0000,0000,0000,,to Eve who is none the wiser, because it's\Nthe same carrier, it's the same, it looks Dialogue: 0,0:34:34.42,0:34:38.15,Default,,0000,0000,0000,,the same. You have to be very, very\Nmindful of these types of attack to Dialogue: 0,0:34:38.15,0:34:43.31,Default,,0000,0000,0000,,actually recognize them. And even if they\Nopen the chips and they say they open the Dialogue: 0,0:34:43.31,0:34:48.53,Default,,0000,0000,0000,,package and they try the chip, they scan\Neverything they can scan the backdoor will Dialogue: 0,0:34:48.53,0:34:53.58,Default,,0000,0000,0000,,be in the part of the chip that they\Ncannot access. And so we just supply chain Dialogue: 0,0:34:53.58,0:35:02.33,Default,,0000,0000,0000,,attacked whoever using an UPS envelope,\Nbasically. So, yeah. Interesting attack Dialogue: 0,0:35:02.33,0:35:07.12,Default,,0000,0000,0000,,vector. So I talked to microchip and it's\Nbeen great. They've been super nice. It Dialogue: 0,0:35:07.12,0:35:13.46,Default,,0000,0000,0000,,was really a pleasure. I also talked to\NTrustonic, who were very open to this and Dialogue: 0,0:35:13.46,0:35:19.89,Default,,0000,0000,0000,,wanted to understand it. And so it was\Ngreat. And they explicitly state that this Dialogue: 0,0:35:19.89,0:35:23.76,Default,,0000,0000,0000,,chip only protects against software\Nattacks while it has some hardware Dialogue: 0,0:35:23.76,0:35:29.53,Default,,0000,0000,0000,,features like tamper ressistant RAM. It is\Nnot built to withstand fault injection Dialogue: 0,0:35:29.53,0:35:34.13,Default,,0000,0000,0000,,attacks. And even if you compare it now,\Ndifferent revisions of the data sheet, you Dialogue: 0,0:35:34.13,0:35:38.76,Default,,0000,0000,0000,,can see that some data sheets, the older\Nones they mention some fault injection Dialogue: 0,0:35:38.76,0:35:42.55,Default,,0000,0000,0000,,resistance and it's now gone from the data\Nsheet. 
And they are also asking for Dialogue: 0,0:35:42.55,0:35:46.98,Default,,0000,0000,0000,,feedback on making it more clear what this\Nchip protects against, which I think is a Dialogue: 0,0:35:46.98,0:35:52.62,Default,,0000,0000,0000,,noble goal because we all know marketing\Nversus technicians is always an Dialogue: 0,0:35:52.62,0:36:00.58,Default,,0000,0000,0000,,interesting fight. Let's say, cool first\Nchip broken time for the next one, right? Dialogue: 0,0:36:00.58,0:36:07.27,Default,,0000,0000,0000,,So the next chip I looked at was the\NNuvoton NuMicro M2351 rolls off the Dialogue: 0,0:36:07.27,0:36:14.15,Default,,0000,0000,0000,,tongue. It's a Cortex-M23 processor. It\Nhas TrustZone-M. And I was super excited Dialogue: 0,0:36:14.15,0:36:19.69,Default,,0000,0000,0000,,because this finally has an SAU, a\Nsecurity attribution unit and an IDAU and Dialogue: 0,0:36:19.69,0:36:23.49,Default,,0000,0000,0000,,also I talked to the marketing. It\Nexplicitly protects against fault Dialogue: 0,0:36:23.49,0:36:31.79,Default,,0000,0000,0000,,injection. So that's awesome. I was\Nexcited. Let's see how that turns out. Dialogue: 0,0:36:31.79,0:36:37.01,Default,,0000,0000,0000,,Let's briefly talk about the TrustZone in\Nthe Nuvoton chip. So as I've mentioned Dialogue: 0,0:36:37.01,0:36:45.33,Default,,0000,0000,0000,,before, the SAU if it's turned off or\Nturned on without regions will be to fully Dialogue: 0,0:36:45.33,0:36:49.63,Default,,0000,0000,0000,,secure. And no matter what the IDAU is,\Nthe most privileged level always wins. And Dialogue: 0,0:36:49.63,0:36:55.15,Default,,0000,0000,0000,,so if our entire security attribution unit\Nis secure, our final security state will Dialogue: 0,0:36:55.15,0:37:00.88,Default,,0000,0000,0000,,also be secure. And so if we now add some\Nsmall regions, the final state will also Dialogue: 0,0:37:00.88,0:37:08.24,Default,,0000,0000,0000,,have the small, non secure regions. 
I\Nmean, I saw this looked at how this this Dialogue: 0,0:37:08.24,0:37:14.98,Default,,0000,0000,0000,,code works. And you can see that at the\Nvery bottom SAU control is set to 1 simple Dialogue: 0,0:37:14.98,0:37:19.34,Default,,0000,0000,0000,,right. We glitch over the SAU enabling and\Nall our code will be secure and we'll just Dialogue: 0,0:37:19.34,0:37:26.48,Default,,0000,0000,0000,,run our code in secret mode, no problem -\Nis what I fought. And so basically the Dialogue: 0,0:37:26.48,0:37:31.20,Default,,0000,0000,0000,,secure bootloader starts execution of non\Nsecure code. We disable the SAU by Dialogue: 0,0:37:31.20,0:37:35.86,Default,,0000,0000,0000,,glitching over the instruction and now\Neverything is secure. So our code runs in Dialogue: 0,0:37:35.86,0:37:43.70,Default,,0000,0000,0000,,a secure world. It's easy except read the\Nfucking manual. So turns out these Dialogue: 0,0:37:43.70,0:37:49.76,Default,,0000,0000,0000,,thousands of pages of documentation\Nactually contain useful information and Dialogue: 0,0:37:49.76,0:37:55.06,Default,,0000,0000,0000,,you need a special instruction to\Ntransition from secure to non secure state Dialogue: 0,0:37:55.06,0:38:02.23,Default,,0000,0000,0000,,which is called BLXNS, which stands for\Nbranch optionally linked and exchange to Dialogue: 0,0:38:02.23,0:38:08.30,Default,,0000,0000,0000,,non secure. This is exactly made to\Nprevent this. It prevents accidentally Dialogue: 0,0:38:08.30,0:38:13.29,Default,,0000,0000,0000,,jumping into non secure code. It will\Ncause a secure fault if you try to do it. Dialogue: 0,0:38:13.29,0:38:19.39,Default,,0000,0000,0000,,And what's interesting is that even if you\Nuse this instruction, it will not always Dialogue: 0,0:38:19.39,0:38:24.53,Default,,0000,0000,0000,,transition. 
The state depends on the last\Nbit in the destination address, whether Dialogue: 0,0:38:24.53,0:38:30.06,Default,,0000,0000,0000,,the status transition and the way the\Nbootloader will actually get these Dialogue: 0,0:38:30.06,0:38:34.41,Default,,0000,0000,0000,,addresses it jumps to is from what's\Ncalled the reset table, which is basically Dialogue: 0,0:38:34.41,0:38:38.61,Default,,0000,0000,0000,,where your reset handlers are, where your\Nstack pointer, your initial stack pointer Dialogue: 0,0:38:38.61,0:38:43.71,Default,,0000,0000,0000,,is and so on. And you will notice that the\Nlast bit is always set. And if the last Dialogue: 0,0:38:43.71,0:38:49.60,Default,,0000,0000,0000,,bit is set, it will jump to secure code.\NSo somehow they managed to branch to this Dialogue: 0,0:38:49.60,0:38:56.79,Default,,0000,0000,0000,,address and run it into non secure. So how\Ndo they do this? They use an explicit bit Dialogue: 0,0:38:56.79,0:39:02.70,Default,,0000,0000,0000,,clear instruction. What do we know about\Ninstructions? We can glitch over them. And Dialogue: 0,0:39:02.70,0:39:09.11,Default,,0000,0000,0000,,so basically we can with two glitches, we\Ncan glitch over the SAU control enable now Dialogue: 0,0:39:09.11,0:39:16.37,Default,,0000,0000,0000,,our entire memory is secure and then we\Nglitch over the bitclear instruction and Dialogue: 0,0:39:16.37,0:39:23.61,Default,,0000,0000,0000,,then branch linked ex non secure again\Nrolls off the tongue will run secure code. Dialogue: 0,0:39:23.61,0:39:29.26,Default,,0000,0000,0000,,And now our normal world code is running\Nin secure mode. The problem is it works, Dialogue: 0,0:39:29.26,0:39:33.78,Default,,0000,0000,0000,,but it's very hard to get stable. So, I\Nmean, this was I somehow got it working, Dialogue: 0,0:39:33.78,0:39:40.84,Default,,0000,0000,0000,,but it was not very stable and it was a\Nbig pain to to actually make use of. 
So I Dialogue: 0,0:39:40.84,0:39:45.01,Default,,0000,0000,0000,,wanted a different vulnerability. And I\Nread up on the implementation defined Dialogue: 0,0:39:45.01,0:39:52.19,Default,,0000,0000,0000,,attribution unit of the M2351. And it\Nturns out that each flash RAM peripheral Dialogue: 0,0:39:52.19,0:39:59.78,Default,,0000,0000,0000,,and so on is mapped twice into memory. And\Nso basically once as secure as the address Dialogue: 0,0:39:59.78,0:40:08.71,Default,,0000,0000,0000,,0x2000 and once as non secure at the\Naddress 0x3000. And so you have the flash Dialogue: 0,0:40:08.71,0:40:15.41,Default,,0000,0000,0000,,twice and you have the the RAM twice. This\Nis super important. This is the same Dialogue: 0,0:40:15.41,0:40:22.22,Default,,0000,0000,0000,,memory. And so I came up with an attack\Nthat I called CroeRBAR because a Dialogue: 0,0:40:22.22,0:40:27.82,Default,,0000,0000,0000,,vulnerability basically doesn't exist if\Nit doesn't have a fancy name. And the Dialogue: 0,0:40:27.82,0:40:32.08,Default,,0000,0000,0000,,basic point of this is that the security\Nof the system relies on the region Dialogue: 0,0:40:32.08,0:40:36.57,Default,,0000,0000,0000,,configuration of the SAU. What if we\Nglitch this initialization combined with Dialogue: 0,0:40:36.57,0:40:43.17,Default,,0000,0000,0000,,this IDAU layout again with the IDAU\Nmirrors the memory. Has it once a secure Dialogue: 0,0:40:43.17,0:40:48.50,Default,,0000,0000,0000,,and once it's not secure. Now let's say we\Nhave at the very bottom of our flash. We Dialogue: 0,0:40:48.50,0:40:54.52,Default,,0000,0000,0000,,have a secret which is in the secure area.\NIt will also be in the mirror of this Dialogue: 0,0:40:54.52,0:41:00.55,Default,,0000,0000,0000,,memory. 
But again, because our SAU\Nconfiguration is fine, it will not be Dialogue: 0,0:41:00.55,0:41:06.31,Default,,0000,0000,0000,,accessible by the non secure region.\NHowever, the start of this non secret area Dialogue: 0,0:41:06.31,0:41:14.34,Default,,0000,0000,0000,,is configured by the RBAR register. And so\Nmaybe if we glitch this RBAR being set, we Dialogue: 0,0:41:14.34,0:41:18.21,Default,,0000,0000,0000,,can increase the size of the non secure\Narea. And if you check the ARM Dialogue: 0,0:41:18.21,0:41:22.95,Default,,0000,0000,0000,,documentation on the RBAR register, the\Nreset values state of this register is Dialogue: 0,0:41:22.95,0:41:28.08,Default,,0000,0000,0000,,unknown. So unfortunately it doesn't just\Nsay zero, but I tried this on all chips I Dialogue: 0,0:41:28.08,0:41:33.84,Default,,0000,0000,0000,,had access to and it is zero on all chips\NI tested. And so now what we can do is we Dialogue: 0,0:41:33.84,0:41:38.80,Default,,0000,0000,0000,,glitch over this RBAR and now our final\Nsecurity state will be bigger and our Dialogue: 0,0:41:38.80,0:41:43.39,Default,,0000,0000,0000,,secure code is still running in the bottom\Nhalf. But then the jump into non secure Dialogue: 0,0:41:43.39,0:41:50.75,Default,,0000,0000,0000,,will also give us access to the secret and\Nit works. We get a fully stable glitch, Dialogue: 0,0:41:50.75,0:41:56.65,Default,,0000,0000,0000,,takes roughly 30 seconds to bypass it. I\Nshould mention that this is what I think Dialogue: 0,0:41:56.65,0:42:00.44,Default,,0000,0000,0000,,happens. All I know is that I inject a\Nglitch and I can read the secret. I cannot Dialogue: 0,0:42:00.44,0:42:05.18,Default,,0000,0000,0000,,tell you exactly what happens, but this is\Nthe best interpretation I have so far. 
So Dialogue: 0,0:42:05.18,0:42:10.97,Default,,0000,0000,0000,,wuhu we have an attack with a cool name?\NAnd so I looked at another chip called the Dialogue: 0,0:42:10.97,0:42:18.93,Default,,0000,0000,0000,,NXP LPC55S69, and this one has 2\NCortex-M33 cores, one of which has Dialogue: 0,0:42:18.93,0:42:26.60,Default,,0000,0000,0000,,TrustZone-M. The IDAU and the overall\NTrustZone layout seem to be very similar Dialogue: 0,0:42:26.60,0:42:31.64,Default,,0000,0000,0000,,to the NuMicro. And I got the dual glitch\Nattack working and also the CrowRBAR Dialogue: 0,0:42:31.64,0:42:38.73,Default,,0000,0000,0000,,attack working. And the vendor response\Nwas amazing. Like holy crap, they called Dialogue: 0,0:42:38.73,0:42:42.50,Default,,0000,0000,0000,,me and wanted to fully understand it. They\Nreproduced that. They got me on the phone Dialogue: 0,0:42:42.50,0:42:48.25,Default,,0000,0000,0000,,with an expert and the expert was super\Nnice. But what he said came down to was Dialogue: 0,0:42:48.25,0:42:55.48,Default,,0000,0000,0000,,RTFM. But again, this is a long document,\Nbut it turns out that the example code did Dialogue: 0,0:42:55.48,0:43:01.90,Default,,0000,0000,0000,,not enable a certain security feature. And\Nthis security feature is helpfully named Dialogue: 0,0:43:01.90,0:43:10.82,Default,,0000,0000,0000,,Miscellaneous Control Register, basically,\N{\i1}laughter{\i0} which stands for Secure Control Dialogue: 0,0:43:10.82,0:43:21.12,Default,,0000,0000,0000,,Register, {\i1}laughter{\i0} obviously. And this\Nregister has a bit. If you set it, it Dialogue: 0,0:43:21.12,0:43:26.64,Default,,0000,0000,0000,,enables secure checking. And if I read\Njust a couple of sentences first further, Dialogue: 0,0:43:26.64,0:43:31.12,Default,,0000,0000,0000,,when I read about the TrustZone on the\Nchip, I would have actually seen this. But Dialogue: 0,0:43:31.12,0:43:37.63,Default,,0000,0000,0000,,Millennial sorry. Yeah. 
And so what this\Nenables is called the memory protection
Dialogue: 0,0:43:37.63,0:43:41.42,Default,,0000,0000,0000,,checkers and this is an additional memory\Nsecurity check that gives you finer
Dialogue: 0,0:43:41.42,0:43:46.48,Default,,0000,0000,0000,,control over the memory layout. And so it\Nbasically checks if the attribution unit
Dialogue: 0,0:43:46.48,0:43:51.87,Default,,0000,0000,0000,,security state is identical with the\Nmemory protection checker security state.
Dialogue: 0,0:43:51.87,0:43:57.96,Default,,0000,0000,0000,,And so, for example, if our attack code\Ntries to access memory, the MPC will check
Dialogue: 0,0:43:57.96,0:44:04.28,Default,,0000,0000,0000,,whether this was really a valid request,\Nso to say, and stop you if you are unlucky
Dialogue: 0,0:44:04.28,0:44:10.25,Default,,0000,0000,0000,,as I was. But turns out it's glitchable,\Nbut it's much, much harder to glitch and
Dialogue: 0,0:44:10.25,0:44:15.55,Default,,0000,0000,0000,,you need multiple glitches. And the vendor\Nresponse was awesome. They also say
Dialogue: 0,0:44:15.55,0:44:22.01,Default,,0000,0000,0000,,they're working on improving the\Ndocumentation for this. So yeah, super
Dialogue: 0,0:44:22.01,0:44:26.77,Default,,0000,0000,0000,,cool. But still, like, it's not a full\Nprotection against glitching, but it gives
Dialogue: 0,0:44:26.77,0:44:33.04,Default,,0000,0000,0000,,you certain security. And I think that's\Npretty awesome. Before we finish, is
Dialogue: 0,0:44:33.04,0:44:38.26,Default,,0000,0000,0000,,everything broken? No. These chips are not\Ninsecure. They are not protected against a
Dialogue: 0,0:44:38.26,0:44:43.93,Default,,0000,0000,0000,,very specific attack scenario, and align\Nthe chips that you want to use with your
Dialogue: 0,0:44:43.93,0:44:47.51,Default,,0000,0000,0000,,threat model. If fault injection is part\Nof your threat model. So, for example,
Dialogue: 0,0:44:47.51,0:44:51.70,Default,,0000,0000,0000,,you're building a car key.
Maybe you should\Nprotect against glitching. If you're
Dialogue: 0,0:44:51.70,0:44:56.34,Default,,0000,0000,0000,,building a hardware wallet, definitely you\Nshould protect against glitching. Thank
Dialogue: 0,0:44:56.34,0:45:00.83,Default,,0000,0000,0000,,you. Also, by the way, if you want to play\Nwith some awesome fault injection
Dialogue: 0,0:45:00.83,0:45:05.58,Default,,0000,0000,0000,,equipment, I have an EMFI glitcher with me\Nand so. So just hit me up on Twitter and
Dialogue: 0,0:45:05.58,0:45:09.54,Default,,0000,0000,0000,,I'm happy to show it to you. So thanks a\Nlot.
Dialogue: 0,0:45:09.54,0:45:17.70,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:45:17.70,0:45:24.78,Default,,0000,0000,0000,,Herald: Thank you very much, Thomas. We do\Nhave an awesome 15 minutes for Q and A. So
Dialogue: 0,0:45:24.78,0:45:30.39,Default,,0000,0000,0000,,if you line up, we have three microphones.\NMicrophone number 3 actually has an
Dialogue: 0,0:45:30.39,0:45:34.12,Default,,0000,0000,0000,,induction loop. So if you're hearing\Nimpaired and have a suitable device, you
Dialogue: 0,0:45:34.12,0:45:39.13,Default,,0000,0000,0000,,can go to microphone 3 and actually hear\Nthe answer. And we're starting off with
Dialogue: 0,0:45:39.13,0:45:41.98,Default,,0000,0000,0000,,our signal angel with questions from the\NInternet.
Dialogue: 0,0:45:41.98,0:45:47.71,Default,,0000,0000,0000,,Thomas: Hello, Internet.\NSignal Angel: Hello. Are you aware of the
Dialogue: 0,0:45:47.71,0:45:53.56,Default,,0000,0000,0000,,ST Cortex-M4 firewall? And can your\Nresearch be somehow related to it? Or
Dialogue: 0,0:45:53.56,0:45:56.88,Default,,0000,0000,0000,,maybe do you have plans to explore it in\Nthe future?
Dialogue: 0,0:45:56.88,0:46:02.44,Default,,0000,0000,0000,,Thomas: I... So, yes, I'm very aware of the\NST M3 and M4.
If you watch our talk last
Dialogue: 0,0:46:02.44,0:46:06.68,Default,,0000,0000,0000,,year at CCC called Wallet.fail, we\Nactually exploited the sister chip, the
Dialogue: 0,0:46:06.68,0:46:12.95,Default,,0000,0000,0000,,STM32 F2. The F4 has this strange firewall\Nthing which feels very similar to
Dialogue: 0,0:46:12.95,0:46:18.68,Default,,0000,0000,0000,,TrustZone-M. However, I cannot yet share\Nany research related to that chip,
Dialogue: 0,0:46:18.68,0:46:22.09,Default,,0000,0000,0000,,unfortunately. Sorry.\NSignal Angel: Thank you.
Dialogue: 0,0:46:22.09,0:46:28.72,Default,,0000,0000,0000,,Herald: Microphone number 1, please.\NMic 1: Hello. I'm just wondering, have you
Dialogue: 0,0:46:28.72,0:46:34.28,Default,,0000,0000,0000,,tried to replicate this attack on\Nmulticore CPUs with higher frequency, such
Dialogue: 0,0:46:34.28,0:46:38.86,Default,,0000,0000,0000,,as 2 GHz and others? How would you go\Nabout that?
Dialogue: 0,0:46:38.86,0:46:43.60,Default,,0000,0000,0000,,Thomas: So I have not, because there\Nare no TrustZone-M chips with this
Dialogue: 0,0:46:43.60,0:46:48.19,Default,,0000,0000,0000,,frequency. However, people have done it on\Nmobile phones and other equipment. So, for
Dialogue: 0,0:46:48.19,0:46:54.96,Default,,0000,0000,0000,,example, yeah, there's a lot of material\Non glitching higher frequency stuff. But
Dialogue: 0,0:46:54.96,0:46:59.17,Default,,0000,0000,0000,,yeah, it will get expensive really quickly\Nbecause the scope, the way you can even
Dialogue: 0,0:46:59.17,0:47:03.82,Default,,0000,0000,0000,,see a two gigahertz clock, that's a nice\Ncar oscilloscope.
Dialogue: 0,0:47:03.82,0:47:09.41,Default,,0000,0000,0000,,Herald: Microphone number 2, please.\NMic 2: Thank you for your talk. Is there
Dialogue: 0,0:47:09.41,0:47:15.75,Default,,0000,0000,0000,,more functionality to go from non-secure\Nto secure area?
Are there some standard
Dialogue: 0,0:47:15.75,0:47:19.74,Default,,0000,0000,0000,,defined functionalities or the proprietary\Nlibraries from NXP?
Dialogue: 0,0:47:19.74,0:47:25.13,Default,,0000,0000,0000,,Thomas: So the veneer stuff is\Nstandard and you will find ARM documents
Dialogue: 0,0:47:25.13,0:47:29.30,Default,,0000,0000,0000,,basically recommending you to do this. But\Nall the tool chains, for example, the one
Dialogue: 0,0:47:29.30,0:47:34.80,Default,,0000,0000,0000,,for the SAM L11 will generate the veneers\Nfor you. And so I have to be honest, I
Dialogue: 0,0:47:34.80,0:47:37.90,Default,,0000,0000,0000,,have not looked at how exactly they are\Ngenerated.
Dialogue: 0,0:47:37.90,0:47:42.48,Default,,0000,0000,0000,,However, I did some Rust stuff to play\Naround with it. And yeah, it's relatively
Dialogue: 0,0:47:42.48,0:47:44.75,Default,,0000,0000,0000,,simple for the tool chain and it's\Nstandard. So
Dialogue: 0,0:47:44.75,0:47:51.72,Default,,0000,0000,0000,,Herald: the signal angel is signaling.\NSignal Angel: Yeah. That's not another
Dialogue: 0,0:47:51.72,0:47:56.18,Default,,0000,0000,0000,,question from the internet but from me and\NI wanted to know how important is the
Dialogue: 0,0:47:56.18,0:48:00.68,Default,,0000,0000,0000,,hardware security in comparison to the\Nsoftware security because you cannot hack
Dialogue: 0,0:48:00.68,0:48:06.49,Default,,0000,0000,0000,,these devices without having physical\Naccess to them except for this supply chain
Dialogue: 0,0:48:06.49,0:48:09.30,Default,,0000,0000,0000,,attack.\NThomas: Exactly. And that depends on your
Dialogue: 0,0:48:09.30,0:48:14.21,Default,,0000,0000,0000,,threat model. So that's basically if you\Nbuild a door, if you build a hardware
Dialogue: 0,0:48:14.21,0:48:18.28,Default,,0000,0000,0000,,wallet, you want to have hardware\Nprotection because somebody can steal it
Dialogue: 0,0:48:18.28,0:48:22.20,Default,,0000,0000,0000,,potentially very easily and then...
And if\Nyou, for example, look at your phone, you
Dialogue: 0,0:48:22.20,0:48:27.72,Default,,0000,0000,0000,,probably maybe don't want to have anyone\Nat customs be able to immediately break
Dialogue: 0,0:48:27.72,0:48:31.34,Default,,0000,0000,0000,,into your phone. And that's another point\Nwhere hardware security is very important.
Dialogue: 0,0:48:31.34,0:48:36.09,Default,,0000,0000,0000,,And there with a car key, it's the same.\NIf you rent a car, hopefully the car
Dialogue: 0,0:48:36.09,0:48:41.92,Default,,0000,0000,0000,,rental company doesn't want you to copy\Nthe key. And interestingly, the more
Dialogue: 0,0:48:41.92,0:48:45.56,Default,,0000,0000,0000,,probably one of the most protected things\Nin your home is your printer cartridge,
Dialogue: 0,0:48:45.56,0:48:49.70,Default,,0000,0000,0000,,because I can tell you that the vendor\Ninvests a lot of money into you not being
Dialogue: 0,0:48:49.70,0:48:54.50,Default,,0000,0000,0000,,able to clone the printer cartridge. And\Nso there are a lot of cases where it's
Dialogue: 0,0:48:54.50,0:48:58.27,Default,,0000,0000,0000,,maybe not the user who wants to protect\Nagainst hardware attacks, but the vendor
Dialogue: 0,0:48:58.27,0:49:02.20,Default,,0000,0000,0000,,who wants to protect against it.\NHerald: Microphone number 1, please.
Dialogue: 0,0:49:02.20,0:49:04.75,Default,,0000,0000,0000,,Mic 1: So thank you again for the amazing\Ntalk.
Dialogue: 0,0:49:04.75,0:49:07.73,Default,,0000,0000,0000,,Thomas: Thank you.\NMic 1: You mentioned higher order attacks,
Dialogue: 0,0:49:07.73,0:49:12.10,Default,,0000,0000,0000,,I think twice. And for the second chip,\Nyou actually said you broke it with
Dialogue: 0,0:49:12.10,0:49:14.75,Default,,0000,0000,0000,,two glitches, two exploitable glitches.\NThomas: Yes.
Dialogue: 0,0:49:14.75,0:49:19.37,Default,,0000,0000,0000,,Mic 1: So what did you do to reduce the\Nsearch space or did you just search over
Dialogue: 0,0:49:19.37,0:49:22.19,Default,,0000,0000,0000,,the entire space?\NThomas: So the nice thing about these
Dialogue: 0,0:49:22.19,0:49:27.90,Default,,0000,0000,0000,,chips is that you can actually, you can, if\Nyou have a security attribution unit, you
Dialogue: 0,0:49:27.90,0:49:33.72,Default,,0000,0000,0000,,can decide when you turn it on, because\Nyou can just, I had the GPIO go up. Then I
Dialogue: 0,0:49:33.72,0:49:39.61,Default,,0000,0000,0000,,enable the SAU. And then I had my search\Nspace very small because I knew it would
Dialogue: 0,0:49:39.61,0:49:45.15,Default,,0000,0000,0000,,be just after I pulled up the GPIO. And so\NI was able to very precisely time where I
Dialogue: 0,0:49:45.15,0:49:50.28,Default,,0000,0000,0000,,glitch and I was able, because I wrote the\Ncode basically that does it, I could
Dialogue: 0,0:49:50.28,0:49:53.47,Default,,0000,0000,0000,,almost count on the oscilloscope which\Ninstruction I'm hitting.
Dialogue: 0,0:49:53.47,0:49:56.52,Default,,0000,0000,0000,,Mic 1: Thank you.\NHerald: Next question from microphone
Dialogue: 0,0:49:56.52,0:49:59.84,Default,,0000,0000,0000,,number 2, please.\NMic 2: Thank you for the talk. I was just
Dialogue: 0,0:49:59.84,0:50:05.17,Default,,0000,0000,0000,,wondering if the vendor was to include the\Ncapacitor directly on the die, how fixed
Dialogue: 0,0:50:05.17,0:50:10.52,Default,,0000,0000,0000,,would you consider it to be?\NThomas: So against voltage glitching? It
Dialogue: 0,0:50:10.52,0:50:14.53,Default,,0000,0000,0000,,might help. It depends. But for example,\Non a recent chip, we just used the
Dialogue: 0,0:50:14.53,0:50:19.31,Default,,0000,0000,0000,,negative voltage to suck out the power\Nfrom the capacitor.
And also, you will
Dialogue: 0,0:50:19.31,0:50:23.82,Default,,0000,0000,0000,,have EMFI glitching as a possibility and\NEMFI glitching is awesome because you
Dialogue: 0,0:50:23.82,0:50:28.14,Default,,0000,0000,0000,,don't even have to solder. You just\Nbasically put a small coil on top of your
Dialogue: 0,0:50:28.14,0:50:33.07,Default,,0000,0000,0000,,chip and inject the voltage directly into\Nit behind any of the capacitors. And so
Dialogue: 0,0:50:33.07,0:50:39.57,Default,,0000,0000,0000,,on. So it helps, but it's not a... Often\Nit's not done for security reasons. Let's
Dialogue: 0,0:50:39.57,0:50:42.65,Default,,0000,0000,0000,,see.\NHerald: Next question again from our
Dialogue: 0,0:50:42.65,0:50:46.36,Default,,0000,0000,0000,,Signal Angel.\NSignal Angel: Did you get to use your own
Dialogue: 0,0:50:46.36,0:50:55.97,Default,,0000,0000,0000,,custom hardware to help you?\NThomas: I... partially. The part that worked
Dialogue: 0,0:50:55.97,0:50:59.31,Default,,0000,0000,0000,,is the summary.\NHerald: Microphone number 1, please.
Dialogue: 0,0:50:59.31,0:51:05.01,Default,,0000,0000,0000,,Mic 1: Hi. Thanks for the interesting\Ntalk. All these vendors pretty much said
Dialogue: 0,0:51:05.01,0:51:08.42,Default,,0000,0000,0000,,this sort of attack is sort of not really\Nin scope for what they're doing.
Dialogue: 0,0:51:08.42,0:51:10.88,Default,,0000,0000,0000,,Thomas: Yes.\NMic 1: Are you aware of anyone like in
Dialogue: 0,0:51:10.88,0:51:15.49,Default,,0000,0000,0000,,this sort of category of chip actually\Ndoing anything against glitching attacks?
Dialogue: 0,0:51:15.49,0:51:20.19,Default,,0000,0000,0000,,Thomas: Not in this category, but there\Nare secure elements that explicitly
Dialogue: 0,0:51:20.19,0:51:25.89,Default,,0000,0000,0000,,protect against it.
A big problem with\Nresearching those is that it's also to a
Dialogue: 0,0:51:25.89,0:51:30.28,Default,,0000,0000,0000,,large degree security by NDA, at least for\Nme, because I have no idea what's going
Dialogue: 0,0:51:30.28,0:51:35.45,Default,,0000,0000,0000,,on. I can't buy one to play around with\Nit. And so I can't tell you how good these
Dialogue: 0,0:51:35.45,0:51:39.13,Default,,0000,0000,0000,,are. But I know from some friends that\Nthere are some chips that are very good at
Dialogue: 0,0:51:39.13,0:51:42.93,Default,,0000,0000,0000,,protecting against glitches. And\Napparently the term you need to look for
Dialogue: 0,0:51:42.93,0:51:47.42,Default,,0000,0000,0000,,is called glitch monitor. And if you\Nsee that in the data sheet, that tells you
Dialogue: 0,0:51:47.42,0:51:52.23,Default,,0000,0000,0000,,that they at least thought about it.\NHerald: Microphone number 2, please.
Dialogue: 0,0:51:52.23,0:51:59.95,Default,,0000,0000,0000,,Mic 2: So what about brown-out or\Ndetection? Did Microchip say why it didn't
Dialogue: 0,0:51:59.95,0:52:03.49,Default,,0000,0000,0000,,catch your glitching attempts?\NThomas: It's not meant to glitch it at two
Dialogue: 0,0:52:03.49,0:52:08.17,Default,,0000,0000,0000,,to catch glitching attacks. Basically, a\Nbrownout detector is mainly there to keep
Dialogue: 0,0:52:08.17,0:52:13.58,Default,,0000,0000,0000,,your chip stable. And so, for example, if\Nyour supply voltage drops, you want to
Dialogue: 0,0:52:13.58,0:52:17.21,Default,,0000,0000,0000,,make sure that you notice and don't\Naccidentally glitch yourself. So, for
Dialogue: 0,0:52:17.21,0:52:21.25,Default,,0000,0000,0000,,example, if it is running on a battery and\Nyour battery goes empty, you want your
Dialogue: 0,0:52:21.25,0:52:25.49,Default,,0000,0000,0000,,chip to run stable, stable, stable, off.\NAnd that's the idea behind a brownout
Dialogue: 0,0:52:25.49,0:52:30.59,Default,,0000,0000,0000,,detector, is my understanding.
But yeah,\Nthey are not made to be fast enough to
Dialogue: 0,0:52:30.59,0:52:36.12,Default,,0000,0000,0000,,catch glitching attacks.\NHerald: Do we have any more questions from
Dialogue: 0,0:52:36.12,0:52:39.15,Default,,0000,0000,0000,,the hall?\NThomas: Yes.
Dialogue: 0,0:52:39.15,0:52:45.36,Default,,0000,0000,0000,,Herald: Yes? Where?\NMic ?: Thank you for your amazing talk.
Dialogue: 0,0:52:45.36,0:52:49.32,Default,,0000,0000,0000,,You have shown that it gets very\Ncomplicated if you have two consecutive
Dialogue: 0,0:52:49.32,0:52:55.39,Default,,0000,0000,0000,,glitches. So wouldn't it be an easy\Nprotection to just do the stuff twice or
Dialogue: 0,0:52:55.39,0:53:00.81,Default,,0000,0000,0000,,three times and maybe randomize it? Would\Nyou consider this then impossible to be
Dialogue: 0,0:53:00.81,0:53:04.16,Default,,0000,0000,0000,,glitched?\NThomas: So adding randomization to the
Dialogue: 0,0:53:04.16,0:53:08.01,Default,,0000,0000,0000,,point in time where you enable it helps,\Nbut then you can trigger off the power
Dialogue: 0,0:53:08.01,0:53:12.88,Default,,0000,0000,0000,,consumption and so on. And I should add, I\Nonly tried to trigger once and then use
Dialogue: 0,0:53:12.88,0:53:16.88,Default,,0000,0000,0000,,just a simple delay. But in theory, if you\Ndo it twice, you could also glitch on the
Dialogue: 0,0:53:16.88,0:53:21.83,Default,,0000,0000,0000,,power consumption signature and so on. So\Nit might help. But somebody very motivated
Dialogue: 0,0:53:21.83,0:53:27.91,Default,,0000,0000,0000,,will still be able to do it. Probably.\NHerald: OK. We have another question from
Dialogue: 0,0:53:27.91,0:53:31.06,Default,,0000,0000,0000,,the Internet.\NSignal Angel: Is there a mitigation for
Dialogue: 0,0:53:31.06,0:53:36.51,Default,,0000,0000,0000,,such an attack that I can do on PCB level\Nor can it be addressed only on chip level?
Dialogue: 0,0:53:36.51,0:53:40.25,Default,,0000,0000,0000,,Thomas: Only on chip level, because if you\Nhave a heat, can you just pull the chip
Dialogue: 0,0:53:40.25,0:53:45.65,Default,,0000,0000,0000,,off and do it in a socket or if you do\NEMFI glitching, you don't even have to
Dialogue: 0,0:53:45.65,0:53:50.24,Default,,0000,0000,0000,,touch the chip. You just go over it with\Nthe coil and inject directly into the
Dialogue: 0,0:53:50.24,0:53:54.80,Default,,0000,0000,0000,,chip. So the chip needs to be secured\Nagainst this type of stuff or you can add
Dialogue: 0,0:53:54.80,0:54:00.13,Default,,0000,0000,0000,,a tamper protection case around your\Nchips. So, yeah.
Dialogue: 0,0:54:00.13,0:54:02.70,Default,,0000,0000,0000,,Herald: Another question from microphone\Nnumber 1.
Dialogue: 0,0:54:02.70,0:54:08.27,Default,,0000,0000,0000,,Mic 1: So I was wondering if you've heard\Nanything or know anything about the STM32
Dialogue: 0,0:54:08.27,0:54:11.26,Default,,0000,0000,0000,,L5 series?\NThomas: I've heard a lot. I've seen
Dialogue: 0,0:54:11.26,0:54:17.02,Default,,0000,0000,0000,,nothing. So, yes, I've heard about it. But\Nit doesn't ship yet as far as I know. We
Dialogue: 0,0:54:17.02,0:54:20.47,Default,,0000,0000,0000,,are all eagerly awaiting it.\NMic 1: Thank you.
Dialogue: 0,0:54:20.47,0:54:24.44,Default,,0000,0000,0000,,Herald: Microphone number 2, please.\NMic 2: Hey, very good talk. Thank you. Do
Dialogue: 0,0:54:24.44,0:54:29.09,Default,,0000,0000,0000,,you, will you release all the hardware\Ndesign of the board and those scripts?
Dialogue: 0,0:54:29.09,0:54:30.80,Default,,0000,0000,0000,,Thomas: Yes.\NMic 2: Is there anything already
Dialogue: 0,0:54:30.80,0:54:33.11,Default,,0000,0000,0000,,available, even if I understood it's not\Nall finished?
Dialogue: 0,0:54:33.11,0:54:38.35,Default,,0000,0000,0000,,Thomas: Oh, yes. So on chip.fail. There\Nare thoughtful domains. It's awesome.
Dialogue: 0,0:54:38.35,0:54:44.16,Default,,0000,0000,0000,,Chip.fail has the source code to our\Nglitcher. I've also ported it to the
Dialogue: 0,0:54:44.16,0:54:48.99,Default,,0000,0000,0000,,Lattice and I need to push that hopefully\Nin the next few days. But then all the
Dialogue: 0,0:54:48.99,0:54:53.11,Default,,0000,0000,0000,,hardware would be open sourced also\Nbecause it's based on open source hardware
Dialogue: 0,0:54:53.11,0:54:59.10,Default,,0000,0000,0000,,and yeah, I'm not planning to make any\Nmoney or anything using it. It's just to
Dialogue: 0,0:54:59.10,0:55:02.59,Default,,0000,0000,0000,,make life easier.\NHerald: Microphone number 2, please.
Dialogue: 0,0:55:02.59,0:55:07.34,Default,,0000,0000,0000,,Mic 2: So you said already you don't\Nreally know what happens at the exact
Dialogue: 0,0:55:07.34,0:55:14.99,Default,,0000,0000,0000,,moment of the glitch and you were lucky\Nthat you skipped an instruction
Dialogue: 0,0:55:14.99,0:55:24.34,Default,,0000,0000,0000,,maybe. Do you have, yes, a feeling what is\Nhappening inside the chip at the moment of
Dialogue: 0,0:55:24.34,0:55:28.73,Default,,0000,0000,0000,,the glitch?\NThomas: So I asked this precise question,
Dialogue: 0,0:55:28.73,0:55:36.58,Default,,0000,0000,0000,,what exactly happens, to multiple people. I\Ngot multiple answers. But basically my
Dialogue: 0,0:55:36.58,0:55:41.28,Default,,0000,0000,0000,,understanding is that you basically pull\Nthe voltage that it needs to set, for
Dialogue: 0,0:55:41.28,0:55:45.77,Default,,0000,0000,0000,,example, the register. But it's\Nabsolutely out of my domain to give an
Dialogue: 0,0:55:45.77,0:55:50.71,Default,,0000,0000,0000,,educated comment on this. I'm a breaker,\Nunfortunately, not a maker when it comes
Dialogue: 0,0:55:50.71,0:55:54.03,Default,,0000,0000,0000,,to chips.\NHerald: Microphone number 2, please.
Dialogue: 0,0:55:54.03,0:56:01.75,Default,,0000,0000,0000,,Mic 2: OK. Thank you. You said a lot about\Nthe chip attack.
Can you tell us something
Dialogue: 0,0:56:01.75,0:56:07.51,Default,,0000,0000,0000,,about JTAG attacks? So I just have a\Nconnection to JTAG?
Dialogue: 0,0:56:07.51,0:56:12.28,Default,,0000,0000,0000,,Thomas: Yeah. So, for example, the attack\Non the KPH version of the chip was
Dialogue: 0,0:56:12.28,0:56:17.29,Default,,0000,0000,0000,,basically a JTAG attack. I used JTAG to\Nread out the chip, but I did have JTAG in
Dialogue: 0,0:56:17.29,0:56:23.63,Default,,0000,0000,0000,,normal world. However, it's possible on\Nmost - on a lot of chips to re-enable JTAG
Dialogue: 0,0:56:23.63,0:56:28.69,Default,,0000,0000,0000,,even if it's locked. And for example,\Nagain, referencing last year's talk, we
Dialogue: 0,0:56:28.69,0:56:34.33,Default,,0000,0000,0000,,were able to re-enable JTAG on the STM32F2\Nand I would assume something similar
Dialogue: 0,0:56:34.33,0:56:39.44,Default,,0000,0000,0000,,is possible on this chip as well. But I\Nhaven't tried.
Dialogue: 0,0:56:39.44,0:56:47.26,Default,,0000,0000,0000,,Herald: Are there any more questions? We\Nstill have a few minutes. I guess not.
Dialogue: 0,0:56:47.26,0:56:51.60,Default,,0000,0000,0000,,Well, a big, warm round of applause for\NThomas Roth.
Dialogue: 0,0:56:51.60,0:56:55.11,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:56:55.11,0:56:59.21,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:56:59.21,0:57:06.25,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!