Glitching For n00bs: A Journey to Coax Out Chips' Inner Secrets

Presented at 31C3 (2014), Dec. 27, 2014, 5:15 p.m. (60 minutes)

Despite claims of its obsolescence, electrical glitching can be a viable attack vector against some ICs. This presentation chronicles a quest to learn what types of electrical transients can be introduced into an integrated circuit to cause a variety of circuit faults advantageous to a reverser. Several hardware platforms were constructed during the quest to aid in research, including old-skool & solderless breadboards, photo-etched & professional PCBs, FPGAs, and cheap & dirty homemade logic analyzers. The strengths and weaknesses of the various approaches will be discussed.

A shroud of mystery surrounds the topic of electrical glitching. Every now and then, you hear it thrown around as a possible attack vector - perhaps to aid in reverse-engineering efforts, or to understand an unknown cryptographic implementation. But what is glitching, exactly? And, more importantly, how can it be leveraged as a potentially powerful tool?

Instead of covering a hypothetical "toy" implementation of a victim chip - such as where the researcher/reverser implements a cryptographic algorithm themselves as software in a common microcontroller, and then attempts to glitch the implementation - a successful blackbox attack against a production security IC will be discussed, including how the attack was mounted, how results were obtained, and approaches to interpret the results.

Despite claims of its obsolescence, electrical glitching can be a viable attack vector against a variety of ICs, with a notable exception being some ultra-modern purpose-built security ICs. It is cheap to perform, you don't need an expensive laboratory, and if done properly, is non-destructive in nature. Glitching should be another tool in the reverser's arsenal, and can potentially provide results when other approaches have failed.

Presenters:

  • exide
    exide is a hardware hacker by night, and is interested in designing and reversing embedded systems, IC security, and failure analysis. Other interests involve hacking arcade platforms, automotive electrical engineering, and snowboarding.
