Test 1

Download Report

Transcript Test 1 

Method of Attack, Physical Access



Attacker has physical possession of the device
 Many devices are small and portable
Assume that attacker has only external access
 Short access time
 Lacks knowledge about internals
Attack through external interface
 Normal user interface
 USB, SD card interface
Slides created by:
Professor Ian G. Harris
Physical Access Attacks




Attacker can do what user can do
 Read numbers from a phone
 Examine digital pictures, etc.
USB/SD card allows large, fast data theft
USB may be “bootable”
 Device may automatically run code on USB
key
Attacker can rewrite Flash memory
 Install arbitrary malware
Slides created by:
Professor Ian G. Harris
Defenses Against Physical Attacks


Do not lose physical control of your device
Enable password protection on the device
 Can be inconvenient
Slides created by:
Professor Ian G. Harris
Intrusive Physical Attacks



Attacker gains extended physical access to the
device
Attacker knows about the design of the device
Attacker opens the device and accesses internal
signals
 Requires unusual sophistication
 Normal users do not need to worry
Slides created by:
Professor Ian G. Harris
Reading Internal Signals
CPU
RAM
Logic Analyzer



Attacker can view data transferred between ICs
Intellectual property (songs, videos, etc.)
Secret keys, etc.
Slides created by:
Professor Ian G. Harris
Reading Internal Signals, Defenses




Encrypt all data in transit between ICs
 Expensive and time consuming
Make device tamper-proof
 Very expensive
Use internal board layers for routing
 Layers can be sanded down
Epoxy over ICs to hide part numbers
 Epoxy is removable
Slides created by:
Professor Ian G. Harris
Reprogramming FLASH Memory
CPU
Flash

JTAG
Attacker can reprogram the entire device though
its JTAG interface
Slides created by:
Professor Ian G. Harris
Reprogramming FLASH Defenses


Make flash unprogrammable
 Blow an internal fuse
 Updates become impossible
Require secret key to access JTAG
 Costly
Slides created by:
Professor Ian G. Harris
“Super” Intrusive Attacks



Attacker gains access to the design of the ICs
inside the device
Requires time, knowledge, and access
Only large organizations could launch this type
of attack
Slides created by:
Professor Ian G. Harris
Hardware Trojans
CPU
ASIC
Trojan



Trojan
Attacker modifies IC design before fabrication
Spy at the design and/or fabrication site
IC includes altered functionality
Slides created by:
Professor Ian G. Harris
Side-Channel Attacks

Examine “information leakage” via power and delay
analysis
if (key[I]) then {
. . .
}


If key[i] == 1 then power will be higher and delay will be
longer
Requires precise knowledge of IC algorithm and
implementation
Slides created by:
Professor Ian G. Harris
IP Watermarking




Attacker steals IP design and sells it as his own
Need to prove that a stolen design is actually
stolen
Insert “markers” into the design which can be
recognized later
 Add extra logic that has no real function
Markers must not be apparent to the attacker
Slides created by:
Professor Ian G. Harris
ATmega Assembly
a = b + c;
Compiler
lw $r1, ($s1)
lw $r2, ($s2)
add $r3, $r2, $r1
sw $r3, ($s3)
Load b from memory
Load c from memory
Add b and c
Store result a in memory
Assembler
10010001000000110000001000000001
add
$r3
$r2
Slides created by:
Professor Ian G. Harris
$r1
Assembly Instructions
Assembly instructions are a readable mnemonic for
machine instructions
One-to-one mapping from assembly instructions to
machine instructions
• Except macros
ADD R0, R1
0000110000000001
Slides created by:
Professor Ian G. Harris
ATmega Instruction Formats
ADD instruction
Rd <- Rd + Rr
OOOO11RDDDDDRRRR
16-bit machine instructions
6-bit opcode
2 5-bit register arguments (32 registers)
Direct Register Addressing mode used
Slides created by:
Professor Ian G. Harris
Instruction Format, 1 register
ANDI instruction
Rd <- Rd && K
0111KKKKDDDDKKKK
4-bit opcode
1 4-bit register argument (only 16 registers)
8-bit constant
Slides created by:
Professor Ian G. Harris
Instruction Format, 1 register
ASR (arithmetic shift right) instruction
Rd <- Rd >> 1
1001010DDDDD0101
11-bit opcode
1 5-bit register argument
Slides created by:
Professor Ian G. Harris
Instruction Format, Branch
BREQ (branch if equal) instruction
Z == 1 then PC <- PC + K + 1
111100KKKKKKK001
Assumes that comparison (sub) already performed
9-bit opcode
11 constant, PC offset addressing
Branch distance is limited
Slides created by:
Professor Ian G. Harris
Assembly Code Structure
An input line may take one of the four following forms:
1. [label:] directive [operands] [Comment]
2. [label:] instruction [operands] [Comment]
3. Comment
4. Empty line
Label is an alias for a line of code
• Used for jumps/branches
Slides created by:
Professor Ian G. Harris
Example Assembly Program
label: .EQU var1=100 ; Set var1 to 100 (Directive)
.EQU var2=200 ; Set var2 to 200
test:
rjmp test
; Infinite loop (Instruction)
; Pure comment line
.EQU assigns a string to a constant
Semicolon (;) sets off comments
Slides created by:
Professor Ian G. Harris
Some Arithmetic Operations
Some instructions take immediate (constant) arguments
Some instructions use carry from previous operations
Slides created by:
Professor Ian G. Harris
Some Logical Operations
Logical operations are bitwise
Some instructions take only one argument
Slides created by:
Professor Ian G. Harris
Accessing Registers/Memory
All registers are memory mapped
Special instructions are used to access non-register
memory
Slides created by:
Professor Ian G. Harris
General Purpose Registers
General-purpose registers are written using:
• LDI - Load Immediate
LDI R16, 0xFF R16 <- 0xFF
• MOV - Copy Register
MOV R0, R1 R0 <- R1
• SBR - Set Bits in Register
SBR R0, 0xFF R0 <- R0 | 0xFF
• CBR - Clear Bits in Register
CBR R0, 0xAA R0 <- R0 & (0xFF - 0xAA)
Slides created by:
Professor Ian G. Harris
LDI Instruction
LDI Rd, K
8-bits for the immediate, K
4-bits for the register, Rd
Can only access 16 registers (R16 - R31)
SBR and CBR have the same limitation
Slides created by:
Professor Ian G. Harris
MOV Instruction
MOV Rd, Rr
5-bits for each register, can access all registers
Can move from high regs to low regs
Slides created by:
Professor Ian G. Harris
I/O Registers
I/O registers are written/read using:
• IN - In Port
IN R0, PORTB
R0 <- PINB
• OUT - Out Port
OUT R0, PORTB PORTB <- R0
• SBI - Set Bit in I/O Register
SBI PORTB, 3 PORTB <- PORTB | 1<<3
• CBI - Clear Bits in I/O Register
CBI PORTB, 3 PORTB <- PORTB & !(1<<3)
Slides created by:
Professor Ian G. Harris
SBI Instruction
SBI A, b
5 bits specify register, 3 bits specify bit to set
Slides created by:
Professor Ian G. Harris
Addressing SRAM (Ext. I/O)
•Instructions are 16-bits long
•SRAM addresses are 16-bits long
•Address cannot fit in the instruction
•Memory addresses are stored in special-purpose
registers
•X, Y, and Z registers are each 2 bytes
•LD, ST instructions are used to access SRAM
Slides created by:
Professor Ian G. Harris
Data Indirect Addressing
LDI XH HIGH(0x01A8)
LDI XL HIGH(0x01A8)
LD R0, X
ST X, R0
•Registers X, Y, and Z can be used to address SRAM
•XH (YH, ZH) and XL (YL, ZL) are low and high bytes
Slides created by:
Professor Ian G. Harris
Branching
PC typically advances by 2 after each instruction
• Instructions are 2 bytes long
Branching changes the PC counter to a new location
Unconditional Branches always occur
Conditional Branches occur only if a condition is
true
Needed to implement conditional control flow (if,
then) and loops (while, for, etc.)
Labels are used to name branch destination
Slides created by:
Professor Ian G. Harris
Unconditional Branching
JMP k
32-bit instruction
Need 22-bits to address 4M memory space
Assembler substitutes label with address
Slides created by:
Professor Ian G. Harris
Relative Jump (RJMP)
RJMP k
Only 16-bit instruction, address is 12 bits long (4K range)
PC relative addressing used
• Destination is PC + k + 1
Restricted to close jumps (+/- 2K)
Not usually a problem (especially on small processors)
Slides created by:
Professor Ian G. Harris
Conditional Branches
Branch occurs is appropriate condition is satisfied
Conditions depend on results of previous
arithmetic operations
ADD R0, R1
BRVS dest
.
.
dest: ADD R2, R3
BRVS is Branch is Overflow is Set
Branch occurs if previous addition resulted in overflow
Slides created by:
Professor Ian G. Harris
Status Register (SREG)
SREG contains information about the results of
arithmetic/logic operations
Bit 5 – H: Half Carry Flag
Bit 4 – S: Sign Bit, S = N ⊕ V
Bit 3 – V: Two’s Complement Overflow Flag
Bit 2 – N: Negative Flag
Bit 1 – Z: Zero Flag
Bit 0 – C: Carry Flag
Slides created by:
Professor Ian G. Harris
Conditional Branch Instructions
Test indicates the
relationship between operands
Boolean shows values in
SREG
Slides created by:
Professor Ian G. Harris
Branch Conditions
SREG must be set before conditional branch instruction
C code example: if x < y then x++; else y++;
Assume x is in R0 and y is in R1
CP R0, R1
BRLT then
else: INC R1
RJMP done
then: INC R0
done: …
Compare operation, CP, used
to set SREG
• Does not affect other regs
Slides created by:
Professor Ian G. Harris
Skip Instructions
“Skip” instructions skip the next instruction if a condition
is satisfied
Can be used as a mini conditional branch
SBRC - Skip if bit in register is cleared (0)
SBRS R0, 0
INC R0
Rounds R0 up to nearest even number
Slides created by:
Professor Ian G. Harris
Subroutines
RCALL k calls a subroutine starting at label k
• PC + 1 is pushed onto the stack
RET returns from a subroutine
• PC is popped off of the stack
No other calling procedures are followed
• Registers are not pushed/popped
• Arguments are not pushed/popped
• No local vars allocated on stack
Slides created by:
Professor Ian G. Harris
Using the Stack
PUSH Rd places contents of Rd on the stack
 Decrements stack pointer (SP)
POP Rd places contents of stack in Rd
• Increments (SP)
SP must be initialized to top of SRAM, RAMEND
LDI
OUT
LDI
OUT
R0, LOW(RAMEND)
SPL, R0
R0, HIGH(RAMEND)
SPH, R0
Slides created by:
Professor Ian G. Harris
Assembler Directives
Assembler directives give commands to the assembler
Do not generate machine code instructions
.DSEG
var1: .byte 1
var2: .byte 2
.CSEG
ldi XL, LOW(var1)
ldi XH, HIGH(var1)
ld R0, X
.DSEG declares data segment
• Placed in SRAM
.CSEG declares code segment
• Placed in FLASH
.BYTE allocates space
• Only in data segment
Slides created by:
Professor Ian G. Harris
EEPROM Segment
.ESEG
eeconsts:.db 0xff,
0x11
.CSEG
fconsts: .dw 0xffff
.ESEG declares initialized data in EEPROM
.DB declares a data byte in program memory (CSEG)
or EEPROM (ESEG)
.DW declares a word (16-bits) in CSEG or ESEG
Slides created by:
Professor Ian G. Harris
Other Assembler Directives
.DEF <symbol>=R<n>
 Define a symbol to refer to a register
 Ex. .DEF i=R9
 Placement in file should precede first use
 .UNDEF undefines the symbol
.EQU <constant>=<expression>
 Define a constant to refer to a constant value
 Ex. .EQU ZERO = 0
 Constant cannot be redefined or undefined
.SET <variable>=<expression>
 Same as .EQU except variables can be changed later
Slides created by:
Professor Ian G. Harris