THP Entry: Embedded Hardware Security With The ChipWhisperer

KONICA MINOLTA DIGITAL CAMERA

There are thousands upon thousands of papers discussing various aspects of embedded hardware security, and dozens of books covering the same subject. The attacks discussed in the literature are very cool – things like side-channel power analysis and clock glitching used to extract keys from a system. The experimental setups in these papers are extraordinarily expensive – you can buy a new car for less. [coflynn] was disheartened with the price of these tools, and thought building his own would make for a great entry to The Hackaday Prize.

The hardware part of the ChipWhisperer includes a breakout board with an FPGA, ADC, and connectors for a lot of different probes, adapters, breakout boards, and a target board, With all these tools, it’s not unreasonable to say that [coflynn] could carry out a power analysis attack on a lot of embedded hardware.

Open source hardware is just one part of this entry. The biggest focus of this project is the open source software for analyzing whatever the probes and target boards record. With this software, anyone can monitor the power used when a chip runs a cryptographic function, or glitch a clock for some unintended functionality in a device. In keeping with the academic pedigree of all the literature on these attacks, there are a ton of tutorials for the ChipWhisperer for all those budding security researchers out there. Very cool stuff, and arguably one of the most technical entries to The Hackaday Prize.

Video below.


SpaceWrencherThe project featured in this post is an entry in The Hackaday Prize. Build something awesome and win a trip to space or hundreds of other prizes.

13 thoughts on “THP Entry: Embedded Hardware Security With The ChipWhisperer

  1. I recently watched a documentary on YouTube regarding the Cray architecture and within the section on gate coupling there was mention of using differential connections between each gate, to keep a constant power profile during computation. Could this be an answer to this type of attack?

    1. On small geometry, the leakage current can get to 30-50% of power consumption (the rest being the dynamic, I/O etc). So do exact opposite of what the rest of the industry do and skip out on all the fancy stuff to keep out the leakage current small and power management and you got yourself a chip that consumes heaps of power whether it is busy or not.

      Not sure if anyone would want such a chip as you can’t implement lots of stuff if you can’t dissipate huge amount of heat from a small area.

    2. ECL is one of the oldest integrated logic families and employs differential signalling–it’s also an analog (non-saturating) logic family, which makes it very fast. On wire-wrapped prototype boards, it’s not unusual to see twisted-pair used for logic signals.

      Before ECL, there were other differential signalling logic families.

    1. Constant time might be sufficient for webservers etc., i.e., when the response time is the only observable side channel. However, it can counter only basic Simple Power Analysis (SPA) attacks and offers no protection at all against Differential Power Analysis (DPA). Actually, constant time makes DPA much easier (-> trace alignment).

Leave a Reply to Tiago DiasCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.