As we are all thrilled to say goodbye to 2020 and ring in the new year, we know that much of the world is still going through waves of lockdowns. Since many of you are isolating at home, we wanted to provide a guide for getting started with the open-source ChipWhisperer platform without needing a full lab setup or expensive equipment.
Follow these selected step-by-step tutorials to learn more about how to conduct side-channel power analysis, and voltage and clock glitching. Many tutorials can be completed for free without any additional hardware.
Whether you’re a novice or a pro when it comes to embedded security and side-channel attacks, here is a list of tutorials, tips, and tools for every budget (starting at a whopping $0!) that can kick off your hacking-at-home adventures.
Visit our forum for technical support and to share what you're working on (we are adding a "Show & Tell" category). You can also visit our Help Center for additional support resources.
Self-guided hacking using the open-source ChipWhisperer platform for every budget and level of expertise.
Level 1 - Free Tutorials, No Hardware Required ($0)
SCA101 with sample traces (no hardware required) - Introductory
An introduction to side-channel power analysis attacks. These attacks involve measuring the power consumption of a device while it’s performing sensitive operations. This can be used to attack password checks and even recover full encryption keys. Goes from the basics to attacking real AES-128 implementations.
Follows https://learn.chipwhisperer.io/courses/power-analysis-101.
Solution
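As an added illustration of the correlation power analysis (CPA) that SCA101 builds up to, here is a small self-contained simulation written for this post (it is not one of the ChipWhisperer notebooks): one sample point in each constructed trace leaks the Hamming weight of the first-round AES S-box output plus Gaussian noise, and the attack recovers a key byte by correlating a 256-guess model against every sample point. The trace simulator, leak position, noise level and key byte are assumptions made for the example.

```python
import math
import random

def _gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(a):
    """AES S-box: affine map of the GF(2^8) inverse (a^254, so 0 maps to 0)."""
    inv = 1
    for _ in range(254):
        inv = _gf_mul(inv, a)
    y = 0x63
    for i in range(5):
        y ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return y

SBOX = [_sbox_entry(a) for a in range(256)]
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight leakage model

def simulate_traces(key_byte, n_traces, n_samples=8, leak_idx=3, sigma=1.5, seed=1):
    """Constructed stand-in for a capture: sample leak_idx leaks HW(SBOX[p ^ k]) + noise."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in plaintexts:
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[leak_idx] += HW[SBOX[p ^ key_byte]]  # the data-dependent power draw
        traces.append(trace)
    return plaintexts, traces

def _pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(var) if var else 0.0

def cpa_key_byte(plaintexts, traces):
    """Rank all 256 guesses by peak |correlation| over every sample point."""
    best = (0, 0.0)
    for k in range(256):
        hyp = [HW[SBOX[p ^ k]] for p in plaintexts]
        for s in range(len(traces[0])):
            r = abs(_pearson(hyp, [t[s] for t in traces]))
            if r > best[1]:
                best = (k, r)
    return best
```

The same loop applied to each of the 16 plaintext positions recovers the full AES-128 round-0 key; on real ChipWhisperer captures the only change is that the traces come from the scope rather than the simulator.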
SCA201 with sample traces (no hardware required) - Advanced
Extends what was shown in SCA101. Explore techniques to resynchronize traces, attack different AES-128 implementations, and break an AES-256 bootloader. Online course in development.
Solution
Fault201 traceless (1_XA) labs - Advanced
Introduction to Side-Channel Power Analysis (free course)
Level 2 - Free Tutorials with ChipWhisperer Nano ($50)
The ChipWhisperer-Nano is a low-cost tool for side-channel power analysis training. It allows performing attacks against algorithms such as AES using side-channel power analysis. It includes a Cortex-M0 based target device which can be programmed with various algorithms. Many of the educational examples from the ChipWhisperer-Lite will also work on the ChipWhisperer-Nano.
The ChipWhisperer-Nano has more limited triggering capability compared to the ChipWhisperer-Lite or ChipWhisperer-Pro, and as such is limited primarily to training environments. It includes basic voltage fault-injection capability (but cannot perform clock fault injection).
Features
Integrated STM32F0 target for running cryptographic and security algorithms.
Fixed gain front-end designed for working with integrated target.
8-bit ADC up to 20 MS/s, which can be driven from internal or external clock sources.
Low-cost design suitable for use in large class-room environments.
Programmer for STM32F0 integrated onto board.
Uses same Jupyter-based environment as ChipWhisperer-Lite and ChipWhisperer-Pro.
Tutorials
SCA101 - Introductory
Fault101 Nano voltage glitch labs - Introductory
An introduction to voltage and clock glitching attacks. By disrupting a device’s power or clock, we can cause unintended behaviour, such as corrupting variables or even skipping password checks. Online course in development.
SCA201 - Advanced
Fault201 traceless (1_XA) labs - Advanced
Use the fault attacks you learned about in Fault101 to attack cryptographic implementations and recover their keys. The full versions of these labs are not available for the Nano; however, traceless notebooks that cover the theory of some attacks are available.
Level 3 - Free Tutorials with ChipWhisperer-Lite ($250)
The ChipWhisperer-Lite integrates hardware for performing power analysis measurement, device programming, glitching, serial communications, and an example target that can be loaded with cryptographic algorithms, all into a single board. The single-board version shown here comes with a 32-bit STM32F303 Arm Cortex-M4 processor as a target (other versions are available).
Features
Low-Noise Amplifier (LNA) with adjustable gain of up to +60 dB for analog power measurements.
10-bit ADC up to 105 MS/s, with an ultra-flexible clocking mechanism that allows synchronous power capture.
Generate clock glitches with sub-ns timing resolution.
Crowbar-based voltage glitch generator.
Built-in serial port for communications and programming STM32Fx targets.
Built-in XMEGA and AVR programmers.
Open-source design allowing you to modify microcontroller & FPGA firmware.
Integrated STM32F303 32-bit Arm target for power analysis & fault injection integrated onto board.
Can separate target off board to use tool on additional targets.
Tutorials
SCA101 - Introductory
Fault101 - Introductory
SCA201 - Advanced
Fault201 - Advanced
LPC1114 Glitch - Advanced
Requires LPC-P1114 ($14)
Use the voltage glitching attacks from Fault101 to bypass code protection on a development board and dump its secured flash. Requires an LPC-P1114 development board, as well as modifications (removing components, cutting traces) to the board.
Level 4 - $250+ endless possibilities!
Our CW305 FPGA target board opens a world of possibilities.
First, we have example hardware implementations and corresponding attacks for both AES and ECC:
These provide a nice playground for hardware developers to experiment with countermeasures. The examples also make it easy to understand how to implement other target cores on the CW305.
But the CW305 target isn’t just for hardware developers, thanks to Arm’s DesignStart. Follow our detailed guide to port DesignStart to the CW305. This gives you an FPGA-based target which looks and feels like our standard STM32 target. But because it’s on an FPGA, you can do things that weren’t possible before. For example, you can combine debug trace information with power traces to gain a new level of visibility into what a target is doing, which can be super helpful whether you’re developing an attack or a countermeasure.
Features
Custom USB interface provides address/data bus for FPGA, including data transfer and configuration.
Example AES hardware implementation demonstrates data transfer.
Arm DesignStart for FPGA with Cortex-M1 or Cortex-M3 can be run on this board.
3-channel PLL generates 5-160 MHz with frequency configurable over USB.
VCC-INT supply which can be programmed over the range of 0.8V-1.10V via USB.
VCC-INT shunt resistor, with 20dB LNA to amplify signal.
VCC-INT direct connection for voltage fault injection.
ChipWhisperer 20-pin connector to simplify usage with ChipWhisperer capture, for both side-channel power analysis and clock glitching.
Mounting holes for XY table mounting.
We hope you enjoyed our "learning at home" guide. We love hearing about what our community is working on, so please stay in touch!
Join us on Discord
Visit our Forum (tech support/community project discussions)
Follow us on Twitter
Subscribe to our Newsletter
Visit our Help Center