ChipWhisperer™: Security Research

Open Source Hardware Security Analysis

This project was created on 04/29/2014 and last updated 11 days ago.

Description
ChipWhisperer is the first complete open-source solution for embedded hardware security research including side-channel power analysis and glitching. Tools from commercial vendors cost considerably more (think $20k+), making this the project that promises to bring all sorts of fun tools to every engineer or developer interested in embedded security. It's fully documented (including tutorials) making it possible to really get started on your own.
Details

Check out my 2-min video at YouTube. Links to project details (GIT, Wiki, Docs) are on the left.

Project logs
  • Glitching a Linux Target

    11 days ago • 0 comments

    Here's an interesting update - I've just done some glitch attacks against a Raspberry Pi running a stock Linux kernel. I haven't done anything too interesting beyond just proving it works, but there are a lot of useful points you could glitch away. Basically I programmed a Raspberry Pi with this little chunk o' code:

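    #include <stdio.h>

    int main(void){
        /* volatile keeps the compiler from folding the loops into a constant */
        volatile int i, j, cnt;
        while(1){
            cnt = 0;  /* reset each pass so every line reads 25000000 */
            for(i=0; i<5000; i++){
                for(j=0; j<5000; j++){
                    cnt++;
                }
            }
            printf("%d %d %d\n", cnt, i, j);
        }
    }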

    Which, if it is working normally, should print out "25000000 5000 5000". But by inserting glitches into the power lines of the chips (glitching done with a MOSFET crowbarring the 1.2V supply right at the underside of the BGA to GND), which gives you a power like this:

    You can get incorrect results! Here's a print-out where I insert such a glitch event:

    This simple code was chosen since it's easy to insert glitches 'anywhere'. You don't need to go out of your way to determine the exact moment of glitching. Note that the glitches are not resetting the system or causing it to crash, or even crashing the specific code. They are just affecting a few instructions such that it counts wrong! If that count is part of something like a bounds check, that means you could overwrite an array.

    Anyway see the video for more details:

  • Updated with RECON Slides, DEFCON Announcement

    15 days ago • 0 comments

    Lots of good news. First off - for those interested I did post my RECON Slides online just after the conference. They are supposed to release video at some point so you'll be able to get that.

    I'm also going to be at BlackHat and DEFCON! I plan on giving a talk in the hardware hacking village at DEFCON, I don't have anything on either of the official schedules this year though. As an additional bonus there will be a ChipWhisperer Complete Kit that I built going for auction at the Vegas 2.0 Fundraiser for the EFF. It might save you a bundle! I'll be packing a few free PCBs as usual, but I'm normally limited in how much I can carry.

    Speaking of EFF, the company I've started to spin up for selling assembled ChipWhisperers (NewAE Technology) is now an organizational member of the EFF, check it out on their thanks page.

    I'm reworking how the analyzer software works right now, so still haven't pushed out a release. The system will now generate a script file & run the script file automatically, instead of hiding everything behind the GUI. This makes it a lot easier to both (A) save your setup and (B) hack in new modules to test with. It should be a great improvement, and will let you play with the system even more.

    I'm still posting new documentation to the Python Docs page (see links panel on left), so there are a few new tutorials there, including examples of both clock & power glitching. That's all for now anyway, back to work finishing off this code...

  • Template Attacks & Free PCBs at RECON

    2 months ago • 0 comments

    There's been a flurry of activity on the GIT repo lately, as I'm adding support for template attacks. These attacks are exceedingly powerful (capable of breaking AES with a single trace), so I'm excited about support for this. It's not quite done yet so don't clone the repo & expect things not to break! With any luck all the bugs will be ironed out this week and a release will come shortly afterwards.

    I'm also going to be giving a short (30-min) talk at Recon in Montreal at the end of June. If you'll be there be sure to say hello. As usual I'll be packing ChipWhisperer PCBs that I'll be giving out. It's the closest I can afford to 'free' open-source hardware ;-)
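
The "Glitching a Linux Target" log above points out that a miscounted loop feeding a bounds check could let a write run past an array. The following C sketch of a software countermeasure is an added example, not code from the ChipWhisperer project: the names `copy_hardened`, `sim_fault_step` and `sim_fault_value` are hypothetical, and the fault is simulated in software by overwriting the index.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { COPY_OK = 0, COPY_FAULT = -1, COPY_TOO_BIG = -2 };

/* Hypothetical test hook: at this loop step the index is overwritten in
 * software to stand in for a glitched increment. SIZE_MAX disables it. */
static size_t sim_fault_step = SIZE_MAX;
static size_t sim_fault_value = 0;

/* Bounds-checked copy that keeps the index and its bitwise complement in
 * lock-step and re-validates both before every write. */
int copy_hardened(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    volatile size_t i = 0;            /* primary index */
    volatile size_t i_inv = SIZE_MAX; /* always ~i when no fault occurred */
    size_t step;

    if (len > cap)
        return COPY_TOO_BIG;
    for (step = 0; step < len; step++) {
        if (step == sim_fault_step)
            i = sim_fault_value;      /* simulated fault hits the index only */
        size_t idx = i, inv = i_inv;
        if ((idx ^ inv) != SIZE_MAX || idx >= cap)
            return COPY_FAULT;        /* refuse the write, do not continue */
        dst[idx] = src[idx];
        i = idx + 1;
        i_inv = inv - 1;
    }
    /* A skipped iteration or early loop exit leaves the index short. */
    size_t end = i, end_inv = i_inv;
    if (end != len || (end ^ end_inv) != SIZE_MAX)
        return COPY_FAULT;
    return COPY_OK;
}

int main(void)
{
    uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8}, dst[8] = {0}; /* constructed */
    printf("clean run:   %d\n", copy_hardened(dst, sizeof dst, src, sizeof src));
    sim_fault_step = 3;
    sim_fault_value = 4096;
    printf("faulted run: %d\n", copy_hardened(dst, sizeof dst, src, sizeof src));
    return 0;
}
```

A redundant index like this detects a fault that corrupts one copy; it does not help when a single glitch disturbs both the index and its complement consistently.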


Discussions

Tiago wrote 25 days ago

Great project! How much does it cost you to manufacture it?

coflynn wrote 23 days ago

Thanks! If you DIY everything I think it's about $300-$400 depending how much of it you build. The FPGA board is $200 which is the main cost, although it's possible to build part of the FPGA file for cheaper boards (Spartan 6 LX9 boards). These versions have less features but still useful...

Mike Szczys wrote 2 months ago

Thanks for entering this one in The Hackaday Prize.

Good luck with your talk at Recon. Any chance that will be available online?

coflynn wrote 2 months ago

Definitely will be available online - I'm not 100% sure if the RECON folks record the talks, but if not I'll upload my own version!

Eric Evenchick wrote 3 months ago

Nice to see some open information on the black magic of side-channel analysis. Thanks for sharing this.
