For a number of years, coverage-guided fuzzing has been a widely used technique for vulnerability identification. It can be applied to source code as well as to compiled binary code, through instrumentation or emulation. Unfortunately, for embedded systems with encrypted or otherwise inaccessible code, conventional fuzzing cannot be applied. This presentation introduces a technique that relies on the side-channel signals produced by a device to detect unique execution paths and uses this information to guide subsequent input mutations.
Side-channel analysis for path identification raises a number of challenges. First, the presentation discusses the challenges of processing timing, power, electromagnetic and serial side-channel signals. Second, it describes a method for combining multiple side-channel signals into a single unique and reproducible label. Third, it gives an overview of the different methods used to reduce the noise and jitter observed in the collected side-channel signals. Finally, it describes a use case in which this black-box fuzzing method is applied to real-world code running on a multicore 1.1 GHz chip.
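As an added illustration, not code from the presentation or from Riscure, the following Python simulation shows the feedback loop the abstract describes: a hypothetical black-box device whose timing and power side channels are the only observable output, a labelling step that reduces noise by taking the median of repeated measurements and quantizing both channels before combining them into one label, and a mutation loop that keeps an input for further mutation only when its label has not been seen before. The device model, its signal values and the noise levels are constructed for the example.

```python
import hashlib
import random

# Hypothetical black-box target. Its code is not accessible; we only observe
# side-channel measurements. Which of four paths runs depends on the input,
# and each path leaves a distinct timing and power signature, both corrupted
# by measurement jitter/noise (all values below are constructed).
def simulated_device(data: bytes, rng: random.Random):
    path = sum(1 for n in (1, 2, 3) if data[:n] == b"ABC"[:n])
    timing_us = 100.0 + 40.0 * path + rng.gauss(0, 2.0)   # timing channel
    power_v = 0.50 + 0.10 * path + rng.gauss(0, 0.01)     # power channel
    return timing_us, power_v

def path_label(samples) -> str:
    """Fold repeated timing/power measurements into one reproducible label.
    Noise reduction: median over repeats, then coarse quantization so jitter
    well below half a bin cannot move the label; both channels are then
    hashed into a single identifier usable as 'coverage' feedback."""
    t_med = sorted(s[0] for s in samples)[len(samples) // 2]
    p_med = sorted(s[1] for s in samples)[len(samples) // 2]
    t_bin, p_bin = round(t_med / 20.0), round(p_med / 0.10)
    return hashlib.sha256(f"{t_bin}:{p_bin}".encode()).hexdigest()[:16]

def measure(data: bytes, rng: random.Random, repeats: int = 5) -> str:
    return path_label([simulated_device(data, rng) for _ in range(repeats)])

def measure_seeded(data: bytes, seed: int) -> str:
    """Same input measured with an independent noise stream; labels must agree."""
    return measure(data, random.Random(seed))

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Single-byte mutation: overwrite one random position with a random byte."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(seed: bytes = b"\x00\x00\x00", iterations: int = 50000, rng_seed: int = 1):
    """Coverage-guided loop where the side-channel label replaces code coverage:
    an input is kept for further mutation only if it yields an unseen label."""
    rng = random.Random(rng_seed)
    corpus, seen = [seed], {measure(seed, rng): seed}
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        label = measure(child, rng)
        if label not in seen:          # new label => previously unseen path
            seen[label] = child
            corpus.append(child)
    return corpus, seen
```

Calling `fuzz()` returns the corpus of inputs that each produced a distinct label together with the label-to-input map; with the constructed device all four paths are found.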
Sergei Volokitin is a security analyst at Riscure in the Netherlands, where his work focuses mostly on the security evaluation of embedded systems and on security testing of smart card platforms and TEE-based solutions. He has a number of publications on Java Card platform attacks and has given conference presentations on hardware security.