Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

Fault Injection is often the weapon of choice for breaking into devices when exploitable software vulnerabilities are not known or absent. While Fault Injection attacks are nowadays common, typical concepts,methodologies, techniques, and attacks are often not sufficiently understood. While achieving success by simply glitching a target can yield results, it’s important to note that this approach alone doesn’t facilitate the creation of innovative attacks. In this training, students will experience and appreciate the Art of Fault Injection (TAoFI) in order to exploit the full potential of Fault Injection attacks.

This training assumes that students already have some experience with performing Fault Injection attacks, either obtained at work, at home, or at a previously attended training (e.g., from Colin, Joe or Thomas). Students are encouraged to work together in teams of two, sharing their experiences, to tackle the challenges together more efficiently. Even though not recommended, students may work individually as well.

Students will be using advanced techniques to characterize the effects of voltage glitches on the Espressif ESP32 system-on-Chip (SoC). The faults resulting from these voltage glitches are carefully analyzed and described to build a thorough understanding of the target’s susceptibility to voltage glitches. This enables the students to create powerful Fault Injection exploits. During this training, rather than focusing on a specific set of tools, the students will focus more on the concepts, methodologies, techniques, and attacks relevant to Fault Injection attacks.

Students will experience, with guidance from experts, performing real-world Fault Injection attacks, that were either disclosed by Raelize or other security researchers. Students will be using the NewAE ChipWhipserer-Husky, typical hardware lab tooling like an oscilloscope and a hardware debugger. Students are provided with a virtual machine (VM) with all the required tooling installed, as well as access to the required hardware. Students are allowed to bring their own ChipWhisperer or any other voltage glitch tooling they may have.

Upon completing the training, students will be proficient to execute sophisticated Fault Injection attacks on real-world targets using commercially available tooling. The knowledge gained from understanding the underlying concepts, methodologies, techniques, and attacks, can be used by the students to perform novel Fault Injection attacks on other targets of interest.

What to Expect? | Key Learning Objectives:

• Understand Fault Injection techniques and attacks like an expert
• Identify non-trivial vulnerabilities using advanced Fault Injection techniques
• Create advanced Fault Injection exploits using commercially available tooling
• Reproduce top-notch security research from Fault Injection experts

Training Detailed Description:

The following list of topics are covered by practical exercises (75%) which are supported by (25%) presentations. Most of the exercises are performed on a custom development board based on the Espressif ESP32 System-on-Chip (SoC), on which Raelize performed multiple Fault Injection attacks

This training starts by building up a solid understanding of the typical concepts and methodologies Fault Injection. Then, students dive straight into the advanced techniques and attacks, which are used to create powerful Fault Injection exploits. Throughout the training there will be ample opportunity to discuss any relevant topic in order to shape up a deeper understanding of Fault Injection and related topics.

Fundamentals

• Overview of Fault Injection
• Raelize’s Fault Injection Reference Model (FIRM)
• Get familiar with the target (Espressif ESP32)
• Get familiar with the tooling (NewAE ChipWhisperer and typical lab tooling)

Advanced Techniques

• Target characterization (with/without custom code)
• Target characterization in the dark (i.e., without custom code)
• Analyzing faults to identify target behavior
• Plotting results to identify target behavior
• Modeling faults to build attack primitives
• Advanced triggering for timing (GPIO, UART, SPI & Power)
• Vulnerability identification by reverse engineering
• Vulnerability verification with hardware debugger
• Effective glitch parameter selection strategies

Advanced Attack

• Bypassing Secure Boot (ESP32; CVE-2019-15894)
• Bypassing Encrypted Secure Boot (ESP32; CVE-2020-13629)
• Controlling the Program Counter (ESP32)
• Glitching the OTP Transfer (ESP32; CVE-2019-17391

Note, Raelize used Riscure’s ElectroMagnetic Fault Injection (EMFI) tooling to perform the above research.During this training, as the students will be performing Crowbar Glitching using NewAE’s ChipWhipserer-Husky platform, not all attacks may be performed successfully during the training. Riscure’s tooling may be available throughout the training for demonstration purposes.

Who Should Attend? | Target Audience:

This training is intended for:

• Security Analysts, Researchers & Enthusiasts
• Forensic Investigators
• Anyone else interested in advanced Fault Injection techniques and attacks

Note, this is really an advanced course. The fundamentals are addressed in a systematic way, but students are assumed to be have already experiencied injecting Clock, Voltage, ElectroMagnetic or other types of glitches.

What to Bring? | Software and Hardware Requirements:

The students of this training are expected to bring a modern laptop or workstation:

• with sufficient memory (at least 8 GB)
• with at least four available USB-A ports (i.e., bring an USB hub)
  • Raelize will have extra USB hubs available (USB-C/USB-A) during the training
• installed with VMware or VirtualBox
• installed with a modern browser (i.e., Google Chrome)

Note, the Fault Injection hardware will be attached to the VM. Please, make sure that forwarding different types of USB devices to your VM works as expected. In our experience this works best using VMware products (e.g., VMware Workstation Player)

What to Bring? | Prerequisite Knowledge and Skills:

The students of this training are expected to:

• have experience performing basic Fault Injection attacks
• be familiar with interfacing with embedded devices
• be familiar with typical lab tooling
• be familiar with reverse engineering software
• be familiar with programming Python and C
• be familiar with common cryptography (RSA, AES and SHA)

ABOUT THE TRAINERS

Niek Timmers (@tieknimmers) is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.

Cristofaro Mune (@pulsoid) is Security Researcher at Raelize and he has been in the security field for 20+ years. He has 15+ years of experience with evaluating SW and HW security of secure products, as well as 10+ years of experience in assessing TEE security. He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups. His research on Fault Injection, TEEs, Secure Boot, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.