ChipWhisperer is an open platform for
embedded hardware security research. CW was developed by Colin O'flynn.
gocw is a re-implementation of CW
software stack, written in go.
gocw main features:
- Clean interface to CW capture device.
- Self contained flash programmers for XMEGA and STM32F targets.
- Web based UI to view captured power traces.
- Efficient implementation of several power-analysis algorithms (DPA/CPA/Templates) using gonum.
- Get external git repositories:
$ git submodule init
$ git submodule update- Get package dependencies:
$ go get -d ./...- Generate enum strings, mocks, static file resources:
$ go get -u golang.org/x/tools/cmd/stringer
$ go get -u github.com/omeid/go-resources/cmd/resources
$ go get -u github.com/golang/mock/gomock
$ go install github.com/golang/mock/mockgen
$ go generate ./hardware ./...
$ go test github.com/google/gocw- Build firmware files. See CW wiki for information on how to install the required toolchains.
$ mkdir build
$ cd build
# For STM32 targets run the following:
build$ PLATFORM=CWLITEARM cmake ..
# For XMEGA targets run the following:
build$ PLATFORM=CWLITEXMEGA cmake ..
build$ makeThe tests under tests/ are e2e integration tests that verify gocw stack is
working properly. Each test programs the target, sends requests over the serial
based communication protocol, and verifies the firmware returns the expected
output.
To run the tests, plugin CW device, and run:
$ go test ./tests/simple_serial_smoke_test.go -count 1 -v
$ go test ./tests/aes_smoke_test.go -count 1 -v
$ go test ./tests/ecdh_smoke_test.go -count 1 -vThe following demonstrates how to use gocw to mount a correlation power
analysis (CPA) on the first round of AES-128 running on the target device.
- Program the target device.
$ go run cmd/program.go -logtostderr -firmware build/firmware/tiny_aes.hex- Capture 50 traces, 5000 samples per trace, starting from offset 0 from the trigger:
$ go run cmd/capture.go -logtostderr \
-traces 50 -samples 5000 -offset 0 -output captures/aes_t50_s5000.json.gz- Launch Web UI to view the captures:
$ go run viewer/server.go -port 8080 -dir capturesBrowse to http://localhost:8080, and examine the power trace:
Load new traces by clicking on the rows in the traces window:
Zoom in by selecting a samples time region:
The web UI monitors the captures directory for changes. We can run the server
in the background go run viewer/server.go&, and new capture files will automatically
be displayed on the captures window.
- Run correlation power analysis to recover the key:
$ go run cmd/attack_sbox_cpa.go -logtostderr -input captures/aes_t50_s5000.json.gz
...attack_sbox_cpa.go:113] Loaded capture with 50 traces / 5000 samples per trace
...attack_sbox_cpa.go:165] Fully recovered key: 2b7e151628aed2a6abf7158809cf4f3c-
Correlation Power Analysis attacks the SBOX lookup of the first round of AES-128. Attack fully recovers the key from ~50 traces.
-
Differential Power Analysis attacks the SBOX lookup of the first round of AES-128. Attack fully recovers the key from ~500 traces.
-
ECDH Template Attack builds a power trace classifier that identifies when a EC multiplication operation resulted with a zero-coordinate point. Classifier successfully identifies traces in the validation set from training from ~150 traces.
gocw was only tested on ChipWhisperer-lite
with XMEGA and STM32F targets. Contributions for additional hardware support are welcome.
This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.