# Side-Channel Workshop
In this lab, we will walk through a simple power analysis (SPA) side-channel attack.

The provided data client will connect you to an embedded device that accepts 4-digit passwords, compares them to the correct password using the `strcmp` (string compare) function, and returns the result (correct/incorrect) and a power side-channel trace of the device performing the operation.

**Your goal: use the power traces to crack the 4-digit password**

## Prologue
Just run this once to import the network backend

In [None]:
from network_captures import *

## Step 1: Create Client
First, we need to create the client. You can create one of two clients, each with a different difficulty.

In [None]:
# basic difficulty (large trigger signal, 4-digit numeric)
dc = DataClient()

# basic difficulty (no trigger signal, 4-digit numeric)
# dc = DataClient(path=DataClient.MED_PATH)

# advanced difficulty (no trigger signal, any 4-digit value)
# dc = DataClient(path=DataClient.ADV_PATH, seed='changeme')

## Step 2: Fetch trace
Next, we need to use the client to fetch a trace from the server using a password guess. Note: your first fetch may take a bit.

In [None]:
trace = dc.fetch('0000')

# advanced binary input
# trace = dc.fetch([b'\x01\x02\03\x04'])

## Step 3: Plot trace
Once we have the trace, we can then plot it. Here, you can see the effect of different levels of smoothing as well as how to stack multiple plots in one view.

**NOTE: The `%maplotlib widgit` line is needed for an interactive plot**

In [None]:
%matplotlib widget
plot_helper(trace, 1)
plot_helper(trace, 10)
plot_helper(trace, 100)

We can see that the device running this comparison operation results in a structured trace, where (presumably) different operations result in different amounts of power draw. We will be able to use this structure to infer the correctness of our key guesses by comparing traces of 

---
## Your Turn!
Now, using these steps, see if you can crack the password!

Please don't just brute-force all 10k possible combinations. That will both bog down the server for your fellow attackers and defeat the purpose of the exercise :)

Feel free to add more Python code cells to work with using the `+` button in the upper left.

---
## Finished?
If you've finished early or just want a challenge, try some of the following:

* Figure out the optimal strategy for guessing passwords (what is the minimum number of guesses to ensure cracking the PIN?)
* Try using the advanced data client. The timing-critical section will be harder to spot and the password is 4 bytes of binary input instead of 4 digits

---
## Need a hint?
Scroll down to receive some hints

# DON'T LOOK BELOW HERE UNLESS YOU WANT HINTS

In [None]:

















# DANGER: HINTS AHEAD!























# DANGER: HINTS AHEAD!

















# DANGER: HINTS AHEAD!















# DANGER: HINTS AHEAD!






# DANGER: HINTS AHEAD!




# DANGER: HINTS AHEAD!



# DANGER: HINTS AHEAD!


# DANGER: HINTS AHEAD!

# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!

## Hint 1
Let's assume that the structure of the power trace is primarily dependent on the code being run and the data being operated on (and for this exercise, that is the case, although you may notice some minor noise between individual traces, which smoothing can help iron out).

If this is true, then two identical runs (identical inputs to identical code) should look similar. You can see that's the case by running the code block below:

In [None]:
%matplotlib widget
plot_helper(dc.fetch('0000'), 10)
plot_helper(dc.fetch('0000'), 10)

Given that, there's two primary variables that could vary in the trace.

First, if the same code path is taken, but different values are operated on, the spacing of features (spikes) over time (horizontally) should be similar across runs, but certain features may vary in amplitude (height) and shape. For example, where input of `0000` resulted in a spike around `x=90`, a different input may result in a shorter spike or even a dip.

Second, if different inputs push the computation down different code paths, one of which takes longer than the other (e.g., one trace went down the longer branch of an `if` or one trace stayed in a loop for longer), you may the features of one trace get delayed (occuring further to the right) after a certain point in time.

In [None]:

















# DANGER: HINTS AHEAD!























# DANGER: HINTS AHEAD!

















# DANGER: HINTS AHEAD!















# DANGER: HINTS AHEAD!






# DANGER: HINTS AHEAD!




# DANGER: HINTS AHEAD!



# DANGER: HINTS AHEAD!


# DANGER: HINTS AHEAD!

# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!

## Hint 2
Check out the man page for `strcmp` below. What are the possible return values? What impacts could different return values have on the structure of the power trace?

---
```
STRCMP(3)                BSD Library Functions Manual                STRCMP(3)

NAME
     strcmp, strncmp -- compare strings

LIBRARY
     Standard C Library (libc, -lc)

SYNOPSIS
     #include <string.h>

     int
     strcmp(const char *s1, const char *s2);

     int
     strncmp(const char *s1, const char *s2, size_t n);

DESCRIPTION
     The strcmp() and strncmp() functions lexicographically compare the null-terminated
     strings s1 and s2.

     The strncmp() function compares not more than n characters.  Because strncmp() is
     designed for comparing strings rather than binary data, characters that appear after
     a `\0' character are not compared.

RETURN VALUES
     The strcmp() and strncmp() functions return an integer greater than, equal to, or
     less than 0, according as the string s1 is greater than, equal to, or less than the
     string s2.  The comparison is done using unsigned characters, so that `\200' is
     greater than `\0'.

SEE ALSO
     bcmp(3), memcmp(3), strcasecmp(3), strcoll(3), strxfrm(3), wcscmp(3)

STANDARDS
     The strcmp() and strncmp() functions conform to ISO/IEC 9899:1990 (``ISO C90'').

BSD                            October 11, 2001                            BSD
```
---


In [None]:

















# DANGER: HINTS AHEAD!























# DANGER: HINTS AHEAD!

















# DANGER: HINTS AHEAD!















# DANGER: HINTS AHEAD!






# DANGER: HINTS AHEAD!




# DANGER: HINTS AHEAD!



# DANGER: HINTS AHEAD!


# DANGER: HINTS AHEAD!

# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!

## Hint 3
Check out the implementation of `strcmp` (simplified for readability):
    
```
int strcmp(const char* s1, const char* s2) {
    while(*s1 && (*s1 == *s2)) {
        s1++;
        s2++;
    }
    return *s1 - *s2;
}
```

If `s1` is the input you send and `s2` is the correct password, what behaviors of `strcmp` might cause different structures in the power?

In [None]:

















# DANGER: HINTS AHEAD!























# DANGER: HINTS AHEAD!

















# DANGER: HINTS AHEAD!















# DANGER: HINTS AHEAD!






# DANGER: HINTS AHEAD!




# DANGER: HINTS AHEAD!



# DANGER: HINTS AHEAD!


# DANGER: HINTS AHEAD!

# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!

## Hint 4:
There are two important features the implementation of `strcmp`.

First, the loop that compares the strings aborts as soon as a difference is found. This will result in the comparison of strings whose first two characters match to take longer than it would have if only the first character matched. If this happens, you should see a delay in the features more correct string after a certain point in the trace.

Second, if the strings do not match, they return a negative value if the first string is smaller than the second and a positive value the other way around. The differences in these values (and the code that may rely on the sign of its return) should cause the trace to have no offset in time like above, but should cause it to have a different feature if the test password was greater than the correct password than it would if it was lesser than the correct password.

In [None]:

















# DANGER: HINTS AHEAD!























# DANGER: HINTS AHEAD!

















# DANGER: HINTS AHEAD!















# DANGER: HINTS AHEAD!






# DANGER: HINTS AHEAD!




# DANGER: HINTS AHEAD!



# DANGER: HINTS AHEAD!


# DANGER: HINTS AHEAD!

# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!
# DANGER: HINTS AHEAD!

## Hint 5 (LAST HINT!)
The correct first digit is 6.

Let's see what 6 looks like in comparison to greater and lesser strings (zoom the graph to the features between 800 and 1300 to see the details). You should see `0000` and `1000` looking similar, `8000` and `9000` looking similar, but with a rise around 950 instead of a dip, and `6000` looking like `0000`, but the dip lasting a bit longer to around 1000, and all features afterwards being offset a bit further.

In [None]:
%matplotlib widget
plot_helper(dc.fetch('0000'), 10) # lesser
plot_helper(dc.fetch('1000'), 10) # lesser
plot_helper(dc.fetch('6000'), 10) # correct
plot_helper(dc.fetch('8000'), 10) # greater
plot_helper(dc.fetch('9000'), 10) # greater