Course pages 2019–20
Hardware Security
Principal lecturers: Dr Markus Kuhn, Dr Sergei Skorobogatov, Dr Franck Courbon
Additional lecturer: Shih-Chun You
Taken by: MPhil ACS, Part III
Code: P232
Hours: 16 (4 lectures, 6 practical exercises, 3x2h seminar sessions)
Class limit: max. 8 students
Prerequisites: Digital Electronics, Programming in C
Aims
This course provides a practical introduction to aspects of hardware security, in particular the reverse engineering of embedded microcontroller devices that implement a cryptographic application.
The particular target on which the practical exercises center this year is the evaluation kit of an authentication chip embedded in consumer electronics accessories, such as ink-jet printer tanks or batteries, which implements a challenge-response protocol based on elliptic-curve public-key cryptography.
Sessions
- Lecture 1: Introduction to Hardware Security (Skorobogatov)
  Exercise 1: ARM Cortex programming, debugging, decompiling, logic analysis (Kuhn)
- Lecture 2 + Exercise 2: PCB reverse engineering (Skorobogatov)
- Lecture 3: Public-key cryptography (Kuhn)
  Exercise 3: firmware readout and protocol logging (Skorobogatov+Kuhn)
- Lecture 4: Elliptic-curve cryptography (Kuhn)
  Exercise 4: decompilation – communications (Kuhn+Skorobogatov)
- Lecture 5: Feedback on exercises (Skorobogatov+Kuhn)
  Exercise 5: decompilation – elliptic-curve cryptography (Kuhn+You)
- Reading class 1: side-channel analysis (Kuhn+You)
  Exercise 6: re-implementation of single-wire interface or elliptic-curve layer
- Reading class 2: VLSI reverse engineering (Courbon)
- Reading class 3: fault attacks (Courbon)
In addition to these eight weekly 2-hour meetings, there will also be an optional weekly 1-hour exercise help session.
Each exercise is due after two weeks.
Objectives
On completion of this module, students should:
- have gained hands-on experience in some of the tools and methods involved in reverse-engineering a digital product,
- better understand the problem of hardening a product design against reverse engineering and tampering,
- be familiar with a range of hardware-level attack techniques and countermeasures.
Coursework
The course includes three reading sessions in which several papers are discussed. Each student is expected to give a 20–30 minute presentation covering 1–3 papers in one of these reading sessions and prepare an essay on the topics covered.
Practical work
Exercise 1: implementation of a basic morse-code transmitter and receiver on a 32-bit microcontroller (warm-up exercise for familiarization with ARM Cortex-M4 development, debugging and decompilation)
Exercise 2: preparation of a circuit diagram from high-resolution photographs and X-ray images of a target printed circuit board
Exercise 3: extraction of the firmware and recording of a protocol exchange from a microcontroller PCB (same target as in Exercise 2).
Exercises 4+5: partial decompilation (using Ghidra) of the firmware extracted in Exercise 3, along the execution path taken by the protocol exchange observed in Exercise 3.
Exercise 6: reimplementation of the observed and decompiled elliptic-curve scalar multiplication (ECSM) operation in a high-level language (e.g., Python, Sage, Julia, Perl)
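The elliptic-curve scalar multiplication that Exercise 6 asks for, as an added illustration that is not part of the course material and says nothing about the target chip's actual curve or firmware: a minimal affine-coordinate implementation over secp256k1 (a public standard curve, chosen here purely as an assumption for the example) comparing the textbook double-and-add method with a Montgomery ladder. The security point is the one Reading class 1 picks up: double-and-add performs an extra point addition only for scalar bits that are 1, so its sequence of doublings and additions reveals the scalar to timing or simple power analysis, whereas the ladder performs one doubling and one addition for every bit.

```python
# Added example (not from the course page): ECSM on a short-Weierstrass curve
# y^2 = x^3 + a*x + b (mod p) in affine coordinates. Parameters are secp256k1,
# an assumption for illustration only; the course target's curve is not known here.

P  = 2**256 - 2**32 - 977
A  = 0
B  = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G  = (GX, GY)
INF = None  # point at infinity (group identity)


def on_curve(pt):
    """True if pt is INF or satisfies the curve equation mod P."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def neg(pt):
    """Additive inverse: reflect across the x-axis."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P)


def add(p1, p2):
    """Affine point addition; the doubling case is folded in."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1, including y == 0
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def double_and_add(k, pt):
    """Left-to-right binary method. The addition runs only when the current
    scalar bit is 1, so the D / D+A pattern of the trace spells out k."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc


def montgomery_ladder(k, pt):
    """Montgomery ladder with invariant r1 == r0 + pt. Every iteration does
    exactly one doubling and one addition, whatever the bit value, so the
    operation sequence no longer depends on k (the operand selection would
    still need a constant-time swap in real code)."""
    r0, r1 = INF, pt
    for bit in bin(k)[2:]:
        if bit == '0':
            r1 = add(r0, r1)
            r0 = add(r0, r0)
        else:
            r0 = add(r0, r1)
            r1 = add(r1, r1)
    return r0


def trace_pattern(k):
    """Operation sequence that double-and-add emits for scalar k, as a
    side-channel observer would see it (D = doubling, A = addition)."""
    ops = []
    for bit in bin(k)[2:]:
        ops.append('D')
        if bit == '1':
            ops.append('A')
    return ''.join(ops)
```

Both methods must agree on every scalar, and `N*G` must come back as the point at infinity, which is a cheap sanity check for a re-implementation before comparing it against the decompiled firmware. Note that a Python Montgomery ladder is only constant in its operation sequence: big-integer arithmetic, the `bit == '0'` branch and the interpreter itself still leak, so a real countermeasure needs projective coordinates and a constant-time conditional swap.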
Assessment
60% exercises: each exercise handed in will be marked, and the four exercises with the highest marks will each contribute 15% to the overall mark of the course.
20% reading-class presentation.
20% reading-class essay.
Recommended reading
Hankerson/Menezes/Vanstone: Guide to Elliptic Curve Cryptography. Springer 2004.
Mangard/Oswald/Popp: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer 2007.