

# **ESIL SIDE-CHANNEL SIMULATION**



# **> iq**

- Nicolas
- R&D dept. @ Kudelski Security
- Embedded systems security research
  - Reverse engineering



- Karim & Sylvain
- Security Evaluation Lab @ Kudelski IoT
- Hardware attacks
  - Glitch / EM
  - Lasers !





RZLIN 0-2\_-0-02-0

#### Introduction

- Fault attack is an interesting attack path for IoT
- For low cost devices, there is only software protection
- Set-up cost have decreased a lot recently

RZGW ~~2\_~0-2-40



# **FAULT ATTACKS**

- Disturb a device execution from its normal behavior
- Various hardware technique allows that
- Some software or micro-architectural methods as well: Rowhammer, LVI, V0LTpwn, ...





<u> ~2\_~0-2</u>,0-02-0



<u> ~2\_~0-2</u>-40



*≈Z∠w* ∘ <u>2</u>\_0 – <u>2</u> – 0

## **Fault effects**

- Effects on the CPU can vary in many ways
  - Skip instruction(s)
  - Corrupt register/memory reads/writes
- Literally depends on the silicon, the type of fault, ...



### **Simulate fault effects**

- Glitching is a first step but finding practical exploits is another
- Not always access to source code
- Not always easy to emulate a firmware
- Hardware glitch campaigns may be very long
- Useful for code audit to catch some vulnerabilities

RZLIN 0~2\_0-02-0

#### **Problems ?**



RZLIN 0~2\_/0-02-0

## **Existing tools**

- Lazart (VERIMAG laboratory, University of Grenoble)
  - Based on LLVM
  - Needs source :(
- FiSim (Riscure)
  - Based on Unicorn & Capstone
  - Only works on supported architectures :(
  - Not publicly available :(

RZLIN 0~2\_0-02-0



# **ESIL FOR FAULT SIMULATION**

### **Our approach**

- Use R2's ESIL to simulate parts of the firmware
  - On raw firmware, can be used during the reversing phase with a single tool
- Instrument the VM using r2pipe and Python
  - Setup stack/registers
  - Run the simulation
  - Record the results



# GLitchoz0r 3k

- Python module
- Easy setup
  - Set simulation start/end address
  - Set initial registers
  - Set success conditions
  - ...
  - Results !

```
import glitchoz0r3k
glitchoz0r3k.GLITCHES = [glitchoz0r3k.glitch.Skip]
g = glitchoz0r3k.Glitchozor()
g.open('testcases/target')
g.set start(0×000012da)
g.set_end(0×00001327)
ops = g.analyze()
print(f"Number of ops : {ops}")
def conditions(ctx):
    Tests for registers to verify that our glitch worked
    if ctx['regs']['rax'] = 0:
        return True
    else:
g.set conditions(conditions)
for r in g.run():
    print(r['glitch_str'])
```



## Fault models and conditions

- All fault models are implemented as a function
- Fault models are added to the simulation

```
class Skip(Glitch):
    """
    Simple glitch. Skips the instruction
    """
    def apply(pipe):
        cur_instr = pipe.cmdj("pdj 1@PC")[0]
        new_addr = cur_instr['offset']+cur_instr['size']
        pipe.cmd('aer PC = '+hex(new_addr))
        return f"Skip {cur_instr['disasm']} @ {hex(cur_instr['offset'])}"
```

• One fault model per simulation

```
class ZeroDReg(Glitch):
    """
    Zero destination register
    """
    def apply(pipe):
        cur_instr = pipe.cmdj("pdj 1@PC")[0]
        changes = pipe.cmdj('aeaj 1@PC')
        try:
            reg = changes['W'][0]
            pipe.cmd(f"aer {reg} = 0")
            return f"Zero {reg} in {cur_instr['disasm']} @ {hex(cur_instr['offset'])}"
        except:
            return None
```





# RESULTS

## Naive check

```
#include "stdio.h"
   #include "string.h"
   #include "stdint.h"
   uint8_t check1(uint8_t * src, uint8_t * dst)
           uint8 t i = 0. res = 0:
           for(i=0; i<8; i++) {</pre>
                    res \models (src[i] ^ dst[i]);
           return res;
12 }
14 int main(int argc, char * argv[])
15 {
           uint8_t source[8] = {1,2,4,0,1,8,1,2};
           uint8_t destination[8] = {1,2,3,4,5,6,7,8};
           if(check1(source, destination)) {
                    printf("Bad boy\r\n");
           } else {
                    printf("Good boy\r\n");
23
24 }
```

RZLON 0-2\_-0-02-0

## Naive check

#### ~/Projects/glitch-simulation master\* > python3 t

• Skipping the for loop makes the password check return a correct value

| 0×00001184  | 0fb645fe                   | <pre>movzx eax, byte [i]</pre> | ; target.c:9  | <pre>for(i=0;</pre> | i<8; | i++) {                                |
|-------------|----------------------------|--------------------------------|---------------|---------------------|------|---------------------------------------|
| 0×00001188  | 83c001                     | add eax, 1                     |               |                     |      |                                       |
| 0×0000118b  | 8845fe                     | mov byte [i], al               |               |                     |      |                                       |
| ; CODE XREF | <pre>from dbg.check1</pre> | ລ 0×1161                       |               |                     |      |                                       |
| 0×0000118e  | 80 <b>7d</b> fe07          | cmp byte [i], 7                |               |                     |      |                                       |
| 0×00001192  | 76cf                       | jbe 0×1163                     |               |                     |      |                                       |
| 0×00001194  | 0fb645ff                   | movzx eax, byte [res]          | ; target.c:12 | return n            |      |                                       |
| 0×00001198  | 5d                         | pop rbp                        | ; target.c:13 |                     |      |                                       |
| 0×00001199  | c3                         | ret                            |               |                     |      | · · · · · · · · · · · · · · · · · · · |

RZLIN ~~2\_~0-2-~0

## **Stronger check**

```
uint8_t check2(uint8_t * src, uint8_t * dst)
        uint8_t i = 0, res1 = 0, res2 = 0;
        for(i=0; i<8; i++) {</pre>
                 res1 ⊨ src[i] ^ dst[i];
        for(i=0; i<8; i++) {</pre>
                res2 ⊨ src[i] ^ dst[i];
        if (res1 \neq 0 || res2 \neq 0) {
                 return 1;
        } else {
                return 0;
```

RZLIN 0~2\_/0-02-0

## **Stronger check**

| > python3 <u>target glitch.py</u><br>Number of ops : 278 |           |               |     |
|----------------------------------------------------------|-----------|---------------|-----|
|                                                          |           | [00:11<00:00, |     |
| Skip movabs rax, 0×80706050                              | 4030201 ລ | 0×1306(count= | 10) |
| Skip jmp 0×1238 බ 0×1231(co                              | unt=275)  |               |     |

#### • If statement is a branch

- Branches follow each other

| ; CODE XREFS<br>0×0000121a | from dbg.check2 a<br>807dfd07 | <pre>0×119a, 0×11ed     cmp byte [i], 7</pre> |  |  |
|----------------------------|-------------------------------|-----------------------------------------------|--|--|
| 0×0000121a                 | 76cf                          | jbe 0×11ef                                    |  |  |
| 0×00001220                 |                               | <pre>cmp byte [res1],</pre>                   |  |  |
| 0×00001224                 |                               |                                               |  |  |
| 0×00001226                 |                               | <pre>cmp byte [res2],</pre>                   |  |  |
| 0×0000122a                 |                               |                                               |  |  |
|                            |                               |                                               |  |  |
| 0×0000122c                 |                               | mov eax, 1                                    |  |  |
| 0×00001231                 |                               |                                               |  |  |
|                            |                               |                                               |  |  |
| 0×00001233                 |                               | mov eax, 🛛                                    |  |  |
|                            |                               |                                               |  |  |
| 0×00001238                 | 5d                            | pop rbp                                       |  |  |
| 0×00001239                 |                               |                                               |  |  |

RZLIN 0~2\_/0-02-0

#### **Stronger stronger check**

```
uint8_t check3(uint8_t * src, uint8_t * dst)
        uint8_t i = 0, res1 = 0, res2 = 0;
         for(i=0; i<8; i++) {</pre>
                 res1 ⊨ src[i] ^ dst[i];
         for(i=0; i<8; i++) {</pre>
                 res2 ⊨ src[i] <u>^ dst[i];</u>
         if (res1 = 0 & bb res2 = 0) {
                 return 0;
         } else {
                 return 1;
         }
```

RZLIN ~~2\_/0-2-40

### **Fault attacks on AES**

- Well known and documented fault attack
  - Works great on embedded devices
- With at least 4 faulted ciphertexts, it is possible to recover the AES key
- If we can generate good faulted ciphertexts and recover the key, the glitch simulation is working



#### The *famous* Balda test

- "If it simulates AES, ESIL is close enough"
  - Good example (memory reads/writes, arithmetic operations, loops, ...)
- Problem : ESIL works fine on x86, but does not work on ARM nor RISC-V
  - Incorrect results, or infinite loops





# **ESIL / ASM DIFFING**



- Validate ESIL implementation against a real device
- Improve ESIL support for embedded architectures (e.g. ARM)
- Automate comparison process for:
  - Few instructions / functions
  - Full binary execution
- Architecture agnostic







- Instrumentation of Radare2 with Python (r2pipe)
- Simultaneously open two pipes
  - DEBUG
    - QEMU
    - Device [JTAG / SWD]
  - ESIL
    - ESIL VM setup
    - ESIL synchronization with DEBUG (registers & memory space)
- Step and compare registers until discrepancy happens ... or not :)

RZLIN 0~2\_0-02-0

#### **Use case**

- Compiled binary
  - Specific function within firmware
- Unit tests
  - Relocate current map to executable memory (e.g. SRAM)
    - "omb. 0x2000000"
  - Write assembly
    - "wa MOV r1,#0x0;SUBS r1,#1;SUBS r1,#1;"@ addr
  - Configure "instruction pointer"
  - Execute



RZ4W ~~2\_~0-~2-~0

#### **Features**

- Display previous and current instruction
- Highlight differences between registers
- Synchronize registers between DEBUG and ESIL pipes
- Interact with DEBUG / ESIL pipes



#### Demo

ECTI

| ESIL:<br>[] name addr<br>                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | bytes disasm                                                                                                                     | comment esil    | refs                       | xrefs |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------|----------------------------|-------|
| r15 0×000102b4 02f0                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | 098f9 bl #0×125e8                                                                                                                | pc,lr,=,75240,  | oc,= 0×000125e8 0×000102b8 |       |
| [PC] name addr                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | bytes disasm                                                                                                                     | comment esil    | refs xrefs                 |       |
| r15 0×000125e8 80b                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 5                                                                                                                                | 8,sp,-=,lr,r7,2 | ,sp,=[*]                   |       |
| DEBUG:<br>[] name addr                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | bytes disasm                                                                                                                     | comment esil    | refs                       | xrefs |
| pc 0×000102b4 02f0                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 098f9 bl #0×125e8                                                                                                                | pc,lr,=,75240,  | pc,= 0×000125e8 0×000102b8 |       |
| [PC] name addr                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | bytes disasm                                                                                                                     | comment esil    | refs xrefs                 |       |
| pc 0×000125e8 80b                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 5                                                                                                                                | 8,sp,-=,lr,r7,2 | ,sp,=[*]                   |       |
| REG DEBUG<br>sp 0×407ffd68<br>lr 0×000102b9<br>pc 0×00012588<br>r0 0×00012701<br>r1 0×00000001<br>r2 0×407ffd74<br>r3 0×00012ae1<br>r4 0×00000000<br>r5 0×00000000<br>r6 0×00000000<br>r7 0×00000000<br>r7 0×00000000<br>r8 0×00000000<br>r9 0×00000000<br>r10 0×00000000<br>r10 0×00000000<br>r11 0×00000000<br>r12 0×00012b51<br>cpsr 0×00000030<br>Oocops something cha<br>[d]isplay registers<br>[e]sil → TARGET<br>[t]arget → ESIL<br>[s]tep<br>[i]nteractive<br>[v]erbose<br>[q]uit | ESIL<br>0×407ffd68<br>0×000102b8<br>0×000125e8<br>0×00011e70<br>0×407ffd74<br>0×00000000<br>0×00000000<br>0×00000000<br>0×000000 |                 |                            |       |

<u> ~2\_~0-2</u>,0-02-40





## **ESIL improvements**

- 1 PR in progress
  - Fix ARM IT Block (#17509)
- 7 PRs merged
  - ARM fixes ( #17347 / #17058 )
  - RISC-V fixes (#17115 / #17078 / #17005 / #16996 / #16962 )
- Multiple issues fixed
- AES now works on ARM32/Thumb/RISC-V

RZ4W ~~2\_~0-~2-~0



# **FINAL TESTS AND CONCLUSION**

### **Final test**

- Apply the fault simulator on AES
- If the faults allow to recover the AES key, it is a win

RZLIN ~~2\_~0-2-~0

### **Final test results**

Skip bls 0x8704 @ 0x8760(count=21059) Skip ldrb r2, [fp, -6] @ 0x8704(count=21060) Skip add r2, r1, r2 @ 0x8714(count=21064) Skip add r3, r2, r3 @ 0x8718(count=21065) Skip ldrb r3, [r3] @ 0x871c(count=21066) Skip mov r0, r3 @ 0x8720(count=21067) Skip ldrb r2, [fp, -6] @ 0x8724(count=21068) Skip ldrb r3, [fp, -5] @ 0x8728(count=21069) Skip ldr r1, [pc, 0x5c] @ 0x872c(count=21070) Skip ldrb r0, [r1, r0] @ 0x8730(count=21071) Skip ldr r1, [fp, -0x10] @ 0x8734(count=21072) Skip add r2, r1, r2 @ 0x873c(count=21074) Skip add r3, r2, r3 @ 0x8740(count=21075) Skip mov r2, r0 @ 0x8744(count=21076) Skip strb r2, [r3] @ 0x8748(count=21077) Skip ldrb r3, [fp, -6] @ 0x874c(count=21078) Skip add r3, r3, 1 @ 0x8750(count=21079) 8% :

4a614e376613ece8918c05ef907b822d 0bf38842e2d571487b490fe850556adc 30f8558ace8a90d873eeacebe92d481d 30f8558ace8a90d873eeacebe92d481d ea614c8796061506b384561917cac783 ea614c8796061506b384561917cac783 20d43b67809df10b7cb98d4a93b31eb0 20d43b67809df10b7cb98d4a93b31eb0 ea614c8796061506b384561917cac783 20d43b67809df10b7cb98d4a93b31eb0 20d43b67809df10b7cb98d4a93b31eb0 20d43b67809df10b7cb98d4a93b31eb0 20d43b67809df10b7cb98d4a93b31eb0 701277f0bb608870e1225a3bce31c2c7 20d43b67809df10b7cb98d4a93b31eb0 c469174e53d5821a9d0c4b859cc94366 e2f6dfb704a578399be07803fb81f03c : 79/1000 [01:34<09:44, 1.58it/s]

RZLIN ~~ 2\_\_\_ 0-~ 2-~ 0

### **Future work**

- Implement multiple faults during the same simulation
- Add fault models
  - Single bit flip on instruction to simulate laser-induced faults
- Enhance ESIL for other architectures



## Conclusion

- Glitch simulation reproduced on real hardware
- Ability to identify potential fault injection points in firmware
- Radare2 allows to *quickly*\* add a new architecture with no change in the simulation code
  - \* If ESIL works correctly





# **BONUS : INSTRUCTION TRACING USING ESIL**

## Side channel tracing

- Since we can simulate a full AES, we can use ESIL information to retrieve memory reads / writes
  - We can generate / plot a trace of memory accesses
- We can apply a "CPA" attack to recover the key
  - Tools already exist https://github.com/SideChannelMarvels/Daredevil



### **Side channel tracing**



<u> ~2\_~0~2</u>~0